With the release of the US National Cybersecurity Strategy expected soon, there is an opportunity for the federal government to advance regulatory harmonization through a single menu of cybersecurity requirements across government.
Cybersecurity regulations are supposed to make us more secure. Instead, dozens of regulators across all sectors of the economy have promulgated their own regulations, without coordinating with one another, and created a labyrinth that confuses businesses, drains resources, and ultimately weakens security. As the administration moves from the recently published National Security Strategy and toward the forthcoming National Cyber Strategy, it has an opportunity to address this challenge and improve cybersecurity.
The Strategy should explicitly prioritize the creation of a single, coherent menu of cybersecurity requirements that federal agencies can draw from, thereby providing a single foundation for regulation and giving industry a clear path to compliance.
Financial regulators have one set of rules, health care regulators another, and transportation yet another — each using different definitions, timelines, and compliance requirements. For example, there are 52 separate cyber incident reporting rules across the US Government, and agencies like the FTC, HHS, SEC, and TSA all define “cyber governance” differently.
In short, there are too many regulatory cooks in the cyber kitchen.
The resulting marketplace undervalues investing in security engineers and innovation and overvalues spending on compliance attorneys and checking boxes.
Allowing so many regulatory cooks in the kitchen:
- Creates government inefficiency, wasting money as each regulator duplicates efforts instead of having a holistic, coordinated approach.
- Degrades cybersecurity as agencies can’t easily compare incident reports, share intelligence, or access the most secure services.
- Hurts American businesses, especially smaller ones, as they struggle to understand or meet complex or conflicting obligations.
Rather than address the situation a single regulation at a time, a holistic solution is needed.
The good news is that just as we chose to allow each regulator into the kitchen to act as a chef, we can choose a different role for them: diners at the Cyber Harmonization Cafe.
Welcome to the Cyber Harmonization Cafe
Instead of every regulator crafting its own approach to cybersecurity, a coordinated approach between the Office of the National Cyber Director (ONCD) and the Office of Management and Budget (OMB) would set a single, government-wide “menu” of cybersecurity requirements from which agencies can choose.
This approach maintains flexibility – each regulator can choose the requirements that meet its needs – while also ensuring harmonization (i.e., no ordering “off menu”).
Here’s how the Administration can build the menu:
- Map existing regulatory requirements. Direct each regulator to identify each of its cybersecurity regulatory requirements and map each to a subcategory within the NIST Cybersecurity Framework.
- Assess, consolidate, and publish the maps. Direct the National Institute of Standards and Technology (NIST) to assess each regulator’s map and consider how each requirement aligns with its standards and guidelines, and direct OMB to consolidate and publish a final consolidated map, which will reveal where requirements overlap, conflict, or leave gaps.
- Create the menu. Direct ONCD and OMB to run a rulemaking process to decide which requirements to keep, update, or eliminate to ensure that each requirement is justified and harmonized.
- Adopt the menu. Direct OMB to issue a memo requiring each regulator to update its existing regulations to align with the menu and, moving forward, to use only items from the menu, which will achieve harmonization.
- Sustain harmonization. Allow regulators to propose additions, removals, or updates to the menu through a public process managed by ONCD and OMB, which will maintain the menu’s relevance without sacrificing alignment.
The current regulatory environment isn’t inevitable. We built it by allowing each regulator to act, without considering other regulators or the overall environment, as its own chef. The Administration, through the National Cyber Strategy, can, and should, choose to dismantle it. A unified Cyber Harmonization Cafe menu gives us a way to do just that — making government more efficient, businesses more competitive, and Americans more secure.
