A top official at the Office of the National Cyber Director (ONCD) said today that his team is preparing to take on the large and potentially thorny task that sits at the very top of the list for implementing the White House’s National Cybersecurity Strategy (NCS) – harmonizing cybersecurity regulations – and offered that the process may take years to complete.
ONCD said in its newly published National Cybersecurity Strategy Implementation Plan (NCSIP) that the organization is preparing a request for information (RFI) on “cybersecurity regulatory harmonization” for critical infrastructure, with a plan to publish the RFI in the “near future.”
“What we’re looking for first is developing the framework,” said Nicholas Leiserson, the assistant NCD for cyber policy and programs, at an Information Technology Industry Council (ITI) event this morning to discuss the new implementation plan.
“We’re looking to do a request for information to hear from industry about where there are areas that are overlapping regulation, that are duplicative, that are conflicting, or – hopefully not, but sometimes – contradictory.”
Leiserson said the information that ONCD gathers from the RFI will be used as a roadmap to build a framework that represents reciprocity of baseline cyber requirements that are aligned across all sectors.
The ONCD official explained that harmonization is a great concept, but what they’re really after is regulatory reciprocity.
“We don’t just want to see that the requirements are the same,” he said. “What we want to see is that there is some degree of reciprocity.”
“We’re working very closely with independent regulatory commissions through the cybersecurity forum for executive branch and independent regulators to talk through these framework ideas and where are we going with that,” Leiserson continued.
“I think it will be a years-long process, but one that if we are deliberate about it, and if we build a good framework, we can get to a much better outcome domestically and then hopefully leverage that in an international context as well.”
The cyber regulatory harmonization initiative (number 1.1.1) is the first item in the 57-page implementation document and falls under the first pillar in the plan – defend critical infrastructure – and strategic objective 1.1: establish cybersecurity requirements to support national security and public safety.
“The Office of the National Cyber Director (ONCD), in coordination with OMB, will work with independent and executive branch regulators, including through the Cybersecurity Forum for Independent and Executive Branch Regulators, to identify opportunities to harmonize baseline cybersecurity requirements for critical infrastructure. Through a request for information, ONCD will also engage non-governmental stakeholders to understand existing challenges with regulatory overlap and explore a framework for reciprocity for baseline requirements,” the initiative reads.
ONCD is the primary agency responsible for this initiative, but the NCSIP says ONCD will also work with the Federal Communications Commission (FCC) and the Office of Management and Budget (OMB), with a targeted completion date of the first quarter of fiscal year 2024.
During ITI’s event today, ONCD’s Acting National Cyber Director Kemba Walden said the NCSIP is a “living document,” which allows her team to continuously update the rules of the road with frameworks like the one they will create for initiative 1.1.1.
“We will continue to update the plan. In practice, that means ONCD will take what we learn from the request for information on regulatory harmonization that we are developing and turn into actionable steps to help us live in a world where we are providing that you met baseline requirements to one regulator will suffice for all of them,” Walden said.
“We have an inkling as to some of those steps, but we need to hear from our stakeholders about the inconsistent regulations they see and the concerns they have before putting them into action,” she said. “And that’s exactly what an iterative approach to implementation allows us to do.”
Walden noted that while the implementation plan was just released today, it is “already well underway across the administration.” Several initiatives, such as the issuance of the administration’s cybersecurity priorities for the FY 2025 budget, have already been completed ahead of schedule, the acting head of ONCD said.
Separately, Rep. Gerry Connolly, D-Va., said in a statement, “Through the release of the ONCD’s latest National Cybersecurity Strategy Implementation Plan (NCSIP), the Biden-Harris Administration has further demonstrated their steadfast commitment to expanding and strengthening our nation’s cybersecurity capabilities.”
“ONCD recognizes the reality of our ever-changing cyberthreat landscape, and this ‘living document’ ensures our federal strategy remains flexible and responsive to the myriad of evolving threats,” he said.