Insights

The General Services Administration (GSA) is seeking public comment on a new GSA Regulation clause, 552.239-7001, Basic Safeguarding of Data within Large Language Model Artificial Intelligence Systems (LLMs), governing data safeguards and requirements prime contractors must comply with when providing or using LLMs under federal contracts. This updated clause (Revised Clause) reflects substantial revisions from an earlier version released in March 2026 (Original Clause) that faced substantial pushback from industry. Where the Original Clause cast a wide net — imposing obligations broadly across AI systems with little differentiation among supply-chain participants — the Revised Clause is more narrowly tailored. The Revised Clause:

On June 2, 2026, President Trump signed a highly anticipated artificial intelligence and cybersecurity Executive Order, “Promoting Advanced Artificial Intelligence Innovation and Security” (the EO), directing several national security and civilian agencies to ramp up scrutiny of cutting-edge AI models and bolster federal cybersecurity defenses against AI-enabled threats.

On May 1, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. National Security Agency (NSA), the Australian Cyber Security Centre, the UK National Cyber Security Centre, the Canadian Centre for Cyber Security, and the New Zealand National Cyber Security Centre, published joint guidance on the “Careful Adoption of Agentic AI Services” (Guidance).

On May 5, 2026, CISA announced CI Fortify — an initiative directing critical infrastructure owners and operators to prepare for geopolitical conflict in which OT networks are actively targeted while communications infrastructure is simultaneously degraded.

The recent $285 million theft from Drift Protocol serves as a high-stakes reminder that the human element remains one of the biggest cybersecurity gaps in any organization. This was not a “hack” in the traditional sense of breaking through a digital wallet. North Korean actors used sophisticated social engineering to exploit human trust ―  highlighting what looks like a “hacking” risk into valuable lessons learned for cybersecurity oversight.

On April 7, 2026, six federal agencies (FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command – Cyber National Mission Force) published a joint advisory warning that Iranian-affiliated threat actors are targeting internet-facing OT devices, particularly PLCs.  In some cases, the threat actors have caused operational disruptions and financial losses at U.S. critical infrastructure organizations by manipulating software files that contain configuration settings as well as showing false data on hardware and software dashboards and displays.

Organizations facing cyber incidents increasingly encounter follow-on civil litigation alleging failures to implement reasonable security measures. In response, a growing number of states — the most recent being Oklahoma this year — have enacted safe harbor laws designed to both protect consumers and reward organizations that take a proactive, documented, and structured approach to cyber threats.

On March 23, 2026, the Federal Communications Commission (FCC) updated its Covered List—a list of communications equipment and services deemed to pose an unacceptable risk to U.S. national security or the safety and security of U.S. persons—to include consumer-grade routers produced in a foreign country, absent an exemption granted by the U.S. Departments of War (DoW) or Homeland Security (DHS). This designation effectively prohibits the import of all consumer routers that are not produced in the United States.

In its latest attempt to establish a national AI regulatory standard and quash “cumbersome” state AI laws, the White House on Friday, March 20, 2026, released legislative recommendations for a National Policy Framework on Artificial Intelligence. 

On February 26, 2026, the Senate Health, Education, Labor, and Pensions (HELP) Committee voted 22-1 to advance the Health Care Cybersecurity and Resiliency Act of 2026. Sponsored by a bipartisan group — led by HELP Committee Chair Senator Bill Cassidy (R-LA); and Senators Mark Warner (D-VA), Maggie Hassan (D-NH), and John Cornyn (R-TX) — the bill represents perhaps the most significant federal legislative effort to overhaul health care cybersecurity since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, and would compel health care companies to make major investments in cybersecurity.

On March 6, 2026, the White House released its National Cyber Strategy (Strategy) and issued an accompanying Executive Order, “Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens” (EO). These documents outline the administration’s priorities for combating cybercrime and call for coordination across the federal government and the private sector to invest in new technologies, continue innovation, and prioritize the United States’ cyber capabilities. Key sectors of concern include energy, financial services, telecommunications, data centers, water, and health care. The Strategy and EO encourage increased public-private coordination, signal greater latitude for private sector offensive cyber operations, prioritize securing critical infrastructure, elevate cybercrime as a national security priority, outline a path for victim compensation, and promote streamlining cyber regulations.