The Exchange Daily - December 31, 2025

Year-end CIO briefing on KEV patch urgency, AI security governance, VA EHR modernization risk, and OMB’s tech-driven management agenda.

CISA KEV adds MongoDB CVE-2025-14847, and the deadline forces real patch governance.

CISA’s Known Exploited Vulnerabilities process is a forcing function because it translates “this is exploited” into a date-driven executive expectation. In this case, the CVE is tied to MongoDB, which many organizations treat as core infrastructure and sometimes forget to treat as part of the externally abused attack surface.

If you want a clean year-end posture, treat this as a governance test, not just a patch ticket. Confirm you know where MongoDB is running, which versions are in play, and which instances are internet reachable. Then prove your change process can hit a tight remediation window without breaking production.
Sources:
https://nvd.nist.gov/vuln/detail/CVE-2025-14847

NIST releases the Cyber AI Profile preliminary draft, giving security leaders a usable AI governance anchor.

NIST’s preliminary draft NIST IR 8596 is positioned as a practical way to help organizations adopt AI while prioritizing the cybersecurity risks introduced by AI systems. It also sets clear next steps, including a workshop date and a public comment window that can be used to shape the final guidance.

For CIOs and CISOs, the value is the structure. Instead of debating AI risk in the abstract, you can map your program to defined focus areas and then translate that into policy, controls, and investment decisions that are consistent across teams. This is a good time to run a gap review and turn the results into a real AI security roadmap for 2026.
Sources:
https://csrc.nist.gov/News/2025/nist-releases-prelim-draft-cyber-ai-profile

GAO says VA’s EHR modernization still has critical actions outstanding, and most recommendations are not fully implemented.

GAO’s latest update reinforces a lesson every modernization leader has learned the hard way: scale and complexity punish wishful thinking. The report frames VA’s EHR modernization as a multi-attempt effort with persistent challenges across cost, schedule, program management, user adoption, and operational testing.

The most actionable takeaway is to treat governance and readiness gates as non-negotiable. Before accelerating deployments, demand evidence that costs and schedules are credible, that user feedback is being incorporated, and that operational stability is proven. This is how you avoid turning “modernization” into “extended disruption.”
Sources:
https://www.gao.gov/products/gao-26-108812

OMB’s President’s Management Agenda memo spotlights tech consolidation, secure digital-first services, and AI-enabled process improvement.

OMB’s memo and attached framework put technology directly in the management reform conversation, including consolidating and standardizing systems while eliminating duplicative ones. It also calls out reducing data silos and duplicative data collection, paired with an emphasis on secure, digital-first services that work for real users.

For federal IT leaders, the immediate implication is prioritization pressure. Portfolio rationalization, identity and data governance, and shared services become enabling moves that support multiple mandates at once. This is also a reminder to define what success looks like with measurable outcomes, so “faster and more secure” translates into real delivery and defensible budgets.
Sources:
https://www.whitehouse.gov/wp-content/uploads/2025/12/M-26-03-Presidents-Management-Agenda.pdf

Topics We’re Tracking (But Didn’t Make the Cut)

Dropped Topic: Google Cloud and Vertex AI governance and Agent Builder updates.

  • Why It Didn’t Make the Cut: Primary-source verification could not be completed in this run due to source access constraints, so we held it back to protect the zero-hallucination standard.

  • Why It Caught Our Eye: Tool governance and agent development controls are becoming a board-level risk and compliance conversation for enterprise AI programs.


Quick Disclaimer and Sources Note: The author used AI in part to create this newscast. Our goal is to be transparent and show you how we sourced the info we used.

This newscast was developed using only public sources of information.

The Exchange Daily is a production of Metora Solutions. For more information about how to participate in this daily newscast, contact us at info@metorasolutions.com.
