Full steam ahead: the federal government’s focus on cybersecurity regulation and enforcement

https://www.reuters.com/legal/legalindustry/full-steam-ahead-federal-governments-focus-cybersecurity-regulation-enforcement–pracin-2026-05-20/

Publish Date: 2026-05-20 15:06:00

Source Domain: www.reuters.com

May 20, 2026 – The White House recently released its National Cyber Strategy and accompanied it with the Executive Order, “Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens” (Executive Order). The National Cyber Strategy outlines the Administration’s priorities for combating cybercrime and modernizing critical infrastructure. It is the most high-profile cybersecurity action from this Administration, which has been extremely active across federal agencies on both the regulatory and enforcement fronts.

This article provides an overview of the White House’s National Cyber Strategy, a review of other recent cybersecurity activities by federal agencies, and a preview of the federal government’s likely future cybersecurity activity, including the Cybersecurity and Infrastructure Security Agency’s (CISA) Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rulemaking.

The White House’s National Cyber Strategy

On March 6, 2026, the White House released its National Cyber Strategy (Strategy). The Strategy broadly signals that there will be greater coordination across the federal government and calls for increased coordination with the private sector.

The Strategy focuses on six pillars:

(1) Shaping adversary behavior, including by “creating incentives” for the private sector to identify and disrupt adversary networks;

(2) Promoting common sense regulation and streamlining data and cybersecurity regulations;

(3) Modernizing and securing federal government networks, with a focus on implementing cybersecurity best practices, post-quantum cryptography, zero-trust architecture, and cloud transition;

(4) Securing critical infrastructure, including defense critical infrastructure and adjacent vendors, private companies, networks, and services — such as the energy grid, financial and telecommunication systems, data centers, water utilities, and hospitals — and securing information and operational technology supply chains;

(5) Sustaining superiority in critical and emerging technologies by focusing on protecting users’ privacy from design to deployment, including supporting the security of cryptocurrencies and blockchain technologies; and

(6) Building American cybersecurity talent and capacity.

The Strategy is intended to articulate the Administration’s high-level vision and direction, while deferring new requirements, regulations, and operational activities to agency actions and other implementation measures.

The administration’s focus on cybersecurity

While the Strategy positions the Administration for future action on cyber issues, since 2025 federal agencies have been highly active in building cybersecurity resilience and mitigating threats. Many agencies have proposed or enacted new cybersecurity regulations (including regulations proposed under the prior administration) and have engaged in substantial enforcement activity.

Some of the key federal cybersecurity enforcement actions from federal agencies under this Administration so far include:

• The Department of Justice’s Civil Cyber-Fraud Initiative. Since the inception of the Department of Justice’s (DOJ) Civil Cyber-Fraud Initiative (“Initiative”), the DOJ has publicly announced 15 settlements against defense contractors for failing to implement the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (Revision 2) controls. As Federal News Network previously covered, the Initiative’s enforcement substantially increased in 2025, with the DOJ announcing that it recovered $52 million across nine cybersecurity fraud settlements in 2025. On December 10, 2025, the Initiative also announced its first criminal indictment, which alleges that a defense contractor’s senior manager defrauded the United States by obstructing federal auditors and falsely representing that the contractor’s cloud platform had implemented required security controls. The defendant pleaded not guilty.

• Health and Human Services’ cyber enforcement. Healthcare data breach enforcement by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has shown no signs of slowing down under this Administration. In 2025 alone, HHS OCR announced, according to The HIPAA Journal, 21 settlements — almost matching its record 22 settlements in 2022. Many of these settlements stem from HHS OCR’s 2024 Risk Analysis Initiative, which focused on covered entities’ compliance with the HIPAA Security Rule’s risk analysis provision. Thus far in 2026, HHS OCR has already announced two settlements and, on April 9, 2026, announced (https://bit.ly/3PhO53k) that it was expanding the scope of its Risk Analysis Initiative to also focus on the HIPAA Security Rule’s risk management implementation specifications.

Some of the key federal cybersecurity regulatory and rulemaking developments from federal agencies under this Administration so far include:

• The Defense Department’s cybersecurity rules. On November 10, 2025, the U.S. Department of Defense’s (DoD) final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) took effect, which incorporated the Cybersecurity Maturity Model Certification (CMMC) program. Boiled down, this rule requires that by November 2028, to bid on defense contracts, defense contractors must obtain a certification from a third-party auditor certifying that they have fully implemented all 110 controls of NIST SP 800-171, Revision 2.

• The General Services Administration’s new framework. In a move that echoes the Defense Department’s actions, on January 5, 2026, the General Services Administration (GSA) introduced a new — and immediately effective — cybersecurity compliance framework requiring GSA contractors to implement NIST SP 800-171 (Revision 3) controls (which are more strenuous than the Defense Department’s NIST SP 800-171 (Revision 2) requirements).

• The Food and Drug Administration’s continued focus on cybersecurity. On February 3, 2026, the Food and Drug Administration (FDA) released its updated cybersecurity guidance. The guidance provides industry with the FDA’s cybersecurity recommendations for designing devices that may have cybersecurity risks, and is the latest in the FDA’s efforts to address cybersecurity risks posed to the ever-increasing number of medical devices integrated with wireless, Internet- and network-connected capabilities.

• The Federal Communications Commission’s warnings and covered list. Although the Federal Communications Commission (FCC) withdrew its cybersecurity rulemaking, cybersecurity remains top of mind at the FCC, with the FCC recently releasing guidance for the communications industry to protect against ransomware attacks. The FCC has also, notably, taken a more targeted approach to protecting against potential cyber-attacks by relying on its “Covered List,” which it has used to effectively ban the sale of Chinese products that may potentially contain security vulnerabilities or pose risks to national security.

• The Federal Energy Regulatory Commission’s (FERC) focus on supply chain risk and cybersecurity requirements. On September 18, 2025, FERC adopted new rules to address supply chain risk to the electric grid, including risk related to certain network-connected equipment, and proposed to update standards to ensure the safe application of virtual and cloud-based technologies to critical energy infrastructure. In addition, efforts are underway to develop new federal standards to address increasing reliability risks in connection with data centers, which could include cybersecurity directives. Separately, the U.S. Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) announced on March 18, 2026, that it had published its first Five-Year Strategic Plan articulating actions it could take with industry to strengthen the energy sector’s protection against cyber threats.

Looking ahead

With the Strategy seemingly giving the green light to agencies to prioritize cybersecurity regulations and enforcement, it is likely that several agencies are poised to increase their activity on both fronts.

Rulemakings. The most notable cybersecurity rulemaking on the horizon is CISA’s CIRCIA rulemaking, which largely lay dormant until recently. First initiated on April 4, 2024, as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, the CIRCIA proposed rules would subject companies operating in any of the 16 critical infrastructure sectors to cyber incident and ransom payment reporting requirements. The 16 critical infrastructure sectors are chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government services and facilities, healthcare, information technology, nuclear ecosystem, transportation systems, and water and wastewater systems. After nearly two years of inactivity, on February 13, 2026, CISA announced that it would host a series of town halls related to the rulemaking; however, the town halls were delayed due to the government shutdown and have yet to be rescheduled as of this writing. Nevertheless, with the CIRCIA rulemaking set to impose cybersecurity requirements on almost every corner of the U.S. economy, and given the White House’s references to critical infrastructure in its National Cyber Strategy, the CIRCIA rulemaking appears poised to move forward this year.

Enforcement. Given the White House’s signaling, other agencies with cybersecurity-specific regulations are likely poised to ramp up their cybersecurity-related enforcement. While the DOJ and HHS have arguably been the most active federal agencies, several other agencies have previously enacted cybersecurity regulations that may be a source of enforcement in the near future. These include the Federal Trade Commission’s Health Breach Notification Rule, which requires entities not covered by HIPAA to report certain breaches of unsecured personal health information, as well as the Securities and Exchange Commission’s cybersecurity rules, which require public companies to report certain cybersecurity incidents and detail their risk management strategies.

Takeaways

Cybersecurity-related enforcement and rulemaking are a clear priority for the current Administration. For more highly regulated sectors, like the defense and healthcare industries, the federal government’s cybersecurity posture has moved beyond issuing regulations and is now heavily focused on enforcement. And as shown by the CIRCIA rulemaking, other industries may not be too far behind.

At a minimum, companies should ensure that they have up-to-date and usable incident response and disaster recovery policies in place. Companies, particularly those in critical sectors, should also consider evaluating the delta between their cyber practices and NIST SP 800-171, as it appears that the federal government is increasingly angling towards requiring those controls across sectors.

Tyler Bridegan, a partner at the firm, contributed to this article.

Opinions expressed are those of the author. They do not reflect the views of Reuters News, which, under the Trust Principles, is committed to integrity, independence, and freedom from bias. Westlaw Today is owned by Thomson Reuters and operates independently of Reuters News.

Jeffrey S. Whittle is a partner at Womble Bond Dickinson and the head of the firm’s global energy and natural resources industry sector. His transactional practice encompasses strategic complex technology mergers and acquisitions, joint ventures, and commercial and licensing arrangements across the energy and technology sectors, including intellectual property transactional matters. He is based in Houston and can be reached at [email protected].

M. Moore, partner at Womble Bond Dickinson, advises highly regulated industries with a focus on policy and legal challenges. She uses her experience in Congress to advise companies facing congressional inquiries as well as litigation into toxic tort matters. She is based in Washington, D.C., and can be reached at [email protected].

Marshall, of counsel at Womble Bond Dickinson, is an energy and regulatory attorney advising on complex legal, policy, and infrastructure matters. His practice builds on a career of senior leadership in state government and regional energy. He is based in Boston and can be reached at [email protected].