Short Takes – 3-5-26 - Federal Register Edition

Agency Information Collection Activities; Notice and Request for Comment; Incident Reporting for Automated Driving Systems (ADS) and Level 2 Advanced Driver Assistance Systems (ADAS) . Federal Register NHTSA 60-day ICR extension notice. Summary: “This document describes NHTSA's information collection for incident reporting requirements for Automated Driving Systems (ADS) and Level 2 Advanced Driver Assistance Systems (ADAS). NHTSA previously requested and received a three-year approval of this information collection. NHTSA now requests OMB's approval for a three-year extension of this currently approved information collection with modifications. These modifications streamlined reporting requirements to reduce burdens compared to the prior version of this information collection and sharpening the focus on safety critical information.” Comments due May 4^th, 2026..

National Industrial Security Program Policy Advisory Committee (NISPPAC); Meeting. Federal Register NARA meeting notice. Summary: “This meeting is open to the public in accordance with the Federal Advisory Committee Act (5 U.S.C. app 2) and implementing regulations at 41 CFR 102-3. The Committee will discuss National Industrial Security Program policy matters.” Meeting date March 18^th, 2026.

Clean Water Act Hazardous Substance Facility Response Plans: Compliance Date Delay and Changes To Reflect Administration Policy. Federal Register EPA notice of proposed rulemaking. Summary: “The Environmental Protection Agency (EPA) is proposing to delay the compliance date for Facility Response Plan (FRP) requirements as well as to make language modifications to align with the Administration's climate change and environmental justice policies in Executive Order 14148 of January 20, 2025. These requirements are for onshore non-transportation-related facilities that could reasonably be expected to cause substantial harm to the environment from a CWA hazardous substance worst case discharge to navigable waters, adjoining shorelines, or the exclusive economic zone. This delay action is necessary to allow the Agency to consider implementation and compliance assistance tools that regulated parties may be able to take advantage of when complying with the new requirements. EPA notes that it cannot quantify the number, nature, and magnitude of covered discharges that may occur during the proposed rule delay period.” Comments due April 6^th, 2026.

Paper Manifest Sunset Rule; Modification of the Hazardous Waste Manifest Regulations. Federal Register EPA notice of proposed rulemaking. Summary: “The U.S. Environmental Protection Agency (EPA) is proposing regulatory amendments to the hazardous waste manifest regulations to establish a date for sunsetting use of paper manifests in favor of electronic manifests. Phasing out paper manifests would unlock the estimated $28.5 million annual savings through decreased burden to manifest users while also increasing human health and environmental protection through better tracking of hazardous waste and greater transparency for regulators and the public. The proposed rule also introduces several conforming amendments to existing regulations. These include new registration requirements with the EPA's e-Manifest system for RCRA hazardous waste transporters, certain PCB waste generators, and PCB waste transporters. Additionally, the rule updates exception reporting requirements for very small quantity generators (VSQGs) managing hazardous waste from episodic events, as well as for healthcare facilities and reverse distributors handling hazardous waste pharmaceuticals. It also revises discrepancy reporting requirements for owners and operators of hazardous waste facilities operating under standardized permits. Lastly, the proposed rule includes four technical corrections to the import and export requirements to correct EPA's mailing address, remove obsolete text, and correct a citation associated with manifest corrections for export shipments.” Comments due May 4^th, 2026.

Continuation of the National Emergency With Respect to Iran. Federal Register Presidential Document national emergency extension notice. Summary: “The actions and policies of the Government of Iran—including its proliferation and development of missiles and other asymmetric and conventional weapons capabilities, its network and campaign of regional aggression, its support for terrorist groups, and the malign activities of the Islamic Revolutionary Guard Corps and its surrogates—continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”

EPA Sends EO NESHAP Reconsideration NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from the EPA on “National Emission Standards for Hazardous Air Pollutants: Ethylene Oxide Emissions Standards for Sterilization Facilities Residual Risk and Technology Review, Reconsideration”.

According to the Spring 2025 Unified Agenda entry for this rulemaking:

“On April 5, 2024, the EPA published the risk and technology review (RTR) of the National Emission Standards for Hazardous Air Pollutants (NESHAP) for Commercial Ethylene Oxide (EtO) Sterilization Facilities (See 89 FR 73293). EPA announced on March 12, 2025 that this rule will be a prioritized rule for reconsideration. The EPA will be reconsidering this action in order to address several issues that are administration priorities and consistent with the direction of the Agency”

Actually, the Ethylene Oxide NESHAP rule was published at 89 FR 24090. The above referenced Federal Register publication was a more generalized look at changing major source classification to area source. There was no mention of EO in that final rule.

 

As with the publication of the Biden Administration regulation, I do not expect to cover this rulemaking in any detail. I will, at least, be acknowledging publication in the appropriate Short Takes post.

Review – Bills Introduced – 3-4-26

Yesterday, with both the House and Senate in session there were 62 bills introduced. Two of those bills would receive additional coverage in this blog:

HR 7784 To amend title 49, United States Code, to establish requirements regarding visual and automated track inspections, and for other purposes. Titus, Dina [Rep.-D-NV-1]

S 3987 A bill to amend title 49 to include certain requirements regarding visual track inspections, and for other purposes. Baldwin, Tammy [Sen.-D-WI]

Space Geek Legislation

I would like to mention one bill under my limited Space Geek coverage in this blog:

S 3979 A bill to provide expanded cooperation by the National Aeronautics and Space Administration and the National Oceanic and Atmospheric Administration with Taiwan, and for other purposes. Schmitt, Eric [Sen.-R-MO]

 

For more information on these bills, including legislative history for similar bills in the 118^th Congress, as well as a mention in passing of a bill that includes an important law enforcement body camera provision, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-3-4-26 - subscription required.

CISA Adds VMware Vulnerability to KEV Catalog – 3-3-26

Yesterday CISA announced that they had added a command injection vulnerability in the VMware Aria Operations product to the CISA’s Known Exploited Vulnerabilities (KEV) catalog. The vulnerability had been previously disclosed by Broadcom. Broadcom updated that advisory yesterday, noting that: “Broadcom is aware of reports of potential exploitation of CVE-2026-22719 in the wild, but we cannot independently confirm their validity.”

CISA has directed federal agencies using the affected product to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” A deadline of March 24^th, 2026 has been established to accomplish those actions.

CSB ‘Reiterates’ 2003 Recommendation Results

Yesterday the US Chemical Safety Board (CSB) updated their “Recent Recommendation Status Updates” page to reflect ‘changes’ to five recommendations made in their ‘Kaltech Industries Waste Mixing Explosion’ report from September 2003. The changes were made to ‘Reiterate’ the recommendations made to Kaltech Industries and DOL’s Occupational Safety and Health Administration (OSHA). Unlike with most recommendation updates made by the agency, CSB has not provided links to any updating document that would explain the reason for the change.

Interestingly, a portion of the recommendation identification number has been obliterated on all five of these updates by a ‘reiterated2.png’ graphic, the link for which returns a “Sorry, the page you requested was not found on our server.” message. The referenced Kaltech Industries recommendation (out of two originally made) almost certainly refers to 2002-02-I-NY-7 which was originally closed on January 28^th, 2008, as “Unacceptable Action/No Response Received”. The four referenced OSHA update all refer to one OSHA recommendation (out of two made), 2002-02-I-NY-8, which was originally closed on March 3^rd, 2009, as “Acceptable Action”.

OMB Approves DOE Sunset Provision NPRM

(In contravention of yesterday’s post which conflated the wrong OIRA announcement with this rulemaking.)

On Monday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) on “Zero-Based Regulating”. The NPRM was submitted to OIRA on May 21^st, 2025.

According to the Spring 2025 Unified Agenda entry for this rulemaking:

“The U.S. Department of Energy is considering initiating a proposed rule to amend the regulations that govern energy production to include a sunset provision in compliance with EO 14270 [link added], "Zero-Based Regulatory Budgeting To Unleash American Energy".”

Depending on which rules the proposed sunsetting provision apply, this rulemaking may or may not receive detailed coverage in this blog. At the very least I will note its publication in the appropriate Short Takes post.

Review – 8 Advisories and 1 Published – 3-3-26

Today CISA’s NCCIC-ICS published eight control system security advisories for products from Everon, ePower, Mobiliti, Labkotec, Portwell, Hitachi Energy (2), and Mitsubishi Electric. They also updated an advisory for products from Hitachi Energy.

Advisories

Everon Advisory - This advisory describes four vulnerabilities in the Everon OCPP Backends.

ePower Advisory - This advisory describes four vulnerabilities in the ePower epower.ie.

Mobiliti Advisory - This advisory describes four vulnerabilities in the Mobiliti e-mobi.hu.

NOTE: For these first three advisories, see my “DTRH EV Charging Vulnerabilities” section in last week’s CISA advisory blog post.

Labkotec Advisory - This advisory describes a missing authentication for critical function vulnerability in the Labkotec LID-3300IP wind turbine ice detector.

Portwell Advisory - This advisory describes an improper restriction of operations within the bounds of a memory buffer vulnerability in the Portwell Engineering Toolkits.

Hitachi Energy Advisory #1 - This advisory that describes four vulnerabilities (one with publicly available exploit) in their RTU500 series CMU Firmware.

NOTE: I briefly discussed these vulnerabilities on February 28^th, 2026.

Hitachi Energy Advisory #2 - This advisory describes two privilege defined with unsafe actions vulnerabilities in their Relion REB500 product.

NOTE: I briefly discussed these vulnerabilities on February 28^th, 2026.

Mitsubishi Advisory - This advisory describes three vulnerabilities in the Mitsubishi MELSEC iQ-F Series EtherNet/IP module and Ethernet module.

Updates

Hitachi Energy Update - This update provides additional information on the RTU500 Series advisory that was originally published on January 23^rd, 2025, and most recently updated on September 23^rd, 2025 (based on actual CISA release dates not the Hitachi dates republished in the Revision History).

NOTE: On Sunday I briefly discussed the Hitachi Energy update upon which this update is based.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/8-advisories-and-1-published-3-3 - subscription required.