
Federal cybersecurity requirements for critical infrastructure remain fragmented and costly despite years of government efforts to better coordinate them, according to a new Government Accountability Office (GAO) report.
GAO said agencies have taken steps since 2020 to reduce burdens on state governments, and industry has responded positively to free guidance, tools, and risk assessments from agencies. But a panel of representatives from seven critical infrastructure sectors told GAO that little progress has been made in harmonizing federal regulations.
The result, GAO said, is a patchwork of overlapping requirements, inconsistent definitions, and incident reporting mandates that vary in the detail, timing, and thresholds they require, creating redundant work and outright conflicts for critical infrastructure operators.
For example, GAO reported that several critical infrastructure representatives said regulations often use similar but not identical definitions; without standardized terminology, it is difficult to fully understand and satisfy requirements under competing standards.
“In addition, several participants stated that different frameworks have similar controls and reporting requirements but have small differences that can create unnecessary overlap and confusion,” GAO said.
The panel participants told GAO that those challenges have raised costs and demanded more time and staff expertise to address.
GAO explained that those costs divert “resources away from the critical mission of securing systems,” and especially impact smaller companies with fewer resources.
Large organizations face pressures as well, GAO said, because they are often subject to foreign requirements in addition to federal rules.
“Participants noted that standardizing foreign and federal requirements and definitions would help to reduce regulatory burdens for businesses that operate internationally,” GAO said.
The industry representatives made recommendations to harmonize federal cybersecurity regulations, including:
- Use the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) to streamline incident reporting
- Renew and update older laws to reflect new technology
- Create a cross-agency mechanism to resolve conflicting terms and reporting requirements
- Give the Office of the National Cyber Director a clearer mandate to reduce overlap and inconsistencies across regulations
Other recommendations encouraged the creation of metrics to evaluate regulatory effectiveness; consolidation of reporting into a single system for each sector; standardization of key terminology and deadlines across frameworks; and confidentiality protections for information shared with regulators.