CR-001
May 11, 2026
Fabricated HIPAA Security Rule subsection 45 CFR 164.308(b)(4)
Article: HIPAA Risk Assessment, HIPAA Risk Analysis Documentation, HIPAA Asset Inventory Requirement, and the HIPAA evaluation series
What changed. Four HIPAA articles cited 45 CFR 164.308(b)(4) as the source for written contract requirements with business associates. That subsection does not exist. 164.308(b) terminates at paragraph (3). The written contract requirement lives at 164.308(b)(2) and the implementation specifications at 164.314(a).
Before
“45 CFR 164.308(b)(4) requires a written contract with each business associate that obtains, creates, receives, maintains, or transmits ePHI.”
After
45 CFR 164.308(b)(2) requires a written contract with each business associate. The contract content requirements are spelled out at 45 CFR 164.314(a) (Business Associate Contracts).
Primary source
eCFR Title 45 Part 164 Subpart C, 45 CFR 164.308(b) and 45 CFR 164.314(a) (current text)
Why it matters. A compliance officer verifying our citation against eCFR would have hit a 404 on a fabricated subsection. The error appeared in four articles and two paired meta files. Every instance is now corrected.
CR-002
May 11, 2026
HIPAA civil money penalty schedule stale at 2009 HITECH-era figures
Article: HIPAA Breach Notification Requirements, HIPAA Encryption Requirements 2026, Is ChatGPT HIPAA Compliant, Is Slack HIPAA Compliant
What changed. Four HIPAA articles published the 2009 HITECH-era penalty schedule ($100 to $50,000 per violation, $1.5M annual cap) as current. The Department of Justice and HHS apply annual inflation adjustments under the Federal Civil Penalties Inflation Adjustment Act. The 2026 figures are $145 to $2,190,294 per violation, with tier-specific annual enforcement-discretion caps per HHS 2019 Notification (84 FR 18151) and 2026 inflation adjustments (90 FR 6537, multiplier 1.02598).
Before
“HIPAA civil money penalties range from $100 per violation to $50,000 per violation, with a $1.5 million annual cap per identical provision.”
After
HIPAA civil money penalties for 2026 range from $145 to $2,190,294 per violation, with tier-specific annual enforcement-discretion caps ($36,505 for Tier 1, $146,053 for Tier 2, $365,052 for Tier 3, $2,190,294 for Tier 4) per HHS' 2019 Notification of Enforcement Discretion (84 FR 18151) as adjusted by 2026 inflation factors (Federal Register 2026-01688, Jan 28, 2026).
Primary source
45 CFR 160.404; HHS 2019 Notification of Enforcement Discretion (84 FR 18151); Federal Register 2026-01688 (Jan 28, 2026)
Why it matters. A covered entity sizing breach exposure against the stale schedule would understate maximum liability by roughly 43x at the top tier. The penalty range is also the basis for board reporting and cyber insurance underwriting questions. Wrong numbers, wrong board memo.
CR-003
May 14, 2026
SOC 2 attestation standard cited as AT-C Section 320 (which governs SOC 1)
Article: Healthcare SaaS SOC 2 Audit Failures, SOC 2 Audit Cost 2026, SOC 2 vs ISO 27001 for Startups, Do I Need SOC 2 Certification
What changed. Four SOC 2 articles cited AT-C Section 320 as the operative attestation standard. AT-C 320 governs SOC 1 reporting (Reporting on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting). SOC 2 examinations are conducted under AT-C Sections 105 and 205, with reporting performed per the AICPA SOC 2 Reporting Guide. A former Big 4 partner would catch this in 30 seconds.
Before
“SOC 2 examinations are conducted under SSAE 18 AT-C Section 320.”
After
SOC 2 examinations are conducted under SSAE 18 AT-C Sections 105 (Concepts Common to All Attestation Engagements) and 205 (Examination Engagements), with reporting performed in accordance with the AICPA Guide: SOC 2 Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.
Primary source
AICPA AT-C Section 105; AT-C Section 205; AICPA SOC 2 Reporting Guide
Why it matters. Reading the wrong attestation standard misframes the entire engagement. AT-C 320 imposes requirements that do not apply to SOC 2 (financial-statement audit linkage, ICFR carve-out treatment). Practitioners using the wrong standard would build evidence procedures that do not match what the SOC 2 auditor actually applies.
CR-004
May 11, 2026
CISA BOD 22-01 remediation windows framed as 14 days for "high-priority" and 60 days for "all others"
Article: CISA Binding Operational Directives Compliance and CISA KEV Catalog Compliance Guide
What changed. Two cybersecurity articles described BOD 22-01's remediation timeline as 14 days for high-priority KEV entries and 60 days for all others. The actual directive sets the cutoff by CVE-ID issuance year, not priority. CVE-IDs assigned in 2021 or later carry a 14-day remediation window. CVE-IDs assigned prior to 2021 carry a 6-month window. There is no "high-priority" subset and no 60-day window.
Before
“BOD 22-01 requires federal civilian agencies to remediate high-priority KEV entries within 14 days and all other entries within 60 days.”
After
BOD 22-01 requires federal civilian agencies to remediate KEV catalog entries on the following schedule. For vulnerabilities with CVE-IDs assigned in 2021 or later, remediation is due within two weeks (14 days) of catalog inclusion. For vulnerabilities with CVE-IDs assigned prior to 2021, remediation is due within six months of catalog inclusion.
Primary source
CISA Binding Operational Directive 22-01 (Reducing the Significant Risk of Known Exploited Vulnerabilities), cisa.gov/news-events/directives/bod-22-01
Why it matters. A federal agency planning patch SLAs around the wrong framing would either under-resource for the 2021-and-later catalog or over-resource for a fictional 60-day track. The same window applies to FedRAMP-authorized cloud providers via continuous monitoring.
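The corrected schedule above, as an added example that is not part of the original article or of any CISA tooling: a Python helper that derives the BOD 22-01 due date from the CVE-ID year and the catalog-inclusion date, with no priority tier and no 60-day track. The sample entries are constructed, the cveID/dateAdded field names are assumed, and the six-month window is computed as six calendar months.

```python
from datetime import date, timedelta
import calendar
import re

# Constructed sample entries in the shape of a KEV feed record
# (field names cveID / dateAdded assumed; values are made up for this example).
SAMPLE_KEV = [
    {"cveID": "CVE-2019-0001", "dateAdded": "2026-05-01"},
    {"cveID": "CVE-2023-0002", "dateAdded": "2026-05-01"},
]

CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def cve_year(cve_id: str) -> int:
    """Year embedded in the CVE-ID; this, not severity, selects the BOD 22-01 window."""
    m = CVE_RE.match(cve_id.strip().upper())
    if not m:
        raise ValueError(f"not a CVE-ID: {cve_id!r}")
    return int(m.group(1))


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def bod_22_01_due_date(cve_id: str, date_added: str) -> str:
    """Due date (ISO) counted from catalog inclusion under BOD 22-01.

    CVE-ID year 2021 or later: 14 days. Earlier: six months
    (assumed here to mean six calendar months). There is no other track.
    """
    added = date.fromisoformat(date_added)
    if cve_year(cve_id) >= 2021:
        due = added + timedelta(days=14)
    else:
        due = add_months(added, 6)
    return due.isoformat()


def remediation_schedule(entries):
    """Map each cveID to its due date; a malformed ID raises rather than being skipped."""
    return {e["cveID"]: bod_22_01_due_date(e["cveID"], e["dateAdded"]) for e in entries}


if __name__ == "__main__":
    for cve, due in remediation_schedule(SAMPLE_KEV).items():
        print(cve, "due", due)
```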
CR-005
May 11, 2026
SPRS canonical URL and the partial-credit scoring methodology for §3.5.3 and §3.13.11
Article: SPRS Score Calculation Guide
What changed. The article published the SPRS URL as sprs.pm.mil (incorrect domain) and stated that §3.5.3 (MFA) and §3.13.11 (FIPS) have no partial-credit scoring. Both statements were wrong. The canonical SPRS domain is sprs.csd.disa.mil. Both §3.5.3 and §3.13.11 have partial-credit scoring per DoD Assessment Methodology v1.2.1: §3.5.3 deducts 5 points when MFA is fully missing, 3 points when MFA is implemented for privileged or remote access only. §3.13.11 applies analogous partial-credit logic for FIPS-validated cryptography.
Before
“Submit your self-assessment score at sprs.pm.mil. Two requirements have no partial-credit option: §3.5.3 (multifactor authentication) and §3.13.11 (FIPS-validated cryptography). Either you implement them fully or you take the full deduction.”
After
Submit your self-assessment score at sprs.csd.disa.mil. §3.5.3 (multifactor authentication) and §3.13.11 (FIPS-validated cryptography) DO carry partial-credit scoring per DoD Assessment Methodology v1.2.1. §3.5.3 deducts 5 points when MFA is fully absent, 3 points when MFA is implemented for privileged or remote access only. §3.13.11 follows the same logic.
Primary source
DoD Assessment Methodology v1.2.1 (June 24, 2020), §3.5.3 and §3.13.11; sprs.csd.disa.mil
Why it matters. A contractor reading the wrong URL would land on a domain that does not exist. More substantively, a contractor with MFA implemented for privileged access only would over-deduct (5 points instead of 3), pushing the SPRS score lower than the methodology actually requires. That difference moves the contractor across the joint-surveillance threshold.
CR-006
May 11, 2026
Deloitte report name and the framing of the 21% mature-governance statistic
Article: NIST AI RMF Explained
What changed. The article cited "Deloitte State of AI 2026" with the 21% figure presented as the share of all surveyed companies with mature AI governance. The actual report is "Deloitte State of AI in the Enterprise, 8th Edition, 2026" (n=3,235). The 21% figure applies to the subset of 85% planning moderate-to-significant generative AI deployment, not to all surveyed companies. Both the title and the denominator were wrong.
Before
“Only 21% of companies have mature AI governance programs in place [Deloitte State of AI 2026].”
After
Of the 85% of organizations planning moderate-to-significant generative AI deployment, only 21% report mature AI governance programs in place. Survey data from Deloitte State of AI in the Enterprise, 8th Edition, 2026 (n=3,235).
Primary source
Deloitte State of AI in the Enterprise, 8th Edition, 2026, deloitte.com
Why it matters. A board memo citing the original framing would overstate the maturity gap across the whole market. The denominator matters. 21% of an active-deployer subset is a different signal than 21% of everyone.