The Cybersecurity Information Sharing Act of 2015 (CISA 2015), an important law used by governmental and private-sector entities to share "cyber threat indicators" and "defensive measures," has sunset. Although Congress was...more
The Cybersecurity & Infrastructure Security Agency (CISA) has delayed publication of its cyber incident reporting rule for critical infrastructure operators. According to an entry on the Office of Management and Budget's...more
9/18/2025
/ Critical Infrastructure Sectors ,
Cyber Incident Reporting ,
Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) ,
Cybersecurity ,
Department of Homeland Security (DHS) ,
Final Rules ,
Government Agencies ,
OMB ,
Proposed Rules ,
Regulatory Agenda ,
Regulatory Oversight ,
Regulatory Requirements ,
Reporting Requirements ,
Rulemaking Process
After more than six years of deliberations, significant revisions, and volumes of commentary from defense contractors, the Department of Defense (DoD) has finalized its Cybersecurity Maturity Model Certification (CMMC)...more
9/15/2025
/ Compliance ,
Corporate Counsel ,
Cybersecurity ,
Cybersecurity Maturity Model Certification (CMMC) ,
Defense Sector ,
Department of Defense (DOD) ,
DFARS ,
Federal Acquisition Regulations (FAR) ,
Popular ,
Regulatory Requirements ,
Subcontractors ,
Supply Chain
The U.S. Court of Appeals for the Sixth Circuit recently upheld data breach reporting requirements issued by the Federal Communications Commission (FCC or Commission) in 2023 (Data Breach Order) in its August 13, 2025 2-1...more
During his last few days in office, on January 16, 2025, President Biden issued Executive Order 14144, "Strengthening and Promoting Innovation in the Nation's Cybersecurity" (EO 14144). Building heavily on the May 2021...more
The National Security Agency (NSA), in coordination with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and cybersecurity agencies from Australia, New Zealand, and the...more
6/12/2025
/ Artificial Intelligence ,
Best Practices ,
Cybersecurity ,
Data Protection ,
Data Security ,
Government Agencies ,
Machine Learning ,
National Security ,
Popular ,
Risk Assessment ,
Risk Management
The U.S. Court of Appeals for the 5th Circuit held that the Federal Communications Commission (FCC or Commission) violated AT&T's Seventh Amendment right to a jury trial and right to adjudication by an Article III court when...more
5/19/2025
/ Administrative Proceedings ,
Appeals ,
Article III ,
Constitutional Challenges ,
FCC ,
Forfeiture ,
Judicial Authority ,
SCOTUS ,
SEC v Jarkesy ,
Seventh Amendment ,
Telecommunications
Major changes are coming again to the Federal Risk and Authorization Management Program ("FedRAMP"), the federal government's cybersecurity authorization program for cloud service providers ("CSPs")....more
4/21/2025
/ Automated Systems ,
Cloud Computing ,
Cybersecurity ,
Data Security ,
FedRAMP ,
Government Agencies ,
Information Technology ,
NIST ,
OMB ,
Regulatory Reform ,
Regulatory Requirements ,
Risk Management
The Department of Justice (DOJ) has issued guidance on its recently effective rule targeting foreign adversaries that "use commercial activities to access, exploit, and weaponize U.S. Government-related data and Americans'...more
4/16/2025
/ Biden Administration ,
Compliance ,
Data Security ,
Department of Justice (DOJ) ,
Enforcement Actions ,
Executive Orders ,
Final Rules ,
Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) ,
National Security ,
New Guidance ,
Regulatory Requirements ,
Trump Administration
In November 2023, the New York Department of Financial Services (NYDFS) issued its second amendment to its "Cybersecurity Requirements for Financial Services Companies (the Cybersecurity Regulation or Part 500). This was the...more
4/10/2025
/ Chief Information Security Officer (CISO) ,
Compliance ,
Covered Entities ,
Cybersecurity ,
Filing Deadlines ,
Financial Services Industry ,
New Regulations ,
NYDFS ,
Regulatory Requirements ,
Reporting Requirements ,
Risk Management ,
Vulnerability Assessments
Lawmakers expressed bipartisan support for significantly amending or eliminating some cybersecurity incident notification requirements during a recent hearing of the U.S. House Committee on Homeland Security's Subcommittee on...more
The Payment Card Industry Security Standards Council (PCI SSC) has issued an FAQ for ecommerce merchants that outsource their payment card processing to a vendor using an embedded payment page or form (such as an "iframe")....more
In his final days in office, President Biden signed an ambitious executive order to improve the federal government's approach to cybersecurity. Executive Order 14114 ("Executive Order"), issued January 16, 2025, titled...more
2/5/2025
/ Biden Administration ,
Cloud Computing ,
Compliance ,
Cybersecurity ,
Data Security ,
Department of Justice (DOJ) ,
Enforcement ,
Executive Orders ,
Federal Acquisition Regulations (FAR) ,
Federal Contractors ,
FedRAMP ,
General Services Administration (GSA) ,
Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) ,
NIST ,
OMB ,
Software
The U.S. Department of Justice (DOJ) has issued a comprehensive final rule (the "Rule") targeting foreign access to sensitive U.S. data, including Americans' "bulk" sensitive personal data....more
The U.S. District Court for the Southern District of New York has dealt a significant blow to the cybersecurity enforcement efforts of the U.S. Securities and Exchange Commission (SEC or Commission). In its July 18, 2024,...more
7/25/2024
/ Audits ,
Chief Information Security Officer (CISO) ,
Cybersecurity ,
Internal Controls ,
NIST ,
Public Statements ,
Scienter ,
Securities and Exchange Commission (SEC) ,
Securities Fraud ,
Securities Violations ,
SolarWinds
On June 11, the Federal Communications Commission ("FCC") issued a Report and Order creating the Schools and Libraries Cybersecurity Pilot Program ("Pilot Program") to provide funding for K-12 schools, libraries, and...more
The U.S. Securities and Exchange Commission's (SEC) Division of Corporate Finance (Division) published a statement on May 21, 2024, regarding how public companies may disclose cyber incidents they determined to be immaterial....more
On May 15, the Securities and Exchange Commission adopted amendments to Regulation S-P, which covers broker-dealers, registered investment advisors (RIAs), and investment companies (funds). These entities are now required to...more
5/28/2024
/ Broker-Dealer ,
Customer Information ,
Cybersecurity ,
Data Breach ,
FACTA ,
Financial Institutions ,
Gramm-Leach-Blilely Act ,
Investment Adviser ,
Investment Companies ,
New Amendments ,
Personal Information ,
Regulation S-P ,
Reporting Requirements ,
Securities and Exchange Commission (SEC)
The U.S. Department of Commerce's ("Commerce") Bureau of Industry and Security ("BIS") has issued a proposed rule (the "Proposed Rule") that would impose significant diligence, reporting, and recordkeeping requirements on...more
2/15/2024
/ Artificial Intelligence ,
Bureau of Industry and Security (BIS) ,
Cloud Service Providers (CSPs) ,
Cybersecurity ,
IaaS ,
Know Your Customers ,
Machine Learning ,
Patent Infringement ,
Penalties ,
Proposed Rules ,
Reporting Requirements ,
Training ,
U.S. Commerce Department
The Commodity Futures Trading Commission ("CFTC" or "Commission") issued two proposed rules on December 18, 2023, both of which are now open for public comment. The first proposed rule would create an "Operational Resilience...more
As we discussed in our prior blog post, the Securities and Exchange Commission (SEC) recently finalized its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies (the "Rule")....more
12/15/2023
/ Cyber Incident Reporting ,
Cybersecurity ,
Department of Justice (DOJ) ,
Disclosure Requirements ,
FBI ,
Form 8-K ,
Infrastructure ,
New Guidance ,
Popular ,
Publicly-Traded Companies ,
Remediation ,
Securities and Exchange Commission (SEC)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (UK NCSC), along with partner agencies from 17 nations, have released Guidelines for Secure AI System Development (the...more
12/5/2023
/ Artificial Intelligence ,
Asset Protection ,
Biden Administration ,
Critical Infrastructure Sectors ,
Cyber Threats ,
Cybersecurity ,
Documentation ,
Executive Orders ,
Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) ,
Incident Response Plans ,
Infrastructure ,
Machine Learning ,
NCSC ,
NIST ,
Popular ,
Risk Management ,
Supply Chain
The Cybersecurity and Infrastructure Security Agency (CISA) has released a revised draft of its Secure Software Development Attestation Common Form ("Form"). The Form, once finalized, will obligate vendors providing software...more
12/1/2023
/ Automation Systems ,
Cybersecurity ,
Department of Justice (DOJ) ,
Executive Orders ,
False Claims Act (FCA) ,
Federal Acquisition Regulations (FAR) ,
General Services Administration (GSA) ,
Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) ,
NIST ,
Noncompliance ,
OMB ,
Risk Assessment ,
Software Developers ,
Supply Chain
The U.S. Securities and Exchange Commission ("SEC") has charged SolarWinds Corp. (SolarWinds) and the company's chief information security officer ("CISO") with securities fraud and violations of internal controls...more
11/20/2023
/ Anti-Fraud Provisions ,
Chief Information Security Officer (CISO) ,
Cybersecurity ,
Enforcement Actions ,
Governance Standards ,
Investors ,
Misleading Statements ,
Negligence ,
NIST ,
Publicly-Traded Companies ,
Risk Management ,
Sarbanes-Oxley ,
Securities Act of 1933 ,
Securities and Exchange Commission (SEC) ,
Securities Exchange Act of 1934 ,
SolarWinds ,
Vulnerability Assessments
The Federal Trade Commission (FTC or Commission) has amended its Standards for Safeguarding Customer Information, commonly known as the "Safeguards Rule," to require non-bank financial institutions to report certain data...more