The Office of the National Cyber Director (ONCD) requests public comments to identify opportunities to harmonize cybersecurity regulations for critical infrastructure. The request for information (RFI)—which references voluntary consensus standards—supports the administration’s National Cybersecurity Strategy Strategic Objective 1.1: Establish Cybersecurity Requirements to Support National Security and Public Safety.
The RFI builds on the National Cybersecurity Strategy declaration to “harmonize not only regulations and rules, but also assessments and audits of regulated entities.” The goal of the RFI, published in the Federal Register, is to understand existing challenges with regulatory overlap and inconsistency in order to explore a framework for reciprocal recognition by regulators of compliance with common baseline cybersecurity requirements.
The ONCD is particularly interested in regulatory harmonization as it may apply to critical infrastructure sectors and sub-sectors identified in Presidential Policy Directive 21 and the National Infrastructure Protection Plan, and providers of communications, IT, and cybersecurity services to owners and operators of critical infrastructure.
“When cybersecurity regulations of the same underlying technology are inconsistent or contradictory—or where they are duplicative but enforced differently by different regulators—consumers pay more, and our national security suffers,” the administration announced. “Duplicative regulation leads to companies focusing more on compliance than on security, which results in their passing higher costs on to customers, working families, and state, local, Tribal, and territorial governments. Harmonizing baseline regulatory requirements can therefore produce better security outcomes at lower costs.”
The RFI references a recent report from the President’s National Security Telecommunications Advisory Council (NSTAC) that addressed cybersecurity regulatory harmonization, wherein the NSTAC noted that “even though most regulations cite consensus standards as the basis for their requirements, variations in implementations across regulators often result in divergent requirements.”
Use of Existing Standards and Frameworks
To that end, the RFI requests information about industry use of standards, and inquires:
The ONCD is also interested in newer technologies, such as cloud services, or other “Critical and Emerging Technologies” identified by the National Science and Technology Council, that are being introduced into critical infrastructure.
ANSI encourages relevant stakeholders to respond to the RFI; the deadline has been extended to October 31. The RFI may be relevant to academics, non-profit entities, industry associations, regulated entities, and others with expertise in cybersecurity regulation, risk management, operations, compliance, and economics.