The Cybersecurity Information Sharing Act of 2015 (“CISA 2015”), which provides liability protections and other safeguards for sharing certain cybersecurity information with the U.S. federal government and private entities, was reauthorized as part of the funding bill enacted on February 3, 2026. CISA 2015’s information‑sharing provisions, which had been scheduled to sunset on January 30, 2026, will now remain in effect through September 30, 2026.Continue Reading Cybersecurity Information Sharing Act of 2015 Reauthorized Through September 2026
CISA Releases Cybersecurity Performance Goals 2.0 for Critical Infrastructure
On December 11, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released its Cybersecurity Performance Goals 2.0 (“CPG 2.0”), an update to its core set of recommended cybersecurity practices for critical infrastructure owners and operators, which we previously wrote about here. Established by the 2021 National Security Memorandum
Continue Reading CISA Releases Cybersecurity Performance Goals 2.0 for Critical InfrastructureCybersecurity Information Sharing Act of 2015 Reauthorized Through January 2026
The Cybersecurity Information Sharing Act of 2015 (“CISA 2015”), which provides protections for sharing cybersecurity threat information with the federal government and others, was reauthorized under the funding bill to reopen the federal government, which was enacted on November 12, 2025. The information sharing mechanisms and protections under CISA 2015, which had previously sunset on September 30, 2025, will now extend through January 30, 2026.Continue Reading Cybersecurity Information Sharing Act of 2015 Reauthorized Through January 2026
CISA Delays Cyber Incident Reporting Rule for Critical Infrastructure
The U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) plans to delay the publication of its much-anticipated cybersecurity incident reporting rule implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). According to an entry on the Spring 2025 Unified Agenda of Regulatory and Deregulatory Actions, released on September
Continue Reading CISA Delays Cyber Incident Reporting Rule for Critical InfrastructureCISA Publishes OT Asset Inventory Guidance for Critical Infrastructure
Last month, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), in partnership with the Federal Bureau of Investigation (“FBI”), National Security Agency, Environmental Protection Agency, and cybersecurity authorities in Australia, Canada, Germany, Netherlands, and New Zealand, published new cybersecurity guidance (the “Guidance”) related to operational technology (“OT”), i.e., systems and devices that interact with a physical environment that are commonly used in manufacturing, utilities, oil and gas production, transportation, and other industrial operations. The Guidance, which will be of interest to any organizations that have an OT environment, is intended to help critical infrastructure entities develop and implement an OT asset inventory and taxonomy to protect their critical assets and improve incident response preparedness. It comes in advance of upcoming cyber incident reporting requirements for critical infrastructure in the U.S. under the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”) and in the EU under the revised Network and Information Systems Directive (“NIS2 Directive”). The Guidance is the latest in a series of joint releases from CISA, FBI and other U.S. and international partners on various security-related topics largely intended for critical infrastructure, including AI data security, product security bad practices, quantum computing cyber threats, and secure software development.Continue Reading CISA Publishes OT Asset Inventory Guidance for Critical Infrastructure
Latest Cybersecurity False Claims Act Settlement with Diagnostics Provider Focuses on Sensitive Health Systems
In a recently announced settlement agreement with the U.S. Department of Justice (“DOJ”), Illumina, Inc. (“Illumina”) agreed to pay $9.8 million to resolve claims arising from alleged cybersecurity vulnerabilities in genomic sequencing systems that the company sold to federal agencies. The case is the latest in a series of False Claims Act (“FCA”) settlements under the current administration that evidence DOJ’s continued focus on cybersecurity obligations for government contractors, particularly those that maintain sensitive data and personal information on behalf of federal customers.Continue Reading Latest Cybersecurity False Claims Act Settlement with Diagnostics Provider Focuses on Sensitive Health Systems
FERC Finalizes New Internal Network Security Monitoring Requirements for Bulk Electric Systems
The U.S. Federal Energy Regulatory Commission (“FERC”) recently issued Order No. 907 (the “Order”), approving a new Critical Infrastructure Protection (“CIP”) Reliability Standard, CIP-015-1. The new standard will require covered entities that maintain certain bulk electric systems (“BES”) to implement Internal Network Security Monitoring (“INSM”) for network traffic within their “electronic security perimeter,” i.e., the logical border surrounding the network of interconnected devices that comprise a BES Cyber System. However, as discussed below, these requirements will not go into effect for approximately three years, and many covered entities will have an additional two years before they are required to comply.Continue Reading FERC Finalizes New Internal Network Security Monitoring Requirements for Bulk Electric Systems
New York State Department of Financial Services Issues Guidance on Cybersecurity, Sanctions, and Virtual Currency Following Escalation of Iran Conflict
On June 23, 2025, the New York State Department of Financial Services (“NY DFS”) issued guidance to NY DFS-regulated individuals and entities regarding the impact of “ongoing global conflicts” to the financial sector. The guidance follows a bulletin from the U.S. Department of Homeland Security about the “heightened threat environment” in the United States, which specifically references cyber attacks. The NY DFS guidance highlights three key areas of focus: cybersecurity, sanctions, and virtual currency, and may be helpful for organizations across industries globally:Continue Reading New York State Department of Financial Services Issues Guidance on Cybersecurity, Sanctions, and Virtual Currency Following Escalation of Iran Conflict
CISA Issues Notice of Proposed Rulemaking for Critical Infrastructure Cybersecurity Incident Reporting
On March 27, 2024, the U.S. Cybersecurity and Infrastructure Security Agency’s (“CISA”) Notice of Proposed Rulemaking (“Proposed Rule”) related to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) was released on the Federal Register website. The Proposed Rule, which will be formally published in the Federal Register on April 4, 2024, proposes draft regulations to implement the incident reporting requirements for critical infrastructure entities from CIRCIA, which President Biden signed into law in March 2022. CIRCIA established two cyber incident reporting requirements for covered critical infrastructure entities: a 24-hour requirement to report ransomware payments and a 72-hour requirement to report covered cyber incidents to CISA. While the overarching requirements and structure of the reporting process were established under the law, CIRCIA also directed CISA to issue the Proposed Rule within 24 months of the law’s enactment to provide further detail on the scope and implementation of these requirements. Under CIRCIA, the final rule must be published by September 2025.
The Proposed Rule addresses various elements of CIRCIA, which will be covered in a forthcoming Client Alert. This blog post focuses primarily on the proposed definitions of two pivotal terms that were left to further rulemaking under CIRCIA (Covered Entity and Covered Cyber Incident), which illustrate the broad scope of CIRCIA’s reporting requirements, as well as certain proposed exceptions to the reporting requirements. The Proposed Rule will be subject to a review and comment period for 60 days after publication in the Federal Register. Continue Reading CISA Issues Notice of Proposed Rulemaking for Critical Infrastructure Cybersecurity Incident Reporting
Department of Commerce Issues Proposed Rule to Regulate Infrastructure-as-a-Service Providers and Resellers
On January 29, 2024, the Department of Commerce (“Department”) published a proposed rule (“Proposed Rule”) to require providers and foreign resellers of U.S. Infrastructure-as-a-Service (“IaaS”) products to (i) verify the identity of their foreign customers and (ii) notify the Department when a foreign person transacts with that provider or reseller to train a large artificial intelligence (“AI”) model with potential capabilities that could be used in malicious cyber-enabled activity. The proposed rule also contemplates that the Department may impose special measures to be undertaken by U.S. IaaS providers to deter foreign malicious cyber actors’ use of U.S. IaaS products. The accompanying request for comments has a deadline of April 29, 2024.Continue Reading Department of Commerce Issues Proposed Rule to Regulate Infrastructure-as-a-Service Providers and Resellers