ONCD summarizes cybersecurity RFI responses, cites harmonization and reciprocity issues across sectors


Following up on its request for information (RFI) on cybersecurity regulatory harmonization and regulatory reciprocity, the Office of the National Cyber Director (ONCD) released a summary on Tuesday of the 86 responses received and the key findings. These came from representatives of 11 out of 16 critical infrastructure sectors, alongside trade associations, nonprofits, and research bodies. Collectively, these respondents, many of which are membership organizations, represent more than 15,000 businesses, state entities, and other organizations. 

The summary reports three key findings. First, the lack of harmonization and reciprocity harms cybersecurity outcomes while increasing compliance costs through additional administrative burdens; many respondents noted that compliance spending drew resources away from cybersecurity programs. Second, challenges with cybersecurity regulatory harmonization and reciprocity extend to businesses of all sectors and sizes and cross jurisdictional boundaries; respondents highlighted inconsistent or duplicative requirements across international and state regulatory regimes.

Third, the U.S. government is positioned to act to address these challenges. Respondents provided numerous suggestions for how the administration and Congress could act to increase harmonization and reciprocity, and agreed that the lack of cybersecurity regulatory harmonization and reciprocity posed a challenge to both cybersecurity outcomes and business competitiveness.

Harry Coker Jr., the national cyber director, noted that it was overwhelmingly evident that respondents believed there was a lack of cybersecurity regulatory harmonization and reciprocity, and that this posed a challenge to both cybersecurity outcomes and business competitiveness. “This was true for businesses of all sectors and of all sizes. Partners raised concerns not only about a lack of harmonization and reciprocity across Federal agencies but also between state and Federal regulators and across international borders.”

He added that many of those who responded lamented a lack of reciprocity to date, noting that investments in compliance across multiple regulatory regimes intended to control the same risk resulted in a net reduction in actual programmatic cybersecurity spending. 

Coker also mentioned that empowered with the feedback of partners, “we are taking steps towards a comprehensive solution that will provide efficiency to our industry partners, clarity to our interagency colleagues, and that will ultimately incentivize better, safer cyber outcomes for the American people.”

The summary identified that to achieve better cybersecurity outcomes while lowering costs to businesses and their customers, the ONCD is working with colleagues across the interagency, and in close collaboration with industry and other key stakeholders, to lay the groundwork for a comprehensive policy framework for regulatory harmonization. The aim is to strengthen cybersecurity readiness and resilience across sectors; simplify oversight and regulatory responsibilities of cyber regulators while enabling them to focus on areas of unique, sector-specific expertise; and substantially reduce the administrative burden and cost on regulated entities.

“These responses have confirmed the scope of the challenge and helped us chart a path forward,” according to Coker. “Already we are working with our partners to build a pilot reciprocity framework to be used in a critical infrastructure subsector. We anticipate that this pilot will give us valuable insights as to how best to design a cybersecurity regulatory approach from the ground up.”

However, Coker pointed out that “we need Congress’s help to bring all the relevant agencies in the government together to develop a cross-sector framework for harmonization and reciprocity for baseline cybersecurity requirements.”

He added that as “we listen and learn from our partners in the public and private sectors, we more clearly see that regulatory harmonization is a hard problem, exactly the kind of hard problem that ONCD was created to solve on behalf of our nation. It involves coordinating dozens of agencies, each implementing its own unique authorities. It’s a problem that has existed for decades. And it is a problem whose trend line is generally heading toward more fragmentation, not more harmonization.”

In describing the characteristics of a more harmonized and reciprocal cybersecurity regulatory landscape, RFI respondents touched on several overarching themes. Regulators should continue to focus on aligning with risk management approaches such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Respondents also indicated that coordinating among regulators to decrease overlapping requirements, and collaborating with key allies and regional organizations to drive international reciprocity, would materially improve the status quo.

The report also focuses on elevating supply chain security to the same level as cybersecurity, which would help ensure that information and communications technology vendors are held to the same standards as critical infrastructure operators. It further calls for federal leadership to help achieve these goals and to guide state, local, Tribal, and territorial (SLTT) governments in streamlining related regulations. Several respondents also provided specific recommendations for action to further harmonize cybersecurity regulations.

Some respondents also recommended that the administration work with Congress on various ways to improve harmonization. The U.S. Chamber of Commerce, the National Electrical Manufacturers Association, and CTIA – The Wireless Association suggested that Congress consider legislation to set national, high-level standards for cybersecurity. The Chamber of Commerce additionally suggested that Congress consider ways to include independent regulators in future planning efforts on regulatory harmonization.

Last September, the Department of Homeland Security (DHS) outlined a series of actionable recommendations on how the federal government can streamline and harmonize the reporting of cyber incidents to protect the nation’s critical infrastructure. Delivered to Congress, these recommendations permit the government to identify trends in malicious cyber incidents and help organizations prevent, respond to, and recover from attacks. These measures are also mandated by the March 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
