ONCD seeks input on cybersecurity regulatory harmonization, addressing overlap and inconsistency

The U.S. administration announced Wednesday a request for information (RFI) on cybersecurity regulatory harmonization and regulatory reciprocity and invited input from stakeholders to understand existing challenges with regulatory overlap and inconsistency. The document also explores a framework for reciprocal recognition by regulators of compliance with common baseline cybersecurity requirements. The RFI builds on the commitment the administration made in the National Cybersecurity Strategy to ‘harmonize not only regulations and rules but also assessments and audits of regulated entities.’

The RFI was issued by the Office of the National Cyber Director (ONCD); comments must be received in writing by 5 p.m. EDT Sept. 15, 2023. ONCD encourages academics, non-profit entities, industry associations, regulated entities, and others with expertise in cybersecurity regulation, risk management, operations, compliance, and economics to respond to this RFI. The agency also welcomes State, Local, Tribal, and Territorial (SLTT) entities to submit responses in their capacity as regulators and as critical infrastructure entities, specifying the sector(s) in which they are regulated or which they regulate.

The ONCD is particularly interested in regulatory harmonization as it applies to the critical infrastructure sectors and sub-sectors identified in Presidential Policy Directive 21 and the National Infrastructure Protection Plan, and to providers of communications, IT, and cybersecurity services to owners and operators of critical infrastructure. The RFI uses ‘harmonization’ to mean a common set of updated baseline regulatory requirements that would apply across sectors. Sector regulators could go beyond the harmonized baseline to address cybersecurity risks specific to their sectors.

“Unlike many other fields, at a technical level, the cybersecurity of one sector is inherently similar to the cybersecurity of other sectors,” according to a Fact Sheet released by the White House. “While regulated sectors may engage in distinct activities, they often use the same software, hardware, and information and communications technology and services to enable interconnectivity or automation. The technological commonalities also mean that baseline risk mitigation measures are likely to be common among entities and sectors.”

The ONCD, in coordination with the Office of Management and Budget (OMB), has been tasked with leading the Administration’s efforts on cybersecurity regulatory harmonization. The RFI asks for input on conflicting, mutually exclusive, or inconsistent regulations and, where applicable, for examples of such federal and SLTT regulations affecting cybersecurity. This includes both broad enterprise-wide requirements and specific, targeted requirements that apply to the same information technology (IT) or operational technology (OT) infrastructure of the same regulated entity.

Addressing the use of common guidelines, the RFI identified that through the Federal Financial Institutions Examination Council (FFIEC), regulators of certain financial institutions have issued common Interagency Guidelines Establishing Information Security Standards. They have also developed a common self-assessment tool and an information security booklet to guide examinations of entities in the financial sector. 

The ONCD seeks input on the effectiveness of a model for harmonized requirements, challenges, adaptability, appropriateness, application outside examination-based compliance regimes, improvement through common oversight approaches, and the use of self-assessment tools. The model should consider whether organizations voluntarily apply self-assessment tools and if a common self-assessment tool could improve entities’ compliance with regulatory requirements.

The agency is also seeking feedback on the practice of using existing standards or frameworks in setting regulatory requirements that can reduce burdens on regulated entities and help achieve the goals of regulatory harmonization. 

Under existing law, federal executive agencies use voluntary consensus standards for regulatory activities unless the use of such standards is inconsistent with law or otherwise impractical. In a recent report from the President’s National Security Telecommunications Advisory Council (NSTAC) that addressed cybersecurity regulatory harmonization, the NSTAC noted that ‘even though most regulations cite consensus standards as the basis for their requirements, variations in implementations across regulators often result in divergent requirements.’

Looking into third-party frameworks, the ONCD RFI calls for input from both the government (for example, through the NIST Cybersecurity Framework) and non-government third parties that have developed frameworks and related resources that map cybersecurity standards and controls to cybersecurity outcomes. These frameworks and related resources have also been applied to map controls to regulatory requirements, including where requirements are leveled by multiple agencies.

The agency calls for feedback on identifying such frameworks and related resources, both governmental and non-governmental, currently in use concerning mitigating cybersecurity risk. It also looks into how well such frameworks and related resources work in practice to address disparate cybersecurity requirements. 

Addressing tiered regulation, the ONCD RFI calls for feedback on different levels of risk across and within sectors that may in part be addressed through a tiered model, potentially assisting in tailoring baseline requirements for each regulatory purpose. Tiering may also help small businesses meet requirements commensurate with their risk. For example, while these are not regulations, tiering into several baselines is a feature of Federal Information Processing Standard 199 and the NIST Risk Management framework. 

The document seeks input on whether such a model can be adapted to apply to multiple regulated sectors and, if so, how those tiers should be structured. It also asks how such a tiered approach could be defined across disparate operational environments and what opportunities and challenges doing so might involve.

The ONCD also wants stakeholders to provide examples of cybersecurity oversight by multiple regulators of the same entity and to describe whether the oversight involved IT or OT infrastructure. Some of these questions reference a potential ‘regulatory reciprocity model,’ under which cybersecurity oversight and enforcement of cross-sector baseline cybersecurity requirements would be divided among regulators, with the ‘primary’ or ‘principal’ regulator for an entity having authority to oversee and enforce compliance with that baseline.

The document also identified that SLTT entities often impose regulatory requirements that affect critical infrastructure owners and operators across state lines, as well as entities that do not neatly fall into a defined critical infrastructure sector. 

The agency seeks input from stakeholders on: examples where SLTT cybersecurity regulations are effectively harmonized or aligned with federal regulations; examples demonstrating regulatory reciprocity between federal and SLTT regulatory agencies; any examples or models for harmonizing regulations across multiple SLTT jurisdictions, including federal support for such efforts; and examples, if any, where regulatory requirements related to cybersecurity are conflicting, mutually exclusive, or inconsistent within one jurisdiction.

Identifying that many regulated entities within the U.S. operate internationally, the ONCD document pointed to a recent report from the President’s National Security Telecommunications Advisory Council (NSTAC), which noted that foreign governments have been implementing regulatory regimes with ‘overlapping, redundant or inconsistent requirements…’

The RFI seeks input on identifying instances where U.S. Federal cybersecurity requirements conflict with foreign government cybersecurity requirements. It seeks to prioritize countries or sectors for international harmonization and to identify international dialogues and promising venues for alignment. It also seeks to identify ongoing initiatives by international standards organizations, trade groups, and non-governmental organizations, as well as examples of regulatory reciprocity within and between foreign countries and the U.S.

The ONCD calls upon stakeholders to provide inputs on best practices, approaches, and emerging solutions for the government that are easy to review and understand. The agency is also looking for clear, descriptive, and concise language with enough detail to be actionable. If applicable, respondents should consider whether their suggestions have a clear return on investment that can be articulated to secure funding and support.

Furthermore, the ONCD asks about challenges that seem intractable and overwhelmingly complex but can often be resolved with a change in perspective that unlocks hidden opportunities and aligns stakeholder interests.

On Wednesday, member states of the Council of the EU (European Council) announced that they reached a common position on security requirements for digital products. The draft regulation introduces mandatory cybersecurity requirements for the design, development, production, and making available on the market of hardware and software products to avoid overlapping requirements stemming from different pieces of legislation in European Union (EU) member states. These shared requirements ensure that digital products meet the highest level of security and protect users’ sensitive information.
