Wednesday, June 24, 2026

HR 8880 Passed in House – Cybersecurity Assistance Report

 Yesterday, the House took up HR 8880, the Small Business Cybersecurity Assistance Evaluation Act of 2026, under the suspension of the rules process. After just 11 minutes of debate, the bill was passed by a voice vote. 

The bill would require the GAO to conduct a study of current Federal cybersecurity initiatives, programs, resources, tools, and services intended to assist owners of small business concerns. No new funding is authorized by this legislation. 

As this legislation moves to the Senate, it will almost certainly not be considered under regular order; the bill is not politically important enough for that time-consuming process. The lack of opposition in the House may mean that it could pass in the Senate under their unanimous consent process. A more likely possibility is that the language could be added to another, more politically important, bill, either in committee consideration or as part of the floor consideration process. 

Tuesday, June 23, 2026

CISA Adds Lantronix Vulnerability to KEV Catalog – 6-23-26

Today, CISA announced that they added a code injection vulnerability in the Lantronix EDS5000 Serial-to-Ethernet Converters to their Known Exploited Vulnerabilities (KEV) catalog. The vulnerability was previously disclosed by Lantronix. The vulnerability was originally reported by Forescout as part of their Bridge:Break report; that report included proof-of-concept code for the vulnerability. 

CISA has directed federal agencies using the Lantronix EDS5000 product to apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk guidance and CISA’s “Forensics Triage Requirements”. Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines. CISA established a compliance date of June 26th, 2026. 

Review – 7 Advisories and 3 Updates Published – 6-23-26

Today, CISA’s NCCIC-ICS published seven control system security advisories for products from Hubbell, B&R Industrial Automation, ABB, and Siemens (4). They also updated three advisories for products from Zero Motorcycles, Rockwell Automation, and Brightpick AI. 

Advisories  

Hubbell Advisory - This advisory describes a missing authentication for critical function vulnerability in the Hubbell Aclara Metrum Cellular Web Interface. 

B&R Advisory - This advisory discusses five vulnerabilities (three with publicly available exploits) in multiple Linux based B&R products. 

ABB Advisory - This advisory describes an authentication bypass by primary weakness vulnerability in the ABB Freelance Security Lock. 

Siemens Advisory #1 - This advisory discusses four vulnerabilities in the Siemens SINEC INS. 

Siemens Advisory #2 - This advisory discusses an out-of-bounds write vulnerability in Siemens products using OpenSSL. 

Siemens Advisory #3 - This advisory discusses an unrestricted upload of file with dangerous type vulnerability in the Siemens SIPROTEC 5 Using DIGSI5 Protocol. 

Siemens Advisory #4 - This advisory describes a cleartext storage in a file or on disk vulnerability in the Siemens WinCC Certificate Manager. 

Updates  

Zero Motorcycles Update - This update provides additional information on the firmware advisory that was originally published on March 21st, 2026. 

Rockwell Update - This update provides additional information on the Arena advisory that was originally published on December 10th, 2024, and most recently updated on February 3rd, 2026. 

Brightpick Update - This update provides additional information on the Internal Logic Control advisory that was originally published on November 13th, 2025. 


For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/7-advisories-and-3-updates-published-d4b - subscription required. 

HR 2344 Cosponsor Added – Water ISAC

Yesterday, Rep Figures (D,AL) was added as a cosponsor for HR 2344, the Water ISAC Threat Protection Act. Figures is a member of the House Transportation and Infrastructure Committee, to which this bill was assigned for consideration. This means that there may now be enough influence to see the bill considered by the Committee. 

The bill would require the EPA to carry out a program to support and encourage participation in the Water Information Sharing and Analysis Center (W-ISAC). The legislation would authorize $10 million for FY 2024 and FY 2025 to support this initiative. 

HR 8880 Introduced - Small Business Cybersecurity Assistance Report

Last month, Rep Simon (D,CA) introduced HR 8880, the Small Business Cybersecurity Assistance Evaluation Act of 2026. The bill would require the GAO to conduct a study of current Federal cybersecurity initiatives, programs, resources, tools, and services intended to assist owners of small business concerns. No new funding is authorized by this legislation. 

I can find no legislation in the 118th Congress that would appear to be similar to HR 8880. 

Moving Forward  

On May 20th, 2026, the House Small Business Committee held a business meeting where nine bills were considered, including HR 8880. By a vote of 23 to 0, the Committee adopted the bill as introduced. On June 3rd, 2026, the Committee Report on the bill was published. HR 8880 is currently scheduled to be considered by the House today under the suspension of the rules process. Strong, bipartisan support for the bill is expected. 


For more information on the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-8880-introduced-small-business - subscription required. 

 