Thursday, May 21, 2026

CISA Announces KEV Nominations

This morning CISA announced that it had published its new Known Exploited Vulnerabilities nomination form. According to today’s announcement:

“The new form is a secure, web-based tool that will improve CISA’s ability to intake and analyze reported vulnerabilities and ensure we continue to help organizations effectively keep pace with threat activity. Vulnerabilities submitted for potential addition to the catalog must have a Common Vulnerabilities and Exposures (CVE) ID, evidence of exploitation, and clear mitigation guidance. Learn more about the criteria for KEV catalog submissions and CISA’s efforts to reduce KEV-related risk.”

According to the approved information collection request (ICR) supporting this reporting form, CISA expects as many as 2,725 annual submissions.

This should allow CISA to participate earlier in the exploit notification process. Instead of having to wait until they read about the exploits in the press, this will allow them to hear directly from owners, vendors, and researchers when exploits are identified.

Short Takes – 5-21-26 - Federal Register Edition

Area Maritime Security Advisory Committee (AMSC), Eastern Great Lakes, Northwestern Pennsylvania; Sub-Committee Vacancy. Federal Register CG notice. Summary: “The Coast Guard is accepting applications to fill one vacancy on the Area Maritime Security Committee, Eastern Great Lakes, Northwestern Pennsylvania Region Sub-Committee (Sub-Committee). The Area Maritime Security Committee assists the Captain of the Port as the Federal Maritime Security Coordinator (FMSC), Buffalo, in developing, reviewing, and updating the Area Maritime Security Plan for their area of responsibility.” 

Clearance of Renewed Approval of Information Collection: for the Information Collection Entitled, Website for Frequency Coordination Request. Federal Register FAA 30-day information collection request renewal – Summary: “The information collected is needed to perform the aeronautical studies, technical evaluations required, and to meet the specified requirements for the radio frequency engineering pursuant to the Federal Aviation Administration (FAA) Order 6050.32.B, Chapter 3, Section 302. This FAA Order outlines the U.S. National Organizations and the role of the National Telecommunications and Information Administration (NTIA) in assigning and coordinating the Aviation Assignment Group (AAG) radio spectrum used by the FAA to support aeronautical services. Hence, the FAA must “authorize” aeronautical frequencies of broadcast applications that impact the AAG bands.”

Ebola Notices  

Notice of Order Under Sections 362 and 365 of the Public Health Service Act Suspending Introduction of Certain Persons from Countries Where a Communicable Disease Exists. Federal Register CDC notice. 

Arrival Restrictions Applicable to Flights Carrying Persons Who Have Recently Traveled From or Were Otherwise Present Within the Democratic Republic of the Congo (DRC), Uganda, or South Sudan. CBP announcement. 

PFOA NPRMs  

Rescission of Regulatory Determinations and Removal of Related Provisions for Four PFAS Substances (PFHxS, PFNA, HFPO-DA (GenX), and the Mixture of These Three PFAS Plus PFBS). Federal Register EPA notice of proposed rulemaking. 

Extending the Compliance Deadline for the PFOA and PFOS Maximum Contaminant Levels. Federal Register EPA notice of proposed rulemaking. 

Review – Bills Introduced – 5-20-26

 Yesterday, with both the House and Senate in session, there were 89 bills introduced. One of those bills may receive additional coverage in this blog: 

S 4615 An original bill to authorize appropriations for fiscal year 2027 for intelligence and intelligence-related activities of the United States Government, the Intelligence Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes.  Cotton, Tom [Sen.-R-AR] 


For more information on these bills, including legislative history for similar bills, as well as a mention-in-passing of a bill that would provide biotech scale-up support, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-5-20-26-5a2 - subscription required.

Wednesday, May 20, 2026

Review – Bills Introduced – 5-19-26

Yesterday, with both the House and Senate in session, there were 74 bills introduced. Four of those bills may receive additional coverage in this blog: 

HR 8870 To authorize funding for Federal-aid highways, bridge construction and rehabilitation, highway safety programs, transit programs, and rail programs, and for other purposes. Graves, Sam [Rep.-R-MO-6]   

HR 8880 To require the Comptroller General to evaluate Federal cybersecurity assistance to small business concerns, and for other purposes. Simon, Lateefah [Rep.-D-CA-12]   

S 4564 A bill to amend title 46, United States Code, to require the Secretary of the department in which the Coast Guard is operating to assess cybersecurity risks of certain software and hardware used in certain maritime facilities, and for other purposes. Scott, Rick [Sen.-R-FL]   

S 4565 A bill to ensure the security and integrity of United States critical infrastructure by establishing an interagency task force and requiring a comprehensive report on the targeting of United States critical infrastructure by People's Republic of China state-sponsored cyber actors, and for other purposes. Scott, Rick [Sen.-R-FL]   


For more information on these bills, including legislative history for similar bills in the 118th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-5-20-26 - subscription required. 

Note: Corrected the date in the title to reflect the date of introduction. 5-21-26

Review - FAA UAS Facility NPRM – Critical Infrastructure Qualifications

The FAA recently published a notice of proposed rulemaking (NPRM) that would allow critical infrastructure facilities to apply to the agency for designation as an unmanned aircraft flight restrictions (UAFR) zone, in accordance with the requirements of § 2209 of the FAA Extension, Safety and Security Act of 2016 {PL 114-190 (130 STAT. 634)}. This post looks at the critical infrastructure requirements that a facility must meet to successfully apply for such a designation.

Earlier posts about this NPRM include: 

PHMSA Publishes UAS Facility Restriction NPRM, and 

FAA UAS Facility NPRM – UAFR Descriptions. 

The FAA was specifically tasked with establishing a process for critical infrastructure facilities to request UAFR designation. The problem faced by the FAA is that there are no current definitions of critical infrastructure that would help the FAA select the critical infrastructure facilities that would justify limiting access to the National Air Space. 

To deal with this problem, the FAA is proposing to establish specific criteria for each critical infrastructure sector to identify those facilities. Those criteria are outlined in Subpart C of the proposed Part 74. They include: 

• Chemical Sector (§ 74.81),

• Commercial Facilities Sector (§ 74.82), 

• Communications Sector (§ 74.83), 

• Critical Manufacturing Sector (§ 74.84), 

• Dams Sector (§ 74.85), 

• Defense Industrial Base Sector (§ 74.86), 

• Emergency Services Sector (§ 74.87), 

• Energy Sector (§ 74.88), 

• Financial Services Sector (§ 74.89), 

• Food and Agriculture Sector (§ 74.90), 

• Government Services and Facilities Sector (§ 74.91), 

• Healthcare and Public Health Sector (§ 74.92), 

• Information Technology Sector (§ 74.93), 

• Nuclear Reactors, Materials, and Waste Sector (§ 74.94), 

• Transportation Systems Sector (§ 74.95), 

• Water and Wastewater Systems Sector (§ 74.96) 

For more information on these sector criteria, including a detailed look at the chemical sector requirements, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/faa-uas-facility-nprm-critical-infrastructure - subscription required. 

 