CISA mandates remediation for active Windows “DWM” exploit (CVE-2026-20805)
CISA has added a known exploited vulnerability in the Windows Desktop Window Manager to the KEV catalog, setting a federal remediation deadline of February 3. For enterprise CISOs, this is a non-negotiable signal to prioritize this patch, as active exploitation of core OS components represents a high-risk vector for unauthorized access. Sources: https://www.cisa.gov/news-events/alerts/2026/01/13/cisa-adds-one-known-exploited-vulnerability-catalog
FedRAMP releases 6 new RFCs for machine-readable packages and “Sponsorless” paths
FedRAMP is accelerating its implementation of the Authorization Act by releasing six new Requests For Comment. These RFCs address reporting costs, machine-readable packages, and new paths for certification without a federal sponsor. IT leaders should engage with these comment windows now to influence procurement and evidence requirements before they are hardened into policy. Sources: https://www.fedramp.gov/rfcs/0024/
GAO warns of AI-driven fraud gaps and $162B in improper federal payments
In new testimony to Congress, the GAO warned that AI is enabling synthetic identity fraud at a scale that traditional controls cannot handle. With $162 billion lost to improper payments, the agency is pushing for AI-driven continuous verification as a mandatory component of federal IT modernization. CIOs and CFOs should expect future modernization funding to be tied directly to these program integrity outcomes. Sources: https://www.gao.gov/assets/gao-26-108850.pdf
Microsoft “Agent 365” management layer enters final production development
Microsoft is preparing to launch a centralized control plane for managing autonomous AI agents within the M365 ecosystem. This management layer provides necessary visibility for IT teams to track agent actions, set access controls, and manage tool-calling boundaries. Leaders should define their agent governance policy now to ensure autonomous workflows stay within risk tolerances. Sources: https://sharepointstuff.com/2026/01/12/microsoft-roadmap-roundup-12-january-2026/
Google Cloud launches “Gemini Enterprise for Customer Experience” (CX)
Google is shifting AI from passive search to active transactions with its new Gemini CX agent platform. These agents are designed to resolve customer problems and manage orders autonomously in highly regulated environments. This transition requires a shift in governance from “chat monitoring” to “transactional auditability” for AI-led workflows. Sources: https://cloud.google.com/transform/a-new-era-agentic-commerce-retail-ai
Topics We’re Tracking (But Didn’t Make the Cut)
Dropped Topic: GSA OASIS+ Phase II continuous submission opening.
* Why It Didn’t Make the Cut: While critical for vendor pipelines, it lacks the immediate “remediate now” or “comment now” urgency of the CISA and NIST updates.
* Why It Caught Our Eye: It fundamentally changes the rhythm of engagement for one of the government’s largest professional services vehicles.
Quick Disclaimer and Sources Note: The author used AI in part to create this newscast. Our goal is to be transparent and show you how we sourced the info we used. This newscast was developed using only public sources of information. The Exchange Daily is a production of Metora Solutions. For more information about how to participate in this daily newscast, contact us at podcasts@metorasolutions.com. All original content, formatting, and presentation are copyright 2026 Metora Solutions LLC, all rights reserved. For more information about our work and other projects, drop us a note at info@metorasolutions.com.