
HSToday: Office of the National Cybersecurity Director publishes summary of the 2023 request for information on the harmonization of cybersecurity regulations

The Office of the National Cybersecurity Director (ONCD) has published a summary of the responses it received to its 2023 Request for Information (RFI) on the harmonization of cybersecurity regulations. The initiative is part of a broader effort to improve cybersecurity outcomes while reducing costs for companies and their customers. By working closely with industry stakeholders, ONCD aims to create a comprehensive regulatory harmonization policy framework that strengthens cybersecurity preparedness and resilience across all sectors.

ONCD’s objectives are threefold: to enhance cybersecurity across sectors, to improve how cybersecurity regulators carry out their oversight and regulatory responsibilities, and to significantly reduce the administrative burden and costs imposed on regulated entities. These efforts are consistent with the National Cybersecurity Strategy Implementation Plan version 1, which sets out the Core Requirements Reciprocity Framework, developed in collaboration with interagency partners participating in the Cybersecurity Forum for Independent and Executive Regulators.

On August 16, 2023, ONCD issued a Request for Information to gather comments from a wide range of stakeholders, including industry, civil society, academia and other government partners. The RFI collected feedback on existing regulatory overlap challenges and explored the possibility of introducing a reciprocity framework for core requirements. ONCD received 86 unique responses, representing 11 of 16 critical infrastructure sectors, as well as comments from industry associations, nonprofits, and research organizations. These respondents collectively represent more than 15,000 companies, states and other organizations.

Based on the feedback received through the RFI, ONCD is currently exploring a pilot reciprocity framework that could be implemented in a single critical infrastructure subsector. The purpose of this pilot, described in the National Cybersecurity Strategy Implementation Plan version 2 (initiative 1.1.5), is to provide insight into how reciprocity can be achieved in the design of cybersecurity regulatory approaches. The pilot is expected to conclude next year and will form the basis of broader efforts to integrate different regulatory regimes.

Analysis and key findings

The RFI responses highlighted three main findings:

  1. Lack of harmonization harms cybersecurity performance: Respondents noted that a lack of regulatory harmonization and reciprocity negatively impacts cybersecurity performance while increasing compliance costs. Resources spent on compliance were often diverted from cybersecurity programs.
  2. Cross-sectoral and cross-jurisdictional challenges: Regulatory challenges affect companies of all sizes and sectors and cut across jurisdictional boundaries. Inconsistent or duplicative requirements across international and state regulatory systems were particularly problematic.
  3. The role of the U.S. government: Respondents suggested several ways the administration and Congress could increase harmonization and reciprocity. These include setting national standards and including independent regulators in future planning efforts.

For example, the Business Roundtable highlighted the burden of duplicative regulations, stating that they require companies to devote more resources to compliance rather than to improving cybersecurity. Similarly, the National Defense Industrial Association highlighted the barriers to entry that inconsistent regulatory requirements create for small and medium-sized enterprises.

The lack of harmonization also affects federal, state and international regulators. Many respondents noted that the investment needed to demonstrate compliance across multiple regulatory regimes often resulted in reduced cybersecurity spending. The Financial Services Sector Coordinating Council reported that many chief information security officers spend a significant portion of their time ensuring regulatory compliance.

Respondents proposed several features of a more harmonized regulatory landscape, including alignment with risk management approaches such as the NIST Cybersecurity Framework (CSF), coordination among regulators to reduce overlapping requirements, and collaboration with international allies to ensure reciprocity. Respondents also suggested that supply chain security be treated on the same footing as cybersecurity, so that ICT providers are held to standards similar to those applied to critical infrastructure operators.

Recommendations for action

Respondents made specific recommendations for further harmonization of cybersecurity regulations:

  • Federal leadership: Federal leadership could help state, local, tribal, and territorial governments improve and align their related regulations.
  • National standards legislation: Several respondents, including the U.S. Chamber of Commerce and the National Electrical Manufacturers Association, suggested that Congress consider legislation setting high-level national standards for cybersecurity.
  • Inclusion of independent regulators: The Chamber of Commerce also recommended including independent regulators in future planning activities aimed at improving regulatory harmonization.

ONCD will use the findings from the RFI and the pilot to further develop a comprehensive framework for the harmonization of cybersecurity regulations, with the aim of improving cybersecurity outcomes and reducing the burden on regulated entities.

The full summary report from ONCD and National Cyber Director Harry Coker is available on the ONCD website.


Matt Seldon, B.A., is an editorial contributor to HSToday. He has over 20 years of experience in writing, social media and analysis. Matt holds a degree in Computer Science from the University of South Wales, UK. His diverse professional experience includes positions with the Department for Work and Pensions and a variety of roles in private sector companies. Since starting work, he has written and edited blogs and online content for promotional and educational purposes at his workplaces. Throughout his career, Matt has run social media campaigns on platforms such as Google, Microsoft, Facebook and LinkedIn on promotional and educational topics. His educational campaigns have covered charitable volunteering in the public sector and personal finance.