← Retour au blog sécurité
Compliance & Réglementation
Breaking
7 mars 2026
9 min de lecture
FBI Surveillance System Breached, New Pentagon CISO Named, CISA Expands KEV — Security Réglementation Roundup
The FBI is investigating a breach of a system holding sensitive surveillance information. The Pentagon appoints James "Aaron" Bishop as its new CISO. CISA adds 23 iOS vulnérabilités from the Coruna kit d'exploiteration to the KEV catalog. Meanwhile, sécurité de l'IA vulnérabilités in Chrome's Gemini integration highlight the urgency of the EU AI Act's newly enforced pratiques interdites. Google's 2025 zero-day report reveals 90 exploitered vulnérabilités — half targeting entreprise infrastructure.
🔴 FBI Investigating Breach of Surveillance System
Critique Gouvernement Security Incident
The FBI a confirmé it is investigating "suspicious" cyber activity on a system containing sensitive surveillance information. The bureau notified members of Congress about the incident and is working to determine the scope and impact of the compromise.
Regulatory Implications
This incident carries significant implications for gouvernement cybersécurité regulation and oversight:
- Congressional oversight: The breach is likely to accelerate legislative action on federal cybersécurité mandates, with both intelligence committees expected to hold classified briefings
- FISMA conformité: Questions will arise about whether the compromis system met Federal Information Security Modernization Act requirements
- Surveillance reform: The breach of surveillance-related data may reignite debates around Section 702 of FISA and data protection safeguards for intelligence systems
- Supply chain concerns: Investigators are examining whether the breach originated through a third-party vendor, echoing NIS2 and DORA sécurité de la chaîne d'approvisionnement requirements
For EU organisations, this incident underscores the importance of NIS2 Article 21 requirements for incident handling and crisis management — even the most security-focused agencies remain vulnerable.
🛡️ Pentagon Appoints New CISO: James "Aaron" Bishop
James "Aaron" Bishop has been selected to serve as the new Pentagon Chief Information Security Officer, replacing David McKeown, who will transition to the private sector after 40 years of gouvernement service. The appointment signals continued prioritization of cybersécurité at the highest levels of U.S. defense.
Ce que cela signifie for Réglementation
The Pentagon CISO oversees politique de cybersécurité for the Department of Defense — the world's largest organization by headcount. Bishop's appointment comes at a critical time:
- CMMC 2.0 application: The Cybersécurité Maturity Model Certification program is entering full application, requiring all defense contractors to meet verified cybersécurité standards
- Zero trust architecture: DoD's Zero Trust implementation deadline is approaching, with all components expected to achieve target-level maturity
- International alignment: Increasing coordination between U.S. defense cybersécurité standards and EU frameworks (NIS2, DORA) for allied interoperability
- AI/ML security: DoD's expanding use of systèmes d'IA requires alignment with emerging sécurité de l'IA standards — paralleling the EU AI Act's IA à haut risque requirements
⚠️ CISA Adds Coruna Exploit Kit iOS Flaws to KEV Catalog
23 iOS Vulnérabilités Added to Known Exploited Vulnérabilités Catalog
CISA has added iOS vulnérabilités exploitered by the Coruna kit d'exploiteration — described as a "étatique-grade" tool — to the Known Exploited Vulnérabilités (KEV) catalog. The kit d'exploiteration targets 23 vulnérabilités affecting iOS versions 13 through 17.2.1.
Compliance Impact
Under Binding Operational Directive (BOD) 22-01, all U.S. federal civilian agencies must remédier KEV-listed vulnérabilités within prescribed timelines. But the regulatory impact extends far beyond the U.S.:
- NIS2 (EU): Article 21 mandates vulnérabilité handling and disclosure — organisations using iOS devices in essential/important entity operations must corriger immédiatement
- DORA (Financial): Financial entities under DORA must include mobile device vulnérabilités in their gestion des risques TIC frameworks and signalement des incidents
- GDPR: Exploitation of these vulnérabilités could lead to personal exfiltration de données, triggering 72-hour notification de violation obligations under Article 33
- EU AI Act: systèmes d'IA running on compromis iOS infrastructure may fail IA à haut risque system security requirements under Article 15
Coruna Exploit Kit: Key Details
| Attribute | Detail |
| Classification | Nation-state grade commercial kit d'exploiteration |
| Cible | iOS 13 through iOS 17.2.1 |
| Vulnérabilités | 23 chained exploiters for full device compromise |
| Capability | Zero-click exécution de code à distance, persistent access |
| KEV Statut | All 23 CVEs now in CISA KEV catalog |
🤖 AI Security Under Fire: Chrome Gemini Vulnérabilité & Fake Extensions
Two developments this week highlight the growing intersection of sécurité de l'IA and conformité réglementaire:
Chrome Gemini Vulnérabilité (CVE-2026-0628)
Google corrigé CVE-2026-0628 (CVSS 8.8 — Élevé), an elevation-of-privilege vulnérabilité in the Gemini AI integration within Chrome. Reported by Palo Alto Réseaus Unit 42, the flaw allowed malveillant navigateur extensions with basic permissions to hijack the Gemini Live panel, potentially accessing:
- User conversations with the assistant IA
- Browsing context and page content shared with Gemini
- Any data processed through the AI panel
Fake AI Extensions Epidemic
Security researchers continue to flag malveillant navigateur extensions masquerading as outils IA in official app stores. These extensions provide superficial AI functionality while silently exfiltrating user data, keystroke logs, and authentication tokens.
EU AI Act Relevance
As of February 2, 2026, the EU AI Act's pratiques interdites (Article 5) are now enforceable. While these specific vulnérabilités don't fall under prohibited AI categories, they highlight lacune critiques in système d'IA security that the Act's IA à haut risque requirements (effective August 2026) will address:
- Article 15: Élevé-risk systèmes d'IA must achieve appropriate levels of accuracy, robustness, and cybersécurité
- Article 9: Risk management systems must address cybersécurité threats to AI components
- GPAI transparency (May 2026): General-purpose AI model providers must document cybersécurité measures protecting model integrity
📊 Google Zero-Day Report: 90 Exploited Vulnérabilités in 2025
Google's annual exploiter zero-dayation analysis reveals 90 zero-day vulnérabilités ont été exploiterés dans la nature during 2025 — with a significant shift toward entreprise-targeting:
- 50% targeted entreprise products — security appliances, VPN gateways, réseau infrastructure
- Spyware vendors remain the most prolific zero-day users, with commercial surveillance tools accounting for the largest attributed share
- China-linked groups led étatique attribution, focusing on réseau edge devices and infrastructure critique
- Less than half of all zero-days could be attributed to specific acteurs malveillants
Regulatory Takeaway
The entreprise focus of exploiter zero-dayation directly validates the regulatory approach of NIS2 and DORA:
- NIS2 essential entities operating réseau infrastructure are prime targets — Article 21 gestion des risques measures are not optional recommendations but survival requirements
- DORA's operational resilience testing (including threat-led penetration testing) reflects the reality that secteur financier infrastructure faces sustained, sophistiqué attacks
- EU Cyber Resilience Act (CRA) requirements for manufacturers to provide mises à jour de sécurité and vulnérabilité handling become critical as attackers increasingly target product-level flaws
🔄 Microsoft Copilot Data Protection Updates
Microsoft announced new controls over which files its Microsoft 365 Copilot assistant IA can access during data processing. The change comes in direct response to customer reports that Copilot was including confidential information in its outputs.
Key Changes
- DLP application expansion: Prévention de la perte de données labels will now apply to local files, not just OneDrive/SharePoint — preventing Copilot from accessing DLP-restricted content regardless of storage location
- Default protection: The new controls will be applied by default starting April 2026
- User responsibility: Organisations must properly configure DLP labels on sensitive files to prevent AI access
GDPR & AI Act Compliance
This development is directly relevant to EU conformité:
- GDPR Article 5(1)(f): Integrity and confidentiality — outils IA accessing data beyond their intended scope may violate the principle of appropriate security
- GDPR Article 25: Data protection by design — Microsoft's change reflects the regulatory expectation of built-in privacy safeguards
- EU AI Act Article 10: Data governance requirements for systèmes d'IA must ensure training and processing data meets quality and relevance standards
⚡ Cisco SD-WAN Vulnérabilités Exploited in the Wild
Cisco confirmé that two recently corrigé Catalyst SD-WAN vulnérabilités — CVE-2026-20128 and CVE-2026-20122 — sont activement exploiterés. SD-WAN infrastructure is classified as infrastructure critique in multiple regulatory frameworks.
NIS2 Infrastructure critique Alert
Organisations operating SD-WAN infrastructure that falls under NIS2 essential or important entity classifications must treat these exploitered vulnérabilités as obligatoire immediate corrigeres. Under Article 21, failure to address known-exploitered vulnérabilités in critical réseau infrastructure may constitute a conformité violation subject to administrative amendes.
📋 Compliance Action Items — Week of 7 mars 2026
- Correctif iOS devices immédiatement — All 23 Coruna kit d'exploiteration CVEs now in CISA KEV; NIS2/DORA-regulated entities must prioritize
- Update Cisco SD-WAN — CVE-2026-20128 and CVE-2026-20122 activement exploiteré; infrastructure critique risk
- Audit AI tool permissions — Review navigateur extensions claiming AI functionality; remove unverified extensions
- Configure Microsoft 365 DLP — Ensure DLP labels are applied to sensitive files before Copilot default protections activate in April
- Review Chrome mises à jour de sécurité — Correctif CVE-2026-0628 (Gemini vulnérabilité); assess AI-integrated navigateur components
- EU AI Act readiness — Prohibited practices now enforceable; inventory systèmes d'IA for conformité by August 2026 high-risk deadline
- NIS2 réponse aux incidents drill — The FBI breach underscores that even top-tier security organisations face compromise; test your 24-hour early warning procedures
Automate Your Compliance Monitoring
KENSAI continuously monitors your infrastructure against NIS2, DORA, GDPR, and EU AI Act requirements. Real-time vulnérabilité detection meets regulatory mapping.
Start Free Compliance Scan
Stay regulated. Stay protected.
🗡️ KENSAI Compliance Intelligence
7 mars 2026