AI Policy

Dreadnode Response to the 2025 Regulatory Reform for Artificial Intelligence

October 30, 2025
Daria Bahrami

The Office of Science and Technology Policy (OSTP) recently opened a Request for Information (RFI) on regulatory reform for artificial intelligence—geared towards removing hindrances to strategic AI adoption across federal systems. As part of our response to the RFI, we've focused on manual processes and traditional cyber capabilities that have not kept pace with the AI-enabled threat landscape. Federal policies must fill these gaps, urgently. 

View the complete 15-page response to the RFI.

Dreadnode has intensively studied the effects of automated capabilities in network operations, web application penetration, vulnerability exploitation, and threat intelligence. Our research has highlighted a number of advancements, such as the potential for C2-less malware that lives off the land by running inference on a victim’s computer with embedded large language model (LLM) capabilities. Further, through evaluations of Claude, Gemini, Llama, and DeepSeek, Dreadnode has demonstrated the potential of LLM-powered adversarial operations and offensive cyber agents.

In the last three months alone, the cyber industry has seen notable demonstrations of polymorphic or self-replicating malware and automated vulnerability exploitation. PromptLock emerged as the first AI-powered ransomware, HexStrike’s pentesting framework was weaponized to exploit zero-day vulnerabilities in minutes, and the Shai-Hulud attack deployed a self-propagating worm that targeted supply chain software. 

The cyber threat landscape is evolving rapidly, and outdated, costly policy frameworks put U.S. critical infrastructure and national security at risk. Still, the federal government has already proven that machine-readable compliance works at scale. FedRAMP 20x reduced authorization timelines from over 12 months to approximately five weeks, authorizing 26 cloud services in its Phase One pilot—more than the rescinded FedRAMP Joint Authorization Board processed in the previous four years combined. In the six months following its March 2025 launch, FedRAMP 20x authorized over 114 cloud services, more than double the entire previous fiscal year.

The technology barrier has been eliminated. What remains is scaling this model across all federal cybersecurity frameworks. To that end, we’ve identified the following challenges in, and accompanying recommendations for, the AI-enabled cyber domain.

The Paperwork Bottleneck: From Static SSP to Dynamic Code

  • Problem (Structural Incompatibility): Today, FISMA/CMMC forces contractors to create static SSPs and POA&Ms. These documents are outdated the moment they are printed, making them incompatible with continuous cloud environments. For small and medium-sized businesses in the Defense Industrial Base, achieving CMMC Level 2 compliance costs between $63,000 and $300,000 in the first year—costs driven largely by manual documentation creation and point-in-time audits. The necessary technology exists: NIST Special Publication 800-53 Revision 5.2.0 is already published in OSCAL format. 
  • Solution: OSTP must implement the transition to PaC for all mission-critical systems. This automation allows AI tools to auto-generate and continuously validate compliance, replacing manual documentation with real-time digital artifacts. This shift must also be rewarded with regulatory relief, such as streamlined cATO maintenance and simplified CMMC Level 2 audit pathways.

The 72-Hour Crisis: Automation to End Duplication

  • Problem (Regulatory Mismatch): The 72-hour reporting mandate is structurally flawed. DFARS 252.204-7012 (DOW) and CIRCIA (CISA) create parallel, duplicative reporting requirements during an active incident, forcing personnel to manage paperwork instead of remediation. For small businesses lacking dedicated compliance staff, this dual reporting requirement represents hours of manual work during the worst possible time—active cyber incidents. Furthermore, manual coordination for high-impact incidents, like a Title 32 National Guard activation, is simply too slow.
  • Solution: We must accelerate AI-driven operational automation. AI agents and SOAR systems should be mandated to serve as a central, autonomous reporting layer, ingesting incident data once and simultaneously generating the distinct reports for both the DOW and CISA. This operational automation extends to Title 32 coordination, where AI identifies and matches needed cyber units in minutes, eliminating a critical bottleneck to national cyber response.

The Innovation Tax: Securing the Supply Chain and Funding the Future

  • Problem (Lack of Clarity & Organizational Barriers): Procurement is stalled by organizational resistance and the lack of funding. The core tools—SBOM and SSDF—lack clear acquisition pathways and the necessary machine-readable verification. Small, agile AI companies, who are essential for innovation, cannot afford the steep compliance entry costs.
  • Solution:
    1. Clarify Procurement: Agencies must clarify acquisition pathways by developing guidance that mandates automated SBOM validation and continuous SSDF monitoring over manual attestation review. The workforce must be trained to evaluate these continuous, automated systems.
    2. Fund the Carrot: To solve the budget constraint, the DOW must provide financial assistance for small and medium-sized businesses to acquire the commercial tools needed to produce these machine-readable artifacts. This ensures the market is driven by innovation, not just financial size.

The United States cannot achieve AI dominance in cybersecurity while constraining defensive capabilities with pre-AI compliance frameworks. The regulatory infrastructure must evolve to enable—not hinder—the deployment of AI agents capable of autonomous threat detection, incident response, vulnerability remediation, and continuous compliance validation. FedRAMP 20x demonstrates this transformation is achievable at scale. The question is whether policymakers will mandate the adoption of strategic automations before adversaries fully exploit the growing capability gap.

Read our complete 15-page response to OSTP for detailed regulatory citations, specific statutory authorities, and implementation pathways. Dreadnode stands ready to support federal partners in operationalizing these recommendations and welcomes further discussion on AI-enabled defensive capabilities. 

For questions, comments, or feedback, reach out to daria@dreadnode.io.

Author’s Note

In the absence of Clippy, we’d be remiss if we didn’t break down the aforementioned acronyms for context and understanding. Many of these terms are listed in the blog synopsis of this RFI, but I've included all terms referenced in the full 15-page response for additional context.

Federal Oversight and Policy

  • The Office of Science and Technology Policy (OSTP) is part of the Executive Office of the President. 
  • Requests for Information (RFIs) in the Federal Register seek input, data, or feedback on a specific topic, policy, or potential project, on behalf of the U.S. government. RFIs are open to the public.
  • The Cybersecurity and Infrastructure Security Agency (CISA) operates under the Department of Homeland Security as the National Coordinator for Critical Infrastructure Security and Resilience.
  • On September 5, 2025, the President of the United States authorized the use of "Department of War" (DOW) as a secondary title for the Department of Defense (DOD) in official correspondence and public communications within the executive branch.

Federal Compliance Frameworks

  • The Federal Information Security Modernization Act (FISMA) is a NIST-based framework codified into federal legislation under 44 U.S.C. § 3551 et seq. It is designed to protect federal data and applies to all federal information systems. 
    • System Security Plans (SSPs) provide a high-level overview of an organization's security posture, including policies, procedures, and technical controls. SSPs are derived from FISMA and are similarly required for CMMC Level 2.
    • Plan of Action and Milestones (POA&Ms) track the remediation of specific security weaknesses or unmet controls. POA&Ms are derived from FISMA and are similarly required for CMMC Levels 2 and 3.
    • Authority to Operate (ATO) is an accredited authorization to use, buy, or build software for the government, derived from FISMA.
      • Continuous ATO (cATO) is a process of ongoing authorization tailored for continuous software delivery, also derived from FISMA.
  • The Federal Risk and Authorization Management Program (FedRAMP) is also a NIST-based framework codified into federal legislation under 44 U.S.C. § 3601 et seq. It is designed to standardize security authorizations for cloud services to comply with FISMA. To that end, FedRAMP applies exclusively to cloud service providers (CSPs). 
    • FedRAMP 20x is a pilot initiative by the U.S. government to modernize the Federal Risk and Authorization Management Program for cloud services through machine-readable compliance frameworks and strategic automations.
  • The NIST Risk Management Framework (RMF) contains six steps (Categorize, Select, Implement, Assess, Authorize, Monitor) upon which FISMA and FedRAMP heavily rely to guide their highly document-intensive, procedural frameworks. 
    • The latest update to NIST RMF (NIST SP 800-37 Revision 2) adds a seventh step, Prepare, ahead of the original six: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor.

Defense Industrial Base Compliance Frameworks

Incident Reporting Requirements

  • The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is a 2022 U.S. law that requires critical infrastructure organizations to report significant cyber incidents and ransomware payments to CISA. CISA is expected to publish a final rule implementing CIRCIA in May 2026, after finding ways to deconflict CIRCIA with other cyber regulations, such as DFARS 252.204-7012.
  • Title 32 of the U.S. Code outlines the role of the United States National Guard. Guard members in Title 32 status fall under the command and control of their state or territory governor, but their duty is federally funded and regulated. 

Supply Chain Security

  • A Software Bill of Materials (SBOM) is a nested inventory, a list of ingredients that make up software components. It was mandated by E.O. 14028 and applies to all federal agencies and contractors.
  • The Secure Software Development Framework (SSDF) is a NIST-curated set of fundamental, sound, and secure software development practices based on established secure software development practice documents. Like SBOM, SSDF was mandated by E.O. 14028 and applies to all federal agencies and contractors. Compliance is measured through attestation processes.

Automation Technologies and Methodologies
