The White House has extended the deadline to submit comments for its request for information (RFI) on cybersecurity regulatory harmonization and regulatory reciprocity to Oct. 31.
Feedback for the RFI was originally due on Sept. 15, but as of today, the administration has received only one comment.
The Office of the National Cyber Director (ONCD) released its RFI on cybersecurity regulatory harmonization and regulatory reciprocity on July 19, seeking input from stakeholders to understand existing challenges with regulatory overlap and inconsistency.
ONCD’s end goal for the RFI is to create a framework that represents reciprocity of baseline cyber requirements that are aligned across all critical infrastructure sectors. The document defines harmonization as “a common set of updated baseline regulatory requirements that would apply across sectors.”
The document builds on the commitment the administration made in the National Cybersecurity Strategy to “harmonize not only regulations and rules, but also assessments and audits of regulated entities.” The RFI advances one of the 69 initiatives that were released as part of the National Cybersecurity Strategy Implementation Plan.
“When cybersecurity regulations of the same underlying technology are inconsistent or contradictory – or where they are duplicative but enforced differently by different regulators – consumers pay more, and our national security suffers,” the RFI reads.
“Duplicative regulation leads to companies focusing more on compliance than on security, which results in their passing higher costs on to customers, working families, and state, local, Tribal, and territorial governments,” it adds. “Harmonizing baseline regulatory requirements can therefore produce better security outcomes at lower costs.”
ONCD is particularly interested in regulatory harmonization as it may apply to critical infrastructure sectors, and is calling on academics, non-profit entities, industry associations, regulated entities, and others with expertise in cybersecurity regulation, risk management, operations, compliance, and economics to respond to this RFI – as well as state, local, Tribal, and territorial (SLTT) entities in their capacity as regulators and as critical infrastructure entities.
“Unlike many other fields, at a technical level, the cybersecurity of one sector is inherently similar to the cybersecurity of other sectors,” the RFI states. “While regulated sectors may engage in distinct activities, they often use the same software, hardware, and information and communications technology and services to enable interconnectivity or automation.”
The White House is seeking comments on ten different topic areas to begin its process of creating a framework for cybersecurity regulatory harmonization.
Primarily, ONCD wants to know about conflicting, mutually exclusive, or inconsistent regulations that cybersecurity stakeholders are required to meet across sectors, and how much it costs them annually.
The agency is also seeking feedback on regulation surrounding newer technologies, such as cloud services, or other critical emerging technologies that are being introduced into critical infrastructure. Specifically, ONCD wants to know how the FedRAMP process can improve.
Finally, ONCD is seeking feedback from stakeholders on how SLTT and international cyber regulations conflict with Federal requirements. The agency noted that this can get confusing because “companies that operate in multiple states are often required to comply with a variety of overlapping state and federal cybersecurity requirements” – and the same goes for international regulations.
Comments are now due by 5 p.m. EST on Oct. 31.
