Today, the White House Office of the National Cyber Director (ONCD) is announcing a request for information (RFI) on cybersecurity regulatory harmonization and regulatory reciprocity. The RFI builds on the commitment the Administration made in the National Cybersecurity Strategy to “harmonize not only regulations and rules, but also assessments and audits of regulated entities.” The RFI advances one of the 69 initiatives that were released last week as part of the National Cybersecurity Strategy Implementation Plan.
When cybersecurity regulations of the same underlying technology are inconsistent or contradictory – or where they are duplicative but enforced differently by different regulators – consumers pay more, and our national security suffers. Duplicative regulation leads to companies focusing more on compliance than on security, which results in their passing higher costs on to customers, working families, and state, local, Tribal, and territorial governments. Harmonizing baseline regulatory requirements can therefore produce better security outcomes at lower costs.
ONCD is seeking input from stakeholders to understand existing challenges with regulatory overlap and inconsistency in order to explore a framework for reciprocal recognition by regulators of compliance with common baseline cybersecurity requirements. Unlike many other fields, at a technical level, the cybersecurity of one sector is inherently similar to the cybersecurity of other sectors. While regulated sectors may engage in distinct activities, they often use the same software, hardware, and information and communications technology and services to enable interconnectivity or automation. The technological commonalities also mean that baseline risk mitigation measures are likely to be common among entities and sectors.