Seeking Input on Strategic Objective 1.1 – “Harmonizing Cybersecurity Regulations” – of the National Cybersecurity Strategy

The White House recently announced “a request for information (RFI) on cybersecurity regulatory harmonization and regulatory reciprocity. The RFI builds on the commitment the Administration made in the National Cybersecurity Strategy to ‘harmonize not only regulations and rules, but also assessments and audits of regulated entities.’ 

TLDR

The Office of the National Cyber Director (ONCD) strongly encourages academics, non-profit entities, industry associations, regulated entities and others with expertise in cybersecurity regulation, risk management, operations, compliance, and economics to respond to this RFI. We also welcome State, Local, Tribal, and Territorial (SLTT) entities to submit responses in their capacity as regulators and as critical infrastructure entities, specifying the sector(s) in which they are regulated or regulate. (1)

The RFI can be found at this link and will soon be posted to Regulations.gov. Responses are due by 5:00 p.m. EDT on September 15, 2023.”

RFI: Cybersecurity Regulatory Harmonization Request for Information (RFI)

The RFI advances one of the 69 initiatives that were released…as part of the National Cybersecurity Strategy Implementation Plan. When cybersecurity regulations of the same underlying technology are inconsistent or contradictory – or where they are duplicative but enforced differently by different regulators – consumers pay more, and our national security suffers. Duplicative regulation leads to companies focusing more on compliance than on security, which results in their passing higher costs on to customers, working families, and state, local, Tribal, and territorial governments. Harmonizing baseline regulatory requirements can therefore produce better security outcomes at lower costs. (1)

From the RFI

ONCD is seeking input from stakeholders to understand existing challenges with regulatory overlap and inconsistency in order to explore a framework for reciprocal recognition by regulators of compliance with common baseline cybersecurity requirements. Unlike many other fields, at a technical level, the cybersecurity of one sector is inherently similar to the cybersecurity of other sectors. While regulated sectors may engage in distinct activities, they often use the same software, hardware, and information and communications technology and services to enable interconnectivity or automation. The technological commonalities also mean that baseline risk mitigation measures are likely to be common among entities and sectors.

Summary

The Office of the National Cyber Director (ONCD) invites public comments on opportunities for and obstacles to harmonizing cybersecurity regulations. Strategic Objective 1.1 of the National Cybersecurity Strategy recognizes that while voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes. The Strategy calls for establishing cybersecurity regulations to secure critical infrastructure where existing measures are insufficient, harmonizing and streamlining new and existing regulations, and enabling regulated entities to afford to achieve security. ONCD, in coordination with the Office of Management and Budget (OMB), has been tasked with leading the Administration’s efforts on cybersecurity regulatory harmonization. We will work with independent and executive branch regulators to identify opportunities to harmonize baseline cybersecurity requirements for critical infrastructure.

ONCD seeks input from stakeholders to understand existing challenges with regulatory overlap, and explore a framework for reciprocity (the recognition or acceptance by one regulatory agency of another agency’s assessment, determination, finding, or conclusion with respect to the extent of a regulated entity’s compliance with certain cybersecurity requirements) in regulator acceptance of other regulators’ recognition of compliance with baseline requirements.

Supplementary Information

In this RFI, the ONCD invites public comments on cybersecurity regulatory conflicts, inconsistencies, redundancies, challenges, and priorities, in response to the questions below. ONCD is particularly interested in regulatory harmonization as it may apply to critical infrastructure sectors and sub-sectors identified in Presidential Policy Directive 21 and the National Infrastructure Protection Plan, and providers of communications, IT, and cybersecurity services to owners and operators of critical infrastructure. “Harmonization” as used in this RFI refers to a common set of updated baseline regulatory requirements that would apply across sectors. Sector regulators could go beyond the harmonized baseline to address cybersecurity risks specific to their sectors. ONCD is also interested in newer technologies, such as cloud services, or other “Critical and Emerging Technologies” identified by the National Science and Technology Council, that are being introduced into critical infrastructure.

What Next?

ONCD strongly encourages academics, non-profit entities, industry associations, regulated entities and others with expertise in cybersecurity regulation, risk management, operations, compliance, and economics to respond to this RFI. We also welcome State, Local, Tribal, and Territorial (SLTT) entities to submit responses in their capacity as regulators and as critical infrastructure entities, specifying the sector(s) in which they are regulated or regulate.

The RFI can be found at this link and will soon be posted to Regulations.gov. Responses are due by 5:00 p.m. EDT on September 15, 2023. (2)

Daniel Pereira

About the Author

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.