Tuesday, June 2, 2026

Review - CISA Publishes ChemLock Initial 30-day ICR Notice

Today, CISA published a 30-day information collection request (ICR) notice in the Federal Register (91 FR 32993-32994) for a new ICR for their ChemLock program. The 60-day ICR notice was published on December 31st, 2024. The table below shows the burden estimate for this ICR. 

Request for Comments 

CISA is soliciting comments on this ICR notice. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov, Docket # CISA-2024-0034). Comments should be submitted by July 2nd, 2026. 

No comments were received on the 60-day ICR notice. 

Commentary 

The disruptions that CISA suffered in the first year of the new Administration certainly contributed to the delay in issuing today’s notice. I hope that its publication signals that there is a resurgence of interest in chemical facility security. Since the demise of the CFATS program, I have been advocating an increased emphasis on the ChemLock program as a method, and this would certainly be a necessary first step in that increase. 


For more details about the burden estimate for this ICR, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cisa-publishes-chemlock-initial-30 - subscription required.

FCC Sends Space Modernization Final Rule to OMB

 Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the FCC on “Space Modernization for the 21st Century (SB Docket No. 25.306)”. The notice of proposed rulemaking was published on December 5th, 2025. 

This rulemaking was not listed in the Spring 2025 Unified Agenda. The preamble to the NPRM noted that: 

“As we re-design the Commission's space licensing processes to increase speed, predictability, and flexibility we must do so in a way that guides our determination as to whether a license for space-based communications is in the public interest based on evaluation in these areas. We recognize that a process which efficiently and effectively reviews license applications for these factors will promote the wide availability of communications delivered by a thriving space economy employing new technologies. In addition, it is our intention that by simplifying and modernizing our space licensing procedures we will ensure that the use of part 5 experimental licenses will again be for the testing and development of truly novel space concepts.” 

I will not be covering this rule in any detail, but as part of my limited Space Geek coverage, I will report its publication in the appropriate Short Takes post. 

Monday, June 1, 2026

Review - Public ICS Disclosures – Week of 5-23-26 – Part 3

For Part 3 we have nine additional vendor disclosures from Hitachi Energy, TP-Link (4), Westermo (3), and Zyxel. We have bulk vendor updates from Palo Alto Networks (9). There are three additional vendor updates from D-Link, HPE, and Siemens. There is a researcher report for vulnerabilities in products from Fimer. Finally, we have an exploit for products from D-Link.

Advisories  

Hitachi Energy Advisory - Hitachi Energy published an advisory that discusses seven vulnerabilities (one with publicly available exploit) in their RTU500 product. 

TP-Link Advisory #1 - TP-Link published an advisory that describes a cross-site scripting vulnerability in their TL-SG108PE v5.6 switch. 

TP-Link Advisory #2 - TP-Link published an advisory that describes a cleartext transmission of sensitive information vulnerability in their Tapo L535E, P300 and D100C products. 

TP-Link Advisory #3 - TP-Link published an advisory that describes an authentication bypass using an alternate path or channel vulnerability in their Archer C64 product. 

TP-Link Advisory #4 - TP-Link published an advisory that describes an improper input validation vulnerability in their Archer BE450 and BE7200 products.

Westermo Advisory #1 - Westermo published an advisory that discusses an integer overflow vulnerability in their WeOS 5 devices. 

Westermo Advisory #2 - Westermo published an advisory that discusses an improper preservation of permissions vulnerability in their WeOS 5 devices. 

Westermo Advisory #3 - Westermo published an advisory that describes an insufficient session expiration vulnerability in their WeOS 5 devices.

Zyxel Advisory - Zyxel published an advisory that describes a missing authorization vulnerability in their GS1200v3 series switches. 

Updates  

Bulk Vendor Updates – Palo Alto Networks (9). 

D-Link Update - D-Link published an update for their DIR-X3260 advisory that was originally published on June 27th, 2023. 

HPE Update - HPE published an update for their ProLiant DL/ML/XD Alletra and Synergy Servers advisory that was originally published on December 12th, 2025, and most recently updated on February 10th, 2026.

Siemens Update - Siemens published an update for their KACO blueplanet Inverters advisory that was originally published on May 12th, 2026.

Researcher Reports  

Fimer Report - Saiflow published a report that describes an authentication bypass using an alternate path or channel vulnerability in the Fimer VSN700 Data Logger.

Exploit  

D-Link Exploit - Amir Hossein Jamshidi published an exploit for an administrative password vulnerability in the D-Link DSL2600U high-speed wireless router.


For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-afa - subscription required. 

Short Takes – 6-1-26 - Federal Register Edition

Security Zones; Vessels Carrying Dangerous Cargo, Corpus Christi and La Quinta Ship Channels, Corpus Christi, TX. Federal Register CG final rule. Summary: “The Coast Guard is establishing a security zone around vessels carrying Certain Dangerous Cargos (CDCs), for which the Captain of the Port, Corpus Christi deems enhanced security measures are necessary on a case-by-case basis. This security zone is needed to safeguard these vessels, the public, and the surrounding area from sabotage or other subversive acts, accidents, or other events of a similar nature. This rulemaking prohibits entry of vessels or person into this security zone during enforcement periods unless specifically authorized by the Captain of the Port, Corpus Christi or their designated representative.”

Medical Devices; Gastroenterology-Urology Devices; Classification of the Orally Ingested Transient Device for Constipation. Federal Register FDA final order. Summary: “The Food and Drug Administration (FDA) is classifying the orally ingested transient device for constipation into class II (special controls). The special controls that apply to the device type are identified in this order and will be part of the codified language for classification of the orally ingested transient device for constipation. We are taking this action because we have determined that classifying the device into class II will provide a reasonable assurance of safety and effectiveness of the device. We believe this action will also enhance patients' access to beneficial innovative devices, in part by reducing regulatory burdens.” 

See here for an insurance company perspective 

NOTE: I am sorry, but I just had to include this new medical device announcement. I mean, a swallowable vibrator to stimulate bowel movements, how could I not mention it? 

Agency Information Collection Activities: Office for Bombing Prevention-Technical Analysis. Federal Register, CISA new 30-day information collection request (ICR) notice. Summary: “The Office for Bombing Prevention (OBP) within Cybersecurity and Infrastructure Security Agency (CISA) will submit the following information collection request (ICR) to the Office of Management and Budget (OMB) for review and clearance in accordance with the Paperwork Reduction Act of 1995. CISA previously published this information collection request (ICR) in the Federal Register on July 11, 2025, for a 60-day public comment period. Zero comments were received by CISA. The purpose of this notice is to allow additional 30 days for public comments.”

Agency Information Collection Activities: State and Local Cybersecurity Grant Program (SLCGP) Evaluation. Federal Register CISA new 60-day ICR notice. Summary: “The Stakeholder Engagement Division (SED) Grant Analytics Branch within the Cybersecurity and Infrastructure Security Agency (CISA) submits the following Information Collection Request (ICR) to the Office of Management and Budget (OMB) for review and clearance in accordance with the Paperwork Reduction Act of 1995.” 

 