Redundant and conflicting cybersecurity regulations are burdensome for business compliance and can make security programs less effective. The 2023 National Cybersecurity Strategy recognized that these burdens exist and tasked the Office of the National Cyber Director (ONCD) with an initiative to make compliance easier for organizations by harmonizing security regulations.
To gather input from industry, ONCD released a Request for Information (RFI) on Cybersecurity and Regulatory Harmonization. The Cybersecurity Coalition submitted comments to the RFI and thanks ONCD and the Office of Management and Budget (OMB) for their openness and commitment to working with industry stakeholders to address cybersecurity regulatory fragmentation. Our response to this RFI is organized into the following sections:
- Support for Harmonization
- Using the FedRAMP Model for Reciprocity
- Coregulatory Models to Drive Harmonization
Support for Harmonization
The Cybersecurity Coalition advocates simplifying cybersecurity compliance processes, emphasizing that redundant regulations undermine investment in security and innovation. The growing number of security regulations in the U.S. and around the globe burdens the private sector and complicates aligning requirements across jurisdictions and industries. Reducing duplication in regulatory and administrative requirements will let organizations deploy security measures aligned with their actual risks and redirect compliance resources toward resilience.
Outright conflicts between regulations are less common; the primary challenge is duplication across the many independent agencies that issue requirements, over which ONCD has limited direct influence. Nevertheless, greater federal coordination is crucial. A 2020 Government Accountability Office (GAO) report found a lack of federal interagency coordination on cybersecurity requirements, which highlights the potential benefits of streamlined regulatory models that build in communication across agencies and levels of government.
The Coalition recommends that ONCD's harmonization efforts prioritize interagency collaboration, industry-informed consensus standards, and coregulatory models. The goal is more efficient compliance schemes built on consistent standards, which in turn enable automation and the reuse of compliance artifacts across regulators.
Using the FedRAMP Model for Reciprocity
The Coalition recommends that ONCD consider the Federal Risk and Authorization Management Program (FedRAMP) structure as a potential model for simplifying cybersecurity regulations and reducing redundancy. Despite its implementation challenges, FedRAMP offers a structured, standardized approach to the security assessment and authorization of cloud services used by the federal government, minimizing duplication of compliance effort. Its key features are a common baseline drawn from National Institute of Standards and Technology (NIST) standards, a single authorization process whose results are recognized across federal agencies, and a collaborative governance structure that limits miscommunication and duplicative requirements.
However, FedRAMP is known for a long and costly authorization process that creates barriers to entry, which is why the Coalition suggested allowing entities either to self-certify or to obtain a pre-certification from a third-party assessment organization. The Coalition is also aware of the latest proposed updates to FedRAMP and is supportive of the changes to accept external frameworks and certifications, as well as the reorganization of the FedRAMP Board to include other government agencies. Overall, the Coalition recommends that ONCD incorporate lessons learned from the FedRAMP governance model, its streamlined approach to certification, and its grounding of security requirements in common standards.
Coregulatory Models to Drive Harmonization
Finally, the Coalition supports the use of coregulatory models such as the Federal Financial Institutions Examination Council (FFIEC) as effective approaches for establishing uniform requirements and oversight across multiple regulatory bodies. The FFIEC's consistent requirements reduce redundant compliance work for entities subject to several financial services regulators. The FFIEC's common Cybersecurity Assessment Tool (CAT) lets entities measure their cybersecurity readiness against examiner criteria, and was developed to be consistent with the NIST Cybersecurity Framework and the FFIEC Information Technology Examination Handbook.
However, because of limitations such as infrequent updates to the CAT, the Financial Services Sector Coordinating Council developed the Cyber Risk Institute (CRI) Profile. The CRI Profile integrates the CAT, is based on the NIST Cybersecurity Framework, and harmonizes over 2,400 regulatory expectations into 277 control objectives. The Profile is also updated regularly to reflect cybersecurity regulatory developments.
The Coalition urges ONCD to promote wider adoption of coregulatory models like the FFIEC and of unified compliance frameworks like the CAT and the CRI Profile. Because these frameworks align with widely recognized standards and examination expectations, they can also help government agencies hire and train examiners more efficiently.
The Coalition appreciates the opportunity to contribute to this effort on cybersecurity regulatory harmonization and hopes its responses will be useful in informing ONCD's work. For more details on the Coalition's input, please see our comments to ONCD.