
The Government Accountability Office (GAO) is asking Congress to address a patchwork of varying cybersecurity regulations and requirements across critical infrastructure sectors, saying that while cybersecurity has evolved, standardizing related regulations has not.
In a report published on July 30, GAO said it convened two separate panels with a total of 12 industry cybersecurity and administrative experts to discuss the existing cybersecurity regulations and how to harmonize them.
Those experts said that while cybersecurity regulations can be helpful, inconsistent patchworks of requirements cause overlap, duplication, and conflicts when developing cyber defenses.
“While difficult to estimate the impact of cyber regulations due to variances among sector entities, several participants generally agreed that industry expends significant resources handling overlapping, duplicative, or conflicting federal cybersecurity regulations,” said GAO.
Other challenges created by these inconsistencies include the number of regulations each sector must follow, which ranges from as few as one in some sectors to as many as 13 in others, and vague definitions and requirements within the regulations themselves.
Industry also struggles to stay compliant when agencies disagree about which standards a specific industry must meet, when foreign requirements conflict with U.S. ones, and when incident-reporting rules differ on how incidents are reported, what information is expected, and on what timelines.
Audits and assessments required by regulatory authorities also pose roadblocks, with GAO noting that a few participants said “regulatory compliance audits and assessments can vary from no assessment required to self-attestations or independent reviews by the regulatory agency or a third-party,” while another participant said, “an organization in their sector could have up to seven different auditors request the same information.”
Despite cybersecurity processes and standards evolving over years, GAO reported that Federal moves to harmonize those efforts haven’t kept up.
“We are no closer today than we were 10 years ago on creating a solution for harmonization,” one industry official said, according to GAO, while another added, “we suffer from an absence of meaningful evolution in the regulations, and an absence of support in implementing them.”
Opportunities to harmonize regulations include prioritizing standardization through current and forthcoming regulations, effectively implementing the Cyber Incident Reporting for Critical Infrastructure Act, and reauthorizing the Cybersecurity and Information Sharing Act of 2015, GAO said.
A more long-term solution could include identifying or establishing a single entity that has authority to oversee Federal agencies that implement and enforce cybersecurity regulations, GAO’s conference participants said. That entity would need to have “the leadership and centralized authority to direct other agencies to further harmonize and reciprocate,” according to GAO.
Liability protections should also be considered while writing regulations and standards, GAO said, explaining that participants said “requirements may be harmful if it costs a company greatly to be in full compliance while competing with companies who do not invest in being fully compliant.”
Participants also noted that progress has been made toward more consistent terminology and in developing Federal resources such as the National Institute of Standards and Technology’s Cybersecurity Framework and the Federal Financial Institutions Examination Council’s IT handbook, GAO reported.