[Senate Hearing 118-353]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 118-353

                 STREAMLINING THE FEDERAL CYBERSECURITY
             REGULATORY PROCESS: THE PATH TO HARMONIZATION

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                    ONE HUNDRED EIGHTEENTH CONGRESS


                             SECOND SESSION

                               __________

                              JUNE 5, 2024

                               __________

        Available via the World Wide Web: http://www.govinfo.gov

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs
        
        

                               __________

                   U.S. GOVERNMENT PUBLISHING OFFICE                    
56-046 PDF                  WASHINGTON : 2024                    
          
----------------------------------------------------------------------------------- 

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           RAND PAUL, Kentucky
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              JAMES LANKFORD, Oklahoma
JACKY ROSEN, Nevada                  MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
RICHARD BLUMENTHAL, Connecticut      JOSH HAWLEY, Missouri
LAPHONZA BUTLER, California          ROGER MARSHALL, Kansas

                   David M. Weinberg, Staff Director
         Christopher J. Mulkins, Director of Homeland Security
              Emily A. Ferguson, Professional Staff Member
           William E. Henderson III, Minority Staff Director
              Christina N. Salazar, Minority Chief Counsel
          Kendal B. Tigner, Minority Professional Staff Member
                     Laura W. Kilbride, Chief Clerk
                   Ashley A. Gonzalez, Hearing Clerk

                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Peters...............................................     1
    Senator Hassan...............................................     8
    Senator Lankford.............................................    13
    Senator Rosen................................................    15
    Senator Blumenthal...........................................    17
Prepared statements:
    Senator Peters...............................................    23

                               WITNESSES
                        WEDNESDAY, JUNE 5, 2024

Nicholas Leiserson, Assistant National Cyber Director for Cyber 
  Policy and Programs, Office of the National Cyber Director, 
  Executive Office of the President..............................     3
David Hinchman, Director, Information Technology and 
  Cybersecurity, U.S. Government Accountability Office...........     4

                     Alphabetical List of Witnesses

Hinchman, David:
    Testimony....................................................     4
    Prepared statement...........................................    32
Leiserson, Nicholas:
    Testimony....................................................     3
    Prepared statement...........................................    25

                                APPENDIX

Statements submitted for the Record:
    American Public Power Association............................    48
    Bank Policy Institute........................................    50
    U.S. Chamber of Commerce.....................................    53

 
                        STREAMLINING THE FEDERAL
                   CYBERSECURITY REGULATORY PROCESS:
                       THE PATH TO HARMONIZATION

                              ----------                              


                        WEDNESDAY, JUNE 5, 2024

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10 a.m., in room 
SD-342, Dirksen Senate Office Building, Hon. Gary Peters, Chair 
of the Committee, presiding.
    Present: Senators Peters [presiding], Hassan, Rosen, 
Blumenthal, and Lankford.

             OPENING STATEMENT OF SENATOR PETERS\1\

    Chairman Peters. The Committee will come to order.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Peters appears in the 
Appendix on page 23.
---------------------------------------------------------------------------
    Cybersecurity remains one of the greatest challenges facing 
our Nation. As we have become more reliant on technology and 
digital infrastructure, the threat of cyberattacks has 
dramatically increased. Every day, our citizens, our critical 
infrastructure operators, and our Federal, State, and local 
governments have to defend against hundreds of thousands of 
potential cyberattacks.
    These come from criminals who take advantage of our 
vulnerable people, foreign actors who threaten our critical 
infrastructure, and hackers who try to destabilize American 
businesses. Cyberattacks are more coordinated and more 
dangerous than ever.
    In response to this threat, American regulators have begun 
to set new standards for cybersecurity and digital safety. They 
have moved quickly in that work. In the last four years alone, 
Federal regulators have passed 48 rules on cybersecurity, more 
than 10 per year. That does not include new policies at the 
State as well as the local level.
    This surge of regulations comes from a good place. It 
represents our government's response to a new and growing 
threat and has helped give American businesses some important 
guidance on how to keep safe from these cyber threats.
    The challenge is that even though all aspects of our 
society are vulnerable to cyberattacks from electric grids to 
water systems to gas pipelines--no one, no one is coordinating 
this effort. This is a patchwork of new guidelines set by 
separate agencies. Regulators are working to respond to the 
unique challenges their sectors certainly face, and they are 
often not looking at the bigger picture of how all of these 
different rules interact with each other. Without that higher 
level coordination, there is no way to ensure that these 
guidelines do not overlap, duplicate, or, quite simply, 
contradict each other.
    The results are often confusing and inefficient. Businesses 
are scrambling to follow a web of new standards, ones that can 
change quickly with new technological innovations. Airlines 
have to adhere to three different regulators on cybersecurity. 
Railroads have six. A bank could have 16 different oversight 
bodies, all of whom are passing their own standards and 
expecting those standards to be followed. This is not 
necessarily a case where more is better. We must be smart in 
these regulations to ensure the higher level of cybersecurity.
    In short, businesses and their employees are spending too 
many resources trying to understand these new guidelines. 
Companies are taking their cybersecurity professionals off the 
line to fill out paperwork, leaving their defenses undermanned 
and vulnerable.
    We need effective regulations on cybersecurity, no question 
about that. But we need them to be efficient, adaptable, and 
coordinated all across different agencies. Harmonization and 
harmonizing these guidelines will make our government more 
efficient, help businesses compete on the global stage, and 
ensure that we are addressing cybersecurity threats in the most 
effective way. That is why I am working on legislation to 
establish a Harmonization Committee at Office of the National 
Cyber Director (ONCD) that would require all agencies and 
regulators to come together, talk about cybersecurity 
regulations, and work on harmonization.
    Passing legislation is the only solution. We have to bring 
independent agencies together and start harmonizing this 
effort. Only Congress has the power to do so. If we fail at 
this mission, we will not be able to build the most effective 
response to cyber threats.
    It is the practice of the Homeland Security and 
Governmental Affairs Committee (HSGAC) to swear in witnesses, 
so if each of you would please stand and raise your right hand.
    Do you swear that the testimony that you will give before 
this Committee will be the truth, the whole truth, and nothing 
but the truth, so help you, God?
    Mr. Leiserson. I do.
    Mr. Hinchman. I do.
    Chairman Peters. You may be seated. Thank you.
    Our first witness, Nicholas Leiserson, is an Assistant 
National Cyber Director for Cyber Policy and Programs. He 
previously served as ONCD's Deputy Chief of Staff, and prior to 
joining ONCD, Nicholas spent more than a decade on the staff of 
Congressman James R. Langevin, principal author of the National 
Cyber Director Act.
    Mr. Leiserson, you are now recognized for your opening 
comments.

 TESTIMONY OF NICHOLAS LEISERSON,\1\ ASSISTANT NATIONAL CYBER 
DIRECTOR FOR CYBER POLICY AND PROGRAMS, OFFICE OF THE NATIONAL 
       CYBER DIRECTOR, EXECUTIVE OFFICE OF THE PRESIDENT

    Mr. Leiserson. Good morning, Chairman Peters and 
distinguished Senators of the Committee. Thank you for the 
opportunity to testify before you today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Leiserson appears in the Appendix 
on page 25.
---------------------------------------------------------------------------
    Today's hearing is about a complex topic, how to set 
baseline cybersecurity requirements across critical 
infrastructure in a harmonized manner. It involves coordinating 
dozens of agencies, each implementing its own unique 
authorities. Yet, despite the complexity, our value proposition 
is simple. In a harmonized regulatory environment we will see 
better cybersecurity outcomes as we reduce the dollars that are 
going into regulatory compliance.
    Pursuant to the National Cybersecurity Strategy (NCS) 
Implementation Plan, the Office of the National Cyber Director 
released a request for information last year about 
cybersecurity regulatory harmonization and reciprocity. ONCD 
received 86 unique responses to the request for information 
(RFI), covering 11 of 16 critical infrastructure sectors. In 
all, the respondents represent over 15,000 businesses, States, 
and other organizations.
    We have analyzed the responses, and yesterday we released 
our summary of the more than 2,000 pages of comments we 
received. There are three key findings. First, the lack of 
harmonization and reciprocity harms cybersecurity outcomes 
while increasing compliance costs. Second, challenges with 
harmonization extend to businesses of all sectors and all 
sizes, and cross jurisdictional boundaries. Third, the United 
States government is positioned to act to address these 
challenges.
    Let me share some of what we heard.
    The Business Roundtable, a group of Chief Executive 
Officers (CEOs) whose companies support one in four American 
jobs, noted that, ``Duplicative, conflicting, or unnecessary 
regulations require companies to devote more resources to 
fulfilling technical compliance requirements without improving 
cybersecurity outcomes.''
    The National Defense Industry Association (NDIA), whose 
more than 65,000 corporate and individual members comprise much 
of our defense industrial base, wrote, ``Inconsistencies also 
pose barriers to entry, especially for small and midsized 
businesses that often have limited resources.''
    In some cases, respondents noted that Chief Information 
Security Officers (CISO) were spending 30 to 50 percent of 
their time not on security but on compliance activities.
    ONCD leads the coordination of implementation of national 
cyber policy and strategy. In alignment with our mission, both 
the National Cybersecurity Strategy and the recent National 
Security Memorandum (NSM) on Critical Infrastructure assign 
ONCD the responsibility for coordinating cybersecurity 
regulatory harmonization across the government. Improving 
Federal coherence, in partnership with our interagency and 
private sector stakeholders, is at the core of our mission. 
Based on feedback from the RFI, ONCD has begun to build a pilot 
reciprocity framework. We anticipate that this pilot will give 
us valuable insights as to how best achieve reciprocity when 
designing a cybersecurity regulatory approach from the ground 
up.
    However, our vision cannot be fully achieved without help 
from Congress. As the United States Chamber of Commerce noted 
in its filing, ``A significant challenge to U.S. regulatory 
harmonization efforts are independent regulatory agencies,'' 
and further, ``The U.S. Chamber urges Congress to consider 
legislation to address this challenge.''
    The Administration supports Chair Peters' bill, consistent 
with the views previously provided to the Committee, that would 
allow ONCD to better carry out our mission by bringing 
independent regulatory commissions to the table together, with 
the interagency, in a policymaking process. This would act as a 
catalyst to develop a cross-sector framework for harmonization 
and reciprocity.
    Such a framework is foundational to our desired end state, 
which would do three things: first, strengthen cybersecurity 
readiness and resilience across all sectors; second, simplify 
responsibilities of cyber regulators while enabling them to 
focus on their areas of expertise; and finally, substantially 
reduce the administrative burden and cost on regulated 
entities.
    Mr. Chair, Members of the Committee, in closing, regulatory 
harmonization is a hard problem. It is a problem that has 
existed for decades. The trend line is generally heading toward 
more fragmentation, not more harmonization. It is a problem 
that requires leadership from ONCD and Congress, informed by 
the private sector. We have the opportunity to set the stage 
for a more harmonized future, and I hope we will do so 
together.
    Thank you for the opportunity to testify today. I look 
forward to your questions.
    Chairman Peters. Thank you. Thank you for your testimony.
    Our next witness is David Hinchman. He is the Director of 
Information Technology and Cybersecurity at the U.S. Government 
Accountability Office (GAO). In that role, he oversees audits 
on critical infrastructure, the information technology (IT) and 
cybersecurity workforce, cloud computing, and the IT 
modernization efforts at the Internal Revenue Service (IRS). 
Prior to joining GAO in 2002, Mr. Hinchman worked as a business 
consultant for several private sector firms and served as a 
Surface Warfare officer in the United States Navy.
    Mr. Hinchman, you are now recognized for your opening 
remarks.

     TESTIMONY OF DAVID HINCHMAN,\1\ DIRECTOR, INFORMATION 
 TECHNOLOGY AND CYBERSECURITY, U.S. GOVERNMENT ACCOUNTABILITY 
                             OFFICE

    Mr. Hinchman. Thank you. Chair Peters, Members of the 
Committee, thank you for inviting GAO to discuss our work on 
the Federal Government's efforts to harmonize cybersecurity 
regulations. Our nation increasingly depends on computer-based 
information systems and electronic data to execute fundamental 
operations and to process and maintain crucial information.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Hinchman appears in the Appendix 
on page 32.
---------------------------------------------------------------------------
    Cyber-based intrusions and attacks on both Federal and non-
Federal systems by malicious actors are becoming more common 
and more disruptive. These attacks threaten the continuity, 
confidence, and integrity of these essential systems, including 
those that support our nation's critical infrastructure. Never 
has there been a greater need to ensure that these vital 
systems have the appropriate direction and guidance needed to 
ensure their security.
    Because the private sector owns the majority of this 
infrastructure, it is crucial that the public and private 
sectors work together to protect these assets and systems. 
However, when critical infrastructure sectors are subject to 
multiple regulations that grow and evolve in a decentralized 
manner, this can result in conflicting, inconsistent, or 
redundant requirements.
    In recent years, interest in harmonizing these regulations 
has gained momentum, with several actions taken both by 
Congress and the Executive Branch. Today I would like to 
briefly summarize the findings of GAO's work in this area as 
well as share our current observations on ongoing efforts.
    In legislation sponsored by this Committee, the 2022 Cyber 
Incident Reporting for Critical Infrastructure Act (CIRCIA), 
addressed the need for standardized cyber incident reporting, 
in addition to incident reporting requirements that both 
deconflicted and harmonized. Additionally, the Administration 
specifically addressed harmonization as a core strategic 
objective in the 2023 National Cybersecurity Strategy. The 
Administration also addresses important information in a 
request for information published by the Office of the National 
Cyber Director, the organization that leads the 
Administration's harmonization efforts. This request for 
information sought to gather public comments on opportunities 
for and obstacles to harmonizing cyber regulations. Further, 
the April 2024 National Security Memorandum on Critical 
Infrastructure Security and Resilience called for an approach 
to harmonizing cyber regulations as part of a national plan for 
infrastructure risk management.
    Taken together, these congressional and executive actions 
provide an important starting point for the harmonization 
effort. However, GAO's past work and ongoing observations offer 
cautionary notes on the challenges that will be faced on this 
journey.
    In February 2024, GAO reported that the ONCD's National 
Cyber Strategy did not define outcome-oriented performance 
measures. Our past work has consistently found, across the 
government, that well-defined performance measures allow for 
more accurate assessment of the extent to which an initiative, 
such as those found in the National Cyber Strategy, are 
achieving their stated objectives.
    Without identifying appropriate outcome-oriented 
performance measures, ONCD may be limited in its ability to 
deliver the effectiveness of the national strategy and meeting 
its goals of better securing cyberspace and the nation's 
critical infrastructure.
    Further, a 2023 Department of Homeland Security (DHS) 
report, required by CIRCIA, found 45 existing incident cyber 
reporting requirements across our nation's critical 
infrastructures. Among these 45 requirements, DHS found 
substantive differences such as varying definitions, differing 
report timelines, and inconsistent reporting mechanisms. 
Notably, this report looked at only one aspect of cyber 
regulations and still found these 45 applicable requirements. 
This serves as a stark reminder of how many regulations likely 
exist in the broader realm of general infrastructure 
cybersecurity and how much work will be required to harmonize 
those numerous requirements once they are identified.
    In summary, given the increasing need for harmonized cyber 
regulations, it will be important for stakeholders in this 
vital process, representing both the Legislative and Executive 
Branches, to continue to work toward a common goal. It will 
also be crucial to develop definitive goals for this process 
based on both realistic timeframes as well as measurable 
performance.
    This whole-of-government effort will require two things: 
one, a continued focus to ensure that performance goals are 
well defined and outcome oriented; and two, that the 
appropriate groundwork is laid to fully understand the universe 
of regulations to be harmonized. By taking these actions we can 
better position our nation's critical infrastructure to 
successfully defend itself against the growing and ever-present 
cybersecurity threat.
    Mr. Chairman, this concludes my statement. Thank you.
    Chairman Peters. Thank you.
    As both of you mentioned in your opening comments, and I 
mentioned in mine, we know that regulations are used by Federal 
agencies in multiple ways. I mentioned in my opening about 
making sure we have clean water to drink, protecting investors 
from predatory practices, and the list goes on.
    Cybersecurity regulations have received a greater amount of 
attention given the growing threat of cyberattacks, which is 
not going down, and probably would argue exponentially going 
up, and on our critical infrastructure and Federal IT systems, 
which are a particular target.
    Mr. Leiserson, why do cybersecurity regulations lend 
themselves generally to be a good candidate for harmonization 
all across these agencies? We need to do a lot of harmonization 
in a lot of fields, but why cybersecurity, in particular?
    Mr. Leiserson. Thank you, Mr. Chair. It is a great 
question. From our standpoint, the reason that we are 
particularly interested in looking at baseline cybersecurity 
requirements across critical infrastructure sectors is that the 
information and communications technology (ICT) that is used, 
whether you are in a bank, a nuclear power plant, a water 
treatment facility, the information and communications 
technology is largely the same, and the first thing that 
adversaries are trying to do when they get access, whether they 
are trying to steal money, drop ransomware, or potentially 
affect our ability to mobilize militarily, the first thing they 
are going after is these enterprise IT systems.
    For that reason, because the enterprise IT systems are 
common across sectors, we really feel strongly that having a 
harmonized approach with reciprocity across different 
regulators will help ensure that we get both better 
cybersecurity outcomes and less money spent on compliance.
    Chairman Peters. Very good. Several public comments at 
ONCD's request for information on harmonization discuss the 
difficulties of understanding and implementing cybersecurity 
requirements, which I think leads to a compliance culture as 
opposed to dedicating resources to actually protecting our 
systems from cyberattacks.
    Mr. Hinchman, this question is for you. How can regulators 
better tailor their requirements to promote cybersecurity 
rather than just a check-the-box exercise that only 
incrementally increases security but unfortunately does not 
move us forward, and in the process significantly increases the 
compliance burden while not moving us forward?
    Mr. Hinchman. Thank you, Senator. I think one way to think 
of this, it is not a lot different from our duplication overlap 
and fragmentation work that we do for the Committee, which the 
Comptroller General (CG) was up here several weeks ago talking 
about. The idea of redundant, conflicting requirements is not 
different. It is on a much greater scale, and it is something 
that is national, and something that we are still struggling to 
understand the real breadth of.
    But I think the general idea that because regulations have 
run patchwork here and there, specific sectors will pass rules 
because it is important to them, they are dealing with a 
certain threat, and then when you have organizations that work 
across sectors or across State lines or across international 
boundaries you run into a lot of things that they have to do in 
addition to what they may do with what I will call their home 
set of rules and regulations.
    That compliance issue becomes a real cost burden, and some 
of the work that we have done, we did a job in 2020, looking at 
States, and dealing with four agencies--Federal Bureau of 
Investigation (FBI), IRS, Social Security Administration (SSA), 
and Centers for Medicare and Medicaid Services (CMS). Thirty 
five of the States reported a moderate to significant increase 
in costs related to the compliance that they had to do to meet 
the different regulations of each of those four agencies.
    To remove that I think you need to look for a common 
framework. People have talked about whether the National 
Institute of Standards and Technology's (NIST) Cybersecurity 
Framework offers that possibility. But a common set of minimum 
standards that stretch across the government that can then be 
customized to meet the needs of individual sectors.
    Chairman Peters. Very good. As noted, Mr. Leiserson, in 
your opening statement, the Office of the National Cyber 
Director is designated as the Federal lead for addressing 
cybersecurity regulatory harmonization. My question for you, 
you have raised some of this, but to clarify for the Committee, 
what are the biggest challenges ONCD is now facing in 
harmonizing cyber regulations?
    Mr. Leiserson. Certainly, Mr. Chair. Thanks for the 
question. There are two things that I would highlight as the 
challenges. One is the breadth that we have here, where you see 
dozens of regulators who have dozens more regulations--you 
mentioned the 48 that we have seen just in the past four 
years--which means that from our perspective you really need a 
strategic approach, a top-down approach that says this is the 
framework that we are aiming at and gives that guidance to 
regulators.
    But that gets into the second challenge. So the first 
challenge is the breadth of the problem and getting our hands 
around it, the second challenge is getting all of the relevant 
parties to the table. As I mentioned, from our perspective, the 
most important part of ensuring that we have a framework, that 
is applicable across sectors and does appropriately address the 
concerns that different regulators have, is to ensure all of 
them are participants in a policymaking process to design such 
a framework. But doing so at the moment we are limited in our 
ability to do so with respect to independent regulatory 
commissions, which is something that we truly need Congress' 
help with.
    Chairman Peters. Mr. Leiserson, again, you stated in your 
testimony that the Administration supports legislation that 
would require all agencies, including our independent 
regulatory agencies, to come up to the table, basically, and 
work on harmonizing their regulations with everybody else. My 
specific question for you, sir, is how would having this 
convening authority help the ONCD actually address this issue? 
What are going to be the strengths of getting this done?
    Mr. Leiserson. Thank you, Mr. Chair. It would help 
enormously, frankly, and it would help because right now when 
we want to talk to our independent regulatory commission 
partners, which we do as much as we can, we basically have a 
coalition of the willing. We have the folks who want to come to 
the table, who believe that this is an important problem, and 
have a conversation about it. But having a clear mandate from 
Congress to bring everyone to the table will let us do what we 
do best at ONCD, which is listen to our partners, work with 
them to address the challenges, and as I say, design a 
comprehensive framework that allows for harmonization, yes, but 
just as importantly, reciprocity, the idea that once I have 
proven, as an entity, that I have met the requirements once, I 
do not need to do so, no matter how many other regulators are 
asking the same questions. That is what will allow us to both 
get better cybersecurity outcomes and, at the same time, reduce 
the burden on businesses.
    Chairman Peters. Great. Thank you.
    Senator Hassan, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR HASSAN

    Senator Hassan. Thank you very much, Mr. Chair, and I 
appreciate you and the Ranking Member holding this hearing. I 
appreciate not only our witnesses being here today, but thank 
you and the teams you work with for the work you do.
    Mr. Leiserson, I wanted to start with some questions about 
kind of where we are on certain issues. Recent cyberattacks, 
like the attack on Change Healthcare just a few months ago, 
have highlighted the impact that a cyberattack can have on 
critical services. In the Change Healthcare attack, we saw that 
an attack on a single major service provider could result in a 
really major disruption to the whole national health network.
    What steps have your office, Cybersecurity and 
Infrastructure Security Agency (CISA), and the agencies 
overseeing different infrastructure sectors taken to identify 
potential single points of failure in critical infrastructure?
    Mr. Leiserson. Thank you, ma'am, for that question. It is 
one that actually is very important to our work in the 
Administration. When I was on the Hill, I actually worked with 
the Cyberspace Solarium Commission (CSC), where we talked about 
systemically important critical infrastructure. If you look at 
the President's letter to Congress, delivering CISA's report on 
Section 9002 of the fiscal year (FY) 2021 National Defense 
Authorization Act (NDAA), in response to Congress' request, he 
specifically highlighted the fact that we need more policy on 
systemically important entities as a key goal of the policy 
process that we kicked off in November 2022.
    That has produced this new National Security Memorandum, 
and right now sector risk management agencies are working to, 
within their sectors, identify exactly, as you describe, these 
critical points of failure, and then working with CISA as the 
national coordinator to help ensure that once we have them 
identified we can provision resources appropriately and ensure 
that we are appropriately managing that risk.
    Senator Hassan. Thank you for that. Another question for 
you. Effective implementation of cybersecurity laws requires a 
Federal workforce with the appropriate expertise and skills. 
What is the National Cyber Director doing to expand the Federal 
workforce of cybersecurity professionals so that government 
agencies have the expertise needed to safeguard our country's 
cybersecurity?
    Mr. Leiserson. Thank you, Senator. There are two things 
that I think I will highlight for this, something that is a key 
priority of National Cyber Director Harry Coker, Jr. The first 
is that we recognize that our regulatory partners need capacity 
building for cybersecurity regulations. We are talking about 
how we need harmonization. We also need to ensure they have the 
appropriate expertise. That is something that we, at the Office 
of the National Cyber Director, with our partners and the 
Office of Management and Budget (OMB), in our annual budget 
guidance that we provide to agencies, have specifically 
highlighted for the fiscal year 2025 budget as a key priority, 
that they are making investments in the personnel that they 
need in order to do their jobs effectively.
    More broadly, one of the key goals of implementing the 
National Cyber Workforce and Education Strategy we released 
last year is both removing barriers and broadening pathways to 
entry. A key initiative we are focused on right now is skills-
based hiring. It is removing the barrier of saying ``if you 
have the appropriate skills to do a cybersecurity job, but you 
do not have a four-year college degree that should not be a 
barrier, in terms of your being able to join the Federal 
Government.'' At the end of April we announced that next year 
the 2210 Series, which is the largest series of Federal IT 
positions, the Office of Personnel Management (OPM) is working 
to ensure that all 2210's you can hire using a skills-based 
process, which we believe is incredibly important to getting 
the talent that we need into Federal jobs.
    Senator Hassan. That is really helpful, and please stay in 
touch if there are additional strategies that we can employ to 
help bring people in from the private sector to work for the 
Federal Government.
    Mr. Hinchman, your written testimony discusses the need to 
harmonize cybersecurity requirements with national 
infrastructure risk management planning. Last year, I 
introduced bipartisan legislation with Senator Romney to codify 
the Department of Homeland Security's national risk management 
process. I am pleased to see that the White House's recent 
National Security Memorandum includes a requirement to 
implement part of our bill. The memorandum requires the 
Department of Homeland Security to develop a National 
Infrastructure Risk Management Plan and to update it 
periodically.
    How could this plan improve cybersecurity across U.S. 
critical infrastructure, and how could the plan help harmonize 
current cybersecurity regulations?
    Mr. Hinchman. I think that this plan is going to go a long 
way toward all of those things. The National Infrastructure 
Protection Plan (NIPP) was last updated in 2013. An update is 
desperately needed. The world has changed so much in the last 
11 years, both in terms of technology, how it is used, as well 
as the threat we face on a daily basis. I think that the 
National Cyber Strategy's approach of building up from a risk 
management plan that starts at the sectors, very sector 
specific, makes them go out, understand what does their threat 
landscape look like, which then all come in to DHS, which then 
inform the development of the national plan, which is then 
submitted to the White House, is a very important first step 
for understanding what it is that we are facing and what we 
need to have out there so that we can ensure that individual 
sectors have the customized cybersecurity standards that they 
need, in addition to the national framework that is developed.
    Senator Hassan. As they have the customized cybersecurity 
infrastructure that they need, you are also able to identify 
things that they have in common, and as we are talking about 
harmonizing efforts, trying to make sure that the regulatory 
framework really is reflective of those specific needs.
    Mr. Hinchman. Absolutely. I think the way I think of it 
right now is we do not yet understand what we do not know, and 
until that work is done and as these efforts, as Mr. Leiserson 
has been describing, that is all going to start to come 
together, and we are going to start to understand the landscape 
a lot better, and that is what is going to enable the really 
positive developments, like the framework, the customized 
specialties within sectors, as well as the commonalities that 
the sectors share, as you mentioned.
    Senator Hassan. OK. Thank you. One more question to you 
again, Mr. Hinchman. There are important reporting requirements 
for companies that are targeted by a cyberattack. For example, 
some companies must inform the Department of Homeland Security 
about cyberattacks on critical infrastructure. These reporting 
requirements provide the Federal Government with important 
information to prevent cyberattacks on other companies.
    One way to improve reporting requirements is to streamline 
them across State and Federal levels which will help ensure 
that companies are aware of and able to fulfill their 
obligations. How is the Federal Government coordinating the 
efforts of various Federal agencies to streamline reporting 
requirements for cyberattacks?
    Mr. Hinchman. I would argue that that effort is very much 
in its infancy. I think the press that you see every day about 
the U.S. Securities and Exchange Commission (SEC) rule that 
came out last year in addition to CISA's Notice of Proposed 
Rulemaking (NPR) has a lot of people very concerned about just 
what you mentioned. There is not that harmonization that is 
happening yet.
    A lot of the small businesses are very scared that these 
reporting requirements will crush them under administrative 
burden. I think that there is some work still to be done to 
make sure that we are imposing the right requirements on the 
right organizations with the right threshold of burden.
    There is going to be burden. We cannot get around that. But 
I think there needs to be sensitivity to what that burden is to 
different sized organizations.
    Senator Hassan. Thank you very much. Thank you, Mr. Chair.
    Chairman Peters. Thank you, Senator Hassan.
    Mr. Leiserson, this next question will be for you. In July 
2023, the Office of the National Cyber Director released a 
request for information on cybersecurity regulatory 
harmonization. The main theme of a lack of coordination amongst 
the regulators, particularly independent regulatory agencies 
such as the Securities and Exchange Commission, the Federal 
Communications Commission (FCC), the Federal Trade Commission 
(FTC) certainly stands out to me.
    My question for you is how is the ONCD incorporating the 
feedback from the RFI into their work?
    Mr. Leiserson. Thank you, Mr. Chair. The reason that we put 
out the RFI in the first place is absolutely that we rely on 
the input from all of our partners, both in the private sector 
and in the interagency, to inform our work.
    There are a couple of things that I think really stood out 
to us in terms of the RFI and have crystallized how we are 
approaching our regulatory harmonization and reciprocity work 
going forward. One element, in particular, is the fact that 
reciprocity, which we had theorized should probably be part of 
the solution, was really highlighted in the RFI respondents as 
something that is absolutely critical to our getting this 
right. The focus on the compliance burden really points to the 
fact that, yes, you want a harmonized baseline because that 
gives you the simplicity, the clarity of understanding what 
specifically it is that you need to do. But you need the 
reciprocity to ensure that also translates into less compliance 
costs.
    The other thing that I think I will highlight is the amount 
of focus on supply chain risk management and the fact that for 
a number of companies they are right now trying to figure out 
how do they manage risk in their supply chains, cyber risks 
that can come because there are either connections back into 
their networks or the fact that a disruption in their supply 
chain could materially impact their business. Having a 
harmonized framework would also help them do their own internal 
risk management processes, which I will admit was not something 
that we were really thinking through at the outset. Now we look 
and say, well, this actually could be a catalyst for businesses 
too. You may have regulation that actually helps them manage 
their own business risk by being able to look and say, oh, 
these folks have met the baseline standards. That helps us 
understand what their posture is for our own internal business 
focus supply chain risk management.
    Chairman Peters. Mr. Hinchman, in your testimony you 
highlighted that the Federal Government should adopt model 
definitions and consider setting minimum cybersecurity 
requirements. How do conflicting definitions and requirements 
contribute to the difficulties in overall compliance?
    Mr. Hinchman. Any time that an organization is subject to 
multiple--the word of art is regime--reporting regime, you run 
into compliance burdens. We have done work in the financial 
sector where CISA, from financial services firms, has reported 
their folks spend 30 to 40 percent of their time on compliance 
rather than focusing on cybersecurity.
    It gets back to the point I had initially made about 
duplication and overlap, that when you have multiple reporting 
regimes with multiple requirements that are not alike you spend 
a lot of time doing paperwork rather than focusing on your job, 
because you need to meet the requirements of both of these 
frameworks that you are subject to.
    A single overarching framework, which is then customized as 
appropriate within a sector, ideally would remove a lot of that 
burden, so that there is a single point of reference that 
everyone starts from when thinking about cybersecurity in their 
organizations, and that includes reporting requirements, 
anything else.
    Yet when we talk about reporting requirement there is a 
whole framework beyond that, identification management, 
protection of data, response recovery. I think it is really 
important that people be able to go to one place, know where 
that starts, and then figure out what they are required to do 
from there, so that you can streamline those compliance 
requirements. There will always be some compliance burden, as I 
mentioned a moment ago, but we can do a lot to streamline that 
and minimize it.
    Chairman Peters. Yes. Very good. Mr. Leiserson, to what 
extent has disharmonization of cyber regulations and compliance 
mechanisms actually impacted the ability of companies to 
compete internationally?
    Mr. Leiserson. Thank you, Mr. Chair. That has absolutely 
been something that we have heard, for a number of reasons, I 
would say. First and foremost, it can mean that companies need 
to invest in multiple systems. You are basically forcing them 
to duplicate some of their information and communications 
technology spend because they are subject to disharmonious 
regulatory regimes. When that is the case, if they are 
competing against a company in, say, Europe, that is only 
operating under a European Union (EU) framework, they will be 
at a competitive disadvantage.
    I think that really points to part of what we are hoping to 
get out of this effort. If we have a strong Federal framework 
for baseline cybersecurity requirements it is developed by all 
of the relevant parties in the interagency, including the 
independent regulatory commissions. That actually is very 
helpful for us in digital trade negotiations, in other export 
of American businesses, because we can then go forth and say, 
hey, now we are looking for mutual recognition with our 
international partners, and we can give folks an understanding 
of what exactly that means because we have a single framework 
to point to, whereas right now when you look at mutual 
recognition it is often challenging because we are pointing 
back to what we are doing, that is a kind of hodge-podge of 
different regulatory requirements.
    Chairman Peters. Thank you. Senator Lankford, you are 
recognized for your questions.

             OPENING STATEMENT OF SENATOR LANKFORD

    Senator Lankford. For my 19 minutes of questions?
    Chairman Peters. Your 19 minutes, yes. Senator Rosen is 
here. She will want you to be briefer.
    Senator Lankford. It will be a little more brief than that. 
Thank you both. Thanks for the information and the background 
on it. I apologize I have had to run in and out through this 
hearing, as well.
    You gave a stat earlier that I want to be able to drill 
down a little bit on it. You gave a stat that one of the 
business organizations said they spend 30 to 50 percent of 
their time not on security but on compliance.
    Let's drill down on that a little bit. Do they give you 
information or do you have a sense of what that compliance is 
that could not be done so they could spend more time on 
security?
    Mr. Leiserson. Absolutely, Senator, and thanks very much 
for that question. That 30 to 50 percent number is for chief 
information security officers and their time. That was in 
response to our RFI last year. More recent testimony, actually, 
that was given in April, before the Committee on Homeland 
Security, said that when you look at CISA's teams' times, 
sometimes it is up to 70 percent. Seventy percent of the human 
capital that, in this case this is the financial services 
sector that had done this survey, 70 percent of their teams' 
time were spent on compliance activities.
    The concern that I think we have is not that there should 
not be requirements. There absolutely must be. The financial 
services system, for instance, is absolutely vital to our 
economy, to our national security.
    However, when you have time spent on developing reports, on 
responding to examiners' questions, not in a standardized, 
harmonized way, that is a challenge. A further challenge is if 
another regulator then comes in, after you have just finished 
an examination with the first, the second regulator comes in 
and says, ``Hey, yes, you have all of these reports that you 
have developed for the first, but we have a different opinion 
with respect to risk.''
    The Chair had asked earlier about why cybersecurity is 
particularly amenable to harmonization, and the reason is the 
risk that we are talking about here is the same. It is the same 
information systems.
    That is really one of the challenges that we see out there 
and why we believe the approach here is so important.
    Senator Lankford. What is the right percentage of time, do 
you think, to be able to do compliance? Because they are going 
to have to do some. You are right. But 70 percent is clearly 
not the right number on this, to try to get it down to that 
level. It is going to be just a ballpark. I get that.
    Mr. Leiserson. Yes. I am more of a cybersecurity guy, 
Senator, than a compliance guy, but I would be happy to take 
that back and get some sense. But 70 percent is not correct.
    Senator Lankford. It is not correct. I will tell you, I met 
with some folks that were in rural health care yesterday, and 
nursing homes and skilled nursing. They are frustrated because 
their compliance requirements continue to go up. They are 
adding additional nurses, not to see patients but to fill out 
forms that are now being requested by CMS. It is the same issue 
here. They do not have the same issue of multiple regulators. 
They just have an increased amount of compliance to be able to 
fill out forms. When you take nurses away from patients to be 
able to fill out forms you have got more forms but not more 
care.
    We have the same situation, my fear is, and I know we have 
duplication, but we also have increased requirements to be able 
to do some of these completed forms to be able to turn in, for 
someone to be able to put in a drawer so that later, if there 
is a problem, they can show, yes, here is your problem. You did 
not fill out this form correctly, rather than helping them with 
compliance. That is my perspective on that, but that one I want 
to be able to push on.
    I need to ask, though, why OMB does not already have the 
authority to do this? Obviously there is a lot of authority 
that OMB has, to be able to coordinate against all agencies. 
What is unique about this legislation that gives authority that 
OMB does not have right now?
    Mr. Leiserson. Senator, thanks very much for that question. 
I will say a couple of things. First of all, we are lockstep 
with the Office of Information and Regulatory Affairs (OIRA), 
at OMB. We work very closely with them.
    Part of the challenge that they have is they do not have a 
gold standard that they can point to when it comes to Executive 
Branch regulators and say this is not harmonized with 
something, right. The challenge right now is you can come to a 
regulator and say, ``This doesn't look like other 
regulations,'' but there is not a policy that says this is what 
good, baseline cybersecurity requirements, cross-sectorally for 
enterprise IT looks like. That is part of what we are trying to 
solve.
    The other challenge, though, is the independent regulatory 
commissions, which we do not have the authority, neither OMB 
nor the Office of the National Cyber Director, to bring to the 
table to help design that framework. From our standpoint it 
needs to be an inclusive process. We need to hear from everyone 
in order to design something effectively, and that is something 
that, from the Administration's perspective, not just ONCD's, 
the Administration supports the approach that Chair Peters has 
laid out.
    Senator Lankford. I am going to defer the time and actually 
be done earlier rather than later. That is shocking, I know, 
for everybody. But Chair Peters, this is an area we need to 
work on, the independent agencies, not just in this area but in 
a broader area. My perspective--and I am not going to force GAO 
to be able to make a comment about this--my perspective on 
this, there are independent agencies that feel like they are 
independent from everybody. They are not independent from 
everybody. They still need additional oversight. They still 
need to be able to go through the OIRA review. There are still 
some boundaries that need to be there when they are creating 
new regulations, that they are not a completely independent 
fourth branch of government, that they do need to have some 
kind of oversight.
    This is something that I think we need to look at, not only 
in this area but in a broader area, in the days ahead, and the 
authority that this Committee has.
    Chairman Peters. I agree with you, and this is, I think, a 
very meaningful step. It will set an example of how we have to 
bring them together in a key area. But I am with you all the 
way, Senator, on that.
    Senator Rosen, you are recognized for your questions early.

               OPENING STATEMENT OF SENATOR ROSEN

    Senator Rosen. Thank you, and I am going to say, as a 
former software developer and systems analyst, I can tell you 
IT modernization can really help with compliance issues, it can 
streamline the process, and it can remove those duplicative 
reportings because it can see what you are doing. You should 
not have to, say, put this in this form. It should populate in 
all the forms, just like we use when we use our phone. I think 
there are a lot of things that can happen concurrently, not 
necessarily consecutively. There are a lot of ways that we can 
work on this, and I look forward to working on that, as well.
    But I am going to talk about cyber incident trends, because 
implementing these Federal cybersecurity regulations, they 
really create large datasets of cyber incidents and information 
about the state of private sector cybersecurity. When this data 
is analyzed--like I said, I am a former analyst and software 
developer--the aggregated data, it can bolster the resilience 
of both the public and private sectors by identifying 
widespread vulnerabilities, malicious cyber campaigns, emerging 
threats, et cetera. It can also be used in other ways against 
people, as well, because you can de-aggregate the data, in some 
cases, so we have to be mindful of that.
    But here, how are agencies collaborating, Mr. Leiserson, to 
leverage the cyber incident data to identify these trends and 
help us move forward faster to target the entities?
    Mr. Leiserson. Thank you, Senator, very much for that 
question. As a former programmer myself it is absolutely 
something that is of interest to us in conversations that we 
have been having as we work to implement the legislation that 
this Committee pushed forward, the Cyber Incident Reporting for 
Critical Infrastructure Act, to ensure that we are seeing 
exactly those gains in terms of an understanding of the cyber 
landscape.
    One of the things that I remember General Alexander said 
from the beginning of his time at the National Security Agency 
(NSA), as the Director of NSA, was we need a common operating 
picture of what is going on in cyberspace. CIRCIA allows us to 
get there, but only if we are properly positioned to do the 
appropriate data analytics once we get there. I have had 
conversations with DHS's new Office of Statistics, Homeland 
Security Statistics, which has a cybersecurity program, about 
looking at exactly this challenge. I think it is one that as we 
move toward CIRCIA implementation in September 2025, we 
absolutely need to take advantage of what we can, from the 
broader analytics landscape, is also something we, at ONCD, in 
partnership with CISA and the Department of Treasury's Federal 
Insurance Office are working on for cyber insurance data, as 
well, because the insurers see a lot of these trends too.
    Senator Rosen. I think it is important that we share some 
of the data in smart ways so we are not in the silos, where 
maybe the insurance data sees one thing in some other ways 
electric companies see another, whatever that is. You are 
missing these common threads, as you know, if you are working 
as a programmer, as well.
    Speaking of working as programmers, there is a workforce 
shortage--we know it--especially in the private sector, and 
there are currently nearly 470,000 cybersecurity jobs open in 
the United States, across the tech industry, even more. But 
compounding this challenge, cybersecurity teams, like I said, 
what James was saying, they really are spending too much time 
on compliance.
    Do you want to add anything else about what he said about 
how we use our staff in smart ways, how we use artificial 
intelligence (AI), how we create easier reporting, and how do 
we populate data across to avoid those duplicative efforts? If 
there is any last thing you want to say about that, I would 
like that, and then what additional support you might need from 
us to help you do that.
    Mr. Leiserson. Thank you, Senator, for that question. It is 
a topic, the cyber workforce issue, is one that all of us at 
the Office of the National Cyber Director are passionate about 
and implementing the National Cyber Workforce and Education 
Strategy. I got into cyber policy personally because as a 
programmer, I did not get trained on secure software 
development whatsoever. I was in public policy classes and 
listening to my compatriots say, ``Hey, we have all these 
concerns about cybersecurity.'' I looked at them and I was 
like, ``I think I am the problem.'' [Laughter.]
    It is absolutely a challenge that we see, I think. A lot of 
the work that we are doing on regulatory harmonization and 
reciprocity I would say is focused on actually reducing the 
demand side. As Senator Lankford mentioned, right, we are 
really interested in saying we want our cybersecurity personnel 
focused not on delivering reports to multiple regulators but 
instead focused on how are we going to actually secure systems. 
There are a lot of gains that we can see in terms of reduction 
on the demand side. That is still not going to deal with those 
470,000 open jobs.
    Senator Rosen. That is right.
    Mr. Leiserson. The things that we are focused on right now 
at ONCD, in particular, are broadening pathways and removing 
barriers. I had mentioned earlier that we are doing a lot of 
work to ensure that skills-based hiring for the Federal 
Government is the way we look at things going forward. We are 
also looking to do that in contracts. That has been a major 
focus of ours is to say there should not be requirements in 
Federal contracts if you are going to provide IT support to the 
Federal Government, that you need to have any particular 
degree.
    Senator Rosen. That is right.
    Mr. Leiserson. That is a great way, from our perspective, 
to broaden the base that needs to come in.
    Senator Rosen. In addition to expanding the private sector 
workforce we know we have to implement the National 
Cybersecurity Strategy, like I said, adding trained personnel 
to so many agencies. Everybody needs it. Last Congress I was 
proud to lead, with Chair Peters, the Federal Rotational 
Cybersecurity Workforce Program to help Federal agencies better 
enhance their cyber workforce.
    Mr. Hinchman, which agencies that are required to oversee 
the implementation of Federal cybersecurity regulations 
themselves face significant cyber personnel shortages or 
training deficiencies, and what do you think we can help with?
    Mr. Hinchman. Certainly. That is a big unknown right now, 
Senator. I do lead our IT and cyber workforce work at GAO. I 
will be doing the GAO mandate that is in your bill that was 
passed, that is due, I think, at the end of next year, after 
the program has had a time to get up and operate for a bit.
    One of the things that the Federal Government really 
struggles with is not understanding what our cyber workforce 
looks like within Federal agencies. We have a job that we are 
doing under our broad Federal Information Security 
Modernization Act (FISMA) mandate for this Committee, that is 
looking at five of the largest consumers of cyber workforce and 
trying to understand how they are managing their workforce 
across the department, at the department level. We are finding 
that in terms of the general practices that need to be applied 
there is work that needs to be done.
    There is also a job we are doing for Chairman Green at 
House Homeland Security, looking at the cost of the Federal 
cyber workforce, and that is going to be looking at all 24 
Chief Financial Officers (CFO) Act agencies and comparing that 
cost versus how much is spent on cyber as a service, when you 
hire contractors to do your cybersecurity, as well as looking 
for initiatives that different agencies have to try to get 
Federal cyber workers into the workforce for us.
    But overall, the government is really just now starting to 
try to understand what the Federal cyber workforce looks like. 
It is hard to answer where those holes are. I am looking 
forward to this work. It is exciting. I think it is going to be 
a body of work that is going to add a lot of value to this 
conversation the government is having because there is a lot 
that we need to be doing better to fill these cyber workforce 
gaps.
    Senator Rosen. If I had my way I would be down in every 
elementary school teaching all the fun things about robotics 
and computing and science, technology, engineering and 
mathematics (STEM) and logic, things I carry with me every 
single day, and show young folks the path forward and what 
great, exciting careers they are, and hopefully get them early 
and they get the bug--no pun intended--for software. But that 
would be my hope, to really invest in our young folks in 
bringing them along.
    Thank you, Chair.
    Chairman Peters. Thank you, Senator Rosen. We appreciate 
your passion for that. Thank you so much.
    Senator Blumenthal, you are recognized for your questions.

            OPENING STATEMENT OF SENATOR BLUMENTHAL

    Senator Blumenthal. Thank you very much, Mr. Chair. Thank 
you both for your work. I think we are all becoming more and 
more aware of the need for standard setting and rules in this 
area of cyber. I think the general public is becoming more 
aware of it, as well, as we see the effects of ransomware 
throughout our economy and our society.
    Just last February, as you well know, a ransomware group 
launched an attack on Change Healthcare, one of our nation's 
largest online health care claims and payments processors. We 
are still seeing the effects of it in Connecticut, and I think 
probably around the country.
    Russia, China, Iran, and other foreign adversaries are 
targeting our critical infrastructure and probing for 
vulnerabilities for even more catastrophic attacks. Again, very 
recently, just this past Monday, the head of our cyber team, 
General Haugh, expressed his fears that China is, to use his 
word, ``prepositioning'' itself in our critical infrastructure. 
Essentially it is creating beachheads in case there is greater 
conflict between our countries. A really scary set of 
developments. We have already seen the immense costs and 
disruption of attacks not only on Change Healthcare but Colonial 
Pipeline, Maersk, other major companies.
    We have been warned. We need to treat this crisis like a 
national emergency. We need to give it the urgency that 
Americans should feel as a Nation, in effect, under attack. We 
should be ramping up our efforts to make sure that Russia and 
China cannot keep exploiting this critical infrastructure.
    My question to both of you is, where are we falling behind 
on setting cybersecurity rules that counter these efforts by 
Russia and China, set the bar higher so that we are more 
invulnerable to their creating havoc?
    Mr. Leiserson. Senator, that is a very good point, and I 
really appreciate the question. Let me do a little bit of 
framing, I think, and then I will talk about some of the 
specific sectors and what we are up to and then why we think 
that regulatory harmonization will help.
    On the framing side, I think we, at the Office of the 
National Cyber Director, could not agree more that this is 
something that the American people need to understand and know 
about. I have heard my boss, the National Cyber Director, Harry 
Coker, Jr., say he was so grateful for the opportunity to 
testify in January in front of the House about the Volt Typhoon 
activity. This is the People's Liberation Army and the People's 
Republic of China (PRC) targeting our critical infrastructure 
for exactly as General Haugh suggested, prepositioning, and the 
fact that that is putting America at unacceptable risk. It is 
unacceptable risk, and we need to take action as a government 
to address that risk.
    One of the ways to do so is to put in place baseline 
cybersecurity requirements. I think what you have seen this 
Administration do leading on, in particular, the transportation 
sector, where we have emergency directives from the 
Transportation Security Administration (TSA). Those are turning 
into Notices of Proposed Rulemaking to solidify the significant 
gains that we have seen there. There was an Executive Order 
(EO) that the President signed out earlier this year giving the 
U.S. Coast Guard (USCG) additional authorities in the maritime 
sector. I think one of the areas that we are most interested in 
right now is seeing what we can do in the water and wastewater 
system sector, where there are still significant deficiencies 
and work that we need to do.
    I think foundational to our approach at ONCD is knowing 
that we need to see better cybersecurity outcomes if we have a 
framework and we can say, across sectors, here is how you 
should be approaching securing your enterprise IT systems, 
which are what the adversaries are targeting to get that 
initial access, to set those beachheads, we will see better 
cybersecurity outcomes. In fact, you will be able to invest 
more in cybersecurity instead of in compliance. We will 
actually see better cybersecurity outcomes with a harmonized 
baseline.
    That is why we are so focused on this at ONCD. We are a 
cyber office. Our concern is cybersecurity outcomes. When we 
see the amount of time and effort that is being spent on 
compliance from duplicative regulations that is not helping us 
get cybersecurity outcomes, and we need to have better ones.
    Senator Blumenthal. Thank you.
    Mr. Hinchman. I would echo Mr. Leiserson's comments. The 
single cybersecurity framework is the important starting point, 
and I do not have much to add that he did not say. But I also 
think that Congress needs to consider expanding regulatory 
authority for some agencies in charge.
    As I mentioned in my oral comments, the private and 
public sector have to work together in critical infrastructure, 
and in many cases we cannot compel private organizations to do 
certain things absent regulatory authority. That does not mean 
that we should be passing wholesale power out there, but very 
targeted specific, and the number of different plans have been 
put forward by the Administration talking about the need for 
those agencies to approach Congress with specific proposals for 
what they need to increase that.
    I think to echo the water and wastewater thought, I have a 
review looking at cybersecurity in the water and wastewater 
sector that we are doing for two subcommittees on House 
Homeland Security. That is exactly the problem they ran into. 
This past fall there was a much publicized snafu that the 
Environmental Protection Agency (EPA) ran into trying to impose 
cybersecurity requirements through sort of a back door, because 
they did not want to go through the onerous rulemaking process. 
They were met with a lot of resistance, a number of lawsuits, 
both from States and organizations. They withdrew their 
requirements.
    I think that there needs to be a different thinking about 
how we get the private sector to come along with these 
requirements once they are in place.
    Senator Blumenthal. Thank you. Thank you both for your work 
and your answers to those questions, and thank you, Mr. Chair, 
for having this hearing. There are a lot of multi-syllable 
words in the title to this hearing--harmonization, 
cybersecurity, regulatory--but it really is a matter of 
national security, and we need to pay attention more vigorously 
than we have done.
    Thank you both. Thanks, Mr. Chair.
    Chairman Peters. Thank you, Senator Blumenthal.
    A couple of final questions here for both of you. Federal 
agencies, as you know very well, are not the only agencies that 
have cybersecurity regulations. We have State regulations, 
local cities, other localities across the Nation have all sorts 
of requirements for businesses that operate in their areas.
    I will give you a couple of examples. For example, 
Massachusetts State law requires all persons who own or license 
personal information about Massachusetts residents to develop, 
implement, and maintain a comprehensive information security 
program. The New York Department of Financial Services (DFS) 
has also adopted a robust set of cybersecurity rules with 
significant requirements for any company that provides a 
financial or credit service within the State of New York. I 
could just go on and on with that list.
    Mr. Leiserson, how is the Federal Government working to 
coordinate with State, local, Tribal, territorial (SLTT) 
governments all across the government landscape to harmonize 
these regulations?
    Mr. Leiserson. Thank you, Mr. Chair. I will highlight a 
couple of points. First of all, both the New York Department of 
Financial Services and the State of New York responded to our 
RFI, our request for information, and one of the things that 
stood out to me was the fact that they really were asking for 
Federal leadership in this space. DFS and the State said having 
strong Federal guidelines, which a harmonized set of baseline 
requirements would do, would help them significantly in terms 
of how they would model their work. DFS, the Department of 
Financial Services, has worked with Federal regulators. It is 
something that we are concerned about. Again, like when we see 
duplicative requirements that are attempting to control the 
same risks, whether they are at the State level, at the Federal 
level, or the international level, that gives us pause.
    But if we can get the Federal house in order, if we can set 
a strong Federal baseline requirement, if we can lead, we do 
have strong confidence that both our State governments will 
look at that as a gold standard and also start to move in that 
direction, and also our international partners.
    One of the things that the National Cyber Director, Harry 
Coker, Jr., has consistently impressed upon me is in his 
conversations with international counterparts they bring up 
regulatory harmonization. They ask what is it that we are doing 
to help control risks to critical infrastructure, and they say, 
``Gee, it would be great to see Federal leadership here. We 
need the United States to help us understand. You have the most 
sophisticated tech sector. You have the most reliance on 
technology. If you can set a gold standard that would help us. 
That would give something for us to shoot for, as well.''
    I think it really is incumbent upon us, in the Federal 
Government, partnering between the Administration and Congress, 
to set that standard.
    Chairman Peters. Mr. Hinchman, how does this contrasting 
Federal, State, local regulations, how does that impact 
businesses in our country?
    Mr. Hinchman. I think very similar to the problems we have 
with just sort of Federal agencies. It is the multiple 
requirements and who do you need to do, and for what. I think 
the examples you drew are great.
    I live in Texas. The Texas Department of Information 
Resources has an incident reporting rule that schools are 
required to follow in an attack. The CISA Notice of Proposed 
Rulemaking also includes schools. Now you are going to have 
schools that are trying to figure out how to do their local 
reporting as well as the national reporting, and these are 
organizations that traditionally do not have resources for 
this. They are already undermanned. IT is probably underfunded. 
In a small district you may have one person that does IT for 
the entire district, including the cyber side. I do not know 
that that is sustainable.
    I think we really need to think about how those State and 
local rules are impacted by perhaps the Federal leadership that 
has been called for, so that they have more of a benchmark to 
follow. I think there are also things like privacy. States are 
increasingly passing privacy laws, which may be conflicting 
with guidance they are getting from the Federal level. How does 
a business operating manage both of those? It is similar to how 
the patchwork of Federal regulations has popped up; the 
patchwork of State laws pops up, as well. That all needs to be 
managed and sort of brought into a common framework so that 
folks know who they are operating from and what the standards 
are.
    Chairman Peters. Very good. I want to thank both of our 
witnesses. Thank you for being here today and sharing your 
thoughts. Congress and the entire Federal Government must work 
together to harmonize our country's cybersecurity regulations. 
I think the testimony from both of you was very clear to that 
point, and it is, without question, a critical step in 
protecting both our citizens as well as our businesses from 
cyber threats.
    I look forward to continuing to work together with both of 
you and others to strengthen cybersecurity standards and make 
sure that they are also coordinated, effective, and efficient 
and give our industries the guidance that they need.
    The record for this hearing will remain open for 15 days, 
until 5 p.m. on June 20, 2024, for the submission of statements 
and questions for the record.
    This hearing is now adjourned.
    [Whereupon, at 11:05 a.m., the hearing was adjourned.]

                            A P P E N D I X

                              ----------                              


[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]