Dive Brief:

  • The Biden administration outlined a comprehensive plan Tuesday to harmonize a bevy of federal, state and international regulations designed to boost cyber resilience among the nation’s private sector and critical infrastructure providers. Industry stakeholders want the administration to simplify the reporting process to cut back on duplicative disclosure requirements. 
  • National Cyber Director Harry Coker Jr. said in a Tuesday blog post that the administration is working on a pilot reciprocity framework to determine how best to streamline the administrative load on critical infrastructure subsectors.
  • The administration will also seek additional help from Congress to find legislative authorities to reduce administrative redundancies.

Dive Insight:

The push for harmonization is designed to reduce the regulatory burden on companies and critical infrastructure providers that are increasingly required to disclose cybersecurity incidents and mitigation strategies to various federal, state and, in many cases, foreign agencies. 

The ONCD outlined the plan following months of input from private sector partners, including industry associations, nonprofits and private sector companies. 

In response to a request for information issued last August, industry stakeholders and other interested parties submitted 86 responses suggesting steps to streamline the administrative burden and costs associated with the various rules and regulations. 

“It was overwhelmingly evident that respondents believe there was a lack of cybersecurity regulatory harmonization and reciprocity and that this posed a challenge to both cybersecurity outcomes and to business competitiveness,” Coker said in the blog post. 

Companies are up against a growing regulatory burden for cybersecurity disclosures from the Securities and Exchange Commission, the Cybersecurity and Infrastructure Security Agency, New York State and various other government bodies looking to ensure compliance and share intel. 

“There’s no reciprocity between these regulatory agencies, so it’s really becoming cumbersome for a lot of companies to try and comply with all these different regulations,” said Amy Chang, resident senior fellow, cybersecurity and emerging threats at R Street. 

The responses represent 11 of the federal government’s 16 designated critical infrastructure sectors, and the companies and organizations that responded represent a total of more than 15,000 businesses, states and other organizations, according to Coker. 

For many companies, the concern is they are spending countless hours and resources responding to duplicative information requests from different agencies, rather than having those agencies share the provided information.