Key point: Historically, civilian‑agency contractors who handled Controlled Unclassified Information (CUI) enjoyed an informal compliance environment, with a requirement to adhere to NIST SP 800‑171 often framed as self‑attestation. That world is now decisively over, with the GSA following a path similar, but not identical, to the DoD’s CMMC requirements.
CISA 2015: Congress Faces Fast-Approaching Deadline to Reauthorize a Critical Cybersecurity Law
Key point: With the Cybersecurity Information Sharing Act of 2015 (CISA 2015) scheduled to sunset on September 30, 2025, Congress will need to act quickly to renew the law and maintain, if not improve, the liability protections for industry when sharing cyber threat indicators and defensive measures.
The Coast Guard’s Maritime Cybersecurity Rule Takes Effect
Key point: The US Coast Guard’s new cybersecurity rule will transform the security standards and reporting requirements for vessels and marine facilities nationwide over the next three years.
On July 16, 2025, the US Coast Guard’s (USCG) final rule, Cybersecurity in the Marine Transportation System, codified at 33 C.F.R. § 101.600 et seq., went into effect. The final rule establishes cybersecurity requirements for the critical infrastructure owners and operators (CI/OO) of regulated entities (e.g., U.S.-flagged vessels, Outer Continental Shelf (OCS) facilities, and facilities regulated under the Maritime Transportation Security Act of 2002). See 90 Fed. Reg. 6298 (Jan. 17, 2025). These entities were already required to have a Vessel or Facility Security Plan (VSP/FSP) as defined by 33 C.F.R. §§ 104-106. Under the final rule, the CI/OO for these entities have incident reporting obligations, must develop Cybersecurity and Cyber Incident Response Plans, and designate a Cybersecurity Officer charged with implementing the plans. The regulation will be introduced in stages over the next three years, with certain provisions taking effect immediately.
NYDFS Issues Guidance to Mitigate AI Cybersecurity Risks
Keypoint: The New York Department of Financial Services (NYDFS) circulated an industry letter offering guidance to NYDFS “Covered Entities” for assessing and managing AI-related cybersecurity risks, including threats malicious actors using AI and the risks associated with a Covered Entity’s own AI systems.
The NYDFS industry letter (“Letter”) recognizes that Covered Entities can leverage AI to enhance their cybersecurity posture. The department contends that doing so would bolster entities’ compliance with NYDFS cybersecurity regulation 23 NYCRR Part 500 (“Part 500”).