Starting this week, The Exchange Daily is adopting a new structure aligned with the PAVE (Policy Aware Validation and Estimation) framework. Each day from Monday through Saturday, we focus on one of the six PAVE pillars. Today’s Saturday edition centers on Pillar F: Security & Risk, examining recent guidance and NDAA provisions that are strengthening zero trust, supply chain security, and risk management across federal and defense systems.
NEW Multi-Agency Guidance on Securing Agentic AI Systems
A May 1, 2026 joint publication from CISA, NSA, and Five Eyes partners titled “Careful Adoption of Agentic AI Services” provides over 100 recommendations for organizations working with autonomous AI agents. The guidance highlights key risk categories including privilege risks, insecure design, unexpected agent behavior, and inherited LLM vulnerabilities such as prompt injection and adversarial manipulation. It calls for layered controls, continuous monitoring, and red teaming, especially in defense and critical infrastructure sectors.
Action for security teams: Review the guidance and begin incorporating agent-specific controls into risk assessments and deployment plans for any agentic AI initiatives.
Adapting Zero Trust Principles to Operational Technology
An April 29, 2026 joint guide from CISA, the Department of War, Department of Energy, FBI, and Department of State provides practical recommendations for applying zero trust to OT environments. Key focus areas include asset visibility, supply chain risk management, identity and access management, network segmentation, and secure communication protocols, all under an “assume breach” philosophy while protecting safety and reliability.
Recommended step: Assess current OT environments against the guide’s recommendations and prioritize gaps in visibility and access control.
NDAA Sections 850 and 851 Target High-Risk Supply Chains
Section 850 of the FY 2026 NDAA begins the phased prohibition on DoD acquisition of computers and printers from covered Chinese military-industrial entities, with a 10 percent compliance threshold required in fiscal year 2026. Section 851 prohibits contracting for biotechnology equipment or services from biotechnology companies of concern. These provisions require strengthened supply chain risk management and vendor screening processes.
Compliance note: Update vendor risk assessments and procurement policies to address the new prohibitions and prepare for increasing compliance thresholds in future years.
CMMC Implementation Enters Next Phase Preparation Window
CMMC Phase 1 (self-assessments) has been underway since November 10, 2025. Phase 2, beginning November 10, 2026, will expand the use of third-party assessments (C3PAOs) for contracts involving Controlled Unclassified Information. Contractors and program offices should use the coming months to prepare systems, documentation, and processes for increased third-party validation requirements.
Best practice: Conduct gap analyses against NIST SP 800-171 and begin remediation planning ahead of Phase 2.
Expedited Mechanisms Support Secure Supply Chain Diversification
Sections 832 and 833 of the FY 2026 NDAA establish Expedited Qualification Panels for critical readiness items and authorize Interim National Security Waivers to support supply chain illumination. These tools help programs reduce foreign dependencies and single points of failure while maintaining security standards.
Executive implication: Identify candidate components where these authorities can accelerate secure alternative sourcing.
PAVE alignment: These developments directly support Pillar F objectives of strengthening zero trust, supply chain risk management, and overall security posture under the FY 2026 NDAA framework.
Topics We’re Tracking (But Didn’t Make the Cut)
Specific metrics and milestones from the DoD Zero Trust Portfolio Management Office (ongoing implementation).
Detailed technical requirements and timelines for CMMC Level 3 assessments in higher-sensitivity programs (still being refined).
Sources
CISA/NSA/Five Eyes: “Careful Adoption of Agentic AI Services” (May 1, 2026) — NEW
CISA et al.: “Adapting Zero Trust Principles to Operational Technology” (April 29, 2026) — NEW
FY 2026 National Defense Authorization Act (P.L. 119-60), Sections 850 and 851 | Official text: https://www.congress.gov/
CMMC phased implementation updates and FAQs (2026) | https://dodcio.defense.gov/
DoD Directive-Type Memorandum 25-003 on Zero Trust (updated 2025–2026)
The Exchange Daily and Weekly deliver verified public-source intelligence for executive decision-makers. All information is from reputable, publicly available sources. Every effort is made to keep details accurate as of publication time, but readers should always confirm time-sensitive items such as policy changes, budget figures, and timelines with official documents and briefings. Always validate with primary sources before action.
The Exchange Daily and the Exchange Weekly do not constitute legal, investment, procurement, security, compliance, or technical advice. Content is for informational purposes only.
The Exchange Daily and Weekly are a production of Metora Solutions LLC, a HUBZone and Service Disabled Veteran Owned Small Business. All rights reserved. Copyright Metora Solutions LLC 2026.