The Bulletin: ATF Dumps Two Decades of Paper Compliance in One Package
The Justice Department dropped twenty-one gun rule revisions last week, all on the same day, all styled as proposals, several telegraphing interim final status down the road. The package is not an accident. It is an execution plan, and the execution target is compliance overhead at the edge of the firearms supply chain: the dealer, the importer, the special-occupations licensee who makes or transfers NFA items. If you hold a federal firearms license or work in firearms logistics, the question is not whether these rules will land. It is which ones will land in the next thirty days, and which ones will remain open for comment through September while ATF refines the operational details. The weekend read is the Form 4473 revision: nine pages of preamble, a promise to double the transaction window after a NICS check, and a future in which the form itself is a fillable PDF that auto-populates your last three transactions and emails you a receipt. The one that matters more is the electronic recordkeeping rule, which will let you throw away the bound book if you run compliant software. That is the deal on the table: adopt the software, gain the audit trail, and ATF no longer needs to send an inspector to flip through three decades of paper in your back room.
The week, in three lines.
- Justice dropped 21 firearms rules at once (electronic recordkeeping, Form 4473 revision, NFA spousal co-ownership) and several will take effect before comment windows close
- New York codified mandatory cybersecurity rules for utilities; Ohio adopted mitragynine scheduling; Texas expanded HMO network notification requirements
- USDA finalized fluid milk flexibility for school nutrition programs and updated SNAP retailer stocking standards, both effective June
The ATF package is a compliance trade
The headline. The Bureau of Alcohol, Tobacco, Firearms, and Explosives published twenty-one proposed or final rules on May 8, spanning recordkeeping, NFA transactions, import classification, mental-health adjudication definitions, and the Youth Handgun Safety Act notice requirement. Thirteen are proposals open for comment. Eight include final or interim final language. The rules do not arrive in isolation. They arrive as a system, and the system's design is to move compliance burdens from paper rituals and mail-in approvals to digital infrastructure and automated validation.
The recordkeeping rule is the linchpin. The proposed rule on electronic recordkeeping would authorize FFLs to generate, store, and maintain acquisition and disposition records (the bound book, the 4473 archive, the NFA registry) in an electronic system rather than on paper. The rule does not mandate electronic systems. It removes the prohibition. If you adopt compliant software, you can stop maintaining parallel paper records. The software must produce an audit trail, permit ATF access during inspections, and survive a business closure (records transfer to ATF in digital form, not as a pallet of boxes). The compliance burden shifts from manual recordkeeping to software procurement and staff training, but the operational upside is immediate: no more hunting for a 4473 from 2019 in a filing cabinet, no more bound-book entry errors that flag as violations during trace requests. ATF has telegraphed this move for two years. The comment window in this proposal runs through August, but expect interim final status by November.
Form 4473 gets longer transaction windows and electronic filing. The proposed Form 4473 revision would double the performance timeframe following a NICS check from three business days to six business days, permit electronic submission of the form if the dealer uses approved software, allow auto-population of transferee data from prior transactions, and permit the form to be emailed to the buyer as a receipt. The six-day window matters for dealers in states without point-of-contact systems. If NICS returns "delayed," the dealer currently must choose on day four whether to release the firearm or wait. Doubling the window reduces the pressure to release before a final determination. The electronic-filing provision ties directly to the recordkeeping rule: if you are already running compliant software for your bound book, the same software can generate and store 4473s in a format ATF accepts. The auto-population feature reduces transcription errors (a common source of trace failures). The rule is a proposal, not interim final, which means it will not take effect until late 2026 at the earliest. But it signals the direction: less paper, more software, more automated validation.
NFA changes stack up fast. Three NFA-related rules dropped in the same package. The first is interim final and already effective. It conforms ATF's regulations to the statutory elimination of the NFA transfer tax (previously $200) on suppressors and certain other items, enacted as part of the One Big Beautiful Bill Act earlier this year. The second proposes to allow married couples to file joint NFA applications, so that both spouses hold a registered interest in the firearm without requiring a second transfer application when possession shifts between them. The third proposes to eliminate the advance-notice requirement for transporting NFA firearms across state lines for short-term purposes (365 days or fewer). Under current rules, if you own a registered suppressor and want to take it to a shooting competition in another state, you must file ATF Form 5320.20 and wait for approval before crossing state lines. The proposed rule would drop that requirement for trips under a year, replacing it with a 30-day post-transport notification for trips over 365 days. The change matters for competitive shooters, hunters, and collectors who travel with NFA items. It removes a bureaucratic step that has no demonstrated public-safety value but creates compliance risk if you forget to file. Comment window closes in August; interim final status is likely by year-end.
What it means for a small-business dealer. If you are an FFL with fewer than 10 employees and you have been running a paper bound book since 2003, you have a decision point coming. The electronic recordkeeping rule is optional, but the operational case for adopting it is strong: fewer trace failures, faster ATF inspections (the inspector pulls your records on a laptop instead of spending two days in your stockroom), and compatibility with the revised 4473 when that rule goes final. The cost is software. Expect $1,200 to $3,000 annually for compliant systems, plus staff training time. The calculus flips if you do more than 200 transactions a year: the time saved on manual entry and the reduction in compliance violations during traces pay for the software in six months. If you also deal in NFA items, the spousal co-ownership rule and the transport-notice elimination are both operational simplifications worth the cost of updating your customer-education materials. Watch for interim final publication on the transport rule in November. That one will likely take effect immediately, and the first you will hear about it is a customer asking why the form is no longer required.
New York makes cybersecurity enforceable for utilities
New York's Public Service Commission adopted new Part 1200 to Title 16 NYCRR on May 6, establishing mandatory, minimum cybersecurity requirements for covered utility entities. The rule took effect immediately. Covered entities include investor-owned electric, gas, water, steam, and telecommunications utilities operating in New York, with exemptions for small water companies under 10,000 customers and gas utilities under 100,000 customers. The rule is not a recommendation. It is a floor, and the floor includes annual risk assessments, board-approved cybersecurity policies, employment of a qualified Chief Information Security Officer, yearly compliance certifications filed with the Commission, and third-party audits every three years.
The backstory. The Commission has had voluntary cybersecurity guidelines in place since 2016, modeled on the NIST Cybersecurity Framework. Adoption was uneven. The 2021 Colonial Pipeline shutdown and the 2023 targeting of water systems in Pennsylvania and Texas moved the issue from aspirational to operational. The Commission issued a notice of proposed rulemaking in late 2024; this final rule is the output. The Commission's preamble cites "increased sophistication of threat actors targeting critical infrastructure" and notes that voluntary frameworks do not produce uniform baseline security across the utility sector.
Who's affected. If you are a utility operator in New York with more than 100,000 gas customers or more than 10,000 water/electric customers, or if you hold a telecommunications certificate of public convenience and necessity, you are covered. The CISO requirement is the immediate pressure point: the rule requires the CISO to have "appropriate qualifications and experience," and the Commission reserves the right to reject a CISO appointment if the qualifications do not match the utility's risk profile. If you currently delegate cybersecurity to your IT director as a part-time responsibility, that structure will not survive the first compliance certification cycle. The annual risk assessment must be filed with the Commission by March 31 of each year, starting March 31, 2027. The first assessment cycle starts now. The third-party audit requirement phases in over three years, but the Commission can order an earlier audit if it identifies deficiencies in a utility's certification.
What to watch. The Commission has not published guidance on what constitutes "appropriate qualifications" for a CISO, and it has not defined the scope of the third-party audit. Expect a technical conference in late summer, followed by a guidance document in September. The first round of certifications will land in March 2027, and the Commission will almost certainly issue deficiency notices to utilities that file boilerplate certifications without evidence of board engagement or risk-assessment rigor. If you are a telecommunications carrier operating in New York under a CPNC and you have not started a gap analysis against NIST 800-53 or the CIS Critical Security Controls, the clock is running.
Three states moved on small-business compliance this week
Ohio finalized mitragynine scheduling. The State Board of Pharmacy adopted new rule 4729:9-1-01.1 on May 7, classifying mitragynine and 7-hydroxymitragynine as drugs of concern under Ohio law. The rule took effect May 19. Mitragynine is the active alkaloid in kratom, a plant-derived substance sold as a dietary supplement in smoke shops and online. Ohio does not ban kratom outright. It classifies the active compounds as drugs of concern, which triggers labeling and sales restrictions but stops short of controlled-substance scheduling. The rule affects kratom retailers in Ohio and manufacturers who ship into the state. If you sell kratom products in Ohio, you must now ensure that product labels include mitragynine content, comply with adulteration standards under ORC 3719.44, and avoid marketing claims that trigger FDA drug-misbranding enforcement. The rule does not impose a seller's permit requirement, but it does create a pathway for the Board to pull products from the market if a lab analysis shows contamination or mislabeling. Watch for enforcement actions in June. The Board has telegraphed a sweep of smoke shops in Columbus and Cleveland, and the first set of warning letters will clarify how the Board interprets "adulteration" under the new rule.
Texas updated HMO network notification requirements. The Texas Department of Insurance published proposed amendments to 28 TAC §11.1402 on May 8, requiring health maintenance organizations to notify physicians and providers annually of opportunities to join the HMO's networks. The proposal extends the existing physician-notification requirement to vision care providers and clarifies that the notice must include information about credentialing timelines and appeal rights. The rule affects Texas HMOs and expands the pool of providers who must receive network-participation notices. If you operate an HMO in Texas and you currently limit annual network notifications to physicians, you will need to update your notice procedures to include optometrists and ophthalmologists who participate in vision care plans. The comment window closes June 9; final rule is expected in August with an October effective date.
Pennsylvania prohibited AI glasses in courthouses. Montgomery County's Court of Common Pleas issued Administrative Order 2026-00001 on May 9, banning possession or use of smart glasses or AI-enabled glasses with recording capability inside Montgomery County judicial facilities without written permission from the court administrator. The order took effect immediately. The rule affects anyone entering Montgomery County courthouses: lawyers, parties, witnesses, court staff, and the public. If you wear smart glasses for accessibility purposes (e.g., real-time captioning for hearing impairment), you can apply for an exemption, but the default posture is prohibition. The order does not define "AI-enabled," which creates a gray area for augmented-reality eyewear that processes video locally without recording. Expect similar orders in Philadelphia and Allegheny Counties by July. Pennsylvania's courts have been coordinating on courtroom-technology policies since late 2025, and Montgomery's order is the first issued under that coordination framework.
What's binding this week
- May 18. New York utilities must begin cybersecurity risk assessments for the first compliance certification cycle (March 31, 2027 filing deadline).
- May 19. Ohio's mitragynine scheduling rule takes effect. Kratom retailers must comply with labeling and adulteration standards.
- May 20. Sealed bids due for New York State School for the Blind roof replacement project (Project 47779-C, 47779-H, 47779-E). MWBE participation goals: 30% for construction work.
- June 4. Pennsylvania DEP opens bids for abandoned mine reclamation project in Venango County (erosion control, grading, site restoration across 23 acres).
- June 9. Texas HMO network notification rule comment window closes. Final rule expected August, effective October.
- August (estimated). ATF comment windows close for Form 4473 revision, electronic recordkeeping, NFA transport-notice elimination, and spousal co-ownership proposals.
The bottom line
The ATF package is an offer: move your compliance infrastructure to software, and the agency will meet you there with faster approvals, fewer trace failures, and less time spent in your stockroom during inspections. The utilities cybersecurity rule in New York is a notice: voluntary frameworks are over, and the CISO you hire in the next six months will determine whether your March 2027 certification survives Commission scrutiny. The state-level moves on kratom, HMO networks, and courthouse technology are small individually, but they form a pattern: regulatory agencies are tightening definitions, expanding notice requirements, and closing loopholes that existed because no one thought to draft a rule. If your compliance checklist still has a line item that says "monitor for guidance," cross it out. Guidance is binding now. Forward this to whoever on your team is still tracking rules in a spreadsheet instead of a database. The volume is past the point where a human can keep up without infrastructure.