Weekly Policy & Activities Report
Weekly Recap
General Overview
DHS Shutdown Now Active
DHS/CISA shut down Saturday morning after lawmakers failed to reach agreement on a funding package.
- CISA indicated that ~38% (888 of its 2,341) employees are “excepted” during a shutdown, allowing certain critical functions to continue.
- With both the Senate and House out this week, and many Democrats saying that they will not support a stopgap CR without ICE reforms, the timeline for resolution remains uncertain.
-
NTSC members should expect a period of degraded — though not eliminated — federal cybersecurity support.
- Advisory cadence, outreach, and non-emergency coordination are likely to slow first.
- If a major cyber incident were to occur during the lapse, surge capacity and interagency coordination could be constrained.
Broader Cyber Environment Remains Elevated
At the Munich Security Conference, senior officials continued to frame cyber capabilities as instruments of national policy. Public commentary referenced cyber weapons development and imposing costs on malicious actors, reinforcing the normalization of cyber operations within geopolitical strategy.
This signals continued elevation in the threat environment. While no immediate legislative trigger emerged this week beyond the funding lapse, the geopolitical backdrop supports sustained investment in resilience, detection, and third-party risk management.
Operational Guidance Continues
- The FTC issued its second report to Congress on ransomware and other cyberattacks, and the SEC remained under oversight scrutiny in the Senate.
- Congressional engagement across AI and cybersecurity topics continues at a steady pace.
- CISA released practical guidance on securing OT communications and their 2025 Year in Review.
- NIST issued guidance on data classification practices.
Washington D.C. Mission
We are organizing a working session on the long-term stability of the CVE ecosystem with the White House, federal agencies, and lawmakers in both parties. Please email csullivan@ntsc.org if you or someone on your team are working in this area and might want to attend.
Mid-Atlantic Policy Roundtable | March 19 | Washington, D.C.
The agenda has been updated and registration is now open. Please share the updated agenda and registration link with your colleagues and invite at least one peer to attend. We look forward to welcoming you and your team.
NTSC Calendar
Please see NTSC Events for a full 2026 calendar. To see Executive Committee, Board, and Finance Committee meetings, turn off those filters using the password NTSC2026
Leadership Buzz Feed
Hundreds of top-level decision-makers, including heads of state, ministers, and military leaders, gathered to discuss critical global challenges.
- EU Tech chief says Europe needs cyber weapons - Politico
- Anny Vu, Senior State Department Official for the newly established Bureau of Emerging Threats, says the US needs to impose ‘real costs’ on bad actors. This aligns with the 1st pillar of the ONCD's forthcoming national cybersecurity strategy. - Politico
TL;DR FTC issued its Second Report to Congress, detailing its work combating ransomware and other cyberattacks, and highlights its data security enforcement program, noting it has brought more than 90 enforcement actions related to inadequate data protection practices.
The CIA is centralizing vendor vetting and streamlining cybersecurity approvals to keep pace with rapidly evolving technologies like AI and advanced analytics.
There may be some insight here for members with TPRM cycles that are throttling the business.
Activity by Policy Priority
The U.S. government is taking a light-touch approach to AI regulation, prioritizing speed and innovation over strict safety and security requirements. The goal is to give companies room to experiment and iterate without heavy oversight. However, critics argue that this strategy could make U.S. AI less competitive abroad, where regulators and consumers often expect stronger safety and security standards. CyberScoop.
A federal court ruled that documents generated by a defendant using a consumer AI tool and then shared with counsel were not protected by attorney-client privilege or work-product doctrine. AI tools are not attorneys, their terms often disclaim confidentiality, and sharing material with them can mean it’s discoverable in litigation. United States v. Heppner - FRB Law
NIST Announces $3.19M in SBIR Funding for Quantum, Semiconductor and Biotech R&D - Quantum Zeitgeist
Hearings Update
| Status | Hearing Detail | Date / Link |
|---|---|---|
| Recent | S. 3468, National Programmable Cloud Laboratories Network Act; S. 3639 SAT Streamlining Act; S. 3700; FAA SMS Compliance Review Act of 2026 Senate Committee on Commerce, Science, and Transportation |
Feb 4, 2026 Watch Recording |
| Recent | Oversight of the U.S. SEC Senate Banking Committee |
Feb 12, 2026 Watch Recording |
| Recent | Building an AI-Ready America House Workforce Protections Subcommittee |
Feb 11, 2026 Watch Recording |
| Recent | Potential DHS Shutdown Impacts House Appropriations Subcommittee |
Feb 11, 2026 Watch Recording |
Publication Updates
- CISA Guidance: Barriers to Secure OT Communication: Why Johnny Can’t Authenticate.
- CISA 2025 Year in Review
- CISA announces rulemaking town halls on the CIRCIA ruling in March and April.
- NIST 1800-39: Data Classification Practices.