
A group of House Republicans is calling on the White House Office of Management and Budget (OMB) to review overlapping cybersecurity regulations, arguing that the current fragmented approach is raising costs on industry and possibly undermining national cyber resilience.
In a letter to OMB Director Russell Vought, the lawmakers explained that the Cybersecurity and Infrastructure Security Agency (CISA) estimates there are over three dozen Federal requirements for cyber incident reporting. They stressed that this number does not include state, local, Tribal, territorial, or international requirements.
“The resources required for regulated entities to comply are immense,” they wrote. “Such oppressive requirements force entities of all sizes to choose between spending precious resources on security or on compliance. This unnecessary tradeoff puts entities at risk.”
The letter cites a Government Accountability Office report from 2020 that found conflicting cybersecurity requirements issued by four Federal agencies overlapped by as much as 79 percent.
Additionally, the lawmakers took aim at the bipartisan Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which will require organizations to report cyber incidents and ransomware payments to CISA.
“CISA’s proposed CIRCIA rule, if enacted as written, undermines Congressional intent by imposing another layer of duplication by increasing compliance costs and capturing more entities than envisioned by lawmakers,” they wrote.
The group of Republicans urged OMB to review existing and future Federal cyber regulations “for duplication and redundancy” in coordination with the Office of the National Cyber Director (ONCD) and CISA. They also want the agencies to “identify opportunities for reciprocity within and between agencies.”
They also cited President Donald Trump’s recently launched 10-to-1 deregulation initiative, calling on OMB to avoid issuing any new cybersecurity rules “without repealing at least ten existing rules and ensuring the net total cost of new and repealed regulation are less than zero.”
The lawmakers requested a briefing on OMB’s plans to harmonize cyber regulations by April 28.
House Committee on Homeland Security Chairman Mark Green, R-Tenn.; Committee on Oversight and Government Reform Chairman James Comer, R-Ky.; Subcommittee on Federal Law Enforcement Chairman Clay Higgins, R-La.; Subcommittee on Cybersecurity, Information Technology, and Government Innovation Chairwoman Nancy Mace, R-S.C.; and Committee on Oversight and Government Reform member Andy Biggs, R-Ariz., signed the letter.
Cybersecurity harmonization was also a key goal of the Biden administration and a core tenet of the White House’s National Cybersecurity Strategy published in March 2023.
Before departing in January, former National Cyber Director Harry Coker urged the new administration and Congress to work toward the ONCD’s long-term goal of Federal cybersecurity regulation “harmonization,” noting that the lack of harmonization impedes industry and government’s cybersecurity posture.
Additionally, Coker was a vocal proponent of legislative activity to achieve cyber harmonization.
Those efforts include the Streamlining Federal Cybersecurity Regulations Act, introduced in July by Sens. Gary Peters, D-Mich., and James Lankford, R-Okla., which would task the national cyber director with leading a regulation harmonization committee and publishing a harmonization framework within a year.
The bill was approved by the Senate Homeland Security and Governmental Affairs Committee but failed to gain traction with the full Senate.