Friday, May 8, 2026

Review – Bills Introduced – 5-7-26

Yesterday, with the House and Senate meeting in pro forma session, there were 70 bills introduced. Four of those bills may receive additional coverage in this blog:

HR 8697 To amend the Homeland Security Act of 2002 and titles 10 and 32, United States Code, to authorize the National Guard to protect certain facilities and assets from unmanned aircraft, and for other purposes. McCaul, Michael T. [Rep.-R-TX-10] 

HR 8701 To transfer to the Secretary of Transportation the functions of the Administrator of the Transportation Security Administration, and for other purposes. Moskowitz, Jared [Rep.-D-FL-23]  

HR 8702 To establish the United States Secret Service within the Executive Office of the President. Moskowitz, Jared [Rep.-D-FL-23]  

HR 8711 To require a strategy for the defense of data centers from external breaches from malefactors and the protection of the communities surrounding data centers, and for other purposes. Subramanyam, Suhas [Rep.-D-VA-10] 


For more information on these bills, including legislative history for similar bills in the 118th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-5-7-26 - subscription required. 

Thursday, May 7, 2026

Review – 1 Advisory and 4 Updates Published – 5-7-26

 Today CISA’s NCCIC-ICS published one control system security advisory for products from Maxhub. CISA also updated two control system security advisories for products from Schneider and Intrado. They also updated two medical device security advisories for products from Medtronic. 

Advisories  

MAXHUB Advisory - This advisory describes a use of broken or risky cryptographic algorithm vulnerability in the MAXHUB Pivot client application. 

Updates  

Intrado Update - This update provides additional information on the 911 Emergency Gateway advisory that was originally published on April 23rd, 2026. 

Schneider Update - This update provides additional information on the EcoStruxure Control Expert advisory that was originally published on November 26th, 2024.  

NOTE: I briefly mentioned the Schneider update upon which this update was based on April 19th, 2026. 

Medtronic Update #1 - This update provides additional information on the MyCareLink advisory that was originally published on July 24th, 2025. 

Medtronic Update #2 - This update provides additional information on the MyCareLink 24950 advisory that was originally published on August 7th, 2018. 


For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-and-4-updates-published-37a - subscription required. 

NHTSA Sends FMVSS Update for ADS NPRM to OMB

 Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from DOT’s National Highway Transportation Safety Administration (NHTSA) on “Modernization of Federal Motor Vehicle Safety Standard (FMVSS) No. 135 to Accommodate ADS-Equipped Vehicles”. FMVSS #135 deals with Light vehicle brake systems. This is part of NHTSA’s ongoing effort to update existing standards to reflect changing requirements for automated driving systems (ADS). 

This rulemaking was not included in the Spring 2025 Unified Agenda. 

Typically, FMVSS standards are outside the scope of this blog, but I will be watching this for any addition of cybersecurity requirements. Lacking such language, I would expect to note publication of the NPRM in the appropriate Short Takes post. 

CISA Adds Palo Alto Networks Vulnerability to KEV Catalog – 5-6-26

 Yesterday, CISA announced that it had added an out-of-bounds write vulnerability in the Palo Alto Networks PAN-OS product to their Known Exploited Vulnerabilities (KEV) catalog. Earlier yesterday, the vulnerability was disclosed by PAN. Fixes are planned for next week. PAN reports that customers with a Threat Prevention subscription can block attacks for this vulnerability. 

CISA has directed that federal agencies apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” In an untypical move, they added the following to the above boilerplate: 

“Until the vendor releases an official fix, the following workaround should be implemented:
- Restrict User-ID Authentication Portal access to only trusted zones.
- Disable User-ID Authentication Portal if not required.”

CISA has provided a 3-day deadline of May 9th, 2026, to accomplish the above actions.

Of Course It Was Not PHMSA

 I do not know how I got PHMSA, instead of FAA, in the title of yesterday’s post. If it makes any difference, I never once mentioned PHMSA in the post. It has since been corrected. 

Wednesday, May 6, 2026

Review - FAA Publishes UAS Facility Restriction NPRM

Today, DOT’s Federal Aviation Administration (FAA) published a notice of proposed rulemaking (NPRM) in the Federal Register (91 FR 24650-24704) on “Designation-Restrict the Operation of Unmanned Aircraft in Close Proximity to a Fixed Site Facility”. The rulemaking would implement section 2209 of the FAA Extension, Safety and Security Act of 2016 {PL 114-190 (130 STAT. 634)}. FAA proposes a new part 74 to implement this mandate and properly balance FAA's other statutory mandates.

More details about the provisions of this rule will be covered in future posts. 

Public Comments  

The FAA is soliciting public comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FAA-2026-4558). Comments should be received by July 6th, 2026. 


For more details about the provisions of this NPRM, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/phmsa-publishes-uas-facility-restriction - subscription required. 

 