When U.S. officials began publicly discussing the threat actor known as Salt Typhoon, it was clear this was something beyond mere disorganized attacks. But for compliance leaders, the more important question was how a campaign of this scale could operate for so long within systems that were supposed to be compliant?
At the center of this gap is a concept many organizations believe they have already addressed… namely, rootkits.
Why Salt Typhoon Is a Compliance Threat
Salt Typhoon (aka Earth Estrie, Ghost Emperor, FamousSparrow, and UNC2286) is the name given by U.S. intelligence and cybersecurity agencies to a China-linked cyber espionage campaign that came to public attention in late 2024 and early 2025. Unlike many high-profile cyber incidents, Salt Typhoon was not associated with ransomware or obvious data theft. Instead, it represented a quiet, long-term effort to gain persistent access to telecommunications and network infrastructure in the United States and allied countries.
Salt Typhoon targeted core telecommunications infrastructure rather than individual endpoints or applications. By getting inside network management layers and identity systems, the attackers were able to observe and potentially influence communications without triggering traditional alarms.
This is a problem for compliance experts. Most compliance frameworks assume that risk can be managed through a combination of documented controls, access restrictions, logging, and periodic assessment. Salt Typhoon demonstrated that an adversary can meet all of those conditions and still operate undetected. It wasn’t a security issue; it was a governance problem.
Why Rootkits Are a Compliance Problem
For many compliance and governance leaders, the term rootkit feels like a relic of an earlier era of cybersecurity, something associated with malware and old operating systems. Salt Typhoon is an example of how these tactics have evolved.
Salt Typhoon exemplifies this evolution. Rather than installing malware or modifying system files, the campaign relied on trusted access paths and administrative tools. The attackers did not need to hide files or processes because they were operating in places that most organizations inherently trust.
This is what makes modern rootkit-style activity so dangerous from a compliance perspective. Traditional security models assume that malicious behavior will violate policies, trigger alerts, or leave forensic artifacts. Salt Typhoon demonstrated that a sophisticated adversary can do none of those things and still maintain deep, long-term access. The attackers did not bypass controls so much as operate comfortably within them.
The Compliance Blind Spot Salt Typhoon Exposed
Most compliance frameworks are designed around the common assumption that security failures will be visible. That assumption is increasingly wrong.
Salt Typhoon revealed several structural blind spots that exist across regulated environments.
- First, many compliance programs emphasize verification rather than effectiveness. Policies exist, logs are collected, and access reviews occur. But these controls are often evaluated in isolation, not in terms of whether they would detect an adversary.
- Second, compliance frameworks often rely on theoretical rather than practical boundaries. Network perimeters and authorization boundaries are still used to define responsibility, even as attackers operate across them.
- Third, compliance assessments are typically static exercises. Salt Typhoon demonstrated the danger of this model. An organization can pass an audit and still be compromised the next day, or already compromised during the audit itself.
These issues become especially clear when examining how major compliance frameworks address rootkit-like behavior.
How NIST Addresses Rootkit-Style Threats
NIST publications form the foundation of many U.S. compliance programs, including FedRAMP and CMMC. On paper, NIST provides strong coverage for the types of threats Salt Typhoon represents. In practice, however, the controls are often interpreted too narrowly.
NIST SP 800-53
NIST 800-53 includes extensive controls related to access control, system integrity, monitoring, and incident response. Relevant control families include:
- AC (Access Control) governs privileged access and the separation of duties.
- AU (Audit and Accountability) defines expectations for logging and monitoring.
- IA (Identification and Authentication) addresses identity assurance.
- SC (System and Communications Protection) covers network security.
- SI (System and Information Integrity) addresses malware and anomaly detection.
The issue is that they are often implemented incorrectly or at the wrong layer. For example, your organization might secure end-user devices and apps without addressing crucial network infrastructure and governance policies outside of these control families.
NIST SP 800-171 and 800-172
NIST 800-171 and its enhanced counterpart, NIST 800-172, are particularly relevant because they explicitly address advanced persistent threats.
These frameworks emphasize:
- Continuous monitoring rather than periodic review.
- Detection of anomalous behavior.
- Protection against sophisticated adversaries.
- Enhanced logging and auditability.
- Threat hunting and proactive defense.
However, in many compliance programs, these controls are treated as goals rather than processes. They are documented, but not fully resourced. Salt Typhoon demonstrates what happens when adversaries operate precisely in that gap.
CMMC and the Challenge of Persistent Access
CMMC is designed to raise the security baseline for organizations handling controlled unclassified information. At higher maturity levels, it explicitly addresses advanced threats and persistent adversaries.
Salt Typhoon highlights a practical challenge for CMMC compliance: meeting controls to defend against APTs doesn’t happen by default.
An organization may be fully compliant with CMMC (and, by definition, NIST 800-171 and 800-172) and still fail to detect an adversary operating quietly within trusted systems.
FedRAMP and the Illusion of Boundary Security
FedRAMP has made significant progress in recent years, particularly in emphasizing zero-trust principles, continuous monitoring, and supply chain risk management. However, Salt Typhoon highlights an ongoing challenge for cloud and infrastructure providers.
FedRAMP 20x relies heavily on defined system boundaries, continuous monitoring artifacts, log aggregation and analysis, and periodic assessments.
But sophisticated adversaries increasingly operate outside those boundaries while still influencing systems within them. When attackers compromise identity infrastructure, network routing, or telecommunications layers, they may never interact directly with the systems under FedRAMP authorization. This creates a false sense of assurance where controls appear effective, but the environment as a whole is compromised.
What Compliance Leaders Should Take Away
Salt Typhoon is a new reality for compliance leaders in 2026. Threats emerge through patiently exploiting trusted systems.
Salt Typhoon underscores why frameworks like NIST, CMMC, and FedRAMP continue to evolve toward continuous monitoring, zero-trust principles, and behavior-based oversight. For compliance leaders, the future of compliance is about getting away from checklists and understanding how those controls behave under pressure.
We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- FedRAMP
- GovRAMP
- GDPR
- NIST 800-53
- DFARS NIST 800-171, 800-172
- CMMC
- SOC 1, SOC 2
- HIPAA
- PCI DSS 4.0
- IRS 1075, 4812
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
- CJIS
- 100+ Frameworks
And more. We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cybersecurity® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and learn how we can help protect your systems and ensure compliance.
[wpforms id= “43885”]