Deadline Extended: ONCD Seeking Public Feedback on Ways to Harmonize Cybersecurity Regulations

The Office of the National Cyber Director (ONCD) has extended the deadline to respond to its Request for Information (RFI) seeking public comment on "opportunities for and obstacles to harmonizing" cybersecurity regulations. According to a White House fact sheet accompanying the to the RFI, ONCD is seeking input on existing regulatory overlap and inconsistency among cybersecurity regulations to explore "a framework for reciprocal recognition by regulators of compliance with common baseline cybersecurity requirements." Although the RFI provides little detail on how such a framework might operate, the RFI indicates that "harmonized" baseline cybersecurity requirements would apply across sectors and regulatory regimes, allowing federal agencies to accept each others' determinations that an entity is compliant with those baselines. Companies subject to multiple overlapping cybersecurity regulations then could focus compliance efforts on those shared baselines. As the White House fact sheet recognizes, while companies in different economic sectors may have very different operations, "the cybersecurity of one sector is inherently similar to the cybersecurity of other sectors," and cyber risk mitigation measures tend to be similar across companies and industries. At the same time, however, the RFI notes that sector-specific regulators could "go beyond" harmonized cybersecurity baselines to address cyber risks specific to their sectors.

While the RFI requests input on harmonization of cyber regulations generally, it states that the ONCD is particularly interested in regulatory harmonization for critical infrastructure sectors and sub-sectors as defined in the Obama Administration's Presidential Policy Directive 21 and the National Infrastructure Protection Plan, providers of communications, IT, and cybersecurity services to critical infrastructure, and "critical and emerging technologies" as identified by the National Science and Technology Council, including cloud services, AI, autonomous vehicles, financial technologies (including payment technologies and digital assets), and quantum computing.

The RFI was issued on July 19, 2023, shortly after the Biden Administration's publication of its National Cybersecurity Strategy Implementation Plan. The deadline for public input, which originally was September 15, 2023, has now been set for October 31, 2023.

Background

The ONCD operates within the Executive Office of the President and advises the President on cybersecurity policy and strategy. ONCD, which was created by Section 1751 of National Defense Authorization Act for FY 2021, has been instrumental in advancing the Biden Administration's cybersecurity initiatives in 2023. This year alone, ONCD led development of the Administration's National Cybersecurity Strategy (we discussed the National Cybersecurity Strategy in a prior blog post), National Cyber Workforce and Education Strategy, and National Cybersecurity Strategy Implementation Plan. ONCD also has issued a request for information on open-source software security.

Strategic Objective 1.1 of the National Cybersecurity Strategy calls for use of existing federal authorities to regulate cybersecurity for critical infrastructure, establishment of new authorities to fill regulatory gaps, adoption of performance-based cyber rules leveraging existing frameworks and standards, and harmonization and streamlining of new and existing requirements. Strategic Objective 1.1 specifically directs ONCD, in coordination with the Office of Management and Budget (OMB) to "lead the Administration's efforts on cybersecurity regulatory harmonization." The National Cybersecurity Strategy Implementation Plan seeks to implement Strategic Object 1.1. by directing ONCD to issue the RFI and explore the reciprocity framework.

Notably, the RFI does not request input on harmonization of cyber incident reporting requirements. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) created the National Cyber Incident Reporting Council (NCIRC) within the Department of Homeland Security (DHS) specifically for the purpose of periodically reviewing cyber incident reporting requirements and ensuring that they "avoid conflicting, duplicative, or burdensome requirements." CIRCIA concurrently tasked the Cybersecurity and Infrastructure Security Agency (CISA), which also resides within DHS, with developing cyber incident notification regulations for critical infrastructure operators (we discuss CIRCIA in detail here). Following CIRCIA, the National Cybersecurity Strategy directs the NCIRC to lead harmonization efforts for cyber incident reporting.

Questions for Respondents

The RFI poses nine requests (as well as a tenth asking for any further information commentors would like to provide), each of which have a series of detailed questions. The RFI asks commenters to provide information including:

• Examples of conflicting, mutually exclusive, or inconsistent federal and state, local, Tribal or territorial (SLTT) regulations, and information regarding how entities comply with these regulations simultaneously. Among other things, the RFI asks for information about the time, money and resources entities expend to comply with conflicting, mutually exclusive or inconsistent cyber regulations, and whether entities have gaps in their security programs due to compliance burdens.
• Input on whether the Interagency Guidelines Establishing Information Security Standards and related examination and assessment guidance adopted by multiple federal banking regulators provide an effective model for cross-agency harmonization. The Federal Reserve Board, Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation adopted the Interagency Guidelines to implement data security requirements under the Gramm-Leach-Bliley Act applicable to the various types of financial institutions they regulate.
• Examples and feedback on the use of existing cybersecurity standards or frameworks to establish regulatory requirements. Among other things, the RFI asks how regulations have incorporated existing standards or frameworks (i.e., whether in whole or in part as modified by regulators), and how entities are required to verify compliance with those standards or frameworks.
• Information on how entities use third-party cybersecurity frameworks, such as the NIST Cybersecurity Framework, to mitigate cybersecurity risk.
• Input on whether a "tiered" regulation model, which would allow for tailoring of cybersecurity baselines to specific cyber risks, could provide regulatory harmonization across sectors.
• Examples of cybersecurity oversight by multiple regulators—including federal, or SLTT—of the same information technology or operational technology systems at the same entity. The RFI asks specifically for information about how overlapping agencies coordinate their regulatory efforts (such as by appointing a "primary" regulator), whether they practice some form of regulatory "reciprocity," and the burdens of complying with overlapping regulatory regimes. The RFI also requests information about the effectiveness of third-party cybersecurity assessments, such as those performed by Third Party Assessment Organizations (3PAOs) under the Federal Risk and Authorization Management Program (FedRAMP), a cybersecurity authorization program for cloud service providers to the federal government. Under FedRAMP, a cloud service provider can leverage a single 3PAO assessment to establish its eligibility to provide services to multiple agencies (we discuss FedRAMP and some recent statutory changes to the program here).
• For cloud and other service providers, specific examples of conflicting, mutually exclusive, or inconsistent cybersecurity regulations that are passed along by contract to third-party service providers, as well as examples of direct cyber regulations of such service providers. The RFI specifically requests information about regulations that restrict use of cloud services, managed security service providers and cloud-based security tools. The RFI also asks for information about burdens faced by service providers in complying with these regulations, and for input on how FedRAMP might be used to meet other cybersecurity regulations.
• Examples of effective harmonization between cybersecurity regulations at the SLTT level and those at the federal level, and examples of conflicting, mutually exclusive, or inconsistent regulations at these levels.
• Examples of conflicts between U.S. and foreign cybersecurity regulations and input on how U.S. and foreign regulations might be effectively harmonized.

At this early stage, it is unclear what will come out of the ONCD's efforts to promote harmonization of cybersecurity regulations. But as the patchwork of federal, state, local and other requirements grows, those efforts may become increasing vital, particularly for critical infrastructure operators, cloud service providers, and others. DWT's Privacy and Security team will continue to monitor the ONCD's cybersecurity harmonization efforts, as well as the Biden Administration's broader initiatives to implement its National Cybersecurity Strategy.