Efforts to Harmonize Cybersecurity Regulations in the Federal Government: Progress and Challenges

The recent report "CYBERSECURITY: Efforts Initiated to Harmonize Regulations, but Significant Work Remains," presented by David B. Hinchman, Director of Information Technology and Cybersecurity at the Government Accountability Office (GAO), before the Committee on Homeland Security and Governmental Affairs of the United States Senate, highlights the ongoing efforts and challenges in harmonizing cybersecurity regulations for critical infrastructure sectors. Harmonization means designing and implementing comparable cybersecurity standards and regulations across several sectors, with the goal of improving security outcomes while lowering costs. The existing landscape of conflicting cybersecurity regulations frequently forces organizations to spend extra time and staff hours resolving the disparities, which underscores the importance of harmonization.

Harmonization of cybersecurity rules is vital in critical infrastructure sectors, which face multiple cybersecurity demands. The White House has stated that harmonizing regulatory standards can result in greater security outcomes at reduced costs. However, without harmonization, negative consequences can arise, as outlined in the GAO's 2020 study. The research stated that four federal agencies had issued conflicting cybersecurity rules for states, which resulted in a considerable increase in the time and personnel hours required to resolve these differences. The GAO issued 12 recommendations to these agencies, eight of which have been adopted, while four, including two priority ones, remain unresolved.

Recognizing the need to harmonize cybersecurity regulations, the Administration and Congress have launched a number of important efforts. The National Cybersecurity Strategy, released in March 2023, and the associated implementation plan, presented in July 2023, recognize the need for a cyber regulatory harmonization project. However, these documents do not specify a timetable for completing the follow-on activities needed to unify regulations. In August 2023, the Office of the National Cyber Director (ONCD) published a request for information seeking public input on the difficulties created by cybersecurity regulatory overlap, which received over 100 responses. However, ONCD has not yet released a summary of those responses.

Furthermore, in April 2024, the Administration issued National Security Memorandum-22 on Critical Infrastructure Security and Resilience, which directs the Department of Homeland Security (DHS) to create a plan to harmonize cybersecurity regulations as part of a national infrastructure risk management strategy. That plan is due to be released by April 2025. In addition, the Cyber Incident Reporting for Critical Infrastructure Act, passed in 2022, aims to better prioritize efforts to address cyber threats by requiring certain companies to report cyber incidents to DHS. In September 2023, DHS produced a study outlining eight suggestions and three recommended legislative amendments to improve and harmonize cyber incident reporting.

Despite these important starting steps, much work remains. The effort to standardize cybersecurity regulations is ongoing, and no completion date has yet been set. The Administration's measures, such as establishing minimum cybersecurity requirements for key infrastructure sectors, increasing agency use of frameworks and international standards to inform regulatory alignment, and investigating reciprocity pilot programs, are still in progress. The ONCD's request for public input is a useful first step toward understanding the existing difficulties with regulatory overlap, but it must be followed by concrete actions and timetables if harmonization is to be achieved.

For nearly 25 years, the GAO has designated cybersecurity as a high-risk area across the government. The growing threat of cyber-based invasions and attacks on government and non-federal systems emphasizes the need for immediate response. These attacks jeopardize the continuity, confidence, integrity, and accountability of critical systems, and the risks to these systems—including insider threats, rising global threats, and the emergence of new and more destructive attacks—combine to compromise sensitive data and destabilize critical operations.

The majority of the nation's essential infrastructure is owned by the private sector, so collaboration between the public and private sectors is critical to securing these assets and systems. Various federal agencies are responsible for supporting the private sector in improving cybersecurity; however, the current patchwork of competing cybersecurity regulations can lead to inconsistencies and redundancy. The White House has acknowledged that harmonizing regulatory standards can result in better security outcomes at a reduced cost, and recent initiatives by the Administration and Congress are positive milestones.

However, stakeholders must remain focused on resolving the conflicts, inconsistencies, and redundancies that currently exist in the nation's cybersecurity rules. Following through on specified plans and following established timetables, with assistance from important institutions such as ONCD, DHS, and Congress, is critical to attaining harmonization. As a result, the country's vital infrastructure sectors will be better positioned to address cybersecurity from a shared perspective and secure the nation's future safety and security.

In conclusion, attempts to standardize cybersecurity rules are vital for ensuring the security of the country's critical infrastructure. While the first steps have been taken, more work has to be done. The continuing focus on resolving regulatory issues and implementing precise strategies and timelines will be vital to achieving harmonization and better positioning the country's key infrastructure sectors to effectively address cybersecurity challenges. The GAO's report emphasizes the necessity of these efforts, as well as the need for continued coordination between the public and private sectors to safeguard the nation's key assets and systems.

FedFeather Frank says:

“This blog post is significant because it highlights the critical ongoing efforts to harmonize cybersecurity regulations for the nation's critical infrastructure, emphasizing the importance of consistent standards to improve security outcomes and reduce operational costs amid increasing cyber threats. It underscores the need for continued focus and collaboration between public and private sectors to address these challenges effectively.”
