Cybersecurity regulation in United States (2026)
The United States does not have a single comprehensive federal cybersecurity law. Obligations are imposed through a patchwork of sector-specific regulations — covering public companies (SEC), non-bank financial institutions (FTC Safeguards Rule), healthcare (HIPAA Security Rule), and critical infrastructure — alongside voluntary NIST standards referenced in federal procurement. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA, 2022) will create the closest analog to a cross-sector mandatory reporting regime once CISA issues its final rule, now anticipated after May 2026 due to appropriations-related delays.
Key points
Signed into law on March 15, 2022, CIRCIA requires CISA to promulgate rules mandating that covered critical-infrastructure entities report substantial cyber incidents within 72 hours of reasonably believing one has occurred and ransom payments within 24 hours of making them. The NPRM was published April 4, 2024; the final rule was targeted for May 2026 but faces further delay due to DHS appropriations lapses. Until that final rule takes effect, CIRCIA imposes no reporting obligation on private operators.
Adopted July 26, 2023, the SEC rules require public companies to disclose material cybersecurity incidents on Form 8-K (Item 1.05) within four business days of determining that the incident is material, and to describe their cybersecurity risk-management processes, board oversight, and management's role annually in Form 10-K. Form 8-K reporting applied from December 18, 2023 (June 15, 2024 for smaller reporting companies); the Form 10-K disclosures apply to fiscal years ending on or after December 15, 2023. The four-day clock runs from the materiality determination, not from discovery, but the determination itself must be made without unreasonable delay.
Non-bank financial institutions (mortgage lenders, payment processors, tax preparers, etc.) subject to the FTC Safeguards Rule under the Gramm-Leach-Bliley Act must notify the FTC as soon as possible, and no later than 30 days after discovery, of a notification event in which unencrypted customer information of 500 or more consumers is acquired without authorization. This breach-notification amendment took effect in May 2024.
HHS published a Notice of Proposed Rulemaking in the Federal Register on January 6, 2025 to strengthen the HIPAA Security Rule, proposing stricter technical safeguards for electronic protected health information (ePHI), including mandatory encryption of ePHI at rest and in transit, multi-factor authentication, removal of the "addressable" category so that all implementation specifications become required, and enhanced incident-response and restoration requirements for covered entities and their business associates.
NIST CSF 2.0 (published February 26, 2024) added a 'Govern' function and supply-chain emphasis; though voluntary for the private sector, it is referenced in federal procurement requirements. Executive Order 14144 (January 16, 2025) and EO 14306 (June 6, 2025) extended federal agency requirements around secure software development (the NIST SSDF), the post-quantum cryptography transition, and third-party software accountability.
A Federal Register rule published December 15, 2025 addresses cybersecurity threats to the nation's communications systems, extending sector-specific obligations to telecommunications providers under FCC authority.
Timeline - major decisions & events
June 6, 2025 - President Trump signed EO 14306, partially amending Biden's EO 14144: it removed the prescriptive CISA software-attestation mandates and the digital-identity provisions and shifted cybersecurity responsibility away from federal agencies toward industry, while preserving core goals such as secure software development and federal network visibility. Source: The White House
January 16, 2025 - Days before leaving office, President Biden issued a sweeping eleventh-hour cyber executive order (EO 14144) formalizing CISA software-attestation requirements for federal vendors, mandating post-quantum cryptography adoption, expanding AI-for-cyber-defense research, and requiring enhanced network visibility across civilian federal agencies. Source: The White House (Biden Archives)
Late 2024 - A Chinese state-backed threat actor (Salt Typhoon, linked to the MSS) was found to have compromised at least nine U.S. telecoms, including AT&T, Verizon, and T-Mobile, accessing call metadata for millions of users and infiltrating lawful-intercept (CALEA) wiretap systems; CISA/NSA/FBI issued joint hardening guidance in December 2024, and Treasury imposed sanctions in January 2025. Source: Congressional Research Service
April 4, 2024 - CISA issued a comprehensive Notice of Proposed Rulemaking implementing CIRCIA, requiring covered critical-infrastructure entities to report substantial cyber incidents within 72 hours and ransom payments within 24 hours; after significant industry pushback over scope and burden, CISA deferred the final rule to May 2026. Source: Federal Register (CISA)
February 26, 2024 - NIST published CSF 2.0, expanding its widely adopted voluntary framework to all sectors and organization sizes; the update added a sixth core function, 'Govern', covering cybersecurity risk-management strategy, organizational roles, and supply-chain oversight, fulfilling a directive from the 2023 National Cybersecurity Strategy. Source: NIST
July 26, 2023 - The SEC finalized rules requiring U.S. public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining materiality, and to provide annual disclosures of cyber risk-management strategy and board governance in Form 10-K; Form 8-K reporting applied from December 18, 2023 for most filers. Source: SEC
March 2, 2023 - The Office of the National Cyber Director published a 39-page National Cybersecurity Strategy organized around five pillars (defending critical infrastructure, disrupting threat actors, shaping market forces to shift liability onto software makers rather than end users, investing in resilience, and forging international partnerships), the most ambitious U.S. cyber policy document in over a decade. Source: The White House (Biden Archives)
March 15, 2022 - President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law as part of the Consolidated Appropriations Act, 2022, directing CISA to establish binding incident-reporting regulations for critical-infrastructure operators, the first time Congress imposed mandatory sector-wide federal reporting duties on private critical-infrastructure owners. Source: CISA
May 12, 2021 - Triggered by the SolarWinds and Microsoft Exchange compromises, EO 14028 required federal agencies to adopt zero-trust architecture and MFA, directed that software sold to the federal government come with SBOMs and meet NIST secure-development standards, established the Cyber Safety Review Board, and created a standardized federal incident-response playbook, a sweeping overhaul of federal baseline cybersecurity obligations. Source: The White House (Biden Archives)
May 7, 2021 - A DarkSide ransomware attack forced Colonial Pipeline to shut 5,500 miles of fuel pipeline for six days, causing fuel shortages across the U.S. East Coast; DHS/TSA responded with two mandatory Security Directives (May 27 and July 20, 2021) requiring incident reporting, 24/7 cybersecurity coordinators, and specific technical controls, a historic departure from the prior voluntary-guideline model for pipeline operators. Source: Federal Register (TSA/DHS)
December 13, 2020 - FireEye and Microsoft disclosed a Russian SVR supply-chain attack embedded in SolarWinds Orion software updates, affecting up to 18,000 organizations that downloaded the trojanized update, including Treasury, DHS, State, and DOJ; CISA issued Emergency Directive 21-01 the same day, and the incident directly catalyzed EO 14028 and congressional action on mandatory incident reporting. Source: U.S. GAO
December 18, 2015 - Congress enacted the Cybersecurity Information Sharing Act of 2015 (CISA 2015, not to be confused with the agency of the same acronym), creating a voluntary framework for private-sector companies to share cyber-threat indicators and defensive measures with DHS (via the Automated Indicator Sharing portal) with explicit liability protection, the foundational legal architecture for the public-private threat-intelligence sharing system still in operation today. Source: Congress.gov
December 18, 2014 - Congress enacted the Federal Information Security Modernization Act of 2014, modernizing the original 2002 FISMA by codifying DHS authority over civilian-agency cybersecurity, replacing paper-based annual assessments with continuous monitoring requirements, and strengthening OMB/DHS oversight; it remains the statutory framework governing federal agency information-security programs and compliance obligations. Source: NIST CSRC
1986 - Congress enacted the Computer Fraud and Abuse Act (CFAA), criminalizing unauthorized access to "federal interest" computers; later amendments (most significantly in 1994, 1996, and 2008) extended it to any "protected computer" used in or affecting interstate commerce and added civil remedies, and it remains the primary U.S. federal criminal statute invoked in computer-intrusion prosecutions and cybersecurity enforcement actions. Source: U.S. House Office of the Law Revision Counsel
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources cited above.