The Trump Administration’s new National Cyber Strategy makes one thing clear: cybersecurity is foundational to both economic growth and national security. By focusing on a targeted set of priorities, the Strategy elevates cybersecurity as a core strategic domain — not merely a compliance function.
The Strategy rightly prioritizes reauthorizing the Cybersecurity Information Sharing Act of 2015, adopting AI for cybersecurity and securing AI systems, upgrading to post-quantum cryptography, modernizing and upgrading Federal Government IT systems, and building and sustaining a strong cyber workforce.
Among its targeted priorities, regulatory harmonization stands out as the most impactful, as it will improve cybersecurity, government efficiency, and American competitiveness.
How Regulatory Fragmentation Harms Cybersecurity
Regulatory fragmentation is the predictable consequence of agencies issuing cybersecurity requirements independently, without coordination across the Federal government. In effect, each agency was allowed to operate as its own chef, developing distinct cybersecurity “recipes” without coordination.
The results are predictable: duplicative and inconsistent requirements, barriers to collaborative action across agencies, and compliance burdens that divert resources away from measurable cybersecurity improvements. Take one example, a foundational concept and term: “cyber incident” means one thing under the Cyber Incident Reporting for Critical Infrastructure Act of 2022; something slightly different at the Transportation Security Administration, the Office of Management and Budget (OMB), the US Securities and Exchange Commission, the Federal Trade Commission, and under the Health Insurance Portability and Accountability Act; something else again to New York regulators; and still something else in the National Institute of Standards and Technology (NIST) and ISO standards. The same event can therefore fall under a different definition depending on which government form you are filling out.
In contrast, by harmonizing cybersecurity requirements the Administration can:
- Improve cybersecurity. Aligning requirements reduces duplication and shifts resources toward measurable risk reduction rather than repetitive compliance exercises.
- Strengthen national security. Harmonized definitions, reporting requirements, and baseline security expectations enable more effective tracking, comparison, and sharing of information about cyber incidents and malicious campaigns across agencies and with international partners.
- Increase government efficiency. Agencies can rely on a coordinated baseline framework rather than each maintaining its own team to promulgate its own regulations, which is what produces fragmentation.
- Enhance American competitiveness. Companies can invest more in innovation and building the most secure products and services, rather than navigating inconsistent compliance obligations.
Incremental Reform Is Too Slow
The National Cyber Strategy makes clear that a regulation-by-regulation approach will not meet the moment. Instead, the Administration should pursue an ambitious, government-wide process to deliver and sustain harmonization.
That process must redefine the role of each regulator: shifting from chefs running separate, uncoordinated kitchens to diners selecting from a single, coordinated menu of cybersecurity requirements led by the Office of the National Cyber Director.
How to Achieve Harmonization
- Map existing regulatory requirements. Direct each regulator to identify each of its cybersecurity regulatory requirements and map each to a subcategory within the NIST Cybersecurity Framework.
- Assess, consolidate, and publish the maps. Direct NIST to assess each regulator’s map and consider how each requirement aligns with its standards and guidelines, and direct OMB to consolidate the maps and publish a final consolidated map, which will reveal where requirements overlap, conflict, or leave gaps.
- Create the menu. Direct the Office of the National Cyber Director (ONCD) and OMB to run a rulemaking process to decide which requirements to keep, update, or eliminate, ensuring that each remaining requirement is justified and harmonized.
- Adopt the menu. Direct OMB to issue a memo requiring each regulator to update its existing regulations to align with the menu and, moving forward, to use only items from the menu, selected according to its unique mission needs. Drawing every requirement from the same menu is what achieves harmonization.
- Sustain harmonization. Allow regulators to propose additions, removals, or updates to the menu through a public process managed by ONCD and OMB, which will maintain the menu’s relevance without sacrificing alignment.
The menu of harmonized cybersecurity requirements produces harmonization while also enabling regulators to choose requirements based on their unique missions and needs.
Path Forward
The National Cyber Strategy provides an opportunity for industry and government to work together to answer the call on a few priority activities. The Strategy sets the direction. Now is the moment for government and industry to operationalize it. Ultimately, building a single coordinated menu of cybersecurity requirements achieves the goal of the National Cyber Strategy: to deliver the most dynamic economy and the strongest national security.
