US Senate Committee holds hearing on harmonizing federal cybersecurity standards to address business challenges

U.S. Senator Gary Peters, a Democrat from Michigan and chairman of the Homeland Security and Governmental Affairs Committee, convened a hearing to examine the federal administration's efforts to harmonize overlapping federal cybersecurity standards and the challenges U.S. businesses face in meeting them. The hearing highlighted the need for Congress to pass legislation requiring agencies and regulators to coordinate a cohesive approach to cybersecurity regulations, so that the rules strengthen cybersecurity while businesses and other entities remain able to comply with critical cybersecurity requirements.

Nicholas Leiserson, assistant national cyber director for Cyber Policy and Programs for the Office of the National Cyber Director (ONCD) – the lead federal agency for harmonizing cybersecurity regulations – discussed the challenges the office faces when trying to promote harmonization. David Hinchman, director of Information Technology and Cybersecurity at the Government Accountability Office (GAO), discussed how regulators can best tailor cybersecurity requirements to promote a cohesive response to protect themselves and critical infrastructure owners and operators from cyberattacks. 

The witnesses discussed the burdens that businesses can face when working to meet multiple cybersecurity standards across different federal agencies and regulators, and the need for better harmonization of cybersecurity regulations, particularly by independent regulatory agencies. Some businesses have raised concerns that duplicative requirements can lead to cybersecurity professionals being pulled away from their jobs to file paperwork rather than focusing on defending the nation’s critical infrastructure. 

“We need effective regulations on cybersecurity. But we need them to be efficient, adaptable, and coordinated across different agencies,” Peters outlined in his opening statement as prepared for delivery at the Committee hearing on Cyber Regulatory Harmonization. “Harmonizing these guidelines will make our government more efficient, help businesses compete on the global stage, and ensure that we’re addressing cybersecurity threats in the most effective way. That is why I am working on legislation to establish a Harmonization Committee at O-N-C-D that would require all agencies and regulators to come together, talk about cybersecurity regulations, and work on harmonization.” 

Peters pointed out that passing legislation is the only solution. “We have to bring independent agencies together and start harmonizing this effort. Only Congress has the power to do so. If we fail at that mission, we won’t be able to build the most effective response to cyber threats,” he added.

“More regulators are stepping up to help manage the unacceptable level of risk that persists in many critical infrastructure sectors, and Congress has granted additional authorities to the government to impose minimum cybersecurity requirements,” Leiserson said in his statement. “Yet, our efforts to confront cyber threats aggressively have not been anchored in a comprehensive policy framework for regulatory harmonization. In fact, many of the challenges raised in then-Chairman Johnson’s hearing seven years ago continue to ring true.”

He also pointed out that the National Cybersecurity Strategy (NCS) and the recently signed National Security Memorandum 22 (NSM-22) on ‘Critical Infrastructure Security and Resilience’ prioritize cybersecurity regulatory harmonization. “We have made this a priority – in fact, it is the first item in the inaugural National Cybersecurity Strategy Implementation Plan – because duplicative or contradictory cybersecurity regulations not only pose unnecessary costs on regulated entities, they also drain investment away from improvements in actual cybersecurity. By acting strategically, we can achieve better cybersecurity outcomes and lower costs to businesses and their customers,” Leiserson added.

“For the American people, the use of a common cybersecurity baseline with reciprocity would lead to the development of standardized tools or services, increasing compliance with the baseline while decreasing cybersecurity costs and helping drive the adoption of the baseline protections beyond regulated sectors,” according to Leiserson. “For instance, ICT services that were adapted to meet baseline cybersecurity requirements would be available in other contexts, including to consumers or small and medium-sized businesses that are not in critical infrastructure sectors.”

When it comes to regulators, Leiserson identified that harmonization and reciprocity would reduce resources needed to perform oversight activities with respect to the common baseline (reciprocity would mean that regulators could divide the waterfront and not examine every control) and provide an opportunity to focus oversight on their key concerns and areas of greatest expertise. “By avoiding duplication of effort, regulators would have more time and resources to devote to their individual oversight or supervisory responsibilities,” he added.

Pursuant to the National Cybersecurity Strategy Implementation Plan, ONCD began to explore a framework for reciprocity for baseline requirements in conjunction with interagency partners that participate in the Cybersecurity Forum for Independent and Executive Branch Regulators (Cybersecurity Forum). 

The agency also released an RFI intended to gather input from industry, civil society, academia, and other government partners about its approach. The ONCD received 86 unique responses to the RFI, representing 11 of the 16 critical infrastructure sectors, as well as trade associations, nonprofits, and research organizations. In all, the respondents, many of which are membership organizations, represent over 15,000 businesses, states, and other organizations.

In describing the characteristics of a more harmonized and reciprocal cybersecurity regulatory landscape, RFI respondents touched on themes very similar to ONCD’s initial vision. They said regulators should continue to focus on aligning with risk management approaches such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and that coordinating among regulators to decrease overlapping requirements, together with collaborating with key allies (such as the United Kingdom, the European Union, Canada, and Australia) to drive international reciprocity, would materially improve the status quo.

Respondents also said that elevating the importance of supply chain security would help ensure ICT vendors are held to the same standards as critical infrastructure operators, and that federal leadership would be essential both to achieve these goals and to guide state, local, Tribal, and territorial (SLTT) governments in streamlining related regulations.

Based on feedback from the RFI, Leiserson said that the ONCD has begun to build a pilot reciprocity framework to be used in a critical infrastructure subsector. “We anticipate that this pilot, which we expect to complete early next year, will give us valuable insights as to how best to achieve reciprocity when designing a cybersecurity regulatory approach from the ground up,” he added. 

He also mentioned, “We are also working with the Cybersecurity Forum to move from alignment to harmonization with respect to certain common cybersecurity controls. These initiatives continue to lay the foundation for more comprehensive efforts to knit dozens of regulatory regimes together.”

Hinchman highlighted that the U.S. administration has initiated actions to harmonize cybersecurity regulations, but significant work remains. He also focused on NSM-22, which calls for specific actions in support of harmonizing cybersecurity regulations, including directing federal departments and agencies with regulatory authorities to use regulation, drawing on existing consensus standards as appropriate, to establish minimum requirements and effective accountability mechanisms for the security and resilience of critical infrastructure.

Furthermore, Hinchman pointed out that the National Cyber Director, in coordination with the director of the Office of Management and Budget, is to lead the Administration’s efforts for cybersecurity regulatory harmonization concerning security and resilience requirements. 

Also, the Secretary of Homeland Security is to develop and submit to the President by April 30, 2025, and regularly every two years thereafter by June 30, a National Infrastructure Risk Management Plan. The current National Infrastructure Protection Plan for securing critical infrastructure, which provides the overarching approach for integrating the nation’s critical infrastructure protection and resilience activities into a single national effort, has not been updated since 2013.

Among other things, Hinchman identified that “the updated National Infrastructure Risk Management Plan is to include identification, harmonization, and development of recommended national and cross-sector minimum security and resilience requirements to mitigate cross-sector risks not covered under sector-specific requirements; and a plan for harmonizing minimum security and resilience requirements across all sectors based on input from sector risk management agencies and other relevant federal departments and agencies.”

In addition, Congress and the President enacted the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CIRCIA was intended to help prioritize efforts to combat cyber threats by requiring certain entities to submit cyber incident reports to the Department of Homeland Security (DHS). DHS’s Cybersecurity and Infrastructure Security Agency (CISA) published a Notice of Proposed Rulemaking on April 4, 2024, seeking public comments on implementing CIRCIA’s requirements, including ways to harmonize this regulation with other existing federal reporting requirements. The deadline for comments is July 3, 2024.

“In summary, as work continues on this important effort, it is vital that the stakeholders involved in this process remain focused on resolving the conflicts, inconsistencies, and redundancies currently found in our nation’s cybersecurity regulations,” Hinchman said. “Following through and executing specific plans and meeting established time frames, as supported by key organizations such as ONCD, DHS, and Congress, are essential to achieving harmonization. This, in turn, can better position our country’s critical infrastructure sectors to address cybersecurity from a common perspective and help ensure the future safety and security of our nation.”

After issuing a request for information (RFI) concerning cybersecurity regulatory harmonization and reciprocity, the ONCD published last week a summary highlighting the 86 responses and key findings. These responses originated from delegates across 11 of the 16 identified critical infrastructure sectors, as well as from trade associations, nonprofits, and research organizations. Together, these respondents, many of whom are part of membership organizations, represent over 15,000 businesses, state agencies, and other entities.
