As the number of cybersecurity regulations increase, harmonizing them across federal agencies, foreign jurisdictions, state and local governments, and market sectors is complex, to say the least. The White House Office of the National Cyber Director (ONCD) continues to work to advance its National Cybersecurity Strategy it has released a request for information (RFI) that focuses on regulatory harmonization for critical infrastructure, their vendors, and others that support them.

For these regulations to actually improve security,  harmonization will be a key area for this administration to focus. As it stands the landscape is challenging with different regulations based on market sector and geography. For example, the rules for financial services in New York State are different from those in London. Regulated industries have pointed to areas where they already have to undergo eight mandatory cybersecurity audits a quarter. These audits are looking for the same things but require different personnel to run them at the same time. This is clearly a waste of focus and resources for already short-staffed security teams.

The RFI covers the prominent issues around regulatory harmonization to help fix the problem. One interesting area where the ONCD is focused is mutually recognizable certifications, such as FedRAMP. While sectors and geographies may have their own technology certifications the resources to adhere to them can be tricky.

Instead of having to go through the entirely new certification process because of a slight difference or additional requirement as happens today, the Administration seems to support looking at existing certifications, find gaps, and then requiring minimal additional documentation and testing to make sure those gaps have been closed. Cross-sector recognition of certification would enable industry to be able to serve additional markets without additional costs. As we have previously pointed out, FedRAMP certainly has its existing problems and it might be one of the better examples of the existing certifications, but if we can make improvements and they can be adapted successfully, this approach would be an improvement over where we are today.

There are challenges on the horizon for ONCD when it comes to regulatory harmonization. Buy-in from independent federal agencies and others will be necessary as ONCD doesn’t have the authority to impose coordination. It will be interesting to watch ONCD bring stakeholders together and work on aligning regulation across market sectors and geographies. Are state and international regulators willing to work together on harmonizing certifications?

The Center looks forward to continuing to work with ONCD to make something work that is an improvement over the current lack of regulatory coordination.

Ari Schwartz

Read Next

CDM 2.0: Advancing Federal Cybersecurity

As federal agencies modernize IT systems, the Continuous Diagnostics and Mitigation Program must as well. This paper details recommendations on how CDM can evolve to meet new demands and threats.

Digital Evidence in Europe: Persistent Challenges, Practical Solutions

"Digital Evidence in Europe: Persistent Challenges, Practical Solutions" focuses on the transformative opportunity — and challenges ahead — presented by the EU’s upcoming e-Evidence framework.

S3 Ep 02: International Cyber Regulatory Alignment, UK Cyber Resilience

In the latest Distilling Cyber Policy podcast our hosts continue the season’s run of returning guests with a conversation featuring Irfan Hemani, discussing international cyber regulatory alignment and the growing challenge of overlapping rules.