04/08/2025 | Press release | Distributed by Public on 04/08/2025 15:59
WASHINGTON, D.C. - This week, members of the House Committee on Homeland Security and House Committee on Oversight and Government Reform sent a letter to Office of Management and Budget (OMB) Director Russell Vought, urging OMB to streamline unnecessarily duplicative and resource-intensive cybersecurity regulations, which force critical infrastructure owners and operators to devote resources to complying with burdensome compliance standards instead of defending their networks. Cosigners of the letter include House Committee on Homeland Security Chairman Mark E. Green, MD (R-TN), Committee on Oversight and Government Reform Chairman James Comer (R-KY), Subcommittee on Federal Law Enforcement Chairman Clay Higgins (R-LA), Subcommittee on Cybersecurity, Information Technology, and Government Innovation Chairwoman Nancy Mace (R-SC), and Committee on Oversight and Government Reform member Andy Biggs (R-AZ).
In March 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued a proposed rule for the bipartisan Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). If implemented as written, the rule would undermine congressional intent by imposing duplicative incident reporting requirements and covering more entities than necessary. This is just one example of the redundant and counterproductive cyber regulatory landscape.
In the letter, members ask OMB to reduce compliance burdens by reviewing existing and future cyber regulations, identifying opportunities for harmonization within and across agencies, and thoroughly examining the existing cyber regulatory landscape for redundancy in coordination with the Office of the National Cyber Director (ONCD) and CISA. The letter also requests a briefing on OMB's plans to streamline cyber regulations by April 28, 2025. Read the full letter here.
Read more in the Washington Reporter.
In the letter, the members wrote, "Such oppressive requirements force entities of all sizes to choose between spending precious resources on security or on compliance. This unnecessary tradeoff puts entities at risk. The U.S. cyber regulatory regime should facilitate valuable and actionable information sharing that reinforces the security measures companies undertake to defend against, and respond to, cyber incidents. As nation-state and criminal actors increasingly target U.S. networks and critical infrastructure in cyberspace, we can no longer allow compliance burdens to hinder the agility of U.S.-based companies to respond to threats in a timely manner."
The members continued, "Compliance burdens imposed on companies can be reduced by streamlining cybersecurity requirements, which multiple stakeholders have testified as being unnecessarily duplicative. For example, in 2020, four federal agencies established cybersecurity requirements for states aimed at securing data. According to the U.S. Government Accountability Office (GAO), the percentage of conflicting parameters for these requirements ranged from 49 to 79 percent. Entities subject to these requirements should not bear the brunt of the federal government's lack of coordination."
The members concluded, "Specifically, OMB could use existing authority granted under Executive Order (EO) 12866: Regulatory Planning and Review. This EO enables OMB's Office of Information and Regulatory Affairs (OIRA) to periodically review existing significant regulations 'to confirm that regulations are both compatible with each other and not duplicative or inappropriately burdensome in the aggregate'… in line with President Trump's 10-to-1 deregulation initiative, OMB must not issue any new cyber regulations without repealing at least ten existing rules and ensuring the net total cost of new and repealed regulations is less than zero. As Congress continues its work to streamline cyber regulations, we urge OMB to take these steps to rein in the cyber regulatory landscape to dramatically improve the security and resiliency of U.S. networks and critical infrastructure. Eliminating the duplicative landscape of cyber regulations is the fastest, most cost-effective way to materially improve the nation's cybersecurity."
Background:
In a hearing on cyber regulatory harmonization last month, House Homeland members examined opportunities to improve the cyber regulatory regime, including the role CISA should play in cyber regulatory harmonization moving forward. In his opening statement, Chairman Green highlighted the need to streamline, saying: "There are now at least 50 cyber incident reporting requirements in effect across the federal government… This patchwork of conflicting and complex regulations places a significant burden on reporting entities. Let's be clear: improving our nation's cyber regulatory regime will bolster our national security. Current cyber incident reporting regulations require too much of the private sector, drawing their attention away from securing their networks."
Last month, Homeland Republicans sent a letter to Transportation Security Administration (TSA) Acting Administrator Adam Stahl, highlighting the evolving cyber threats facing our nation's transportation infrastructure and the urgent need for an adaptive cybersecurity posture that does not add to the already complex cybersecurity regulatory landscape.
In 2023, Chairman Green and Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andrew Garbarino (R-NY) were joined by Congressman Zach Nunn (R-IA) on a letter to Securities and Exchange Commission (SEC) Chair Gary Gensler, which sounded off on the agency's duplicative cyber rules that increase bureaucratic burden for public companies, risk compromising their confidentiality, and run contrary to CIRCIA.
###