The Office of the National Cyber Director (ONCD) released its request for information (RFI) on cybersecurity regulatory harmonization and regulatory reciprocity today, seeking input from stakeholders to understand existing challenges with regulatory overlap and inconsistency.
The White House’s end goal for the RFI is to create a framework that represents reciprocity of baseline cyber requirements that are aligned across all critical infrastructure sectors. The document defines harmonization as “a common set of updated baseline regulatory requirements that would apply across sectors.”
The July 19 RFI builds on the commitment the administration made in the National Cybersecurity Strategy to “harmonize not only regulations and rules, but also assessments and audits of regulated entities.” The RFI advances one of the 69 initiatives that were released last week as part of the National Cybersecurity Strategy Implementation Plan.
“When cybersecurity regulations of the same underlying technology are inconsistent or contradictory – or where they are duplicative but enforced differently by different regulators – consumers pay more, and our national security suffers,” the RFI reads.
“Duplicative regulation leads to companies focusing more on compliance than on security, which results in their passing higher costs on to customers, working families, and state, local, Tribal, and territorial governments,” it adds. “Harmonizing baseline regulatory requirements can therefore produce better security outcomes at lower costs.”
ONCD is particularly interested in regulatory harmonization as it may apply to critical infrastructure sectors, and is calling on academics, non-profit entities, industry associations, regulated entities, and others with expertise in cybersecurity regulation, risk management, operations, compliance, and economics to respond to this RFI – as well as state, local, Tribal, and territorial (SLTT) entities in their capacity as regulators and as critical infrastructure entities.
“ONCD is seeking input from stakeholders to understand existing challenges with regulatory overlap and inconsistency in order to explore a framework for reciprocal recognition by regulators of compliance with common baseline cybersecurity requirements,” the RFI states.
“Unlike many other fields, at a technical level, the cybersecurity of one sector is inherently similar to the cybersecurity of other sectors,” it adds. “While regulated sectors may engage in distinct activities, they often use the same software, hardware, and information and communications technology and services to enable interconnectivity or automation.”
ONCD defines reciprocity as “the recognition or acceptance by one regulatory agency of another agency’s assessment, determination, finding, or conclusion with respect to the extent of a regulated entity’s compliance with certain cybersecurity requirements.”
The White House is seeking comments on ten different topic areas to begin its process of creating a framework for cybersecurity regulatory harmonization.
Primarily, ONCD wants to know about conflicting, mutually exclusive, or inconsistent regulations that cybersecurity stakeholders are required to meet across sectors, and how much it costs them annually.
The agency is also seeking feedback on regulation surrounding newer technologies, such as cloud services, or other critical emerging technologies that are being introduced into critical infrastructure.
Specifically, ONCD wants to know how the FedRAMP process can improve.
Finally, ONCD is seeking feedback from stakeholders on how SLTT and international cyber regulations conflict with Federal requirements. The agency noted that this can get confusing because “companies that operate in multiple states are often required to comply with a variety of overlapping state and federal cybersecurity requirements” – and the same goes for international regulations.
Comments to the RFI are due by 5 p.m. EST on Sept. 15.
Nicholas Leiserson, the assistant NCD for cyber policy and programs, said last week that as his team prepares to take on the large and potentially thorny task of harmonizing cybersecurity regulations, the process may take years to complete.
“What we’re looking for first is developing the framework,” Leiserson said on July 13. “We’re looking to do a request for information to hear from industry about where there are areas that are overlapping regulation, that are duplicative, that are conflicting, or – hopefully not, but sometimes – contradictory.”
Leiserson said the information that ONCD gathers from the RFI will be used as a roadmap to build a framework that represents reciprocity of baseline cyber requirements that are aligned across all sectors.
“I think it will be a years-long process, but one that if we are deliberate about it, and if we build a good framework, we can get to a much better outcome domestically and then hopefully leverage that in an international context as well.”