Issuing a new request for information through the Office of the National Cyber Director to guide the Trump administration’s approach to cyber regulatory harmonization would be helpful amid a push by several federal agencies to explore opportunities for deregulation, according to the R Street Institute’s Haiman Wong.

“A pulse check would be very helpful moving forward before any further direct cutting, streamlining or drastic actions are done,” Wong told Inside Cybersecurity. Wong is an R Street resident fellow focused on cybersecurity and emerging threats, with a background in financial sector incident response work.

Cyber regulatory harmonization is a key issue for R Street in 2025, according to a January position paper outlining the think tank’s legislative and regulatory priorities for the Trump administration and the 119th Congress.

R Street released a report in June 2024 reviewing responses to a 2023 RFI issued by the ONCD asking for input on how to approach harmonizing cyber regulations. The report found stakeholders were interested in streamlining cyber requirements with a specific focus on auditing and incident reporting.

Wong compared the RFI issued under the Biden administration to “trying to find a needle in a haystack” through its broad framing. She said, “It was a very good first step, but with AI picking up so drastically, with a new Congress as well, and certainly a new administration, I think the approaches are probably going to be a little bit different.”

For this reason, Wong argued the new administration should not jump right into making sweeping changes aimed at cyber regulatory streamlining without first taking the industry’s pulse.

The government should instead issue “targeted RFIs to gain more insights and usher toward specific focuses or priorities that the ONCD or CISA are interested in,” according to Wong.

Feedback from industry should inform an approach to regulatory harmonization based on a shared understanding of goals for harmonization, Wong said, as well as “baseline security requirements” that can be applied across all sectors.

Comments should be used to “define some sort of end goal for what harmonization means, [and] what the scope should be,” Wong argued. She pointed to findings from R Street’s review of the ONCD comments that “no one really has a crystal clear understanding of what the government means by harmonization.”

Wong said a realistic approach would be framing harmonization around establishing a baseline of “security standards everyone must have and then build up from there.” She noted, “Some sectors who are more sensitive will obviously need to have more stringent standards than others, but having that baseline would be a good starting point.”

Wong explained, “The idea of harmonizing is to make sure that we’re not being duplicative, and that we’re also not hampering defenders to the point where they’re trying to comply with seven different agencies when they’re really more of the same thing than they are different.”

While every sector has a different regulatory environment, Wong said early efforts should focus on identifying “very rudimentary cyber hygiene practices” that the National Security Council, ONCD, CISA and the National Institute of Standards and Technology have identified in baseline guidance.

A cross-sector approach would not need to “go all the way in terms of agreeing on the specific language,” Wong said. For example, she said agencies could reach a consensus that multifactor authentication is “an important thing to use across all sectors, and how people implement that can be more voluntary.”

Vulnerability patching is another area where a baseline standard could be used, according to Wong, and sector-specific regulators can “disagree later on about the actual mandated time to remediate it or patch it.”

Wong added the targeted RFIs should make sure to have “a special eye toward smaller organizations who might actually lack resources to respond.” She emphasized that small businesses face a significant compliance burden and can be under-represented in government engagements.

Convening authority

A key issue for pursuing cyber regulatory harmonization is giving an entity the authority to convene regulators for necessary discussions, according to Wong.

She said there “seems to be a lack of a coordinating authority around cyber regulatory harmonization.”

One path to creating that convening authority is the reintroduction of a closely watched regulatory harmonization bill from the 118th Congress, sponsored by Senate Homeland Security ranking member Gary Peters (D-MI) and Sen. James Lankford (R-OK), to create an interagency committee at ONCD tasked with developing a reciprocity framework.

Peters has plans to reintroduce the bill and is working to generate support from potential co-sponsors.

Wong said Congress “could certainly grant empowered authority to an entity like the ONCD” to drive regulatory harmonization work. She raised CISA as another option, while noting that the cyber agency may have some trouble given that “CISA has kind of been dragged in through some political fights recently.”

Role for DOGE

Wong also sees a role for the “Department of Government Efficiency” to play in regulatory harmonization through framing high-level priorities and generating agency buy-in. President Trump issued a Jan. 20 executive order to establish the “U.S. DOGE Service” at the White House by reorienting and renaming the U.S. Digital Service.

Wong said, “Having some sort of messaging from the top-down could be helpful in helping agencies steer towards that, even if they’re doing it independently on their own.”

She noted, “Saying DOGE might have a role to play in this will certainly give some people on Capitol Hill a little bit of heartburn – probably rightfully so – but I would say we are really focused on the idea of voluntary paths forward.”

The role of DOGE here would be to “pitch” regulatory harmonization as a priority in addition to its mission focused on spending cuts, according to Wong.