← Retour au blog sécurité
Compliance & Réglementation Breaking 7 mars 2026 9 min de lecture

FBI Surveillance System Breached, New Pentagon CISO Named, CISA Expands KEV — Security Réglementation Roundup

The FBI is investigating a breach of a system holding sensitive surveillance information. The Pentagon appoints James "Aaron" Bishop as its new CISO. CISA adds 23 iOS vulnérabilités from the Coruna kit d'exploiteration to the KEV catalog. Meanwhile, sécurité de l'IA vulnérabilités in Chrome's Gemini integration highlight the urgency of the EU AI Act's newly enforced pratiques interdites. Google's 2025 zero-day report reveals 90 exploitered vulnérabilités — half targeting entreprise infrastructure.


🔴 FBI Investigating Breach of Surveillance System

Critique Gouvernement Security Incident

The FBI a confirmé it is investigating "suspicious" cyber activity on a system containing sensitive surveillance information. The bureau notified members of Congress about the incident and is working to determine the scope and impact of the compromise.

Regulatory Implications

This incident carries significant implications for gouvernement cybersécurité regulation and oversight:

For EU organisations, this incident underscores the importance of NIS2 Article 21 requirements for incident handling and crisis management — even the most security-focused agencies remain vulnerable.


🛡️ Pentagon Appoints New CISO: James "Aaron" Bishop

James "Aaron" Bishop has been selected to serve as the new Pentagon Chief Information Security Officer, replacing David McKeown, who will transition to the private sector after 40 years of gouvernement service. The appointment signals continued prioritization of cybersécurité at the highest levels of U.S. defense.

Ce que cela signifie for Réglementation

The Pentagon CISO oversees politique de cybersécurité for the Department of Defense — the world's largest organization by headcount. Bishop's appointment comes at a critical time:


⚠️ CISA Adds Coruna Exploit Kit iOS Flaws to KEV Catalog

23 iOS Vulnérabilités Added to Known Exploited Vulnérabilités Catalog

CISA has added iOS vulnérabilités exploitered by the Coruna kit d'exploiteration — described as a "étatique-grade" tool — to the Known Exploited Vulnérabilités (KEV) catalog. The kit d'exploiteration targets 23 vulnérabilités affecting iOS versions 13 through 17.2.1.

Compliance Impact

Under Binding Operational Directive (BOD) 22-01, all U.S. federal civilian agencies must remédier KEV-listed vulnérabilités within prescribed timelines. But the regulatory impact extends far beyond the U.S.:

Coruna Exploit Kit: Key Details

AttributeDetail
ClassificationNation-state grade commercial kit d'exploiteration
CibleiOS 13 through iOS 17.2.1
Vulnérabilités23 chained exploiters for full device compromise
CapabilityZero-click exécution de code à distance, persistent access
KEV StatutAll 23 CVEs now in CISA KEV catalog

🤖 AI Security Under Fire: Chrome Gemini Vulnérabilité & Fake Extensions

Two developments this week highlight the growing intersection of sécurité de l'IA and conformité réglementaire:

Chrome Gemini Vulnérabilité (CVE-2026-0628)

Google corrigé CVE-2026-0628 (CVSS 8.8 — Élevé), an elevation-of-privilege vulnérabilité in the Gemini AI integration within Chrome. Reported by Palo Alto Réseaus Unit 42, the flaw allowed malveillant navigateur extensions with basic permissions to hijack the Gemini Live panel, potentially accessing:

Fake AI Extensions Epidemic

Security researchers continue to flag malveillant navigateur extensions masquerading as outils IA in official app stores. These extensions provide superficial AI functionality while silently exfiltrating user data, keystroke logs, and authentication tokens.

EU AI Act Relevance

As of February 2, 2026, the EU AI Act's pratiques interdites (Article 5) are now enforceable. While these specific vulnérabilités don't fall under prohibited AI categories, they highlight lacune critiques in système d'IA security that the Act's IA à haut risque requirements (effective August 2026) will address:


📊 Google Zero-Day Report: 90 Exploited Vulnérabilités in 2025

Google's annual exploiter zero-dayation analysis reveals 90 zero-day vulnérabilités ont été exploiterés dans la nature during 2025 — with a significant shift toward entreprise-targeting:

Regulatory Takeaway

The entreprise focus of exploiter zero-dayation directly validates the regulatory approach of NIS2 and DORA:


🔄 Microsoft Copilot Data Protection Updates

Microsoft announced new controls over which files its Microsoft 365 Copilot assistant IA can access during data processing. The change comes in direct response to customer reports that Copilot was including confidential information in its outputs.

Key Changes

GDPR & AI Act Compliance

This development is directly relevant to EU conformité:


⚡ Cisco SD-WAN Vulnérabilités Exploited in the Wild

Cisco confirmé that two recently corrigé Catalyst SD-WAN vulnérabilités — CVE-2026-20128 and CVE-2026-20122 — sont activement exploiterés. SD-WAN infrastructure is classified as infrastructure critique in multiple regulatory frameworks.

NIS2 Infrastructure critique Alert

Organisations operating SD-WAN infrastructure that falls under NIS2 essential or important entity classifications must treat these exploitered vulnérabilités as obligatoire immediate corrigeres. Under Article 21, failure to address known-exploitered vulnérabilités in critical réseau infrastructure may constitute a conformité violation subject to administrative amendes.


📋 Compliance Action Items — Week of 7 mars 2026

  1. Correctif iOS devices immédiatement — All 23 Coruna kit d'exploiteration CVEs now in CISA KEV; NIS2/DORA-regulated entities must prioritize
  2. Update Cisco SD-WAN — CVE-2026-20128 and CVE-2026-20122 activement exploiteré; infrastructure critique risk
  3. Audit AI tool permissions — Review navigateur extensions claiming AI functionality; remove unverified extensions
  4. Configure Microsoft 365 DLP — Ensure DLP labels are applied to sensitive files before Copilot default protections activate in April
  5. Review Chrome mises à jour de sécurité — Correctif CVE-2026-0628 (Gemini vulnérabilité); assess AI-integrated navigateur components
  6. EU AI Act readiness — Prohibited practices now enforceable; inventory systèmes d'IA for conformité by August 2026 high-risk deadline
  7. NIS2 réponse aux incidents drill — The FBI breach underscores that even top-tier security organisations face compromise; test your 24-hour early warning procedures

Automate Your Compliance Monitoring

KENSAI continuously monitors your infrastructure against NIS2, DORA, GDPR, and EU AI Act requirements. Real-time vulnérabilité detection meets regulatory mapping.

Start Free Compliance Scan

Stay regulated. Stay protected.

🗡️ KENSAI Compliance Intelligence

7 mars 2026