[Federal Register Volume 88, Number 157 (Wednesday, August 16, 2023)] [Notices] [Pages 55694-55697] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2023-17424] [[Page 55694]] ======================================================================= ----------------------------------------------------------------------- OFFICE OF THE NATIONAL CYBER DIRECTOR [Docket ID Number: ONCD-2023-0001] RIN 0301-AA00 Request for Information on Cyber Regulatory Harmonization; Request for Information: Opportunities for and Obstacles To Harmonizing Cybersecurity Regulations AGENCY: Office of the National Cyber Director, Executive Office of the President. ACTION: Request for information (RFI). ----------------------------------------------------------------------- SUMMARY: The Office of the National Cyber Director (ONCD) invites public comments on opportunities for and obstacles to harmonizing cybersecurity regulations, per Strategic Objective 1.1 of the National Cybersecurity Strategy. ONCD seeks input from stakeholders to understand existing challenges with regulatory overlap, and explore a framework for reciprocity (the recognition or acceptance by one regulatory agency of another agency's assessment, determination, finding, or conclusion with respect to the extent of a regulated entity's compliance with certain cybersecurity requirements) in regulator acceptance of other regulators' recognition of compliance with baseline requirements. DATES: The original comment deadline for this RFI was 5 p.m. EDT September 15, 2023. ONCD has extended the deadline for comments to be received to 5 p.m. EDT October 31, 2023. ADDRESSES: Interested parties may submit comments through www.regulations.gov. For detailed instructions on submitting comments and additional information on this process, see the SUPPLEMENTARY INFORMATION section of this document. FOR FURTHER INFORMATION CONTACT: Requests for additional information may be sent to: Elizabeth Irwin, 202-881-6791, [email protected] . SUPPLEMENTARY INFORMATION: In this RFI, ONCD invites public comments on cybersecurity regulatory conflicts, inconsistencies, redundancies, challenges, and priorities, in response to the questions below. Strategic Objective 1.1 of the National Cybersecurity Strategy \1\ recognizes that while voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes. The Strategy calls for establishing cybersecurity regulations to secure critical infrastructure where existing measures are insufficient, harmonizing and streamlining new and existing regulations, and enabling regulated entities to afford to achieve security. ONCD, in coordination with the Office of Management and Budget (OMB), has been tasked with leading the Administration's efforts on cybersecurity regulatory harmonization.\2\ We will work with independent and executive branch regulators to identify opportunities to harmonize baseline cybersecurity requirements for critical infrastructure.\3\ --------------------------------------------------------------------------- \1\ https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf. \2\ Pursuant to the National Cybersecurity Strategy: ``ONCD, in coordination with the Office of Management and Budget (OMB), will lead the Administration's efforts on cybersecurity regulatory harmonization.'' \3\ Pursuant to the National Cybersecurity Strategy, the Cyber Incident Reporting Council will coordinate, deconflict, and harmonize Federal incident reporting requirements. ONCD is not requesting views from respondents on incident reporting regulations. --------------------------------------------------------------------------- ONCD is particularly interested in regulatory harmonization as it may apply to critical infrastructure sectors and sub-sectors identified in Presidential Policy Directive 21 and the National Infrastructure Protection Plan, and providers of communications, IT, and cybersecurity services to owners and operators of critical infrastructure. ``Harmonization'' as used in this RFI refers to a common set of updated baseline regulatory requirements that would apply across sectors. Sector regulators could go beyond the harmonized baseline to address cybersecurity risks specific to their sectors. ONCD is also interested in newer technologies, such as cloud services, or other ``Critical and Emerging Technologies'' identified by the National Science and Technology Council,\4\ that are being introduced into critical infrastructure. --------------------------------------------------------------------------- \4\ https://www.whitehouse.gov/wp-content/uploads/2022/02/02-2022-Critical-and-Emerging-Technologies-List-Update.pdf. --------------------------------------------------------------------------- ONCD strongly encourages academics, non-profit entities, industry associations, regulated entities and others with expertise in cybersecurity regulation, risk management, operations, compliance, and economics to respond to this RFI. We also welcome state, local, Tribal, and territorial (SLTT) entities to submit responses in their capacity as regulators and as critical infrastructure entities, specifying the sector(s) in which they are regulated or regulate. Guidance for submitting comments:Please limit your narrative response to twenty-five (25) pages total. Additional analysis and/or contextual information specific to a question(s) may be submitted in a supplemental appendix. Respondents are encouraged to comment on any issues or concerns you believe are relevant or appropriate for our consideration and to submit written data, facts, and views addressing this subject, including but not limited to the questions below. Respondents do not need to answer all questions listed-- only the question(s) for which you have relevant information. The written RFI response should address ONLY the topics for which the respondent has knowledge or expertise. Wherever possible, please provide credible data and specific examples to support your views. If you cite academic or other studies, they should be publicly available to be considered. Please provide the name of the critical infrastructure sector(s) to which you are aligned or support. Do not submit comment(s) in this RFI regarding harmonization of cyber incident reporting requirements. Such requirements are being analyzed through a separate effort led by the Cyber Incident Reporting Council established by the Secretary of Homeland Security as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022. All submissions are public records and may be published on www.regulations.gov. Do NOT submit sensitive, confidential, or personally identifiable information. Questions for respondents: 1. Conflicting, mutually exclusive, or inconsistent regulations--If applicable, please provide examples of any conflicting, mutually exclusive, or inconsistent Federal and SLTT regulations affecting cybersecurity--including broad enterprise-wide requirements or specific, targeted requirements--that apply to the same information technology (IT) or operational technology (OT) infrastructure of the same regulated entity. Be as clear, specific, and detailed as possible. a. Please include specific examples with legal citations or hyperlinks to the particular Federal or SLTT cybersecurity rules or enforceable guidance that impose conflicting, mutually exclusive, or inconsistent requirements, and explain the specific conflicts or inconsistencies you identify. b. Have these conflicting, mutually exclusive, or inconsistent rules or guidance been updated to meet new cybersecurity risks, vulnerabilities, or threats (e.g., supply chain risk)? If so, [[Page 55695]] were those separate rules or guidance updated at close to the same time? c. How do regulated entities comply with these conflicting mutually exclusive, or inconsistent requirements (e.g., follow the most demanding standard)? Please describe your experiences managing such compliance requirements. d. For entities subject to conflicting, mutually exclusive, or inconsistent regulations, what monetary, executive or cyber defense team work hours, or other resource costs do they incur as a result of managing compliance with the different requirements that apply to them from different regulators? e. Please identify cybersecurity requirements imposed by industry bodies, Federal or SLTT agencies that you believe may be redundant.\5\ Please explain in detail how the requirements in question are redundant. --------------------------------------------------------------------------- \5\ For the purpose of this RFI, ``redundant'' would mean that (1) the same regulated entity must comply with more than one Federal or SLTT cybersecurity requirements covering the same systems and (2) one or more of those regulations could be eliminated while the regulating agencies that issued the regulations are still able to fulfill the purpose of the regulation. --------------------------------------------------------------------------- f. As to the above questions, please provide the estimated annual cost over the past three years in terms of expenses or additional staff to comply with the conflicting, mutually exclusive, inconsistent, or redundant cybersecurity regulatory requirements you cite, and describe your methodology for developing those estimates. g. Currently, how resource intensive is it for regulated entities to achieve cybersecurity compliance? h. How often do prohibitive costs of compliance lead to meaningful security gaps? i. How can future regulations address any prohibitive costs which lead to meaningful security gaps? j. How can future regulations be implemented in ways which allow regulated entities to achieve security improvements at an acceptable cost? 2. Use of Common Guidelines--Through the Federal Financial Institutions Examination Council (FFIEC), regulators of certain financial institutions have issued common Interagency Guidelines Establishing Information Security Standards and have developed a Common Self-Assessment Tool and an Information Security Booklet to guide examinations of entities in the financial sector. a. Is such a model effective at providing harmonized requirements and why? b. What challenges are associated with such a model? c. Are there opportunities to adapt such a model to other sectors-- or across multiple sectors--and if so, how? d. Are there sectors or subsectors for which such a model would not be appropriate, and if so, why? e. How does or could such a model apply outside the context of examination-based compliance regimes? f. Are there opportunities to improve on such a model through common oversight approaches, and, if so, how? g. Does your organization voluntarily apply a self-assessment tool regularly? What are good examples of helpful tools? h. Would a common self-assessment tool improve the ability of entities to meet regulatory requirements? 3. Use of Existing Standards or Frameworks--The practice of using existing standards or frameworks in setting regulatory requirements can reduce burdens on regulated entities and help to achieve the goals of regulatory harmonization. Under existing law,\6\ Federal executive agencies use voluntary consensus standards for regulatory activities unless use of such standards is inconsistent with law or otherwise impractical. In a recent report \7\ from the President's National Security Telecommunications Advisory Council (NSTAC) that addressed cybersecurity regulatory harmonization, the NSTAC noted that ``even though most regulations cite consensus standards as the basis for their requirements, variations in implementations across regulators often result in divergent requirements.'' --------------------------------------------------------------------------- \6\ Public Law 104-113. \7\ https://www.cisa.gov/sites/default/files/2023-04/NSTAC_Strategy_for_Increasing_Trust_Report_%282-21-23%29_508_0.pdf. --------------------------------------------------------------------------- a. To what extent are cybersecurity requirements applicable to your industry or sector based on, consistent with, or aligned with existing standards or frameworks? i. Which standards or frameworks have been applied to your industry or sector? ii. Have these standards or frameworks been adopted in whole, either through the same requirements or incorporation by reference, or have they been modified by regulators? If modified, how were they modified by particular regulators? Has your entity or have others in your sector provided input that the regulator used to develop or adapt existing standards for your sector? If so, what are the mechanisms, frequency, and nature of the inputs? b. Is demonstrating conformity with existing standards or frameworks that your industry is required by regulation to use readily auditable or verifiable and why? c. What, if any, additional opportunities exist to align requirements to existing standards or frameworks and, if there are such opportunities, what are they? 4. Third-Party Frameworks--Both the government (for example, through the NIST Cybersecurity Framework) and non-government third parties have developed frameworks and related resources that map cybersecurity standards and controls to cybersecurity outcomes. These frameworks and related resources have also been applied to map controls to regulatory requirements, including where requirements are leveled by multiple agencies. a. Please identify such frameworks and related resources, both governmental and non-governmental, currently in use with respect to mitigating cybersecurity risk. b. How well do such frameworks and related resources work in practice to address disparate cybersecurity requirements? 5. Tiered Regulation--Different levels of risk across and within sectors may in part be addressed through a tiered model (e.g., low, moderate, or high risk),\8\ potentially assisting in tailoring baseline requirements for each regulatory purpose. Tiering may also help smaller businesses meet requirements commensurate with their risk. For example, while these are not regulations, tiering into several baselines is a feature of Federal Information Processing Standard 199 and the NIST Risk Management Framework. --------------------------------------------------------------------------- \8\ FIPS 199, Standards for Security Categorization of Federal Information and Information Systems (nist.gov). --------------------------------------------------------------------------- a. Could such a model be adapted to apply to multiple regulated sectors? If so, how would tiers be structured? b. How could this tiered approach be defined across disparate operational environments and what might be some of the opportunities and challenges associated with doing so? 6. Oversight--Please provide examples of cybersecurity oversight by multiple regulators of the same entity, and describe whether the oversight involved IT or OT infrastructure. Some of these questions reference a potential ``regulatory reciprocity'' model, under which cybersecurity oversight and enforcement as to cross-sector baseline cybersecurity requirements would be divided among regulators, with the ``primary'' or ``principal'' regulator for an entity having authority to oversee [[Page 55696]] and enforce compliance with that baseline. a. Please identify the Federal, state or local agencies that are engaged in cybersecurity oversight of the same IT or OT systems, components, or data (``infrastructure'') at the same regulated entity. This may be multiple Federal regulatory schema or multiple intergovernmental bodies (e.g., Federal, state, local, Tribal, territorial). b. Please describe the method(s) of cybersecurity oversight utilized by the agencies identified in your response to the question above. c. To what extent, if any, are you aware that the agencies engaged in cybersecurity oversight of the same IT or OT infrastructure coordinate their oversight activities? Please describe. d. Where multiple agencies are engaged in cybersecurity oversight of the same IT or OT infrastructure: i. Is the role of a ``primary'' or ``principal'' agency recognized? If so, please describe how. ii. To what extent do one or more of these agencies rely on or accept the findings, assessments or conclusions of another agency with respect to compliance with regard to certain cybersecurity requirements (``regulatory reciprocity'')? Please provide specific examples. iii. What are the barriers to regulatory reciprocity (legal, cultural, sector-specific technical expertise, or other)? e. Are there situations in which regulations related to physical security, safety, or other matters are intertwined with cybersecurity in such a way that baseline cybersecurity regulatory requirements from a separate Federal entity might have unintended consequences on physical security, safety, or another matter? If so, please provide specific examples. f. If you are a regulated entity, what is the estimated annual cost over the past five years in terms of expenses or additional staff to address overlapping cybersecurity oversight of the same IT or OT infrastructure? Please describe the methodology used to develop the cost estimate. g. Do multiple public sector agencies examine or audit your cybersecurity compliance for the same IT or OT infrastructure? If so, how many entities examine or audit the infrastructure and how often do these audits occur? h. What, if any, obstacles or inefficiencies have you experienced with regard to cybersecurity oversight, examination or enforcement related to OT components, systems, or data? i. Please provide examples of regulatory reciprocity between two or more Federal agencies with respect to cybersecurity, including the recognition or acceptance by one regulatory agency of another agency's assessment, determination, finding, or conclusion with respect to the extent of a regulated entity's compliance with certain IT or OT cybersecurity requirements. j. Are you aware of examples of regulatory reciprocity in contexts other than cybersecurity? If so, please describe briefly the agencies and the context. k. Please provide examples of self-attestation in cybersecurity regulation. What are the strengths and weaknesses of this model? l. Please comment on models of third-party assessments of cybersecurity compliance that may be effective at reducing burdens and harmonizing processes. For example, FedRAMP relies on Third Party Assessment Organizations (3PAOs) to perform initial assessments to inform decisions on FedRAMP eligibility. 3PAOs are accredited by an independent accreditation body. i. Are there circumstances under which use of third-party assessors would be most appropriate? ii. Are there circumstances under which use of third-party assessors would not be appropriate? 7. Cloud and Other Service Providers--Information technology, as a sector, is not regulated directly by the Federal government. However, regulated entities' use of cloud and other service provider infrastructure is often regulated. To date, regulators have typically not directly regulated cloud providers operating in their sector. Rather, regulatory agencies have imposed obligations on their regulated entities that are passed along by contract to the cloud provider/ service provider. a. Please provide specific examples of conflicting, mutually exclusive, or inconsistent cybersecurity regulatory requirements that are passed along by contract to third-party service providers. b. Please provide examples of direct cybersecurity regulation of third-party service providers. c. Please provide information regarding the costs to third-party service providers of conflicting, mutually exclusive, or inconsistent cybersecurity regulatory requirements that are passed on to them through their contracts with regulated customers. Please also provide estimated costs to a regulated customer of using a third-party service provider when conflicting, mutually exclusive, or inconsistent cybersecurity regulatory requirements are passed to the customer through contracts. In either case, please detail the methodology for developing the cost estimate. d. Describe any two or more conflicting, mutually exclusive, or inconsistent regulation, one of which permits the use of cloud, while another does not. How does this impact your sector? Explain if these requirements also restrict the use of Managed Security Service Providers (MSSPs) and security tools that utilize the cloud. e. Have any non-U.S. governments instituted effective models for regulating the use of cloud services by regulated entities in a harmonized and consistent manner? Please provide examples and explain why these models are effective. f. The Department of Defense allows defense industrial base contractors to meet security requirements for the use of the cloud by using FedRAMP-approved infrastructure. Please provide examples of how the FedRAMP process differs, positively or negatively, from other requirements. What, if anything, would need to change about the FedRAMP certification process and requirements for it to be usable to meet other cybersecurity regulatory requirements? g. To the extent not included in response to any other question, please identify any specific Critical or Emerging Technologies that are subject to conflicting, mutually exclusive, or inconsistent regulation related to cybersecurity. 8. State, Local, Tribal, and Territorial Regulation. State, local, Tribal and territorial entities often impose regulatory requirements that affect critical infrastructure owners and operators across state lines, as well as entities that do not neatly fall into a defined critical infrastructure sector. The New York Department of Financial Services, for example, established cybersecurity requirements for financial services companies.\9\ California similarly passed a cybersecurity law requiring manufacturers of the internet-of-things (IoT) devices to take certain measures.\10\ Dozens of states have followed suit to date. Companies that operate in multiple states are often required to comply with a variety of overlapping state and Federal cybersecurity requirements. --------------------------------------------------------------------------- \9\ See 23 NYCRR Part 500. \10\ See Senate Bill No. 327. --------------------------------------------------------------------------- a. Please provide examples where SLTT cybersecurity regulations are effectively harmonized or aligned with Federal regulations. b. Please provide examples of regulatory reciprocity between Federal and SLTT regulatory agencies. c. Please highlight any examples or models for harmonizing regulations [[Page 55697]] across multiple SLTT jurisdictions, to include Federal support for such efforts. d. Please provide examples, if any, where regulatory requirements related to cybersecurity are conflicting, mutually exclusive or inconsistent within one jurisdiction (for example, state regulatory requirements that conflict with regulations at the local level). 9. International--Many regulated entities within the United States operate internationally. A recent report from the NSTAC noted that foreign governments have been implementing regulatory regimes with ``overlapping, redundant or inconsistent requirements. . .''. a. Identify specific instances in which U.S. Federal cybersecurity requirements conflict with foreign government cybersecurity requirements. b. Are there specific countries or sectors that should be prioritized in considering harmonizing cybersecurity requirements internationally? c. Which international dialogues are engaged in work on harmonizing or aligning cybersecurity requirements? Which would be the most promising venues to pursue such alignment? d. Please identify any ongoing initiatives by international standards organizations, trade groups, or non-governmental organizations that are engaged in international cybersecurity standardization activities relevant to regulatory purposes. Describe the nature of those activities. Please identify any examples of regulatory reciprocity within a foreign country. e. Please identify any examples of regulatory reciprocity between foreign countries or between a foreign country and the United States. 10. Additional Matters--Please provide any additional comments or raise additional matters you feel relevant that are not in response to the above questions. Comments must be received no later than 5 p.m. EDT, October 31, 2023. By October 31, 2023, all interested respondents should submit a written RFI response, in MS Word or PDF format, with their answers to questions on which they have expertise and insights for the Government through regulations.gov. Inputs that meet most of the following criteria will be considered most valuable: Concise: Please limit your narrative response to twenty- five (25) pages total. Additional analysis and/or contextual information specific to a question may be submitted in a supplemental appendix. Easy to review and understand: Content that is modularly organized in the order of the questions in the RFI and presented in such a fashion that it can be readily lifted (by topic area) and shared with relevant stakeholders in an easily consumable format. Expert: The Government, through this effort, is seeking insights to understand current best practices and approaches applicable to the above topics, as well as new and emerging solutions. Clearly worded/not vague: Clear, descriptive, and concise language is appreciated. Please avoid generalities and vague statements. Actionable: Please provide enough detail so that we can understand how to apply the information you provide. Cost effective & impactful: If applicable, respondents should consider whether their suggestions have a clear return on investment that can be articulated to secure funding and support. Strategic shifts: Challenges that seem to be intractable and overwhelmingly complex can often be resolved with a change in perspective that unlocks hidden opportunities and aligns stakeholder interests. We welcome these ideas as well. Kemba E. Walden, Acting National Cyber Director. [FR Doc. 2023-17424 Filed 8-15-23; 8:45 am] BILLING CODE 3340-D3-P