The Office of the National Cyber Director (ONCD) has released a summary of responses to its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI). This initiative is part of a broader effort to improve cybersecurity outcomes while reducing costs for businesses and their customers. By collaborating closely with industry stakeholders, the ONCD aims to create a comprehensive policy framework for regulatory harmonization that will strengthen cybersecurity readiness and resilience across all sectors.
The ONCD’s goals are threefold: to enhance cybersecurity across various sectors, to streamline oversight and regulatory responsibilities for cyber regulators, and to significantly reduce the administrative burden and costs on regulated entities. This effort is in line with the National Cybersecurity Strategy Implementation Plan Version 1, which outlines a framework for reciprocity for baseline requirements, developed in conjunction with interagency partners participating in the Cybersecurity Forum for Independent and Executive Branch Regulators.
On August 16, 2023, ONCD issued an RFI to gather input from a wide range of stakeholders, including industry, civil society, academia, and other government partners. The RFI sought feedback on existing challenges related to regulatory overlap and explored the possibility of a reciprocity framework for baseline requirements. ONCD received 86 unique responses, representing 11 of the 16 critical infrastructure sectors, as well as input from trade associations, nonprofits, and research organizations. These respondents collectively represent over 15,000 businesses, states, and other organizations.
Building on the feedback from the RFI, ONCD is now exploring a pilot reciprocity framework to be implemented in a critical infrastructure subsector. This pilot program, outlined in the National Cybersecurity Strategy Implementation Plan Version 2 (initiative 1.1.5), aims to provide insights on achieving reciprocity in designing cybersecurity regulatory approaches. The pilot is expected to be completed next year and will inform broader efforts to integrate various regulatory regimes.
Analysis & Key Findings
The RFI responses highlighted three primary findings:
- Lack of Harmonization Harms Cybersecurity Outcomes: Respondents noted that the lack of regulatory harmonization and reciprocity negatively impacts cybersecurity outcomes while increasing compliance costs. Resources spent on compliance were often diverted from cybersecurity programs.
- Cross-Sector and Cross-Jurisdictional Challenges: Regulatory challenges extend across businesses of all sizes and sectors and cross jurisdictional boundaries. Inconsistent or duplicative requirements across international and state regulatory regimes were particularly problematic.
- Role of the U.S. Government: Respondents suggested several ways the Administration and Congress could enhance harmonization and reciprocity. These include setting national standards and including independent regulators in future planning efforts.
For instance, the Business Roundtable emphasized the burden of duplicative regulations, stating that they require companies to allocate more resources to compliance rather than improving cybersecurity. Similarly, the National Defense Industry Association highlighted the barriers to entry for small and mid-sized businesses due to inconsistent regulatory requirements.
The lack of harmonization also extends to federal, state, and international regulatory bodies. Multiple respondents noted that investments in compliance across different regimes often resulted in reduced cybersecurity spending. The Financial Services Sector Coordinating Council reported that many chief information security officers spend a significant portion of their time on regulatory compliance.
Respondents proposed several characteristics for a more harmonized regulatory landscape, including aligning with risk management approaches like the NIST Cybersecurity Framework (CSF), coordinating among regulators to reduce overlapping requirements, and collaborating with international allies to drive reciprocity. Elevating supply chain security to the same level as cybersecurity was also suggested to ensure information and communications technology vendors are held to similar standards as critical infrastructure operators.
Recommendations for Action
Respondents provided specific recommendations for further harmonizing cybersecurity regulations:
- Federal Leadership: Federal leadership could help guide state, local, Tribal, and territorial governments to streamline related regulations.
- Legislation for National Standards: Several respondents, including the U.S. Chamber of Commerce and the National Electrical Manufacturers Association, suggested that Congress consider legislation to set high-level national standards for cybersecurity.
- Inclusion of Independent Regulators: The Chamber of Commerce also recommended including independent regulators in future planning efforts to improve regulatory harmonization.
The ONCD will use the findings from the RFI and the pilot program to continue developing a comprehensive framework for cybersecurity regulatory harmonization, aiming to improve cybersecurity outcomes and reduce the burden on regulated entities.
Read the full summary report from the ONCD and Harry Coker here.
This post was originally published on 3rd party site mentioned in the title of this site
