The federal government should streamline its cyber requirements with a specific focus on auditing and reporting, according to a new report from the R Street Institute offering recommendations on harmonization in response to an Office of the National Cyber Director request for information.

“[C]omplying with government requirements while maintaining robust cybersecurity measures and improving cyber resilience can be a monumental challenge. In addition to an ever-evolving cyber threat landscape, organizations face a complex web of overlapping and often inconsistent cybersecurity regulations across federal, state, and local levels,” resident senior fellow Amy Chang and resident fellow Haiman Wong say in a June 27 blog post summarizing the report findings.

The report analyzes responses to a July 2023 RFI from ONCD on regulatory harmonization, identifying “aggregate-level trends” in stakeholder feedback and providing five specific recommendations for the federal government.

The RFI focused on ways to improve the regulatory landscape under President Biden’s national cyber strategy. It asked for feedback from stakeholders on how to approach harmonizing cybersecurity regulations, including addressing conflicting requirements and the use of common guidelines.

ONCD released its own report going into comment filings on June 4, ahead of a Senate Homeland Security Committee hearing on harmonizing the cybersecurity regulatory process.

The R Street post says, “There was a common belief that consolidating reporting and auditing requirements under fewer regulatory bodies could significantly reduce compliance burdens.”

To address this finding, the think tank report says, a “coordinating body is needed to harmonize across agencies, regulators, state/local governments, and the organizations subject to those regulations. ONCD, CISA, and other contributing entities have existing efforts and commitments to harmonize cyber incident reporting requirements and other cyber regulations, but designating a federal entity to coordinate regulations across regulators and agencies may be an option to consider.”

Other recommendations call for a greater focus on stakeholder engagement to “align priorities and expectations,” conducting outreach to “smaller entities” to identify compliance challenges and leveraging analysis of the RFI to “create more targeted RFIs to elaborate on key areas of interest.”

R Street also calls for a broader focus on defining the goals of harmonization efforts. The report says, “Our analysis revealed the potential for misunderstanding the meaning and intent of harmonization. Although all stakeholders can agree that cyber regulations are too numerous and duplicative, the federal government’s end goal remained unclear until recent testimony and ONCD reporting.”

“To avoid having an ever-moving goalpost as the cyber threat landscape evolves, the government should clarify what foundational cybersecurity looks like and how baselines can be updated in a timely and effective manner,” R Street says.