The White House Office of the National Cyber Director (ONCD) announced today that it is building a pilot reciprocity framework to be used in a critical infrastructure subsector which will give ONCD “valuable insights” into how to best design a harmonized cybersecurity regulatory approach.
The new pilot is based off the findings from a summary report ONCD released today on the responses from its July 2023 request for information (RFI) that sought input from stakeholders to understand existing challenges with cybersecurity regulatory overlap and inconsistency.
According to ONCD, the RFI – which advances one of the 69 initiatives in the National Cybersecurity Strategy Implementation Plan – received more than 2,000 pages in responses from 86 organizations representing 11 of the 16 critical infrastructure sectors.
“It was overwhelmingly evident that respondents believe that there was a lack of cybersecurity regulatory harmonization and reciprocity and that this posed a challenge to both cybersecurity outcomes and to business competitiveness,” NCD Harry Coker wrote in a June 4 blog post. “Partners raised concerns not only about a lack of harmonization and reciprocity across Federal agencies, but also between state and Federal regulators and across international borders.”
ONCD’s report defines harmonization as the use of a common set of cybersecurity requirements, and is subsequent to efforts to align requirements – meaning that once there is alignment of regulations, harmonization of those regulations can take place. ONCD defines reciprocity as mutual recognition: if an entity has met the harmonized requirements of one regulator, it will meet the requirements of another regulator.
In its 57-page report, ONCD said the responses solicited a few key findings: The lack of harmonization and reciprocity harms cybersecurity outcomes while increasing compliance costs through additional administrative burdens; and challenges with cybersecurity regulatory harmonization and reciprocity extend to businesses of all sectors and sizes and that they cross jurisdictional boundaries – including international and state regimes.
RFI respondents described what regulatory harmonization and reciprocity in cybersecurity would consist of, with ONCD noting four overarching themes:
- Regulators should continue to focus on aligning to risk management approaches like the National Institute for Standards and Technology Cybersecurity Framework.
- Coordinating among regulators to decrease overlapping requirements and collaborating with key allies and regional organizations (e.g., the United Kingdom, European Union, Canada, and Australia) to drive international reciprocity would materially improve the status quo.
- Elevating supply chain security on par with cybersecurity would help ensure information and communications technology vendors are held to the same standards as critical infrastructure operators.
- Providing Federal leadership would help guide state, local, Tribal, and territorial governments to streamline related regulations.
ONCD noted that several respondents also provided specific recommendations for action to further harmonize cybersecurity regulations, with many highlighting ways the White House – or interagency bodies such as the Cyber Incident Reporting Council – could continue to drive progress toward harmonization and reciprocity.
For example, the National Defense Industry Association recommends that ONCD work with the president to codify the cybersecurity executive order to prevent varying requirements being changed with each new administration.
The report also notes that some respondents recommended the administration work with Congress on ways to improve harmonization. For example, several organizations suggested that Congress consider legislation to set national, high-level standards for cybersecurity.
In its response, Microsoft proposed that “ONCD should establish a single regulatory framework for applying cybersecurity standards within regulations.” Microsoft added that “ONCD should also advance a legislative proposal to enact policies and procedures that would require all regulators, including independent ones, to use the regulatory framework to ensure broad adoption.”
Building on the findings from the RFI, ONCD said it has begun to explore a pilot reciprocity framework to be used in a critical infrastructure subsector. This pilot program effort is captured in the National Cybersecurity Strategy Implementation Plan Version 2 released last month.
“The purpose of this pilot, which projects to complete next year, is to surface insights on how to achieve reciprocity when designing a cybersecurity regulatory approach from the ground up,” the report says. “ONCD will use findings from the pilot as well as the responses to the RFI to continue to lay the foundation for more comprehensive efforts to knit together dozens of regulatory regimes.”
NCD Coker noted today that in addition the office will “need Congress’s help to bring all the relevant agencies in the government together to develop a cross-sector framework for harmonization and reciprocity for baseline cybersecurity requirements.”
