On July 19, 2023, the Office of the National Cyber Director (ONCD) issued a request for information (RFI) on cybersecurity regulatory harmonization.[1] The RFI is intended to be a step toward the Biden Administration’s goal, as stated in the National Cybersecurity Strategy, to “harmonize not only regulations and rules, but also assessments and audits of regulated entities.” It supports Initiative Number 1.1.1 of the Strategy’s recently released Implementation Plan[2]: “engage non-governmental stakeholders to understand existing challenges with regulatory overlap and explore a framework for reciprocity for baseline requirements” by the first quarter of 2024.
ONCD encourages academics, non-profits, and private sector entities to provide feedback on the current state of cyber regulation in response to an extensive list of open-ended questions focused on commenters’ experiences with existing cybersecurity frameworks and requirements. The RFI seeks specific examples of conflicts among state, local, and federal regulations of a particular sector, overlapping regulatory oversight, regulatory reciprocity among multiple federal agencies with respect to cybersecurity, and costs associated with compliance, among other topics. It also solicits feedback on existing models, such as the FFIEC’s[3] Common Self-Assessment Tool and Information Security Booklet. The RFI explicitly excludes comments about Federal incident reporting regulations from its scope, however.[4]
The National Cybersecurity Strategy highlights the importance of federal regulators working together to “minimize [the] harms” of federal regulations that are “in conflict, duplicative, or overly burdensome.”[5] The RFI, in contrast, uses the term “harmonization” to mean a “common set of updated baseline regulatory requirements that would apply across sectors.”[6] This definition suggests that ONCD may use this process of identifying existing conflicts or tensions to detect potential elements of an overarching, broadly applicable baseline cybersecurity regulation that do not currently exist in the United States. In this way, while presenting an opportunity to reduce undue regulatory burden, the RFI may prove to be a step toward filling gaps in cybersecurity regulation that the Administration identifies. Notably, the RFI also makes clear that “[s]ector regulators could go beyond the harmonized baseline to address cybersecurity risks specific to their sectors.”
Given ONCD’s focus on a potential regulatory baseline that could apply across sectors, it will be valuable for private sector stakeholders to identify regulatory conflicts, and to describe the pros and cons of different potential regulatory approaches. Feedback from key stakeholders on existing frameworks and obstacles may help drive a solution that further strengthens cybersecurity across the critical infrastructure sectors, while limiting regulatory overlap and unnecessary compliance burdens.
Update: The deadline for comments, originally September 15, 2023, was subsequently extended to October 31, 2023.