< ciso brief />

All news in category “Regulation and Policy Brief”

361 articles · page 2 of 19

Guide to Accelerate Zero Trust for Operational Technology

🔐 CISA and U.S. government partners published Adapting Zero Trust Principles to Operational Technology, a practical guide for OT owners, operators, and Zero Trust practitioners. The guidance explains how to apply Zero Trust in OT environments while minimizing risk to mission-critical systems and accommodating legacy constraints and safety requirements. It highlights establishing zones and conduits, addressing supply chain risks, and implementing robust identity and access management to reduce exposure and strengthen resilience.

US Sanctions Target Leaders of Cambodian Crypto Scam

🔒 The US Treasury's Office of Foreign Assets Control (OFAC) has designated Senator Kok An and 28 other individuals and entities accused of running a Cambodian network that orchestrated large-scale cryptocurrency fraud. Authorities say scammers operated from compounds embedded in casinos and commercial buildings, using romance lures and fake investment platforms to steal digital assets. The sanctions freeze US-linked assets and bar transactions by US persons to disrupt the network's financial and operational infrastructure.

House GOP Privacy Bills Challenge Enterprise Data Practices

📜 The House Republican proposals — the SECURE Data Act and the GUARD Financial Data Act — would establish federal privacy standards that broadly preempt stronger state laws while limiting private lawsuits and centralizing enforcement with the FTC and state attorneys general. The bills emphasize data minimization, controller-processor obligations, a federal data broker registry, and new limits on automated profiling and teen data. Critics warn the measures could weaken existing protections, impose heavy operational burdens on CIOs and CISOs, and force vendors and legal teams to rework procurement, retention, and AI training practices.

DORA and Operational Resilience: Credential Controls

🔐 DORA's Article 9 makes credential management a binding financial risk control for EU financial entities, requiring least-privilege access, phishing-resistant FIDO2/WebAuthn authentication, and cryptographic key protection. The regulation extends to third-party providers and mandates controls whose operation can be evidenced to supervisors. Organisations must deploy vaulting, JIT access, and continuous monitoring to reduce dwell time and meet supervisory expectations.

Plankey Withdraws After Stalled CISA Nomination Fight

⚠️ Sean Plankey has withdrawn his nomination to lead CISA after a 13-month delay marked by bipartisan holds, unverified allegations, and reported Senate maneuvering. Plankey was first nominated last March, renominated in January, and faced objections from Sen. Rick Scott and Sen. Ron Wyden while working on Coast Guard issues. Conflicting reports — including a contested claim he was escorted out of Coast Guard headquarters — and questions about past financial ties surfaced but remain unresolved. Observers warn the leadership vacuum, amid staff and budget cuts at the agency, poses tangible national security risks; Plankey says he supports the administration’s next nominee.

UK NCSC Urges Businesses to Offer Passkeys by Default

🔐 The UK National Cyber Security Centre now recommends offering passkeys as the default authentication option for consumer accounts, saying passwords are "no longer resilient enough" for modern threats. The agency highlights that FIDO2-based passkeys rely on device-bound cryptographic keys and local verification (biometrics or PINs), making them resistant to phishing and credential reuse. Where passkeys are not yet supported it advises using password managers and strong multi-factor verification, and warns organisations to secure account recovery and fallback processes.

NCSC Endorses Passkeys as Default Consumer Login Option

🔐 The UK’s National Cyber Security Centre (NCSC) now recommends passkeys as the preferred sign-in method for consumers, advising passwords only when passkeys are unavailable. This follows a year of collaboration with the FIDO Alliance, observed improvements across the passkey ecosystem and successful NHS deployments. The NCSC also urges businesses to adopt passkeys as the default and to use single sign-on (SSO) where possible, with additional business guidance expected.

UK Commits £90m to Cybersecurity and Resilience Pledge

🔐 The UK government has pledged £90m to bolster national cyber resilience, announced at the NCSC's CYBERUK conference on 22 April, with a particular emphasis on supporting small and medium-sized enterprises. The funding will promote adoption of the Cyber Essentials standard, which recently passed a 10,000 quarterly certification milestone and saw around a 20% uplift in uptake. Ministers will also launch a Cyber Resilience Pledge this summer requiring signatories to make cyber security a board-level responsibility, join the NCSC Early Warning service and mandate Cyber Essentials across their supply chains.

UK's Ofcom Investigates Telegram and Teen Chat Sites

🕵️ Ofcom has opened an investigation under the UK's Online Safety Act after receiving evidence that Telegram is being used to share child sexual abuse material (CSAM). The regulator says its probe followed reports from the Canadian Centre for Child Protection and its own assessment. Ofcom is also examining teen chat services Teen Chat and Chat Avenue, and has separately scrutinised X over AI-generated nonconsensual explicit content. Where breaches are found, Ofcom can seek fines up to £18 million or 10% of qualifying worldwide revenue and, in serious cases, request court orders to disrupt or block services in the UK.

NCSC outlines coordinated NHS plan to boost cyber resilience

🔒 The NCSC has published a coordinated plan to improve NHS cyber resilience, focusing on piloting tools via ACD 2.0, securing the software supply chain, managing vulnerability disclosures, enhancing visibility and promoting services such as Early Warning, the Cyber Action Toolkit and Cyber Essentials. The agency is applying the Software Security Code of Practice in procurement and using data science to prioritise supplier risk while its Vulnerability Reporting Service continues to support GP surgeries, trusts and health boards. Additional measures include the NHS App adopting passkeys, attack surface management, deception-technology experiments, DNS analytics and Threat Hunting Workshops to develop playbooks and strengthen sector collaboration.

NIST will stop rating lower-priority vulnerabilities

🔍 NIST will stop providing severity scores and detailed enrichment for lower-priority CVEs beginning April 15, citing a surge in submissions that has overwhelmed its capacity. The National Vulnerability Database will continue to list all reported CVEs, but entries deemed low priority will keep only the severity assigned by the submitting CNA. NIST will only add detailed analysis for issues in CISA’s KEV, those affecting U.S. federal software, or critical software defined by EO 14028; organizations may request enrichment for low-priority entries via email to nvd@nist.gov.

White House Enables Federal Access to Anthropic's Mythos

🔒 The White House Office of Management and Budget is preparing protections to allow federal agencies to use a modified version of Anthropic's Claude Mythos model, according to an internal memo reported by Bloomberg. OMB CIO Gregory Barbaccia told Cabinet departments the agency is coordinating with model providers, industry partners, and the intelligence community to establish guardrails before potential release. The move comes while the Department of Defense's supply-chain risk designation against Anthropic remains in force, leaving the vendor barred from defense contracts.

NIST narrows CVE enrichment to high-priority cases

🔒 NIST will only enrich CVEs in its NVD that meet defined high-priority criteria, citing a 263% surge in submissions from 2020–2025 that overwhelmed its enrichment capacity. Effective April 15, 2026, NIST will prioritize CVEs in CISA's KEV catalog, those affecting software used by the federal government, and software designated critical under EO 14028. CVEs that do not meet those thresholds will remain listed but be marked "Not Scheduled"; stakeholders may request targeted enrichment via email.

Insurers Retreat from Covering AI-Generated Outputs

🛡️ Several major insurers are quietly limiting or excluding coverage for losses tied to AI-generated outputs across cybersecurity and errors-and-omissions policies. Carriers cite inability to trace model reasoning and nondeterministic outputs, prompting policy carve-outs, declinations for AI vendors, and premium increases for AI use. Underwriters are probing customers' AI governance and distinguishing governed deployments from experimental systems.

ENISA Seeks Top-Level Role in CVE Program Governance

🔐 ENISA is pursuing top-level root status in the CVE Program as it is being onboarded by the US Cybersecurity and Infrastructure Security Agency (CISA) to become a TL-Root CNA. Agency leaders told VulnCon26 attendees the move, targeted for 2026 or early 2027, would secure European representation on the CVE Program Board. ENISA plans to onboard EU national CERTs and CSIRTs as CNAs and is expanding its vulnerability team to support this role.

UK Cyber Security Council Adds Associate Professional Title

🔐 The UK Cyber Security Council has launched a new Associate Cyber Security Professional title, with applications open from 13 April to 17 May. The entry-level certification places holders on the UK Cyber Security Professional Register, requiring demonstration of competence across five key areas and a commitment to 75 hours of CPD over three years. Applicants can fast-track if they hold aligned qualifications, and the scheme aims to help early-career candidates prove their readiness to employers.

Federal Cyber Funding Shifts in Trump’s 2027 Budget

🔍 The Trump administration's proposed 2027 budget trims total civilian federal cybersecurity funding by about $227 million, falling from $12.455 billion in 2026 to $12.228 billion in 2027. The request directs the largest increases to the Department of Justice (+$312M) and State (+$174M) while cutting Department of Homeland Security cyber funding and imposing deep reductions at CISA and the NSF. Enterprises should reassess dependencies on federal cyber support, accelerate private-sector threat intelligence ties, and review compliance assumptions given reduced federal capacity.

CMMC 2.0 Compliance: Scaling Controls with AI and Automation

🔒 CMMC 2.0 requires federal contractors to demonstrate how they protect controlled unclassified information (CUI), shifting assessments from self-attestation to verified evidence. The standard prioritizes a risk-based, environment-specific approach that values documented, defensible safeguards rather than one-size-fits-all controls. That change elevates the need for clear data scoping, consistent administrative processes and reliable evidence capture. Automation and governed AI can streamline recurring reviews and produce verifiable artifacts, but only if organizations mature processes and explicitly document AI use and data flows.

Hong Kong Police Can Force Disclosure of Encryption Keys

🔐 On March 23, 2026, Hong Kong authorities amended enforcement of the National Security Law, allowing police to demand passwords or other assistance to access personal electronic devices, including phones, laptops, and hard drives. The U.S. Consulate General issued a security alert on March 26 warning that refusal to comply is now a criminal offense. Authorities may also seize and retain devices they allege are linked to national security offenses. The change applies even to travellers transiting the airport.

Shifting to Proactive Cyber: Disruption Over Passive Defense

🔒 The White House's new cyber strategy and recent moves by major tech firms mark a clear shift from reactive defense toward proactive cyber, emphasizing disruption of adversaries earlier in the attack chain. Industry leaders frame this as the legal, intelligence-driven use of takedowns, litigation, public exposure of tools, and product hardening to impose cost and friction on attackers. While large platform providers can act at scale, enterprises are urged to focus on fundamentals, share telemetry, and support coordinated disruption rather than conduct offensive operations themselves.