On July 15 CISA added CVE-2023-4346 โ an overly restrictive account-lockout flaw in the KNX building-automation protocol โ to the KEV catalog, with a federal remediation deadline of July 29. An attacker can lock legitimate operators out of KNX devices by setting a BCU key. It's not a server, it's not an app: it's the protocol that runs the lights, HVAC, and door controllers. Which makes it the cleanest test yet of the question a KEV clock asks first โ is this even inside your authorization boundary?
CISA added CVE-2026-39808 โ an unauthenticated OS command injection in Fortinet FortiSandbox โ to the KEV catalog on July 16, with a federal remediation deadline of July 19. Three days. And the awkward question it forces isn't 'can we patch it,' it's 'is this box even inside the authorization boundary we drew?' Security appliances have a way of living just off the edge of the diagram.
Two weeks after the last SharePoint KEV item, CISA added another one โ CVE-2026-56164, a missing-authentication flaw in on-premises SharePoint Server that lets an unauthenticated attacker elevate privileges over the network. The federal deadline is today. Two things make this one worth a post: it drops the authentication requirement the July 2 bug still needed, and its severity graders can't agree โ NVD calls it 9.8, Microsoft calls it 5.3. Both of those roads lead to the same first question: is that farm even inside your authorization boundary, and can you answer before the clock runs out?
CISA added CVE-2026-55255 โ an authorization-bypass flaw in Langflow, the open-source AI agent builder โ to the KEV catalog on July 7, with a federal remediation deadline of July 10. Six weeks after the last Langflow KEV item, the actively-exploited thing is Langflow again. But this one isn't remote code execution. It's an authenticated user reaching into another user's flows, which means the thing that broke is the wall between tenants.
On June 25 FedRAMP launched the Consolidated Rules for 2026, and with them a transition calendar that stops being a projection today: July 6 is the day Marketplace listings open for the 20x initial implementation stage. FedRAMP Ready goes Legacy on July 28, the Class A pipeline opens August 3, Classes B and C on August 31 โ and every existing Rev5 system is on the clock to adopt the new rules by January 1, 2027. Here's the whole ladder, and what each rung actually asks of you.
On July 1 CISA added CVE-2026-45659 โ a deserialization RCE in on-premises SharePoint Server โ to the KEV catalog with a federal deadline of July 4. Microsoft patched it back in late May and rated it 'Exploitation Less Likely.' Five weeks later it's being exploited in the wild, with a three-day clock attached. That gap between the advisory's probability field and the catalog's certainty is the whole post: it's the empirical case for FedRAMP's 'assume it's automatable' rule, playing out in real time.
On June 22 the White House signed an executive order putting hard federal dates on the move to post-quantum cryptography โ encryption by 2030, authentication by 2031 โ and pulling contractors onto the same clock through the FAR. The deadline reads like it's years away. It isn't, for two reasons: adversaries are collecting encrypted data now to decrypt later, and you can't migrate cryptography you've never inventoried. The order's quietest provision โ a cryptographic bill of materials โ is the part we want to dwell on.
We've written a lot about securing the agent โ its identity, its blast radius, its egress. There's a governance layer sitting above all of that, and for federal AI it now has teeth: OMB's M-25-21 requires every agency to name a Chief AI Officer, publish a use-case inventory, and apply minimum risk-management practices to any system it designates high-impact. As of April, 56 agencies had reported 3,611 AI use cases โ 445 of them high-impact. The hard part isn't the practices. It's having an honest list in the first place.
CISA's BOD 26-04 retires the CVSS-sort-and-march approach to patching in favor of four risk questions โ is it exposed, is it automatable, does it grant control, is it being exploited โ and a set of urgency tiers from three days to fix-on-upgrade. FedRAMP's NTC-0014 aligns to it and then goes one step further with a rule we keep thinking about: assume every exploit is automatable unless you can prove otherwise.
On June 23 CISA added three Ubiquiti UniFi OS flaws to the KEV catalog โ an access-control bypass that's already being exploited, a path traversal, and a command injection. Read separately they're a mixed bag. Read the way an attacker reads them, they're a staircase from network access to running commands on the box. And the box is usually the network fabric nobody put inside the boundary.
CISA added CVE-2026-42271 โ a command-injection bug in LiteLLM, the open-source AI gateway teams put in front of their models โ to the KEV catalog on June 8, with a federal remediation deadline of June 22. The injection point is a pair of MCP preview endpoints, and chained with a Starlette host-header bypass it becomes unauthenticated RCE. Two weeks after Langflow, the actively-exploited thing is the proxy layer itself.
With the Consolidated Rules for 2026 landing at the end of this month, FedRAMP is retiring a phrase it's used for a decade. 'FedRAMP Authorized' becomes 'FedRAMP Certified,' and the Low/Moderate/High baselines pick up new names: Certification Classes A, B, C, and D. It's the same controls and the same boundary โ but a relabel this public is worth reading carefully, because some of it is cosmetic and some of it isn't.
On June 2, CISA added CVE-2022-0492 โ a four-year-old container-escape bug in the Linux kernel's cgroups code โ to the KEV catalog. It's a quiet entry next to the headline RCEs, but it's the one worth pausing on if your answer to 'is the agent contained?' is 'we run it in a container.' Because this is a clock on the container floor itself.
CISA added CVE-2026-0257 โ an actively-exploited authentication bypass in Palo Alto PAN-OS GlobalProtect โ to the KEV catalog on May 29 with a federal remediation deadline of June 1. But Cloud NGFW and Panorama aren't affected, only on-prem GlobalProtect is, which makes this a good week to talk about the question that actually comes first under a KEV clock: is this even inside your authorization boundary?
FedRAMP 20x has moved out of pilot and into Phase 3 โ GSA has confirmed it as the permanent authorization model. The Consolidated Rules for 2026 finalize by the end of June, take effect July 1, and run through 2028, with the real submission pipeline opening in Q4. Here's what changes when the experiment becomes the standard.
CISA added CVE-2025-34291 โ a CVSS 9.4 account-takeover-to-RCE chain in Langflow, the open-source AI agent and workflow builder โ to the KEV catalog on May 21, with a federal remediation deadline of June 4. It's the first time the actively-exploited thing on the clock is the orchestration layer itself, and that changes the conversation about where AI risk actually lives.
A browsable Rev 5 Moderate + 20x KSI catalog shipped today at /fedramp/controls โ the same catalog the Novaprospect audit engine evaluates AWS environments against. The engine itself is alpha: one collector (IAM), one evaluator (AC-2), the shape of the rest. Here's where it is and where it's going.
The 20x Phase One pilot draft submission window opens today and runs through May 26, with formal submissions starting May 30. The shorter timeline and machine-readable package format are real, and the prep work is also real. Here's what we've seen teams underestimate.
CISA added CVE-2026-20182 โ an authentication bypass in Cisco Catalyst SD-WAN Controller and Manager, CVSS 10.0, actively exploited โ to the KEV catalog on May 14 with a federal remediation deadline of May 17. For FedRAMP CSPs, this is the shape of ConMon working under load: a 72-hour clock, a control-plane device, and an obligation that the Consolidated Rules will soon make explicit.
Week 1 of a recurring brief on FedRAMP 20x: RFC movements, cohort status, schema changes, and the program-level dates worth tracking. This week is the kickoff snapshot โ what is currently open, where the program is, and what to watch.
FedRAMP published the public preview of its Consolidated Rules for 2026 on May 4. Templates are being retired in favor of machine-readable artifacts, Balance Improvement Releases become mandatory, and Rev 5 and 20x will run as parallel paths through 2028. Here's what that actually looks like from inside an authorization.
An agent with a long-lived API key in an environment variable is the new equivalent of the developer who stored production credentials in plaintext config. The fix is not new โ agents just make it urgent.
Evaluation suites for AI features are usually run by data scientists in notebooks, on demand, before launches. That is the wrong place for them. Evals belong on the same merge gate as the unit tests.
The first agentic incidents are already happening. The IR playbooks most organizations have do not contain useful instructions for what to do when the responsible party is a model.
Agents need identities, and 'the engineer who started the session' is not one. The non-human identity problem has been quietly waiting for AI to make it urgent.
The AI gateway shipped by Vercel and the equivalents emerging elsewhere are marketed as developer convenience โ one API across providers. The more interesting read is compliance. A gateway is the only chokepoint a regulated org has for AI traffic, and most teams are not yet treating it as one.
Anthropic's Computer Use API and the equivalents now shipping from other frontier labs let a model drive a real desktop โ screen, keyboard, mouse. Air gaps that worked against network-layer exfiltration do not work against a model that can type.
Anthropic's 1M-token context window is a genuine capability leap. It is also an unannounced change to your data-minimization story, your audit log volume, and your exfiltration surface. The engineering teams pulling it in have not yet reconciled any of those.
Model Context Protocol servers are the new universal connector between agents and the rest of the enterprise. They are also a threat surface with properties no prior connector had, and the industry has not caught up.
Every AI-assisted session produces a log. Most organizations treat it as a chat transcript. We treat it as a first-class SDLC artifact, and it has changed how we do nearly everything downstream.
Data residency commitments were easier to keep when data sat in databases. AI systems transmit slices of that data to model providers on every inference, and most organizations cannot say where it lands.
Network egress policy is a control most security teams consider mature. It usually is โ for the workloads it was designed against. Agents are a different workload, and most egress policies treat them as if they were not.
When you have more than one agent operating in your system, the coordination problem starts dominating the capability problem. We solved it by building a PM chain โ not a flat mesh.
Continuous monitoring was never going to be satisfied by quarterly screenshots. Now that automation is doing the work of collection, the gap between the compliance artifact and the control it represents is visible in a way it was not before.
A model red team finds jailbreaks. An agentic-system red team finds the chain of plausible actions that ends with your production database unrecoverable. The skill sets overlap only partially.
The engineer who dispatched the agent should not be the engineer who approves the agent's output. This is a rule the rest of the industry has quietly forgotten in the rush to ship AI features.
A FedRAMP authorization boundary is a specific, drawn thing. An AI workload that reaches an external model provider crosses the boundary every time it runs. That is the problem the industry has not fully reckoned with.
The fastest path out of a well-defended network is now a chatbot with a tool that fetches URLs. The attack does not require a model compromise. It requires only the behavior the agent was designed to exhibit.
An agent that can commit to main is an agent you cannot recover from. We enforce branch discipline on agents more strictly than we enforce it on human engineers, for exactly that reason.
SOC 2 did not add new Trust Services Criteria for AI. It did not need to. The existing criteria apply, and auditors have started asking AI-specific questions that your current evidence does not answer.
The foundation model your product depends on is a piece of third-party software. Everything your security program says about third-party software applies to it. Most programs have not caught up.
We put our agent prompts in version control, next to the code. That single decision turned out to be load-bearing for nearly everything else we built around AI.
An audit trail designed for human engineers does not survive contact with an agentic workflow. The log volume alone breaks it. What replaces it is not more logs, but better structure.
When an agentic system makes a wrong decision โ and it will โ the damage is bounded by the authority you gave it. Most teams do not think about that envelope until after the incident.
The NIST AI Risk Management Framework tells you what to govern. It does not tell you how to produce evidence that you are governing it. That gap is where most AI compliance programs stall.
Giving an agent a role and a scope produces better output than giving it a task and a prayer. The reasons are less about the model and more about how humans structure work.
The discipline that makes regulated engineering work is exactly the discipline that makes AI-assisted engineering safe. They're the same muscle. This is not a coincidence.
Two years after the industry collectively agreed prompt injection was a serious problem, it is still the default vulnerability in agentic deployments. The reasons are structural, not technical.
Amazon's AI coding tool reportedly deleted a production environment and took AWS down for 13 hours. Amazon called it 'user error.' They're right โ but not in the way they mean.
Streamlined authorization paths and up to 80% documentation reduction sound like good news. They are. They're also about to create a problem that most mid-market CSPs aren't ready for.