Enhancing Cybersecurity by Harmonizing and Streamlining New and Existing Regulations

Microsoft is a strong supporter of the recent U.S. National Cybersecurity Strategy, and we aim to help foster implementation of its objectives. As the Office of the National Cyber Director (ONCD) and partner agencies move forward on implementation, we’re committed to offering our perspective on challenges as well as opportunities for the private sector and government to work together on advancing solutions.

Alongside its call to establish new requirements and responsibilities, the Strategy brings much-needed focus to the importance of harmonizing and streamlining new and existing regulations. It also recognizes the ONCD as the Administration’s lead for pursuing cybersecurity regulatory harmonization. Assigning accountability is a welcome and necessary step, but further action is needed.

Achieving meaningful harmonization will require the government to establish a framework and binding policy and procedures that facilitate drafting cybersecurity regulations and assessing whether they’re harmonized. Microsoft supports advancing recommendations consistent with the recent National Security Telecommunications Advisory Committee (NSTAC) Report to the President to accomplish these goals. We would also support legislative efforts to ensure independent regulators developing cybersecurity rules are governed by the same harmonization policies as the rest of the Executive Branch.

The Strategy appropriately identifies harms caused by regulatory divergence, including increased compliance costs, added complexity, and reduced investments in resilience and cybersecurity. It also identifies frequently cited solutions for harmonizing regulations: ensuring regulators are using international standards and maximizing the reuse of third-party assessments and audits.

These regulatory harms, and proposed solutions to address them, have been contemplated for some time; now is the time for action.

Regulators frequently reference international or National Institute of Standards and Technology (NIST) standards that provide guidance to help organizations make risk-based decisions about their cybersecurity posture. But when regulators want to mandate particular activities to reduce risk, they write requirements based on a standard without using its exact language. When multiple regulators independently take this approach, divergence can result. For example, recent EPA and TSA regulations based on the Identification and Authentication control family of NIST SP 800-53 diverge on the same control: EPA requires multi-factor authentication (MFA) “whenever possible,” while TSA allows for controls “commensurate to MFA.” An operator subject to both rules must then decide whether a single deployment satisfies two differently worded tests.

Driving harmonization – and limiting divergence to only necessary occasions – will require a shared framework that can provide regulators with common approaches to and language for applying standards in a regulatory context. But even if a well-developed, flexible framework is available for regulators to use, organizational inertia could prevent progress toward harmonization. Therefore, the government will also need binding policy that requires regulators to align to a framework during the rulemaking process.

Two key actions, consistent with those recommended by the NSTAC report, could support the development and evaluation of harmonized requirements.

First, agencies’ efforts to develop harmonized requirements could be facilitated by an existing or new office that (1) establishes expertise on cybersecurity regulations across sectors, (2) creates resources that regulators can use to more easily develop cybersecurity requirements that leverage consensus standards where possible, and (3) provides technical assistance to regulators during the rulemaking process.

One key resource could be a shared framework for applying standards in a harmonized way. The NIST Cybersecurity Framework, currently undergoing a 2.0 revision, and the Cybersecurity and Infrastructure Security Agency (CISA) Cross-Sector Cybersecurity Performance Goals, which are being aligned to the Framework, could be drawn upon to build a shared lexicon for requirements.

Second, the government could build on E.O. 12866 to recognize cybersecurity harmonization as a regulatory principle and create procedures that advance harmonization. One new procedure could obligate regulators to explain how cybersecurity requirements in their rulemaking align to (or reasonably diverge from) consensus standards and government-developed regulatory resources. The same procedure could also require the office responsible for establishing expertise, creating resources, and providing technical assistance to conduct an independent assessment of that alignment.

As the lead for regulatory harmonization, ONCD could review the regulators’ explanations and office’s independent assessments and, as warranted, require changes to a rule before its publication.

These recommended actions would create binding policy and procedures to strengthen cybersecurity harmonization across the activities of most regulators.

However, the NSTAC report also identifies one further challenge: independent regulatory agencies are excluded from E.O. 12866's regulatory review requirements. Because the NSTAC’s remit is to provide recommendations that the President can implement, it suggested that independent regulators can be encouraged to voluntarily adhere to the new policy and procedures.

Congress could also act to ensure that all regulators developing cybersecurity rules, including independent regulatory agencies increasingly active on cybersecurity, adhere to these policies and procedures. Legislation could also authorize and fund efforts to support regulators with guidance and technical assistance as well as independently assess their regulatory proposals, helping to underline the importance of this mission and accelerate its implementation.

Microsoft looks forward to working with the Administration and Congress to achieve our shared vision for cybersecurity regulatory harmonization.

Roger Ach

Founder at Chicago West Pullman llc, SocialPay?, BioTone?? & Affiliates

1 year

Thank you for sharing, Tom! Roger Ach

Jeffrey Caruso

The third edition of Inside Cyber Warfare is now available on Kindle and in paperback on Amazon.com.

1 year

Does Microsoft have a plan to address the accountability factor for its cybersecurity products and services?


Very much agree with Tom! Companies want to meet the obligations of regulations but find it very difficult and costly (sometimes contradictory). We all need a simpler way - harmonizing and streamlining regulations is what we should do.


More articles by Tom Burt

  • Five Security Takeaways From Last Week

    Cybersecurity continues to be a key challenge for organizations and they need to allocate both time and other resources…
