Cyber framework harmonization is a thorny, yet not intractable issue, experts say


Those inside and outside government agree that harmonizing and streamlining cyber regulations would save time and compliance costs. A consensus might be emerging around what to do next.

It’s hard to pinpoint exactly when the federal government started regulating cybersecurity, but it can trace its origins back many decades to when computers and the internet started becoming more widely available.

The National Institute of Standards and Technology’s work dates back to 1972, when, under its previous name, the National Bureau of Standards, its Institute for Computer Sciences and Technology established a computer security program. Then came a raft of new laws, including the Privacy Act of 1974, the landmark Computer Fraud and Abuse Act of 1986 and privacy protection laws such as the Health Insurance Portability and Accountability Act in 1996.

States eventually got involved with their own data breach laws, starting in California in 2002. The federal Homeland Security Act passed that same year established the Department of Homeland Security, an agency that would soon play a key role in cybersecurity regulation and policy, especially after the creation of its Cybersecurity and Infrastructure Security Agency and, among other rules, its various information-sharing requirements.

These regulations and many more have created a complex web of rules for state and local governments to follow. And sometimes those regulations overlap in their compliance requirements, with similarities in some areas but differences in others. Keeping up with all these requirements is a challenge, both in terms of cost and time.

“It takes a tremendous amount of studying and a tremendous amount of knowledge to be able to navigate the broad regulatory and legal aspects of cybersecurity,” Iowa Chief Information Security Officer Shane Dwyer told Route Fifty in an interview at the April Google Cloud Next conference in Las Vegas. “And I would say that's universal across the board. It's not just in government.”

Government Concerns

That web of related and unrelated regulations has been a source of concern for governments at all levels. It’s prompted hearings, research papers from think tanks and nonprofits, and a slew of reports from the Government Accountability Office, especially in the last 15 years.

In 2010, GAO said agencies had “made progress” in harmonizing IT security policies for both national security and non-national security systems. In a 2020 report, the watchdog then called on various agencies to coordinate more on the requirements and assessments they impose on states’ cybersecurity. In that report, GAO examined four federal agencies and found that as many as 79% of security requirement parameters were in conflict.

GAO also surveyed state chief information security officers and found that the variances in federal agencies’ cybersecurity requirements had greatly increased the staff hours, the cost of acquiring materials, software and equipment, and the time it takes states to comply with those agencies’ rules.

That 2020 report evaluated four agencies: the Centers for Medicare and Medicaid Services, the Federal Bureau of Investigation, the Internal Revenue Service and the Social Security Administration.

It found that states were required to share a variety of data with those agencies, each under differing security standards and conflicting parameters, including a variety of technical thresholds for related controls. GAO also found that some agency requirements did not fully address guidelines from the National Institute of Standards and Technology, meaning those requirements also diverged from accepted standards.

Those warnings continued in a 2024 GAO report, which again recognized that efforts to harmonize cyber regulations have been “initiated” but noted the “significant work” that remained.

The agency noted that the federal government under former President Joe Biden had taken various steps towards better harmonization, including through its 2023 National Cybersecurity Strategy, a national security memorandum on critical infrastructure security and resilience, and a request for information on regulatory harmonization from the Office of the National Cyber Director. But it noted that the cyber strategy did not have a timeline for implementation, and that ONCD did not publish a summary of the comments it received on its RFI.

For its part, ONCD under President Donald Trump released a new National Cyber Strategy in which officials pledged to streamline cyber regulations “to reduce compliance burdens, address liability, and better align regulators and industry globally.”

“Cyber defense should not be reduced to a costly checklist that delays preparedness, action, and response,” the strategy says.

In testimony before the Senate Homeland Security Committee June 5, David Hinchman, GAO’s director of IT and cybersecurity, said various efforts need to be completed, including setting minimum cybersecurity requirements across infrastructure sectors; increasing agency use of frameworks and international standards to inform regulatory alignment; and leveraging reciprocity pilot programs.

“As work continues on this important effort, it is vital that the stakeholders involved in this process remain focused on resolving the conflicts, inconsistencies and redundancies currently found in our nation’s cybersecurity regulations,” Hinchman said. “Following through and executing specific plans and meeting established time frames, as supported by key organizations such as ONCD, [the Department of Homeland Security] and Congress, are essential to achieving harmonization. This, in turn, can better position our country’s critical infrastructure sectors to address cybersecurity from a common perspective and help ensure the future safety and security of our nation.”

Witnesses at various congressional hearings, and the lawmakers questioning them, have bemoaned how high compliance costs are and how much time organizations spend completing compliance checklists, which diverts resources away from investing in cybersecurity defenses.

“The deluge of cybersecurity incident notification regulations perfectly illustrates the scope of the over-regulation problem and serves as a reminder that, to date, while we have studied the issue for years, not much has been done to drive actionable solutions – to actually harmonize cybersecurity regulatory requirements,” John Miller, senior vice president of policy and general counsel at the Information Technology Industry Council, told a House subcommittee in 2024.

Suggested Solutions

In response to the growing discord between cyber regulations and the desire to harmonize them, lawmakers and outside groups have suggestions, with some areas of commonality emerging.

U.S. Sens. Gary Peters, a Michigan Democrat, and James Lankford, an Oklahoma Republican, pushed their Streamlining Federal Cybersecurity Regulations Act two years ago, which received committee approval but then died on the Senate floor. That bill would have established an interagency harmonization committee at ONCD, with that committee required to develop a framework to align cybersecurity and information security regulations, rules, examinations and other compliance requirements.

It also would have established a pilot program to test the developed framework on substantially similar regulations, and would have required all federal agencies to consult with the committee before issuing or updating regulations. At the time, Lankford said in a statement that harmonization would “make sure that federal requirements are focused on actually improving security instead of imposing a convoluted set of compliance challenges.”

Various outside groups have made their own suggestions. The National Association of State Chief Information Officers has argued for years in favor of cyber framework harmonization, which remains one of the group’s top advocacy priorities.

Alex Whitaker, NASCIO’s government affairs director, acknowledged during a briefing at NASCIO’s Mid-Year Conference in April in Philadelphia that it is a topic that can make “eyes glaze over,” but it is important. He said the Office of Management and Budget “is really the only entity in the federal government that has the convening power to get these agencies together,” while Congress could play some kind of role too.

“At the end of the day, I do feel there is probably less disagreement among agencies than we think about what the standards are for harmonization,” Whitaker continued. “It's just having someone in the room to get them on the same page, to say, ‘Here, look, let's find where the commonalities are.’”

Separately, the nonprofit Government Risk and Authorization Management Program, known as GovRAMP, released its own path forward for framework harmonization in April, having spent several years working on the effort with its various members from across government. GovRAMP also argued that OMB has a big role to play in harmonizing cyber regulations and requirements by issuing formal guidance.

“That is going to be step one, because the agencies need that leadership and direction to say, ‘This is where we're going, as a whole, this is where we need to go,’ not just for the federal government but for all government agencies and industries so we have a common set of standards for accountability,” said GovRAMP Executive Director Leah McGrath in a recent interview. “Just doing that, you're going to see security outcomes improve, because rather than completing different audits and assessments, we're able to, as a whole, go forward.”

GovRAMP also called for a harmonization working group similar to what would have been mandated in Peters’ and Lankford’s Senate bill. McGrath said that would help produce a “common baseline” of cyber standards, as well as common ways to demonstrate that agencies have met those standards.

“If you get these folks in the room, we can find some common agreement,” McGrath said.

Given the growing importance of technology in government operations, the rise of artificial intelligence and the corresponding rise in cybersecurity threats, McGrath said that now presents the perfect opportunity to harmonize cybersecurity requirements.

“There are so many opportunities, and these regulations are really the thing that could hold us back, not only from achieving the best security outcomes that we could achieve, but from also being able to achieve our greatest potential from leveraging these innovations,” she said. “As we're seeing all these advancements, it feels like now's the time. Let's remove these burdens through harmonization, without sacrificing security. Most people agree, if we do this right, we are going to see better security as a result. So let's just do it.”
