The cybersecurity regulatory landscape has become unmanageable: a patchwork of inconsistent and overlapping regulations defines the current environment. Organizations are often subject to multiple regulators across all levels of government, including local, state, and federal, and even across international borders.
In an announcement published this week, the White House acknowledged the increasing fragmentation of cybersecurity regulation as a decades-old problem that requires action.
The Office of the National Cyber Director (ONCD) is launching a new pilot program aimed at achieving better cybersecurity outcomes with fewer compliance dollars. After collecting feedback from the private sector through a request for information (RFI) last August, ONCD received 86 responses, representing 11 of the 16 critical infrastructure sectors, along with membership organizations that represent over 15,000 businesses. The RFI responses run to 2,000 pages of comments.
CISOs Overwhelmed by Regulatory Compliance Burden
Respondents to the RFI agreed that the fragmentation of cybersecurity regulation has led to poor security outcomes and a stifling of business competitiveness. One example cited in the summary includes comments from the Business Roundtable, an association of more than 200 chief executive officers of America’s leading companies:
Duplicative, conflicting, or unnecessary regulations require companies to devote more resources to fulfilling technical compliance requirements without improving cybersecurity outcomes.
The National Defense Industry Association, which represents ~1,750 corporate members and 65,000 individual members from small and mid-sized contractors, commented: “Inconsistencies also pose barriers to entry, especially for small and mid-sized businesses that often have limited resources available to establish multiple compliance schemes.”
The summary states that the Financial Services Sector Coordinating Council highlighted that many sector CISOs report spending 30 to upwards of 50 percent of their time on regulatory compliance.
Compliance activities eat up a disproportionate amount of time because examiners’ questions are not standardized in any way, and every regulator requires a different report for managing the same risk. A single framework would remove some of the reporting requirements, streamline compliance, and reduce the burden so that CISOs are not spending more time on paperwork than on securing their systems.
White House Aims to Establish Regulatory Harmonization and Reciprocity to Get Better Cybersecurity Outcomes and Reduce Burden on Businesses
Nick Leiserson, ONCD Assistant National Cyber Director for Cyber Policy, testified in a Senate hearing held today, outlining the challenges that fragmented regulation poses for the private sector.
The problem stems from the lack of harmonization and reciprocity across federal, state, and international regulators. Organizations are making significant investments in compliance to control the same risk, which reduces actual programmatic cybersecurity spending.
Leiserson’s testimony references two concepts that work hand in hand: regulatory harmonization and regulatory reciprocity.
Harmonization requires establishing a common set of cybersecurity requirements for regulators that are controlling the same type of risk, in order to reduce overlap.
Reciprocity would allow these harmonized requirements to be recognized across various regulatory bodies:
If one regulator found that a company’s multifactor authentication was being appropriately used on an information system, another regulator would use the first regulator’s finding – not their own, independent assessment – as the necessary proof that the company was complying.
The ONCD believes reciprocity “can drastically reduce the portion of compliance costs spent on administrative burdens by allowing entities to demonstrate conformance to a regulation once and then reuse that finding for multiple regulators.”
During the hearing, Leiserson said the biggest challenge in establishing these frameworks is the breadth of regulators. This requires getting all the relevant parties to the table to ensure they design a framework that is applicable across sectors.
The ONCD will need Congress’ help to establish this framework. The agency already has a coalition of the willing, but a clear mandate from Congress would be necessary to enlist the cooperation of all relevant regulators.
David Hinchman, U.S. Government Director of Information Technology and Cybersecurity, said Congress will need to consider expanding regulatory authority, not by granting wholesale power, but by having agencies approach Congress with specific proposals for this initiative.
During the hearing, when asked what is being done to streamline reporting requirements across state and federal levels, Hinchman said this effort is “very much in its infancy.”
Small businesses are apprehensive that these reporting requirements will crush them under the burden. Hinchman gave the example of a school district managing conflicting incident reporting rules, including local reports and CISA’s requirements. IT in such districts is generally underfunded; one person may handle IT for the entire district, including cybersecurity. Regulatory fragmentation is unsustainable under these demands.
Timeline and Next Steps
Both officials who testified at the hearing gave compelling arguments for bringing this patchwork of regulation into a common framework. Instead of forcing companies to invest in multiple systems to meet a hodgepodge of different regulations, the federal government will need to lead the way in harmonizing these requirements.
Leiserson said the ONCD has strong confidence that state governments will look to federal leadership as the gold standard and move in that direction. The federal government will need to partner with Congress to set that standard and begin reducing duplicative requirements.
Based on RFI feedback, ONCD is developing a pilot reciprocity framework for a critical infrastructure subsector, expected to be completed early in 2025. This pilot aims to provide insights for achieving reciprocity in cybersecurity regulation. Additionally, ONCD is collaborating with the Cybersecurity Forum to harmonize common cybersecurity controls, laying the groundwork for unifying various regulatory regimes.