All news in category "Regulation and Policy Brief"

Disney to Pay $10M Over YouTube Kids' Data Violations

⚖️ The FTC secured a $10 million settlement with Disney after finding the company mislabeled children’s content on YouTube, enabling collection of kids' personal data without parental notice or consent. The complaint says Disney applied channel-level tags that caused many videos to be marked as 'Not Made for Kids' instead of Made for Kids, circumventing COPPA protections. The settlement imposes a civil penalty, requires parental notice prior to data collection, and mandates a new program to ensure correct MFK labeling on future uploads.

International Partners Release Shared SBOM Vision Statement

🔒 CISA, the NSA, and 19 international partners published a joint guide outlining the benefits of adopting software bills of materials (SBOM) to increase software component and supply chain transparency. The guide advises software producers, purchasers, and operators to integrate SBOM generation, analysis, and sharing into security processes to better identify and mitigate component risks. It calls for international alignment of SBOM technical approaches to reduce complexity, improve interoperability, and advance secure-by-design software.

CISA, NSA and Partners Release SBOM Shared Vision Guidance

🔐 CISA, in partnership with the NSA and 19 international agencies, released joint guidance titled A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity. The guidance defines an SBOM as a formal record of software components and supply chain relationships and explains how SBOMs provide essential visibility into dependencies. It outlines benefits for producers, purchasers, operators, and national security organizations and urges adoption of aligned technical approaches, standardized metadata, and automation to improve vulnerability management and strengthen global software supply chain resilience.

BSI Urges Users to Assess Outage Risks in Digital Products

🔒 The German Federal Office for Information Security (BSI) recommends that consumers consider potential outage risks when selecting digital products and services. Users should evaluate how manufacturers handle security incidents, what happens to personal or family data, and whether vendors have a solid security reputation or trustworthy seals. The BSI also advises checking published information about incidents, remediation measures and contact options. Given the end of free Windows 10 updates from October 14, the agency urges timely upgrades or migration to alternatives such as macOS or Linux to help preserve confidentiality, integrity and availability.

U.S. Sanctions Network Supporting North Korean IT Workers

🔒 The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned two individuals and two companies tied to a North Korean IT worker network that embeds personnel in foreign firms using stolen or fabricated identities and "laptop farms" to disguise locations. Designations include Russian national Vitaliy Sergeyevich Andreyev and DPRK consular official Kim Ung Sun, plus Chinese front Shenyang Geumpungri Network Technology Co., Ltd and DPRK-linked Korea Sinjin Trading Corporation. Blockchain intelligence firm Chainalysis identified Andreyev’s Bitcoin wallet as a laundering conduit, tied to nearly $600,000 in conversions. The sanctions freeze U.S.-based assets, bar American persons from transacting with the designees, and signal heightened targeting of infrastructure and crypto facilitators who help the DPRK monetize overseas IT labor.

UK Signals Possible Reversal of iPhone Backdoor Mandate

🔍 The US Director of National Intelligence reports that the UK government is dropping a proposed mandate requiring a backdoor into the Apple iPhone, a development attributed in early accounts to reporting by Tulsi Gabbard. If accurate, the announcement would mark a significant retreat from proposals that would compel vendors to weaken device security. The decision is described as provisional and underscores continuing tensions between privacy advocates, technology vendors, and law enforcement over access to encrypted communications.

German Government to Propose Stronger Cyber Defense Bill

🛡️ The federal government plans to present a draft bill by year-end aimed at strengthening cyber defense across Germany. The proposal would expand cyber-defense powers for security agencies and deepen cooperation between civilian and military bodies, with joint exercises planned between the Interior Ministry and the Ministry of Defence. It also calls for the development of a Cyber-Dome, an automated system to detect and respond to online attacks, as Interior Minister Alexander Dobrindt warned of daily cyberattacks and rising hybrid threats.

CISA Launches Interactive Tool to Secure Software Buying

🛡️ CISA has released the Software Acquisition Guide: Supplier Response Web Tool to help IT leaders, procurement officers and software vendors strengthen cybersecurity across the acquisition lifecycle. The free, interactive platform digitizes CISA’s existing guidance into an adaptive format that highlights context-specific questions and generates exportable summaries for CISOs, CIOs and other decision-makers. Designed with secure-by-design and secure-by-default principles, the tool supports due diligence without requiring procurement professionals to be cybersecurity experts and aims to simplify risk-aware procurement decisions.

ENISA to Run €36m EU Cybersecurity Incident Reserve

🛡️ ENISA has been allocated €36m to operate the EU Cybersecurity Reserve, a virtual pool of pre‑vetted private incident response providers established under the EU Cyber Solidarity Act. The funding, delivered through the Digital Europe Programme over three years, will be used to procure responders and to evaluate and fulfil support requests from member states, CSIRTs or CERT‑EU. Unused pre‑committed services can be repurposed for prevention and preparedness. ENISA will also lead a European certification scheme for managed security services, initially focusing on incident response.

CISA Launches Web Tool for Secure Software Procurement

🛡️ CISA released the Software Acquisition Guide: Supplier Response Web Tool, a free, interactive resource to help IT and procurement professionals assess software assurance and supplier risk across the acquisition lifecycle. The Web Tool converts existing guidance into an adaptive, question-driven interface with exportable summaries for CISOs and CIOs. It emphasizes secure-by-design and secure-by-default practices to strengthen due diligence and procurement outcomes.

CIISec: Majority of Security Pros Back Stricter Rules

🔒 A new CIISec survey finds 69% of security professionals believe current cybersecurity laws are insufficient. The annual State of the Security Profession report, compiled from CIISec members and the wider community, highlights a regulatory focus driven by recent legislation such as DORA, NIS2 and the EU AI Act. Respondents assign breach responsibility mainly to boards (91%), and indicate increasing support for senior management sanctions. CIISec's CEO urges improved collaboration, regulation literacy and clearer risk communication.

CISA Seeks Update to SBOM Minimum Requirements Guidance

📝 CISA has issued a request for public comment on an updated guideline defining minimum elements for a software bill of materials (SBOM), intending to reflect advances in tooling and wider adoption since the 2021 NTIA document. The effort traces to President Biden’s EO 14028 and subsequent OMB guidance (M-22-18) requiring improved software supply chain security. Recent shifts in leadership and the OpenSSF’s announcement about the SBOM working group have reshaped the community landscape. Stakeholders may submit comments through October 3, 2025.

CISA Issues Draft SBOM Minimum Elements Guide for Comment

📣 CISA released a draft Minimum Elements for a Software Bill of Materials (SBOM) for public comment, updating the baseline to reflect advances in tooling and increased SBOM adoption since 2021. The guidance adds elements such as component hash, license, tool name, and generation context, and clarifies existing fields like SBOM author and software producer. Comments are open through October 3, 2025.

CISA Seeks Comment on Updated SBOM Minimum Elements

📝 CISA opened a public comment period on updated guidance for the Minimum Elements for a Software Bill of Materials (SBOM), with submissions accepted through October 3, 2025. The draft refines required data fields, strengthens automation and machine-readable support, and clarifies operational practices to help organizations produce scalable, interoperable, and comprehensive SBOMs. Stakeholders are encouraged to provide feedback via the Federal Register to inform a future final release.

UNWG Releases Video Series on P25 LMR Encryption Importance

🔐 The Joint SAFECOM–NCSWIC Project 25 (P25) User Needs Working Group (UNWG) has published a video series highlighting the importance of P25 land mobile radio (LMR) encryption for national security and first responder communications. The series explains three types of P25 protections — link layer authentication, link layer encryption, and voice traffic encryption — and why each matters. Another installment outlines UNWG’s role in preserving interoperability and encourages public safety stakeholder engagement.

Tackling the National Gap in Software Understanding

🔍 CISA, with partners including DARPA, OUSD R&E, and the NSA, is leading an interagency effort to close a national gap in software understanding that endangers critical infrastructure. A new Sandia National Laboratories report, The National Need for Software Understanding, describes the gap’s causes, risks, and options for remediation. CISA urges manufacturers to design software for independent analysis and invites experts and mission owners to engage on research priorities.

Black Hat USA 2025: Policy, Compliance and AI Limits

🛡️ At Black Hat USA 2025 a policy panel debated whether regulation, financial risk and AI can solve rising compliance burdens. Panelists said no single vendor or rule is a silver bullet; cybersecurity requires coordinated sharing between organisations and sustained human oversight. They warned that AI compliance tools should complement experts, not replace them, because errors could still carry regulatory and financial penalties. The panel also urged nationwide adoption of MFA as a baseline.

DHS Launches $100M+ Funding to Strengthen Cybersecurity

🔐 CISA and FEMA announced the availability of more than $100 million in grant funding to bolster state, local, and tribal cybersecurity capabilities. The FY2025 Notice of Funding Opportunity includes the State and Local Cybersecurity Grant Program (SLCGP) with $91.7 million and the Tribal Cybersecurity Grant Program (TCGP) with $12.1 million. Awards may support planning, exercises, hiring cybersecurity experts, network hardening, and improvements to services provided to citizens. Applicants should consult CISA application resources to prepare proposals.

Tech industry must resist weakening end-to-end encryption

🔐 The UK government's proposal to require access to end-to-end encrypted data—intended to combat terrorism and child sexual abuse—would effectively demand backdoors that major vendors refuse to build. Apple removed Advanced Data Protection for UK users after a non-public notice under the Investigatory Powers Act reportedly sought access, and WhatsApp has supported Apple's stance. The article argues such per-country mandates are technically unenforceable and easily circumvented, creating border chaos and disproportionate privacy harms. ESET recommends preserving strong encryption and using court-backed, oversightable access mechanisms rather than backdoors.

Google rolls out age assurance to protect U.S. youth

🛡️ Over the coming weeks Google will begin a limited U.S. rollout of age assurance, a system designed to distinguish users under 18 from adults and apply age-appropriate protections across its products. For accounts identified as minors Google will enable defaults such as YouTube Digital Wellbeing tools, disable Maps Timeline, turn off personalized advertising, and block adult-only apps on Google Play. The approach combines machine-learning age estimation based on existing account signals with optional age verification — including a government ID or a selfie — when users dispute their estimated age, and Google will notify users and provide options for adult verification.