As the number of cybersecurity regulations increases, harmonizing them across federal agencies, foreign jurisdictions, state and local governments, and market sectors is complex, to say the least. As the White House Office of the National Cyber Director (ONCD) continues to work to advance its National Cybersecurity Strategy, it has released a request for information (RFI) that focuses on regulatory harmonization for critical infrastructure, their vendors, and others that support them.

For these regulations to actually improve security, harmonization will be a key area for this administration to focus on. As it stands, the landscape is challenging, with different regulations based on market sector and geography. For example, the rules for financial services in New York State are different from those in London. Regulated industries have pointed to areas where they already have to undergo eight mandatory cybersecurity audits a quarter. These audits are looking for the same things but require different personnel to run them at the same time. This is clearly a waste of focus and resources for already short-staffed security teams.

The RFI covers the prominent issues around regulatory harmonization to help fix the problem. One interesting area where the ONCD is focused is mutually recognizable certifications, such as FedRAMP. While sectors and geographies may have their own technology certifications, finding the resources to adhere to all of them can be tricky.

Instead of having to go through an entirely new certification process because of a slight difference or additional requirement, as happens today, the Administration seems to support looking at existing certifications, finding gaps, and then requiring minimal additional documentation and testing to make sure those gaps have been closed. Cross-sector recognition of certifications would enable industry to serve additional markets without additional costs. As we have previously pointed out, FedRAMP certainly has its existing problems, and it might be one of the better examples of the existing certifications, but if we can make improvements and they can be adapted successfully, this approach would be an improvement over where we are today.

There are challenges on the horizon for ONCD when it comes to regulatory harmonization. Buy-in from independent federal agencies and others will be necessary, as ONCD doesn't have the authority to impose coordination. It will be interesting to watch ONCD bring stakeholders together and work on aligning regulation across market sectors and geographies. Are state and international regulators willing to work together on harmonizing certifications?

The Center looks forward to continuing to work with ONCD to make something work that is an improvement over the current lack of regulatory coordination.

Ari Schwartz
