Navigating the Complexities of U.S. Cybersecurity Regulation Harmonization

Cybersecurity is an essential part of every organization’s technological hygiene. In some cases, a resilient cybersecurity posture is even a critical element of an organization’s compliance with regulations and laws. Yet complying with government requirements while maintaining robust cybersecurity measures and improving cyber resilience can be a monumental challenge. In addition to an ever-evolving cyber threat landscape, organizations face a complex web of overlapping and often inconsistent cybersecurity regulations across federal, state, and local levels. The challenge of this situation was acknowledged in President Joe Biden’s 2023 National Cybersecurity Strategy, and, in July 2023, the White House Office of the National Cyber Director (ONCD) issued a request for information (RFI) on regulatory harmonization. Regulatory harmonization aims to simplify and align conflicting or overlapping regulations and ease the administrative burdens and costs on regulated entities. This RFI ultimately received 86 unique responses from various sectors.

Our Analysis
The R Street Institute has released a new report, “Decoding Organizations’ Responses to U.S. Cybersecurity Regulatory Harmonization Efforts with Data Science,” which analyzes these responses to reveal important insights for policymakers to consider while undertaking the onerous task of cybersecurity regulatory harmonization. Specifically, our report focuses on the RFI responses and proposes recommendations pertinent to clarifying intent and providing a roadmap for the federal government’s future efforts; it does not propose or analyze solutions for harmonizing regulations. Additionally, our report focuses only on the scope of the RFI on minimum cybersecurity requirements (i.e., not incident response requirements or other actions that must be taken after a cyber incident has occurred).

Our analysis of the RFI responses revealed the following aggregate-level trends:

• Desire to Consolidate Requirements: There was a common belief that consolidating reporting and auditing requirements under fewer regulatory bodies could significantly reduce compliance burdens.
• Preference for Sector-Specific Approaches: Most respondents expressed a preference for sector-specific, collaborative cybersecurity regulations over a one-size-fits-all approach. This contrasts with ONCD’s apparent intent to develop baseline cybersecurity measures across sectors.
• Concerns over Prescriptive Regulations: Respondents highlighted that overly prescriptive, checklist-based regulations often divert resources from addressing real cybersecurity threats and struggle to keep pace with the rapidly evolving cyber landscape.
• Misalignment in Understanding of RFI: There seemed to be a disconnect between the government’s definition of harmonization and respondents’ interpretations. Many suggestions did not fully align with the proposed goal of harmonization as outlined in the RFI.

We then suggested five key recommendations based on our analysis of the RFI responses and our understanding of the regulatory environment: 

• Harmonize Definitions and Intent: The government should clarify the meaning and intent of harmonization to avoid misunderstandings and ensure alignment with stakeholders.
• Align Priorities with Stakeholders: ONCD and other agencies should continue engaging with policymakers, regulatory bodies, industry professionals, and cybersecurity experts to determine next steps and build consensus.
• Engage Smaller Entities: Efforts should be made to account for the perspectives of smaller organizations that may lack resources to respond to RFIs.
• Streamline Regulatory Coordination: Consider designating a federal entity to coordinate regulations across agencies and regulators, potentially enhancing the existing efforts of ONCD and the Cybersecurity and Infrastructure Security Agency.
• Conduct Further Analysis: Pursue additional targeted RFIs and apply more sophisticated data science techniques on the current RFI’s responses to identify deeper insights into key areas of interest.

ONCD’s Analysis and Next Steps
Recently, ONCD released their own summary report on the RFI responses and provided congressional testimony, which addressed some of the same concerns we raised. ONCD has acknowledged the widespread concern over the lack of cybersecurity regulatory harmonization and reciprocity.

Notably, ONCD is working with partners to build a pilot reciprocity framework for a critical infrastructure subsector. If it proves successful, this pilot framework would provide valuable insights into effective cybersecurity regulatory approaches, although it would require broader regulatory agency buy-in to be uniformly applicable across sectors. 

Fortunately, both Congress and the Biden administration recognize that this challenge affects businesses of all sectors and sizes, impacting cybersecurity outcomes and business competitiveness. We are hopeful that congressional support can help bring relevant agencies together to develop a cross-sector framework for harmonization and reciprocity of baseline cybersecurity requirements.

A Path Forward for Harmonization
The path to cybersecurity regulatory harmonization is complex, requiring a delicate balance between establishing consistent baselines and accommodating sector-specific needs. ONCD’s acknowledgment of these challenges and commitment to addressing them is a positive step forward. Their planned pilot program and call for congressional support demonstrate a proactive approach to this long-standing issue. To support ONCD’s efforts, government, industry, and cybersecurity experts must engage in ongoing dialogue that focuses on the effectiveness, efficiency, and adaptability of any proposed cybersecurity regulatory framework. In addition, government efforts to improve reciprocity and foster collaboration will be essential.  In short, policymakers—including those at ONCD—should prioritize regulations that facilitate cybersecurity risk mitigation and improve resiliency while maintaining transparency and avoiding overreach. Any steps taken toward solving this “hard problem” provide hope for a more streamlined, effective cybersecurity regulatory environment that enhances national resilience while accommodating sector-specific concerns.