Public Policy Comments
M3AAWG actively seeks to provide the necessary technical and strategic guidance to protect end-users’ online experience as government, Internet and public policy agencies worldwide develop new Internet policies and legislation. Working to reduce the spread of spam, bots and malware, M3AAWG has submitted comments on these proposals:
M3AAWG Comments on RFI on Regulatory Reform on Artificial Intelligence
M3AAWG submitted Comments on October 24, 2025, in response to the Notice of Request for Information; Regulatory Reform on Artificial Intelligence, issued by the United States Office of Science and Technology Policy (OSTP).
M3AAWG Comments on Client-Side Scanning as a CSAM Detection Mechanism
M3AAWG's position is grounded in the belief that tackling CSAM requires solutions that are both operationally effective and respectful of fundamental rights, ensuring that interventions do not create new avenues for abuse or significantly deleterious side effects.
Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) Comments on Request for Information for the .us Top Level Domain
Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) has submitted a letter in response to the Request for Information for the .US Top Level Domain (TLD). We make these comments in our capacities as cybersecurity professionals and researchers committed to ensuring the security and stability of the internet, including the domain name ecosystem.
Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) Comments on Product Security Bad Practices Guidance
M3AAWG has submitted comments to the Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), Request for Comment on Product Security Bad Practices Guidance. M3AAWG generally supports the stated goals of reducing customer risk by prioritizing security throughout the product development process and discouraging the use of bad security practices, particularly where critical infrastructure and national critical functions are potentially impacted. However, the document lacks clarity on its role and purpose in relation to other CISA publications and comments. The draft guidance does not specify who is responsible for taking action, what specific actions are required, and which level of the security management stack this document is meant to address. These elements should be clarified throughout. Merely avoiding bad practices will not be sufficient to meet security standards. Avoiding bad practices must be supplemented with industry-standard security best practices. In addition, since CISA has previously issued advice on many of the areas covered, it would be helpful to clarify the objectives of this new draft guidance, the context for its release, and how it modifies or complements past guidance. For example, if the intent is to reinforce or summarize existing recommendations, this should be stated explicitly. Conversely, if the document introduces new recommendations or updates, those changes should be clearly highlighted.
Comments by the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) on the DHS “Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements”
M3AAWG has submitted comments to the Department of Homeland Security's (DHS) Proposed Rulemaking on “Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements”. M3AAWG recognizes the key role effective cyber incident reporting can have in addressing the impacts of cybersecurity incidents and combating online abuse. Cyber incident reporting can minimize consequences to victims, capture lessons learned, and improve cybersecurity nationwide, thereby increasing the likelihood that perpetrators will be held accountable. However, overly broad cyber incident reporting rules often do not, on balance, yield benefits commensurate with the significant costs those rules impose on both reporting entities and the government.
We generally support CISA’s efforts to craft a proposed rule that seeks to achieve the intended goals of the CIRCIA mandates. However, M3AAWG urges CISA to consider the following suggestions to clarify or modify its proposed rule, as detailed below. We note that our comments today are focused on certain critical areas of concern to our members and do not represent a comprehensive discussion of all issues covered in the expansive CIRCIA NPRM.
Comments of the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) on NIST AI 600-1, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile
M3AAWG has submitted Comments on the NIST AI 600-1, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile. With the growing importance of AI in society and the challenges of AI-related security and abuse issues, appropriate management of AI risk is becoming ever more pertinent, which is why M3AAWG welcomes the opportunity to submit comments.
Comments Submission Date: May 29, 2024
Comments of the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) on NIST AI 100-5, A Plan for Global Engagement on AI Standards
M3AAWG has submitted Comments on NIST AI 100-5, A Plan for Global Engagement on AI Standards. AI is a global phenomenon which impacts various countries and a number of industry sectors at high risk of abuse by cybercriminals and other threat actors. Thus, international and cross-sector engagement and involvement in standard-setting is of paramount importance.
Comments Submission Date: May 29, 2024
Comments of the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) on NIST SP 800-218A, Secure Software Development Practices for Generative AI and Dual-Use Foundation Models
M3AAWG has submitted Comments on the NIST SP 800-218A, Secure Software Development Practices for Generative AI and Dual-Use Foundation Models. The increasing importance of secure development of software and AI systems carries specific risks associated with the abuse of AI systems and AI tools used in software development. As a group of anti-abuse specialists, M3AAWG thus welcomed the opportunity to comment on the current version of NIST SP 800-218A.
Comments Submission Date: May 29, 2024
M3AAWG Comments on the Transposition of NIS2 Directive into EU National Law
M3AAWG has submitted Comments on the transposition of the Revised Directive on Security of Network and Information Systems (NIS2) into EU national law.
Countries Submitted: Sweden, Netherlands
M3AAWG Comments on the Request for Information on Open-Source Software Security: Areas of Long-Term Focus and Prioritization
The Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) made recommendations to the Office of the National Cyber Director (ONCD) regarding the security of open-source software (OSS) in comments submitted to that office on Oct. 3rd, 2023, in response to the Request for Information on Open-Source Software Security: Areas of Long-Term Focus and Prioritization.
Comments Submitted: October 3, 2023
