Friday, March 6, 2026

CISA Adds Hikvision Vulnerability to KEV Catalog – 3-5-26

Yesterday CISA announced that it had added an improper authentication vulnerability in multiple Hikvision IP cameras to the CISA Known Exploited Vulnerabilities (KEV) catalog. Hikvision reported the vulnerability in March 2017. ICS-CERT published an advisory for the vulnerability in May 2017. In January 2025 Fortinet published a report of attempts to exploit the vulnerability. In September 2025 the SANS Internet Storm Center published a report about attempts to exploit the vulnerability.

CISA ordered federal agencies using the affected equipment to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” A deadline of March 26th, 2026 has been applied.

Interestingly, §889 of the 2019 National Defense Authorization Act (PL 115-232, 132 STAT. 1917) prohibited federal agencies from using ‘covered telecommunications equipment’ from Hikvision. So, this CISA directive may have very limited application within the federal government.

Thursday, March 5, 2026

CISA Adds Rockwell Vulnerability to KEV Catalog – 3-5-26

Today, CISA announced that it had added an insufficiently protected credentials vulnerability in multiple Rockwell Automation products to CISA’s Known Exploited Vulnerabilities Catalog. Rockwell previously disclosed the vulnerability in February 2021, and most recently updated that advisory in July 2022. Today, they updated their advisory to report the KEV designation. The vulnerability was originally reported to Rockwell by Claroty Team 82.

CISA has ordered federal agencies utilizing the affected product to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” A deadline of March 26th, 2026 has been provided.

Review – 1 Advisory and 2 Updates Published – 3-5-26

Today CISA’s NCCIC-ICS published one control system security advisory for products from Delta Electronics. They also updated advisories for products from Johnson Controls and Universal Boot Loader.

Advisories

Delta Advisory - This advisory describes an out-of-bounds write vulnerability in the Delta CNCSoft-G2 devices.

Updates

Johnson Controls Update - This update provides additional information on the PowerG advisory that was originally published on December 16th, 2025.

U-Boot Update - This update provides additional information on the U-Boot advisory that was originally published on December 9th, 2025.

For more information on these advisories, including a down-the-rabbit-hole look at outdated operating systems, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-and-2-updates-published-e73 - subscription required.

Short Takes – 3-5-26 - Federal Register Edition

Agency Information Collection Activities; Notice and Request for Comment; Incident Reporting for Automated Driving Systems (ADS) and Level 2 Advanced Driver Assistance Systems (ADAS). Federal Register NHTSA 60-day ICR extension notice. Summary: “This document describes NHTSA's information collection for incident reporting requirements for Automated Driving Systems (ADS) and Level 2 Advanced Driver Assistance Systems (ADAS). NHTSA previously requested and received a three-year approval of this information collection. NHTSA now requests OMB's approval for a three-year extension of this currently approved information collection with modifications. These modifications streamlined reporting requirements to reduce burdens compared to the prior version of this information collection and sharpening the focus on safety critical information.” Comments due May 4th, 2026.

National Industrial Security Program Policy Advisory Committee (NISPPAC); Meeting. Federal Register NARA meeting notice. Summary: “This meeting is open to the public in accordance with the Federal Advisory Committee Act (5 U.S.C. app 2) and implementing regulations at 41 CFR 102-3. The Committee will discuss National Industrial Security Program policy matters.” Meeting date March 18th, 2026.

Clean Water Act Hazardous Substance Facility Response Plans: Compliance Date Delay and Changes To Reflect Administration Policy. Federal Register EPA notice of proposed rulemaking. Summary: “The Environmental Protection Agency (EPA) is proposing to delay the compliance date for Facility Response Plan (FRP) requirements as well as to make language modifications to align with the Administration's climate change and environmental justice policies in Executive Order 14148 of January 20, 2025. These requirements are for onshore non-transportation-related facilities that could reasonably be expected to cause substantial harm to the environment from a CWA hazardous substance worst case discharge to navigable waters, adjoining shorelines, or the exclusive economic zone. This delay action is necessary to allow the Agency to consider implementation and compliance assistance tools that regulated parties may be able to take advantage of when complying with the new requirements. EPA notes that it cannot quantify the number, nature, and magnitude of covered discharges that may occur during the proposed rule delay period.” Comments due April 6th, 2026.

Paper Manifest Sunset Rule; Modification of the Hazardous Waste Manifest Regulations. Federal Register EPA notice of proposed rulemaking. Summary: “The U.S. Environmental Protection Agency (EPA) is proposing regulatory amendments to the hazardous waste manifest regulations to establish a date for sunsetting use of paper manifests in favor of electronic manifests. Phasing out paper manifests would unlock the estimated $28.5 million annual savings through decreased burden to manifest users while also increasing human health and environmental protection through better tracking of hazardous waste and greater transparency for regulators and the public. The proposed rule also introduces several conforming amendments to existing regulations. These include new registration requirements with the EPA's e-Manifest system for RCRA hazardous waste transporters, certain PCB waste generators, and PCB waste transporters. Additionally, the rule updates exception reporting requirements for very small quantity generators (VSQGs) managing hazardous waste from episodic events, as well as for healthcare facilities and reverse distributors handling hazardous waste pharmaceuticals. It also revises discrepancy reporting requirements for owners and operators of hazardous waste facilities operating under standardized permits. Lastly, the proposed rule includes four technical corrections to the import and export requirements to correct EPA's mailing address, remove obsolete text, and correct a citation associated with manifest corrections for export shipments.” Comments due May 4th, 2026.

Continuation of the National Emergency With Respect to Iran. Federal Register Presidential Document national emergency extension notice. Summary: “The actions and policies of the Government of Iran—including its proliferation and development of missiles and other asymmetric and conventional weapons capabilities, its network and campaign of regional aggression, its support for terrorist groups, and the malign activities of the Islamic Revolutionary Guard Corps and its surrogates—continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”

EPA Sends EO NESHAP Reconsideration NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from the EPA on “National Emission Standards for Hazardous Air Pollutants: Ethylene Oxide Emissions Standards for Sterilization Facilities Residual Risk and Technology Review, Reconsideration”.

According to the Spring 2025 Unified Agenda entry for this rulemaking:

“On April 5, 2024, the EPA published the risk and technology review (RTR) of the National Emission Standards for Hazardous Air Pollutants (NESHAP) for Commercial Ethylene Oxide (EtO) Sterilization Facilities (See 89 FR 73293). EPA announced on March 12, 2025 that this rule will be a prioritized rule for reconsideration. The EPA will be reconsidering this action in order to address several issues that are administration priorities and consistent with the direction of the Agency.”

Actually, the Ethylene Oxide NESHAP rule was published at 89 FR 24090. The above referenced Federal Register publication was a more generalized look at changing major source classification to area source. There was no mention of EO in that final rule.

As with the publication of the Biden Administration regulation, I do not expect to cover this rulemaking in any detail. I will, at least, be acknowledging publication in the appropriate Short Takes post.

Review – Bills Introduced – 3-4-26

Yesterday, with both the House and Senate in session, there were 62 bills introduced. Two of those bills would receive additional coverage in this blog:

HR 7784 To amend title 49, United States Code, to establish requirements regarding visual and automated track inspections, and for other purposes. Titus, Dina [Rep.-D-NV-1]

S 3987 A bill to amend title 49 to include certain requirements regarding visual track inspections, and for other purposes. Baldwin, Tammy [Sen.-D-WI]

Space Geek Legislation

I would like to mention one bill under my limited Space Geek coverage in this blog:

S 3979 A bill to provide expanded cooperation by the National Aeronautics and Space Administration and the National Oceanic and Atmospheric Administration with Taiwan, and for other purposes. Schmitt, Eric [Sen.-R-MO]

For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a mention in passing of a bill that includes an important law enforcement body camera provision, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-3-4-26 - subscription required.

Wednesday, March 4, 2026

CISA Adds VMware Vulnerability to KEV Catalog – 3-3-26

Yesterday CISA announced that it had added a command injection vulnerability in the VMware Aria Operations product to CISA’s Known Exploited Vulnerabilities (KEV) catalog. The vulnerability had been previously disclosed by Broadcom. Broadcom updated that advisory yesterday, noting that: “Broadcom is aware of reports of potential exploitation of CVE-2026-22719 in the wild, but we cannot independently confirm their validity.”

CISA has directed federal agencies using the affected product to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” A deadline of March 24th, 2026 has been established to accomplish those actions.