231031 Comments Cyber Regulatory Harmonization ONCD FINAL
Vice President, Cyber Policy and Operations, U.S. Chamber of Commerce
October 31, 2023
The U.S. Chamber of Commerce welcomes the opportunity to comment on the Office of the National Cyber Director's (ONCD) request for information (RFI) on cyber regulatory harmonization and appreciates ONCD’s extension of time to provide formal comments. Harmonizing the myriad federal cyber regulations is a complex, challenging, and often thankless task. We appreciate your commitment to this endeavor, and your willingness to solicit input from private sector entities like the Chamber and its broad membership base. We believe that improved harmonization of cyber regulations will allow organizations to focus more of their time, people, and resources on improving cyber programs and responding to incidents, rather than addressing overlapping, duplicative—and sometimes contradictory—state, federal, and international regulatory requirements.
Evolving cybersecurity threats are persistent and pervasive challenges to businesses and critical infrastructure across the globe. Governments and regulatory bodies have introduced new cybersecurity regulations to address the growing threat landscape. The U.S. Government (USG) took several significant actions to create or update cybersecurity requirements following the SolarWinds supply chain compromise and the DarkSide and REvil ransomware campaigns. These actions included Executive Order 14028, Improving the Nation's Cybersecurity; the numerous Security Directives on pipeline, rail, and aviation security issued by the Department of Homeland Security's Transportation Security Administration; the passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (and its forthcoming implementing regulations); and the U.S. Securities and Exchange Commission's new final rule on cyber risk management, governance, and incident disclosure. A parallel state-level action is the New York Department of Financial Services' Second Amendment to its Cybersecurity Regulation, 23 NYCRR Part 500. The result, however, is still a fragmented regulatory environment that needs more cohesion and consistency.
Obstacles, Opportunities, and Recommendations for Harmonizing Cybersecurity Regulations Domestically and Internationally
- Fragmented Regulatory Landscape
- Outcome-Focused, Risk-Based, Consensus Standards Are Critical for Driving Regulatory Cohesion
- Case Studies in Harmonization
- International Cooperation Is Critical to Creating a Cohesive Global Cyber Regulatory Framework
- Significant Challenges Have Created Barriers to Regulatory Harmonization
- The White House Should Establish a Regulatory Harmonization Office and Create Policies and Procedures for Regulatory Cohesion