Each October, Cybersecurity Awareness Month serves to remind the general public of the role each person plays in securing the online systems we have all come to depend on. While cybersecurity is a year-round focus for government agencies, the last year has seen some significant updates to several key government cybersecurity programs.
Common Vulnerabilities and Exposures Program
The Common Vulnerabilities and Exposures (CVE) Program started as a collaboration with the nonprofit R&D corporation MITRE to develop a concept for organizing information around computer vulnerabilities. The program provides a standardized method for identifying, naming, and describing publicly known cybersecurity vulnerabilities. This includes assigning a unique record to each reported vulnerability and providing a consistent, structured description of it, with references to trusted advisories, reports, or vendor fixes. With this standard definition and singular hub, public-sector agencies and private companies can all share information and access needed remediation data and tools.
The Cybersecurity and Infrastructure Security Agency (CISA) recently announced updates to the program, including:
- Plans to broaden the CVE advisory board to better reflect the global cybersecurity ecosystem. The board will benefit from expanded expertise from governments, academia, open-source developers, tool providers, and researchers.
- Improvements in data quality through increased collaboration with industry and international governments, with a focus on raising the minimum standards for record quality using federated mechanisms that scale vulnerability data enrichment.
- Prioritizing more rapid implementation of automation and other capabilities and expanding API support to downstream data consumers.
There are currently over 450 organizations from more than 40 countries reporting CVEs. In 2024, there were over 40,000 new reported vulnerabilities, and the total CVE records for that year climbed to 270,768.
FedRAMP
FedRAMP, the government program that sets standardized security requirements for cloud services used by federal agencies, began a significant overhaul in March of 2025. FedRAMP 20x was announced to reimagine the approval process, with the goal of removing complexity and speeding up the timeline for companies to get approval on their cloud solutions. The initial efforts were focused on:
- Moving from manual compliance checklists to automated security validations. The stated goal is to have automated validation for over 80% of the program’s security requirements, as opposed to the written explanations currently required.
- Change in agency sponsorship activities. GSA removed the need for agency sponsors for “simple, low-impact service offerings.” The program will continue to support agency authorizations for higher-impact projects until new processes are finalized.
- Increased collaboration with industry through working groups. A number of working groups have been established, including the Automation Community Working Group, the Applying Existing Frameworks Working Group, and the Continuous Reporting Community Working Group.
Cloud offerings that moved through the new FedRAMP process received a 12-month FedRAMP Low authorization and will be prioritized for FedRAMP Moderate authorization in Phase Two. FedRAMP has also released the 20x Vulnerability Detection and Response Standard, which formalizes requirements for proactively and continuously identifying, analyzing, prioritizing, mitigating, and remediating vulnerabilities.
Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) principles have been in place for over a decade, but this year marked the formal implementation of a comprehensive CMMC program. As of October 2025, the CMMC standards are included in every Department of Defense (DoD) solicitation and contract. CMMC requires contractors to meet cybersecurity benchmarks based on the sensitivity of the information they handle. Contractors must also annually affirm compliance. Previously, compliance with these benchmarks was demonstrated through self-attestation. Moving forward, DoD will require third-party validation of these security processes.
To stay on top of cybersecurity policies and tactics, check out these resources from GovWhitePapers and GovEvents:
- FedRAMP: Evolving Standards, Emerging Challenges, and the Road Ahead (white paper) – FedRAMP, once a groundbreaking framework for authorizing cloud services, is now undergoing a critical transformation through the 20x initiative—aimed at streamlining processes, reducing sponsor burden, and embracing automation over paperwork. Yet, challenges remain, from securing agency sponsorship to helping smaller innovators break into the federal market. This report examines what is necessary for secure cloud adoption.
- Safeguarding the Digital Realm (white paper) – Cyber threats facing government agencies are growing more sophisticated, with nation-state actors and AI-powered attacks escalating the urgency of defense. Legacy systems, budget constraints, and fragmented oversight continue to weaken cyber resilience. To counter this, experts emphasize a shift toward threat-informed risk management, Secure by Design principles, and integrating AI with strong governance.
- Understanding CMMC (white paper) – CMMC is more than a compliance checkbox—it’s a long-term process that must be embedded into business operations, particularly to safeguard sensitive data and defend against cyber threats. The report emphasizes that organizations must shift their culture, improve documentation, and maintain ongoing vigilance, particularly as the CMMC model evolves.
- Strengthening Zero Trust Under Pressure (October 16, 2025; webcast) – Learn how zero trust can be made resilient and capable of improving under pressure and how to align your agency’s zero-trust journey with federal guidance.
- CyberTalks 2025 (December 9, 2025; Washington, DC) – CyberTalks presents a powerful opportunity to hear from the leading voices at the intersection of government and the technology industry on the latest tactics to combat current cybersecurity risks.