Insights

On May 1, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. National Security Agency (NSA), the Australian Cyber Security Centre, the UK National Cyber Security Centre, the Canadian Centre for Cyber Security, and the New Zealand National Cyber Security Centre, published joint guidance on the “Careful Adoption of Agentic AI Services” (Guidance).

A recent Illinois appellate decision has narrowed a key protection that state and local government contractors have long been able to rely on under Illinois’ Biometric Information Privacy Act (BIPA). In Thomas v. Cornerstone Services, Inc., the Illinois Appellate Court held that BIPA’s government contractor exemption does not provide blanket immunity to contractors simply because they hold a contract or subcontract with a state agency or local unit of government. The ruling carries important compliance implications for contractors and subcontractors operating across both government and private-sector markets.

On March 19, 2026, President Donald Trump and Japanese Prime Minister Sanae Takaichi met at the White House and announced a series of initiatives to strengthen the U.S.-Japan alliance. Among the defense cooperation announcements, the White House fact sheet noted that “[t]he United States welcomed Japan’s commitment to develop a secure and sovereign cloud platform for government data to enhance bilateral information sharing, planning, and coordination.”[1] While it is a single sentence in a wide-ranging Summit document, the commitment represents a step in the growing architecture of allied sovereign cloud infrastructure. If this is operationalized, it will have important implications for defense, intelligence, and cloud services markets. This announcement follows the October 2025 Trump-Takaichi Summit in Tokyo, where the two governments agreed to launch a bilateral working group to deepen mutual understanding on cloud security technical standards and requirements—explicitly including U.S. experience with secure and sovereign cloud development—and to invite Japanese and American firms to participate.[2]

The Federal Risk and Authorization Management Program (FedRAMP) continues to advance its modernization agenda. On April 8, 2026, FedRAMP released RFC-0031, Updated Incident Communications Procedures for public comment. This RFC proposes replacing the current FedRAMP Incident Communications Procedures (ICP) with what FedRAMP calls “a clear set of reporting requirements … established using a modern rules-based format.” 

In its latest attempt to establish a national AI regulatory standard and quash “cumbersome” state AI laws, the White House on Friday, March 20, 2026, released legislative recommendations for a National Policy Framework on Artificial Intelligence. 

On March 6, 2026, the General Services Administration (GSA) issued a significant proposed contract clause, GSAR 552.239-7001, Basic Safeguarding of Artificial Intelligence Systems (“Clause”), for inclusion in GSA Schedule solicitations and contracts for AI capabilities.  The proposed clause would impose substantial new requirements related to AI sources, intellectual property rights, data use, change management, and performance standards.  The Clause would also take precedence over any other contract terms (including commercial licensing terms) related to AI, including a Seller’s terms of sale and service to which the Government had previously agreed.  GSA requests comments by March 20, 2026.

On March 6, 2026, the White House released its National Cyber Strategy (Strategy) and issued an accompanying Executive Order, “Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens” (EO). These documents outline the administration’s priorities for combating cybercrime and call for coordination across the federal government and the private sector to invest in new technologies, continue innovation, and prioritize the United States’ cyber capabilities. Key sectors of concern include energy, financial services, telecommunications, data centers, water, and health care. The Strategy and EO encourage increased public-private coordination, signal greater latitude for private sector offensive cyber operations, prioritize securing critical infrastructure, elevate cybercrime as a national security priority, outline a path for victim compensation, and promote streamlining cyber regulations.

On February 13, 2026, the U.S. Department of Homeland Security (DHS) announced upcoming virtual town hall meetings scheduled for March 2026 regarding the implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).  The meetings will allow industry stakeholders to provide input to DHS to refine the “scope and burden” of the forthcoming CIRCIA final rule.

On January 23, 2026, Office of Management and Budget (OMB) Director Russell T. Vought issued OMB Memorandum M-26-05 (Memo). The Memo rescinds prior OMB memoranda (M-22-18 and M-23-16) that required federal agencies to collect the Secure Software Development Attestation Form from entities selling software or products containing software to the U.S. government. The Trump administration previously retracted a Biden administration directive that called for formalization of the Attestation Form collection process in the Federal Acquisition Regulation (FAR). Many in industry saw this as a sign that the Trump administration disfavored the Attestation Form. Now, the Memo has gone one step further to officially terminate agencies’ obligation to collect the Form from their software suppliers.

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide initiative established to standardize the security assessment, authorization, and continuous monitoring of cloud products and services used by federal agencies. FedRAMP’s primary objective is to ensure that cloud service providers (CSPs) implement robust security controls to protect federal information in cloud environments. By leveraging a consistent framework for security assessment and authorization, FedRAMP is intended to reduce duplication of effort, cost, and time for both agencies and vendors.

The National Institute of Standards and Technology (“NIST”) recently released draft guidelines for applying NIST’s Cybersecurity Framework to organizations adopting artificial intelligence. NIST requests public comments on its “Initial Preliminary Draft” Cybersecurity Framework Profile for Artificial Intelligence (the “Cyber AI Profile”) by midnight on January 30, 2026. 

In an important first, the yearly defense policy law, the National Defense Authorization Act (NDAA) for Fiscal Year 2026, directs the Department of Defense (DoD)  to develop and implement a framework addressing the cybersecurity and physical security of artificial intelligence and machine learning technologies (AI/ML) acquired by the Pentagon.

The California Privacy Protection Agency (“CPPA”) is intensifying its oversight of data brokers with a new dedicated Data Broker Enforcement Strike Force within its Enforcement Division. The strike force will monitor and investigate data brokers’ compliance with their legal obligations under California’s Delete Act and the California Consumer Privacy Act (“CCPA”).

Earlier this month, the Department of Justice (DOJ) announced that Swiss Automation Inc., an Illinois-based precision machining company, agreed to pay $421,234 to resolve allegations that it violated the False Claims Act (FCA) by inadequately protecting technical drawings for parts delivered to Department of Defense (DoD) prime contractors.  This settlement reflects DOJ's persistent emphasis on cybersecurity compliance across all levels of the defense industrial base, reaching beyond prime contractors to encompass subcontractors and smaller suppliers.  The settlement is also a reminder to all contractors not to overlook the often confusing relationship between Controlled Unclassified Information (CUI) and export-controlled information.

On December 18, 2025, the Fiscal Year 2026 National Defense Authorization Act (FY 2026 NDAA) (P.L. 119-60) was signed into law. The Act makes significant changes to defense acquisition, sourcing restrictions, and interactions between the Defense Industrial Base (DIB) and the Department of Defense (DOD). 

In July 2025, President Trump signed Executive Order (EO) 14319, Preventing Woke AI in the Federal Government, to preclude the federal government from procuring artificial intelligence (AI) models that incorporate “ideological biases or social agendas,” including “diversity, equity, and inclusion.” The EO mandates that the federal government purchase only large language models (LLMs) developed according to two “Unbiased AI Principles” — that they be “truth-seeking” and show “ideological neutrality.” To implement these principles, the EO directed the Office of Management and Budget (OMB) to issue guidance.

On December 11, 2025, President Trump signed a much-anticipated Executive Order that seeks to forestall state regulation of artificial intelligence (AI) by threatening federal lawsuits and the withholding of some federal funds and calls for a national policy framework on AI. The Executive Order, Ensuring a National Policy Framework for Artificial Intelligence (EO), declares it the policy of the administration “to sustain and enhance the United States’ global AI dominance through a minimally burdensome national policy framework for AI.”

President Trump is preparing to sign an Executive Order that would seek to forestall state regulation of artificial intelligence (AI) by threatening federal lawsuits and the withholding of some federal funds. The draft, unsigned six-page Executive Order, “Eliminating State Law Obstruction of National AI Policy” (EO), the text of which has been circulating publicly since November 19, would declare it the policy of the Administration “to sustain and enhance America’s global AI dominance through a minimally burdensome, uniform national policy framework for AI.”

Last year, the California General Assembly passed the California AI Transparency Act (CAITA), which Governor Gavin Newsom signed into law on September 19, 2024, and goes into effect on January 1, 2026. This may change because this year, the same General Assembly passed AB 853, an amendment to CAITA with potentially far-reaching implications.

Marking a significant milestone toward the broad deployment of commercial drones over American skies, the Federal Aviation Administration (“FAA”) and Transportation Security Administration issued a proposed rule in August that would streamline how drones can operate when they fly beyond the visual line of sight of their operators.