
Policy Pulse - Issue #3 | Week of February 15, 2026

Your weekly briefing on cybersecurity policy affecting vulnerability disclosure and security research. This week: CISA BOD 26-02 targets unsupported edge devices, MITRE CVE contract hits 30-day countdown, and UK CMA statutory defence takes shape.



Top Story

CISA Issues BOD 26-02: Federal Agencies Must Eliminate Unsupported Edge Devices

On February 5, CISA issued Binding Operational Directive 26-02, ordering all Federal Civilian Executive Branch agencies to identify and remove end-of-support edge devices from their networks. The directive targets routers, firewalls, load balancers, VPN appliances, switches, and other network equipment that no longer receives security patches. Nation-state actors, including groups tied to the PRC, have increasingly exploited these unpatched perimeter devices as persistent footholds into federal networks.

The timeline is phased: agencies have until May 5, 2026 to inventory devices on the new "CISA EOS Edge Device List," 12 months to decommission devices already past end-of-support, 18 months to replace all remaining listed devices with supported equipment, and two years to implement continuous discovery ensuring only supported devices remain in production. The directive was developed in coordination with OMB and implements longstanding policy on phasing out unsupported systems.

Why it matters for VDP: Edge devices are a critical attack surface that often sits outside traditional vulnerability management and disclosure programs. Security researchers have long flagged perimeter infrastructure as under-monitored. This directive forces federal agencies to gain visibility into devices that many VDP programs do not currently cover. It also signals growing federal recognition that network hardware needs the same patching and disclosure discipline applied to software.


Upcoming Deadlines & Events

  • Feb 23: NIST Transit CSF Profile (IR 8576) and SP 800-82 Rev 4 comments due.
  • Mar 1: CISA ED 26-01 (F5) implementation report due to DHS Secretary.
  • Mar 9: NIST CAISI AI Agent Security RFI comments due (submit via regulations.gov, NIST-2025-0035). Also: CIRCIA town hall for Chemical, Water, Dams, Energy, and Nuclear sectors.
  • Mar 12: CIRCIA town hall for Commercial Facilities, Critical Manufacturing, and Food/Agriculture sectors. (Additional sessions: Mar 17, Mar 19, Mar 31. See Federal Register notice 2026-02948 for full schedule. Register here.)
  • Mar 16: MITRE CVE contract option period expires. No public renewal announcement yet.
  • Mar 19: New York RAISE Act takes effect (frontier AI compliance requirements).
  • Apr 2: NIST AI Agent Identity Paper comments due (submit comments). CIRCIA general session town hall.
  • May 2026: CIRCIA final rule targeted (delayed from October 2025).
  • May 5: BOD 26-02 first milestone: agencies must inventory all EOS edge devices.
  • Aug 2: EU AI Act high-risk system requirements take effect (red-teaming mandate).
  • Sep 11: EU Cyber Resilience Act vulnerability reporting obligations begin (24hr/72hr timelines).

This Week in Policy

Federal Strategy & Regulation

  • White House Previews Six-Pillar National Cyber Strategy: National Cyber Director Sean Cairncross confirmed the administration's forthcoming strategy will cover: (1) shaping adversary behavior, (2) streamlining the regulatory environment, (3) securing federal government systems, (4) protecting critical infrastructure, (5) maintaining dominance in emerging technologies, and (6) closing the cybersecurity workforce gap. Cairncross described it as "a short statement of intent" paired with action items, not the lengthy documents of previous administrations. Release expected in the coming weeks. (Federal News Network)

  • CIRCIA Town Halls Announced, Final Rule Targeted for May: CISA published a Federal Register notice on February 13 announcing sector-specific virtual town halls for additional stakeholder input on the CIRCIA incident reporting rule. The final rule, affecting roughly 316,000 entities across 16 critical infrastructure sectors, would require reporting substantial cyber incidents within 72 hours and ransomware payments within 24 hours. (CISA)

  • CIPAC Replaced by ANCHOR: DHS dissolved the Critical Infrastructure Partnership Advisory Council and replaced it with the Alliance of National Councils for Homeland Operational Resilience (ANCHOR), creating focused discussion groups for specialized infrastructure domains. This restructuring could open new formal channels for security researchers to engage on critical infrastructure protection. (Federal News Network)

CVE & Vulnerability Programs

  • MITRE CVE Contract: 30 Days to the Cliff: The 11-month CISA contract extension granted in April 2025 expires March 16, 2026. Neither CISA nor MITRE has publicly announced a renewal or transition plan. The CVE Foundation continues developing as a nonprofit backstop for long-term program independence, but the 30-day countdown adds urgency. The global vulnerability coordination ecosystem depends on continuity. (Krebs on Security, Cybersecurity Dive)

    Throwback: In Issue #2, we covered CISA's CVE "Quality Era" roadmap and the MITRE funding cliff. With 30 days until expiration and no public renewal signal, the community should be watching this closely.

AI & Emerging Tech Security

  • Cisco Launches Agentic AI Security Suite: On February 10, Cisco announced a major expansion of its AI Defense product: AI Bill of Materials (AI BOM) for tracking model dependencies and MCP servers, an MCP Catalog for managing risk across Model Context Protocol registries, advanced algorithmic red teaming with multi-turn and multi-language testing, and real-time agentic guardrails that monitor for prompt injection and unauthorized tool use. Integrates with NVIDIA NeMo Guardrails. (Cisco Newsroom)

  • DHS Developing AI-ISAC for Cross-Sector Threat Sharing: The Department of Homeland Security is establishing an AI Information Sharing and Analysis Center to coordinate AI-related threat intelligence across critical infrastructure sectors. Separately, the National Cyber Director's office is developing an AI security policy framework aimed at embedding security into AI systems without slowing innovation. (Executive Gov)

  • UK CMA Statutory Defence Takes Shape: Security Minister Dan Jarvis's December 2025 commitment to create a "statutory defence" for researchers conducting legitimate vulnerability research continues to develop. The Home Office is actively engaging with industry to scope concrete proposals. This represents the most significant movement on Computer Misuse Act reform in decades, with amendments progressing through Parliament via the Crime and Policing Bill and the Cyber Security and Resilience Bill, and committee hearings ongoing in early 2026. The CyberUp Campaign, which has advocated for reform for years, is tracking the consultation closely. (Computer Weekly, CyberUp Campaign)

    Throwback: In Issue #2, we noted the UK CMA rewrite commitment. The statutory defence language is now entering concrete proposal territory.

  • HackerOne Launches AI Safe Harbor: Launched January 20, HackerOne's Good Faith AI Research Safe Harbor defines good-faith AI research and commits adopting organizations to: recognizing AI testing as authorized activity, refraining from legal action, providing limited exemptions from restrictive terms of service, and supporting researchers against third-party claims. The framework extends HackerOne's 2022 effort to standardize Safe Harbor to AI-specific scenarios and addresses the legal ambiguity that slows responsible AI vulnerability research. (Help Net Security)

International Developments

  • EU CRA Vulnerability Reporting: Countdown to September: Manufacturers of products with digital elements should be preparing now for the September 11, 2026 deadline. Requirements include a 24-hour early warning for actively exploited vulnerabilities, a 72-hour full notification, and a 14-day final report after a corrective measure is available. Reports go through the new CRA Single Reporting Platform to national CSIRTs and ENISA simultaneously. Importantly, these obligations apply to products already on the EU market, not just new ones. (EU Digital Strategy, Keysight)

  • UN Cybercrime Treaty Stalled at 74 Signatures, Zero Ratifications: The convention signed in Hanoi (October 2025) remains unratified by any member state, with 40 ratifications needed for entry into force. Concerns persist about provisions that could compel disclosure of unknown vulnerabilities and private encryption keys. The Budapest Convention, ratified by 81 states, continues as the more operationally relevant framework for cross-border cybercrime cooperation. (Atlantic Council)


Worth Reading


Friends of disclose.io

Under Pressure: Exploring the Effect of Legal and Criminal Threats on Security Researchers and Journalists by Zack Whittaker and Dissent Doe. A pilot survey of over 100 security researchers and journalists found that three-quarters have faced threats due to their work, with half reporting at least one legal threat. Despite receiving everything from law firm letters to death threats, the majority did not retract or change their work. The findings underscore exactly why bilateral safe harbor and legal protections for good-faith security research matter: the chilling effect is real, but the community's resilience is remarkable. Essential reading for anyone working on researcher protection policy.


Policy Pulse is a weekly bulletin from disclose.io. Keeping the security research community informed on policy that affects our work.

Have a tip or want to contribute? Reply to this email, reach out on Twitter/X, or drop a comment here!