diff --git a/chart/templates/kyverno-policies/values.yaml b/chart/templates/kyverno-policies/values.yaml
index 614a3925d2881b9cdaffa849ebee86e4bbcafb15..09249b04374b82b947e796478edb554f01b2ed6c 100644
--- a/chart/templates/kyverno-policies/values.yaml
+++ b/chart/templates/kyverno-policies/values.yaml
@@ -13,6 +13,72 @@ waitforready:
   - name: private-registry
 
 policies:
+  add-default-capability-drop:
+    validationFailureAction: Enforce
+    exclude:
+      any:
+      {{- if .Values.neuvector.enabled }}
+      # Neuvector needs access to host to inspect network traffic
+      - resources:
+          namespaces:
+          - neuvector
+          names:
+          - neuvector-enforcer-pod*
+          - neuvector-cert-upgrader-job*
+          - neuvector-controller-pod*
+          - neuvector-scanner-pod*
+          - neuvector-prometheus-exporter-pod*
+      {{- end }}
+      {{- if .Values.addons.holocron.enabled }}
+      - resources:
+          namespaces:
+          - holocron
+          names:
+          - holocron-postgresql-0
+      {{- end }}
+      {{- if .Values.addons.velero.enabled }}
+      - resources:
+          namespaces:
+          - velero
+          names:
+          - velero-backup-restore-test*
+      {{- end }}
+      {{- if .Values.addons.gitlabRunner.enabled }}
+      - resources:
+          namespaces:
+          - gitlab-runner
+          names:
+          - runner*
+      {{- end }}
+      {{- if .Values.addons.gitlab.enabled }}
+      - resources:
+          namespaces:
+          - gitlab
+          names:
+          - webservice-test-runner*
+      {{- end }}
+      {{- if .Values.twistlock.enabled }}
+      - resources:
+          namespaces:
+          - twistlock
+          names:
+          - twistlock-defender-ds*
+          - volume-upgrade*
+      {{- end }}
+      {{- if .Values.addons.mimir.enabled }}
+      - resources:
+          namespaces:
+          - mimir
+          names:
+          - mimir-mimir-smoke-test*
+      {{- end }}
+      {{- if .Values.addons.vault.enabled }}
+      - resources:
+          namespaces:
+          - vault
+          names:
+          - vault-vault-job-init*
+      {{- end }}
 
   {{- if or .Values.twistlock.enabled .Values.neuvector.enabled }}
   disallow-host-namespaces:
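Review bot: Only the Neuvector entry explains why it is exempt from the capability drop; the holocron, velero, gitlab-runner, gitlab, twistlock, mimir and vault entries carry no rationale, so the next maintainer cannot tell which ones are transient helm-test/job pods and which are long-running workloads that genuinely need default capabilities. The `runner*` glob in the gitlab-runner namespace looks like it would cover every CI job pod the runner spawns, i.e. pods executing user-supplied jobs, so that one in particular deserves a comment such as `# GitLab CI job pods are created at runtime without a securityContext; exempted from the mutation, not from require-drop-all-capabilities` (or a narrower pattern if only the manager pod needs it). Each `resources:` entry also lacks `kinds:`, so unless the upstream policy's match already restricts kinds, the exclusion applies to any kind with a matching name in that namespace; adding `kinds: [Pod]` would make the intent explicit. Since exclusions are matched purely on namespace plus name glob, a note that these names are coupled to the chart versions of each addon would help keep them from silently drifting.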
diff --git a/chart/values.yaml b/chart/values.yaml
index fd25d50402768c72068830ea7fa5e382f7808c65..f13c37998b58ccb53a2d0c2041e4f978843d283c 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -647,11 +647,11 @@ kyvernoPolicies:
   git:
     repo: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies.git
     path: ./chart
-    tag: "3.3.4-bb.1"
+    tag: "3.3.4-bb.3"
   helmRepo:
     repoName: "registry1"
     chartName: "kyverno-policies"
-    tag: "3.3.4-bb.1"
+    tag: "3.3.4-bb.3"
 
   # -- Flux reconciliation overrides specifically for the Kyverno Package
   flux: {}
diff --git a/tests/test-values.yaml b/tests/test-values.yaml
index 0a5d3b2bdcd6452d3fcf13abaf042b22c9704464..a0c44edb059dd9e23561d1d449cc125590a2c1ae 100644
--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -503,6 +503,21 @@ kyvernoPolicies:
     # Parameters are copied from kyverno policies for test vectors
     # Exclusions are for allowing other helm tests to function
     policies:
+      add-default-capability-drop:
+        exclude:
+          any:
+          # Need to be able to test the `require-drop-all-capabilities` policy
+          # without this policy mutating the podspecs and adding the "missing" capability
+          - resources:
+              namespaces:
+              - default
+              names:
+              - require-drop-all-capabilities*
+          - resources:
+              namespaces:
+              - argocd
+              names:
+              - guestbook-ui-*
       clone-configs:
         parameters:
           clone:
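Review bot: The comment above the first exclusion explains the `require-drop-all-capabilities*` case, but the second entry excluding `guestbook-ui-*` in the argocd namespace has no stated reason, so it reads like an accidental leftover rather than a deliberate test accommodation. A one-line comment on that entry, e.g. `# guestbook-ui is the argocd helm-test sample app; keep its podspec unmutated so the argocd test assertions match`, would make the intent clear (the exact reason should be confirmed against the argocd test). Consider also adding `kinds: [Pod]` to both entries so the test exclusion is scoped the same way the chart's own exclusions are expected to be.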