[Federal Register Volume 88, Number 157 (Wednesday, August 16, 2023)]
[Notices]
[Pages 55694-55697]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-17424]



[[Page 55694]]

=======================================================================
-----------------------------------------------------------------------

OFFICE OF THE NATIONAL CYBER DIRECTOR

[Docket ID Number: ONCD-2023-0001]
RIN 0301-AA00


Request for Information on Cyber Regulatory Harmonization; 
Request for Information: Opportunities for and Obstacles To Harmonizing 
Cybersecurity Regulations

AGENCY: Office of the National Cyber Director, Executive Office of the 
President.

ACTION: Request for information (RFI).

-----------------------------------------------------------------------

SUMMARY: The Office of the National Cyber Director (ONCD) invites 
public comments on opportunities for and obstacles to harmonizing 
cybersecurity regulations, per Strategic Objective 1.1 of the National 
Cybersecurity Strategy. ONCD seeks input from stakeholders to 
understand existing challenges with regulatory overlap, and to explore 
a framework for reciprocity (the recognition or acceptance by one 
regulatory agency of another agency's assessment, determination, 
finding, or conclusion with respect to the extent of a regulated 
entity's compliance with certain cybersecurity requirements), under 
which one regulator would accept another regulator's determination of 
compliance with baseline requirements.

DATES: The original comment deadline for this RFI was 5 p.m. EDT 
September 15, 2023. ONCD has extended the deadline for comments to be 
received to 5 p.m. EDT October 31, 2023.

ADDRESSES: Interested parties may submit comments through 
www.regulations.gov. For detailed instructions on submitting comments 
and additional information on this process, see the SUPPLEMENTARY 
INFORMATION section of this document.

FOR FURTHER INFORMATION CONTACT: Requests for additional information 
may be sent to: Elizabeth Irwin, 202-881-6791, 
[email protected].

SUPPLEMENTARY INFORMATION: In this RFI, ONCD invites public comments on 
cybersecurity regulatory conflicts, inconsistencies, redundancies, 
challenges, and priorities, in response to the questions below. 
Strategic Objective 1.1 of the National Cybersecurity Strategy \1\ 
recognizes that while voluntary approaches to critical infrastructure 
cybersecurity have produced meaningful improvements, the lack of 
mandatory requirements has resulted in inadequate and inconsistent 
outcomes. The Strategy calls for establishing cybersecurity regulations 
to secure critical infrastructure where existing measures are 
insufficient, harmonizing and streamlining new and existing 
regulations, and enabling regulated entities to afford to achieve 
security. ONCD, in coordination with the Office of Management and 
Budget (OMB), has been tasked with leading the Administration's efforts 
on cybersecurity regulatory harmonization.\2\ We will work with 
independent and executive branch regulators to identify opportunities 
to harmonize baseline cybersecurity requirements for critical 
infrastructure.\3\
---------------------------------------------------------------------------

    \1\ https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf.
    \2\ Pursuant to the National Cybersecurity Strategy: ``ONCD, in 
coordination with the Office of Management and Budget (OMB), will 
lead the Administration's efforts on cybersecurity regulatory 
harmonization.''
    \3\ Pursuant to the National Cybersecurity Strategy, the Cyber 
Incident Reporting Council will coordinate, deconflict, and 
harmonize Federal incident reporting requirements. ONCD is not 
requesting views from respondents on incident reporting regulations.
---------------------------------------------------------------------------

    ONCD is particularly interested in regulatory harmonization as it 
may apply to critical infrastructure sectors and sub-sectors identified 
in Presidential Policy Directive 21 and the National Infrastructure 
Protection Plan, and providers of communications, IT, and cybersecurity 
services to owners and operators of critical infrastructure. 
``Harmonization'' as used in this RFI refers to a common set of updated 
baseline regulatory requirements that would apply across sectors. 
Sector regulators could go beyond the harmonized baseline to address 
cybersecurity risks specific to their sectors. ONCD is also interested 
in newer technologies, such as cloud services, or other ``Critical and 
Emerging Technologies'' identified by the National Science and 
Technology Council,\4\ that are being introduced into critical 
infrastructure.
---------------------------------------------------------------------------

    \4\ https://www.whitehouse.gov/wp-content/uploads/2022/02/02-2022-Critical-and-Emerging-Technologies-List-Update.pdf.
---------------------------------------------------------------------------

    ONCD strongly encourages academics, non-profit entities, industry 
associations, regulated entities and others with expertise in 
cybersecurity regulation, risk management, operations, compliance, and 
economics to respond to this RFI. We also welcome state, local, Tribal, 
and territorial (SLTT) entities to submit responses in their capacity 
as regulators and as critical infrastructure entities, specifying the 
sector(s) in which they are regulated or regulate.
    Guidance for submitting comments:
    • Please limit your narrative response to twenty-five (25) 
pages total. Additional analysis and/or contextual information specific 
to a question(s) may be submitted in a supplemental appendix.
    • Respondents are encouraged to comment on any issues or 
concerns you believe are relevant or appropriate for our consideration 
and to submit written data, facts, and views addressing this subject, 
including but not limited to the questions below.
    • Respondents do not need to answer all questions listed--
only the question(s) for which you have relevant information. The 
written RFI response should address ONLY the topics for which the 
respondent has knowledge or expertise.
    • Wherever possible, please provide credible data and 
specific examples to support your views. If you cite academic or other 
studies, they should be publicly available to be considered.
    • Please provide the name of the critical infrastructure 
sector(s) to which you are aligned or support.
    • Do not submit comment(s) in this RFI regarding 
harmonization of cyber incident reporting requirements. Such 
requirements are being analyzed through a separate effort led by the 
Cyber Incident Reporting Council established by the Secretary of 
Homeland Security as required by the Cyber Incident Reporting for 
Critical Infrastructure Act of 2022.
    • All submissions are public records and may be published on 
www.regulations.gov. Do NOT submit sensitive, confidential, or 
personally identifiable information.
    Questions for respondents:
    1. Conflicting, mutually exclusive, or inconsistent regulations--If 
applicable, please provide examples of any conflicting, mutually 
exclusive, or inconsistent Federal and SLTT regulations affecting 
cybersecurity--including broad enterprise-wide requirements or 
specific, targeted requirements--that apply to the same information 
technology (IT) or operational technology (OT) infrastructure of the 
same regulated entity. Be as clear, specific, and detailed as possible.
    a. Please include specific examples with legal citations or 
hyperlinks to the particular Federal or SLTT cybersecurity rules or 
enforceable guidance that impose conflicting, mutually exclusive, or 
inconsistent requirements, and explain the specific conflicts or 
inconsistencies you identify.
    b. Have these conflicting, mutually exclusive, or inconsistent 
rules or guidance been updated to meet new cybersecurity risks, 
vulnerabilities, or threats (e.g., supply chain risk)? If so,
were those separate rules or guidance updated at close to the same 
time?
    c. How do regulated entities comply with these conflicting, mutually 
exclusive, or inconsistent requirements (e.g., follow the most 
demanding standard)? Please describe your experiences managing such 
compliance requirements.
    d. For entities subject to conflicting, mutually exclusive, or 
inconsistent regulations, what monetary, executive or cyber defense 
team work hours, or other resource costs do they incur as a result of 
managing compliance with the different requirements that apply to them 
from different regulators?
    e. Please identify cybersecurity requirements imposed by industry 
bodies, Federal or SLTT agencies that you believe may be redundant.\5\ 
Please explain in detail how the requirements in question are 
redundant.
---------------------------------------------------------------------------

    \5\ For the purpose of this RFI, ``redundant'' would mean that 
(1) the same regulated entity must comply with more than one Federal 
or SLTT cybersecurity requirement covering the same systems and (2) 
one or more of those regulations could be eliminated while the 
regulating agencies that issued the regulations are still able to 
fulfill the purpose of the regulation.
---------------------------------------------------------------------------

    f. As to the above questions, please provide the estimated annual 
cost over the past three years in terms of expenses or additional staff 
to comply with the conflicting, mutually exclusive, inconsistent, or 
redundant cybersecurity regulatory requirements you cite, and describe 
your methodology for developing those estimates.
    g. Currently, how resource intensive is it for regulated entities 
to achieve cybersecurity compliance?
    h. How often do prohibitive costs of compliance lead to meaningful 
security gaps?
    i. How can future regulations address any prohibitive costs which 
lead to meaningful security gaps?
    j. How can future regulations be implemented in ways which allow 
regulated entities to achieve security improvements at an acceptable 
cost?
    2. Use of Common Guidelines--Through the Federal Financial 
Institutions Examination Council (FFIEC), regulators of certain 
financial institutions have issued common Interagency Guidelines 
Establishing Information Security Standards and have developed a Common 
Self-Assessment Tool and an Information Security Booklet to guide 
examinations of entities in the financial sector.
    a. Is such a model effective at providing harmonized requirements 
and why?
    b. What challenges are associated with such a model?
    c. Are there opportunities to adapt such a model to other sectors--
or across multiple sectors--and if so, how?
    d. Are there sectors or subsectors for which such a model would not 
be appropriate, and if so, why?
    e. How does or could such a model apply outside the context of 
examination-based compliance regimes?
    f. Are there opportunities to improve on such a model through 
common oversight approaches, and, if so, how?
    g. Does your organization voluntarily apply a self-assessment tool 
regularly? What are good examples of helpful tools?
    h. Would a common self-assessment tool improve the ability of 
entities to meet regulatory requirements?
    3. Use of Existing Standards or Frameworks--The practice of using 
existing standards or frameworks in setting regulatory requirements can 
reduce burdens on regulated entities and help to achieve the goals of 
regulatory harmonization. Under existing law,\6\ Federal executive 
agencies use voluntary consensus standards for regulatory activities 
unless use of such standards is inconsistent with law or otherwise 
impractical. In a recent report \7\ from the President's National 
Security Telecommunications Advisory Council (NSTAC) that addressed 
cybersecurity regulatory harmonization, the NSTAC noted that ``even 
though most regulations cite consensus standards as the basis for their 
requirements, variations in implementations across regulators often 
result in divergent requirements.''
---------------------------------------------------------------------------

    \6\ Public Law 104-113.
    \7\ https://www.cisa.gov/sites/default/files/2023-04/NSTAC_Strategy_for_Increasing_Trust_Report_%282-21-23%29_508_0.pdf.
---------------------------------------------------------------------------

    a. To what extent are cybersecurity requirements applicable to your 
industry or sector based on, consistent with, or aligned with existing 
standards or frameworks?
    i. Which standards or frameworks have been applied to your industry 
or sector?
    ii. Have these standards or frameworks been adopted in whole, 
either through the same requirements or incorporation by reference, or 
have they been modified by regulators?
    If modified, how were they modified by particular regulators? Has 
your entity or have others in your sector provided input that the 
regulator used to develop or adapt existing standards for your sector? 
If so, what are the mechanisms, frequency, and nature of the inputs?
    b. Is demonstrating conformity with existing standards or 
frameworks that your industry is required by regulation to use readily 
auditable or verifiable and why?
    c. What, if any, additional opportunities exist to align 
requirements to existing standards or frameworks and, if there are such 
opportunities, what are they?
    4. Third-Party Frameworks--Both the government (for example, 
through the NIST Cybersecurity Framework) and non-government third 
parties have developed frameworks and related resources that map 
cybersecurity standards and controls to cybersecurity outcomes. These 
frameworks and related resources have also been applied to map controls 
to regulatory requirements, including where requirements are leveled by 
multiple agencies.
    a. Please identify such frameworks and related resources, both 
governmental and non-governmental, currently in use with respect to 
mitigating cybersecurity risk.
    b. How well do such frameworks and related resources work in 
practice to address disparate cybersecurity requirements?
    5. Tiered Regulation--Different levels of risk across and within 
sectors may in part be addressed through a tiered model (e.g., low, 
moderate, or high risk),\8\ potentially assisting in tailoring baseline 
requirements for each regulatory purpose. Tiering may also help smaller 
businesses meet requirements commensurate with their risk. For example, 
while these are not regulations, tiering into several baselines is a 
feature of Federal Information Processing Standard 199 and the NIST 
Risk Management Framework.
---------------------------------------------------------------------------

    \8\ FIPS 199, Standards for Security Categorization of Federal 
Information and Information Systems (nist.gov).
---------------------------------------------------------------------------

    a. Could such a model be adapted to apply to multiple regulated 
sectors? If so, how would tiers be structured?
    b. How could this tiered approach be defined across disparate 
operational environments and what might be some of the opportunities 
and challenges associated with doing so?
    6. Oversight--Please provide examples of cybersecurity oversight by 
multiple regulators of the same entity, and describe whether the 
oversight involved IT or OT infrastructure. Some of these questions 
reference a potential ``regulatory reciprocity'' model, under which 
cybersecurity oversight and enforcement as to cross-sector baseline 
cybersecurity requirements would be divided among regulators, with the 
``primary'' or ``principal'' regulator for an entity having authority 
to oversee
and enforce compliance with that baseline.
    a. Please identify the Federal, state or local agencies that are 
engaged in cybersecurity oversight of the same IT or OT systems, 
components, or data (``infrastructure'') at the same regulated entity. 
This may be multiple Federal regulatory schema or multiple 
intergovernmental bodies (e.g., Federal, state, local, Tribal, 
territorial).
    b. Please describe the method(s) of cybersecurity oversight 
utilized by the agencies identified in your response to the question 
above.
    c. To what extent, if any, are you aware that the agencies engaged 
in cybersecurity oversight of the same IT or OT infrastructure 
coordinate their oversight activities? Please describe.
    d. Where multiple agencies are engaged in cybersecurity oversight 
of the same IT or OT infrastructure:
    i. Is the role of a ``primary'' or ``principal'' agency recognized? 
If so, please describe how.
    ii. To what extent do one or more of these agencies rely on or 
accept the findings, assessments or conclusions of another agency with 
respect to compliance with regard to certain cybersecurity requirements 
(``regulatory reciprocity'')? Please provide specific examples.
    iii. What are the barriers to regulatory reciprocity (legal, 
cultural, sector-specific technical expertise, or other)?
    e. Are there situations in which regulations related to physical 
security, safety, or other matters are intertwined with cybersecurity 
in such a way that baseline cybersecurity regulatory requirements from 
a separate Federal entity might have unintended consequences on 
physical security, safety, or another matter? If so, please provide 
specific examples.
    f. If you are a regulated entity, what is the estimated annual cost 
over the past five years in terms of expenses or additional staff to 
address overlapping cybersecurity oversight of the same IT or OT 
infrastructure? Please describe the methodology used to develop the 
cost estimate.
    g. Do multiple public sector agencies examine or audit your 
cybersecurity compliance for the same IT or OT infrastructure? If so, 
how many entities examine or audit the infrastructure and how often do 
these audits occur?
    h. What, if any, obstacles or inefficiencies have you experienced 
with regard to cybersecurity oversight, examination or enforcement 
related to OT components, systems, or data?
    i. Please provide examples of regulatory reciprocity between two or 
more Federal agencies with respect to cybersecurity, including the 
recognition or acceptance by one regulatory agency of another agency's 
assessment, determination, finding, or conclusion with respect to the 
extent of a regulated entity's compliance with certain IT or OT 
cybersecurity requirements.
    j. Are you aware of examples of regulatory reciprocity in contexts 
other than cybersecurity? If so, please describe briefly the agencies 
and the context.
    k. Please provide examples of self-attestation in cybersecurity 
regulation. What are the strengths and weaknesses of this model?
    l. Please comment on models of third-party assessments of 
cybersecurity compliance that may be effective at reducing burdens and 
harmonizing processes. For example, FedRAMP relies on Third Party 
Assessment Organizations (3PAOs) to perform initial assessments to 
inform decisions on FedRAMP eligibility. 3PAOs are accredited by an 
independent accreditation body.
    i. Are there circumstances under which use of third-party assessors 
would be most appropriate?
    ii. Are there circumstances under which use of third-party 
assessors would not be appropriate?
    7. Cloud and Other Service Providers--Information technology, as a 
sector, is not regulated directly by the Federal government. However, 
regulated entities' use of cloud and other service provider 
infrastructure is often regulated. To date, regulators have typically 
not directly regulated cloud providers operating in their sector. 
Rather, regulatory agencies have imposed obligations on their regulated 
entities that are passed along by contract to the cloud provider/
service provider.
    a. Please provide specific examples of conflicting, mutually 
exclusive, or inconsistent cybersecurity regulatory requirements that 
are passed along by contract to third-party service providers.
    b. Please provide examples of direct cybersecurity regulation of 
third-party service providers.
    c. Please provide information regarding the costs to third-party 
service providers of conflicting, mutually exclusive, or inconsistent 
cybersecurity regulatory requirements that are passed on to them 
through their contracts with regulated customers. Please also provide 
estimated costs to a regulated customer of using a third-party service 
provider when conflicting, mutually exclusive, or inconsistent 
cybersecurity regulatory requirements are passed to the customer 
through contracts. In either case, please detail the methodology for 
developing the cost estimate.
    d. Describe any two or more conflicting, mutually exclusive, or 
inconsistent regulations, one of which permits the use of cloud, while 
another does not. How does this impact your sector? Explain if these 
requirements also restrict the use of Managed Security Service 
Providers (MSSPs) and security tools that utilize the cloud.
    e. Have any non-U.S. governments instituted effective models for 
regulating the use of cloud services by regulated entities in a 
harmonized and consistent manner? Please provide examples and explain 
why these models are effective.
    f. The Department of Defense allows defense industrial base 
contractors to meet security requirements for the use of the cloud by 
using FedRAMP-approved infrastructure. Please provide examples of how 
the FedRAMP process differs, positively or negatively, from other 
requirements. What, if anything, would need to change about the FedRAMP 
certification process and requirements for it to be usable to meet 
other cybersecurity regulatory requirements?
    g. To the extent not included in response to any other question, 
please identify any specific Critical or Emerging Technologies that are 
subject to conflicting, mutually exclusive, or inconsistent regulation 
related to cybersecurity.
    8. State, Local, Tribal, and Territorial Regulation--State, local, 
Tribal and territorial entities often impose regulatory requirements 
that affect critical infrastructure owners and operators across state 
lines, as well as entities that do not neatly fall into a defined 
critical infrastructure sector. The New York Department of Financial 
Services, for example, established cybersecurity requirements for 
financial services companies.\9\ California similarly passed a 
cybersecurity law requiring manufacturers of internet-of-things 
(IoT) devices to take certain measures.\10\ Dozens of states have 
followed suit to date. Companies that operate in multiple states are 
often required to comply with a variety of overlapping state and 
Federal cybersecurity requirements.
---------------------------------------------------------------------------

    \9\ See 23 NYCRR Part 500.
    \10\ See Senate Bill No. 327.
---------------------------------------------------------------------------

    a. Please provide examples where SLTT cybersecurity regulations are 
effectively harmonized or aligned with Federal regulations.
    b. Please provide examples of regulatory reciprocity between 
Federal and SLTT regulatory agencies.
    c. Please highlight any examples or models for harmonizing 
regulations
across multiple SLTT jurisdictions, to include Federal support for such 
efforts.
    d. Please provide examples, if any, where regulatory requirements 
related to cybersecurity are conflicting, mutually exclusive or 
inconsistent within one jurisdiction (for example, state regulatory 
requirements that conflict with regulations at the local level).
    9. International--Many regulated entities within the United States 
operate internationally. A recent report from the NSTAC noted that 
foreign governments have been implementing regulatory regimes with 
``overlapping, redundant or inconsistent requirements . . .''.
    a. Identify specific instances in which U.S. Federal cybersecurity 
requirements conflict with foreign government cybersecurity 
requirements.
    b. Are there specific countries or sectors that should be 
prioritized in considering harmonizing cybersecurity requirements 
internationally?
    c. Which international dialogues are engaged in work on harmonizing 
or aligning cybersecurity requirements? Which would be the most 
promising venues to pursue such alignment?
    d. Please identify any ongoing initiatives by international 
standards organizations, trade groups, or non-governmental 
organizations that are engaged in international cybersecurity 
standardization activities relevant to regulatory purposes. Describe 
the nature of those activities. Please identify any examples of 
regulatory reciprocity within a foreign country.
    e. Please identify any examples of regulatory reciprocity between 
foreign countries or between a foreign country and the United States.
    10. Additional Matters--Please provide any additional comments or 
raise additional matters you feel relevant that are not in response to 
the above questions.
    Comments must be received no later than 5 p.m. EDT, October 31, 
2023.
    By October 31, 2023, all interested respondents should submit a 
written RFI response, in MS Word or PDF format, with their answers to 
questions on which they have expertise and insights for the Government 
through regulations.gov.
    Inputs that meet most of the following criteria will be considered 
most valuable:
    • Concise: Please limit your narrative response to twenty-
five (25) pages total. Additional analysis and/or contextual 
information specific to a question may be submitted in a supplemental 
appendix.
    • Easy to review and understand: Content that is modularly 
organized in the order of the questions in the RFI and presented in 
such a fashion that it can be readily lifted (by topic area) and shared 
with relevant stakeholders in an easily consumable format.
    • Expert: The Government, through this effort, is seeking 
insights to understand current best practices and approaches applicable 
to the above topics, as well as new and emerging solutions.
    • Clearly worded/not vague: Clear, descriptive, and concise 
language is appreciated. Please avoid generalities and vague 
statements.
    • Actionable: Please provide enough detail so that we can 
understand how to apply the information you provide.
    • Cost effective & impactful: If applicable, respondents 
should consider whether their suggestions have a clear return on 
investment that can be articulated to secure funding and support.
    • Strategic shifts: Challenges that seem to be intractable 
and overwhelmingly complex can often be resolved with a change in 
perspective that unlocks hidden opportunities and aligns stakeholder 
interests. We welcome these ideas as well.

Kemba E. Walden,
Acting National Cyber Director.
[FR Doc. 2023-17424 Filed 8-15-23; 8:45 am]
BILLING CODE 3340-D3-P