The head of the Senate Homeland Security and Governmental Affairs Committee announced today that he plans to introduce legislation that would establish a regulatory harmonization committee for cybersecurity at the White House.

Sen. Gary Peters, D-Mich., said during a committee hearing today that the Office of the National Cyber Director (ONCD) would helm the panel and be tasked by Congress with harmonizing Federal cybersecurity regulations.

“I’m working on legislation to establish a harmonization committee at ONCD that would require all agencies and regulators to come together, talk about cybersecurity regulations, and work on harmonization,” Sen. Peters said in his opening statement of the hearing titled “Streamlining the Federal Cybersecurity Regulatory Process: The Path to Harmonization.”

“Passing legislation is the only solution,” the chairman continued. “We have to bring independent agencies together and start harmonizing this effort. Only Congress has the power to do so. And if we fail at this mission, we won’t be able to build the most effective response to cyber threats.”

The Senate panel’s hearing followed the White House’s announcement that it is building a pilot reciprocity framework to be used in a critical infrastructure subsector, which will give it “valuable insights” into how to best design a harmonized cybersecurity regulatory approach.

The new pilot is based on the findings from a summary report ONCD released on the responses from its July 2023 request for information (RFI) that sought input from stakeholders to understand existing challenges with cybersecurity regulatory overlap and inconsistency.

“It was overwhelmingly evident that respondents believe that there was a lack of cybersecurity regulatory harmonization and reciprocity and that this posed a challenge to both cybersecurity outcomes and to business competitiveness,” NCD Harry Coker wrote in a June 4 blog post. “Partners raised concerns not only about a lack of harmonization and reciprocity across Federal agencies, but also between state and Federal regulators and across international borders.”

ONCD’s report defines harmonization as the use of a common set of cybersecurity requirements and defines reciprocity as mutual recognition: if an entity has met the harmonized requirements of one regulator, it will meet the requirements of another.

“Since the Committee’s last hearing on this topic in 2017, the digital interconnectedness of our society has only grown, as has the sophistication of threat actors in cyberspace,” Assistant NCD for Cyber Policy and Programs Nick Leiserson said in his written testimony. “More regulators are stepping up to help manage the unacceptable level of risk that persists in many critical infrastructure sectors, and Congress has granted additional authorities to the government to impose minimum cybersecurity requirements. Yet, our efforts to confront cyber threats aggressively have not been anchored in a comprehensive policy framework for regulatory harmonization.”

“We have made this a priority … because duplicative or contradictory cybersecurity regulations not only pose unnecessary costs on regulated entities, they also drain investment away from improvements in actual cybersecurity,” he added.

ONCD’s RFI yielded several recommendations from organizations for Congress to enact legislation that would set national, high-level standards for cybersecurity.

“The administration supports Chairman Peters’ legislation – consistent with the views previously provided to the committee – that would allow ONCD to better carry out our mission by bringing independent regulatory commissions to the table in a policymaking process, which would act as a catalyst to develop a cross-sector framework more quickly for harmonization and reciprocity,” Leiserson said. “While our current work is piloting a reciprocity framework, our authorities to test harmonization and reciprocity more broadly are limited.”

Leiserson highlighted that Sen. Peters’ bill also includes a limited-scope pilot authority that would allow ONCD to quickly implement proposals and see if they reduce administrative costs while producing the same – or better – cybersecurity outcomes.

Cate Burgan
Cate Burgan is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.