Regulatory & Standards Drift | December 9, 2025
CybersecurityHQ | Weekly Regulatory & Standards Drift

Welcome reader, here's this week's Regulatory & Standards Drift.
Brought to you by:
👣 Smallstep – Secures Wi-Fi, VPNs, ZTNA, SaaS and APIs with hardware-bound credentials powered by ACME Device Attestation
📊 LockThreat – AI-powered GRC that replaces legacy tools and unifies compliance, risk, audit and vendor management in one platform
The Convergence: Governance Evidence Is the New Control
Regulators are no longer asking whether you have controls; they are asking whether you can prove that governance decisions were made by the right people, with the right evidence trail. NIST's initial public draft of SP 800-57 Rev. 6 (December 5) explicitly separates keys used for storage from keys used for key establishment, which forces you to document who owns each phase of the cryptographic key lifecycle. The EU's ESAs designated 19 critical ICT third-party providers (CTPPs) under DORA (November 18), cascading governance accountability back to every financial entity that relies on them. The SEC's 2026 Examination Priorities (November 17) target incident response programs and the management of new risks associated with AI use and AI-driven threats: not the controls themselves, but the documented policies for detection, response, and recovery. Governance accountability is becoming an auditable artifact.
This creates organizational fracture lines that regulators will exploit. The draft structure of NIST SP 800-57 Rev. 6 treats key establishment and key storage as distinct governance domains; your current key management owner probably lacks clean authority over both. DORA's CTPP designations force third-party risk functions to prove they understood systemic concentration risk before regulators did. The SEC's Regulation S-P amendments require larger entities to have a documented incident response program in place by December 3. The FCC's November 20 rescission of its January CALEA declaratory ruling signals a softening of US telecom regulation at the same time that EU and UK enforcement intensifies; multi-jurisdictional organizations face regulatory divergence that demands jurisdiction-specific governance documentation.
The CISO Gut Punch
The SEC's case against SolarWinds was dismissed with prejudice on November 20, not because CISOs will no longer face liability, but because the courts rejected the agency's novel theories. What survived until the dismissal? The claims that SolarWinds' public security statements materially diverged from its actual practices. If your public-facing representations cannot be reconciled with your internal governance evidence, private plaintiffs now have a roadmap.
High-Stakes Mandates
Stand up a Governance Evidence Register documenting board sign-off on control framework decisions before auditors construct one from your emails
Split accountable ownership for key storage versus key establishment now—once NIST 800-57 Rev. 6 is finalized, auditors will have a clean basis to treat this as a governance expectation
Map every DORA-designated CTPP your EU operations rely on and document independent concentration risk assessment
Ensure Regulation S-P incident response documentation demonstrates leadership-approved authority chains by December 3
The Cost of Ignoring This
Organizations that treat governance documentation as theater face convergent exposure across SEC examinations, DORA oversight, and UK FCA scrutiny of operational resilience remediation. The SolarWinds dismissal offers no safe harbor from private plaintiffs. CISOs who do not own the governance evidence chain end up defending decisions they never documented.
30-120 Day Projection
CISA's list of product categories that support PQC arrives this month, and while the amended EO dropped the formal 90-day solicitation mandate, procurement and OMB guidance will still treat that list as the de facto trigger for PQC expectations in contracts. UK Treasury's first CTP designations are now expected in 2026 after repeated slippage; the UK is lagging the EU on regulating critical third parties even though its regime took effect on January 1, 2025. Comments on NIST SP 800-57 Rev. 6 close on February 5, 2026; implement the key governance split now rather than retrofitting it after finalization.
Author
Daniel Michan is the founder of CybersecurityHQ, a CISO-grade intelligence platform read weekly across the Fortune 100. He analyzes identity-centric risk, machine identity failures, SaaS integration breakdowns, and emerging AI-speed threats, producing executive briefings and deep-dive research used by enterprise security leaders for decision support.