Cyber One Solutions logo.
Get Support

FTC Safeguards Rule / GLBA

A Federal Router-Hygiene Advisory Is a Test of Your FTC Safeguards and HIPAA Network Controls

July 16, 2026 · Cyber One Solutions

CISA, the NSA, and the FBI urged businesses to harden their routers against Russian state actors. The fixes they name are controls that FTC Safeguards and HIPAA already require you to have and document.

On July 13, 2026, CISA, the NSA, the FBI, and the Department of Defense Cyber Crime Center, joined by more than a dozen international partners, released joint Cybersecurity Advisory AA26-194A, "Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting." The advisory attributes an ongoing, decade-plus campaign to Russian Federal Security Service (FSB) Center 16, activity the security industry also tracks under names including Berserk Bear, Dragonfly, and Static Tundra. It names financial services, healthcare, energy, communications, the defense industrial base, and state and local government as the sectors most at risk.

What makes this one worth a business owner's attention is not an exotic new exploit. It is how ordinary the attack is.

How the Attack Actually Works

According to the advisory, the actors mostly do not break down the door. They scan the internet for networking devices, primarily routers, that still answer Simple Network Management Protocol (SNMP) requests using common or default community strings, which function as effectively unchanged passwords. When they find one, they instruct the device to copy its own configuration to a file and transfer that file, typically over Trivial File Transfer Protocol (TFTP), to a server they control. In plainer terms, a misconfigured router hands over its own blueprint because nobody changed the default settings. The agencies note the actors occasionally use known Cisco vulnerabilities and the legacy Cisco Smart Install feature as well, but the core weakness is configuration hygiene, not a zero-day.

That distinction matters for compliance, because a default SNMP string on an internet-facing router is exactly the kind of finding a real risk assessment is supposed to surface long before a foreign intelligence service does.

Why This Matters for FTC Safeguards and HIPAA Businesses

The advisory reads like a threat bulletin. For regulated businesses, it is closer to an audit checklist.

Under the FTC Safeguards Rule, non-banking financial institutions, which includes mortgage brokers, auto dealers, tax and accounting firms, and many others, must maintain a written information security program built on a risk assessment, with access controls, encryption, and oversight of the systems that hold customer information. A router running default credentials and legacy SNMP is a documented gap in that program, and financial services is one of the sectors the advisory names by title.

Under the HIPAA Security Rule, covered entities and their business associates owe the same category of technical safeguards over the network that carries electronic protected health information. Healthcare is named in the advisory too. An edge device leaking its configuration is a direct threat to the confidentiality and integrity the Security Rule requires you to protect.

Defense contractors face the same issue under CMMC and NIST SP 800-171, which include specific system and communications protection controls. And regardless of framework, cyber-insurance underwriters increasingly ask whether management protocols are restricted, whether default credentials have been eliminated, and whether internet-facing devices are patched. This advisory is a preview of the questions a carrier will ask after a claim.

What It Means for Your Obligations

The mitigations the agencies recommend map cleanly onto controls your compliance program should already claim to have. The work is turning that claim into evidence.

Disable Cisco Smart Install on every device that does not require it. It is a legacy provisioning feature that is frequently left enabled and is a repeat target.

Move from SNMPv1 and SNMPv2 to SNMPv3 with authentication and encryption enabled, and disable the older versions entirely. If a legacy version is genuinely required, replace every default community string and allow read-only access only. Those default, clear-text community strings are the exact weakness the campaign relies on.

Restrict management protocols to a dedicated management network using access control lists, and at the edge firewall, deny external traffic on the protocols the advisory calls out, including TFTP (UDP 69), Cisco Smart Install (TCP 4786), SNMP (UDP 161 and 162), and SNMPv3 (TCP and UDP 10161 and 10162), unless a specific service is mission critical.

Use strong, unique local passwords, store them with modern hashing, and require centralized authentication with multi-factor authentication for administrative access where the device supports it.

Update device firmware, prioritize known exploited vulnerabilities, and replace end-of-life hardware that can no longer be patched.

Then document all of it. Record that you checked, what you found, when you remediated, and who verified it. An FTC Safeguards annual report, a HIPAA risk analysis, and a cyber-insurance application all ask for evidence, not intentions. The organizations that treat this advisory as a dated, documented finding they closed out are the ones who can prove diligence later.

The Bottom Line

Federal agencies rarely tell every business, by sector, exactly which settings an adversary is hunting for. This advisory does. The fixes are neither expensive nor exotic, but they require someone to inventory the edge, change the defaults, restrict the protocols, and write down the result. If your last risk assessment cannot say whether a single router on your network still answers to a default SNMP string, that is the gap worth closing now. Cyber One Solutions builds and documents the network-security controls behind FTC Safeguards Rule and GLBA compliance and HIPAA Security Rule compliance, backed by managed cybersecurity that hardens and monitors edge devices and cyber-insurance readiness that produces the evidence underwriters expect. We serve commercial businesses across Texas, Tennessee, and the United States.

Sources

[CISA
Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting (AA26-194A)](https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-194a)
[NSA
NSA and Partners Release Guidance on Improving Router Hygiene to Protect Against Russian State-Sponsored Targeting](https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/4541059/nsa-and-partners-release-guidance-on-improving-router-hygiene-to-protect-agains/)
[FBI IC3
Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure (I-082025-PSA)](https://www.ic3.gov/PSA/2025/PSA250820)