Before we jump into this week’s roundup, I’d like to include a quick note of congratulations to all of the winners of the inaugural Echo Awards recognizing achievements of journalists in the government technology sector. The awards event was truly inspiring. If you missed it this time, I strongly encourage you to participate next year. You can find a list of the winners here.
Two agencies appeared as the focus of attention this week: the Cybersecurity and Infrastructure Security Agency (CISA) and the General Services Administration (GSA). While those two agencies frequently garner coverage, they seemed to generate even more articles than usual this week. See my roundup below for more:
CISA’s Big Week
CISA’s prominence in the headlines this week was due to the agency’s new directive on how the government should prioritize its responses to cyber vulnerabilities as well as a recent hiring spree at the agency – among other developments:
- David DiMolfetta of Nextgov/FCW (an Echo Award winner!) reported on a planned directive from CISA that aims to triage vulnerabilities by the real-world consequences of a successful cyberattack, marking a major shift in how the government decides which cyber risks demand attention first. In a separate piece, DiMolfetta noted that the directive also establishes new timelines to patch security flaws, from three days for the highest-risk vulnerabilities to 60 days for lower-priority items.
- Under the directive, high-risk vulnerabilities will be classified as those that apply to assets (hardware or software as part of an IT system), publicly exposed vulnerabilities (on public networks or the internet), partial control and total control (the degree to which threat actors can control the software, network or IT system), according to reporting by Kimberly Underwood for SIGNAL Media.
- In his coverage for Federal News Network, Justin Doubleday noted that the directive was largely driven by advances in new AI models that could allow hackers to more quickly identify new software vulnerabilities and exploit existing vulnerabilities before they can be patched or mitigated.
- Grace Dille wrote in MeriTalk that the directive orders agencies to evaluate vulnerabilities against four criteria: whether an asset is exposed publicly, whether an attacker can fully automate exploitation, whether exploitation gives an attacker full control of a system, or whether there is evidence of real-world exploitation.
- The directive gives agencies 180 days to meet its remediation timelines and continuously identify and tag every agency-owned asset reachable from outside their networks, labeling each by organization, environment, exposure and asset type, according to a piece in ExecutiveGov by Kristen Smith.
- Covering the story for CyberScoop, Tim Starks quoted acting CISA Director Nick Andersen: “CISA is leading and collaborating with federal civilian agencies to stay ahead of our adversaries as tactics, technologies and vulnerabilities change.”
- In separate but related CISA news, the week began with reports on a call from Congress to restore federal funding for CISA’s Multi-State Information Sharing and Analysis Center (MS-ISAC), a cybersecurity information-sharing program that supports state, local, tribal and territorial governments, as noted in an article by Dille.
- Covering the proposal in ExecutiveGov, Jane Edwards wrote that it would direct CISA to restore memberships lost after the program’s defunding, expand access to new eligible entities and promote data sharing with the FBI.
- The Senate also introduced the Combat Emerging Threats to Critical Infrastructure Act directing CISA to work with federal sector risk management agencies to update sector-specific plans within one year of enactment, DiMolfetta wrote.
- In another development, a report by Alexandra Kelley in Nextgov/FCW shared the news that White House officials are considering designating CISA as the nexus to coordinate vulnerability scans across federal agencies with Anthropic’s high-powered AI model Mythos.
- Also, Doubleday reported on a speech in which Andersen stated that CISA is extending nearly 200 job offers this month, as the agency looks to reinforce its depleted ranks amid a wave of new AI security mandates. MeriTalk’s Dille also covered the speech and noted that CISA plans to bring in a total of 329 new employees, according to Andersen.
GSA Pushes Forward
The GSA also grabbed several headlines related to its imminent takeover of a major government-wide acquisition program and advances made by the agency related to a centralized government portal and increased AI usage. Here’s a sample of those reports:
- The contracting arm of the National Institutes of Health (NIH) announced that the GSA would take over all of its cross-government contracting functions by the end of 2028, Madison Alder wrote in FedScoop.
- NIH’s action to pull the plug on its government-wide acquisition program followed a period in which the program had been “floundering for over a year,” according to coverage by Nick Wakeman of Washington Technology.
- FedScoop’s K. Sophie Will covered a speech this week by GSA Administrator Ed Forst in which he characterized the agency’s modernization objectives in terms of playing catch-up and of achieving “instant gratification” from early wins and measurable goals – including a more centralized government portal and increased AI deployment.
- MeriTalk’s Lisbeth Perez reported that the GSA plans to onboard 16 additional federal agencies to its USAi AI evaluation platform by the end of 2026, significantly expanding a governmentwide effort to help agencies test, evaluate and deploy AI tools in a secure environment.
- In related GSA AI news, the agency’s deputy administrator Michael Lynch in a speech this week said 70% of the agency’s workforce now regularly uses AI, which equates to about 400,000 hours of automation users have “been able to unlock with technology,” according to an article by Edward Graham in Nextgov/FCW.
Upcoming Industry Events
As always, we want to keep you up to speed on upcoming industry events you might find interesting. The number of events tends to shrink during the summer, but here’s one you might want to check out in the coming week:
- June 16: Defense One Tech Summit 2026, GovExec/Defense One, The Ritz-Carlton Pentagon City, Arlington, Virginia
If you would like your event included in this list, please fill out this form.
Thanks for reading. Please share this newsletter with your colleagues. Subscribe to this newsletter on LinkedIn or via the form below to receive it every week.