GAO - Government Accountability Office

03/05/2026 | Press release | Distributed by Public on 03/05/2026 08:17

Cybersecurity Regulations: Additional Industry Perspectives on the Impact, Progress, Challenges, and Opportunities of Harmonization

What GAO Found

Our nation depends on computer-based information systems and electronic data to execute fundamental operations and to process, maintain, and report crucial information. Nearly all federal and nonfederal operations, including the nation's critical infrastructures, are supported by these systems and data. The 16 critical infrastructure sectors provide essential services, such as electricity distribution, transportation, and health care, that underpin American society (see figure). The safety of these systems and data is critical to public confidence and the nation's security, economy, and welfare.

The 16 Critical Infrastructure Sectors

Federal agencies have issued a variety of regulations to help protect the nation's critical infrastructure. However, these can result in conflicting guidance, inconsistencies, and redundancies. Harmonization refers to the development and adoption of consistent standards and regulations. Such consistency is important when critical infrastructure sectors are subject to multiple cybersecurity regulations so that these requirements will not overlap, duplicate, or contradict each other. Because the private sector owns most of the nation's critical infrastructure, it is vital that the public and private sectors work together to protect these assets and systems. To this end, various federal agencies are responsible for assisting the private sector in protecting critical infrastructure, including enhancing cybersecurity.

GAO has long identified cybersecurity as a government-wide high-risk area. In May 2020, we identified adverse impacts that varying cybersecurity requirements issued by selected federal agencies and related compliance assessments had on state government agencies. Of the 12 recommendations we made to improve coordination in this area, agencies have implemented 11 and partially addressed the remaining recommendation. In June 2024, GAO testified on the efforts initiated to harmonize cybersecurity regulations and the adverse impacts that can occur without such harmonization.

GAO convened a panel discussion to gather industry perspectives on the harmonization of cybersecurity regulations. Participants noted that the Cybersecurity and Infrastructure Security Agency's effort to provide free guidance, cybersecurity tools, and risk assessments has been helpful. They also said that selected federal agencies have adopted other federal assessment tools to help provide cybersecurity evaluations.

However, participants identified negative impacts that their industries experience from multiple and overlapping cybersecurity regulations, which can result in redundant work and conflicting requirements. These include:

  • Regulation overlap. Sectors are often subject to multiple regulatory frameworks that can result in potentially burdensome and duplicative cybersecurity requirements.
  • Definitions and requirements. Different federal frameworks have similar controls and reporting requirements but have small differences within regulations that create overlap and confusion.
  • Incident reporting requirements. Differences in the amount of detail, time frames, and thresholds that agencies require for reporting cyber incidents make it difficult and technically burdensome to collect the required information and meet reporting deadlines, particularly when the time frames are short.

Participants noted that progress in harmonizing federal cybersecurity regulations has been made, such as federal agencies providing cybersecurity guidance; however, several participants agreed that this progress was limited.

Industry participants discussed challenges federal agencies face in harmonizing cybersecurity regulations. Specifically, they noted that agency reporting requirements can compete with industry priorities.

However, many opportunities for harmonizing federal cybersecurity regulations were identified. For example, in the near-term, participants identified opportunities to harmonize existing regulations by renewing or revising existing legislation such as the Cybersecurity Information Sharing Act of 2015. They also noted that an expected regulation on cyber incident reporting could help streamline various other regulations. Further, participants stated that long-term opportunities include establishing a federal working group and metrics for regulatory effectiveness, focusing on deconflicting existing regulations, standardizing terminology, and making shared cybersecurity information confidential.

Why GAO Did This Study

GAO was asked to gather perspectives of industry participants on the progress that federal agencies are making to harmonize cybersecurity regulations. This report summarizes the perspectives that selected industry participants shared on the impact of federal cybersecurity regulations and federal agencies' progress, challenges, and opportunities in harmonizing them.

GAO convened a panel discussion on September 17, 2025. The panel included seven representatives from different industry organizations across multiple critical infrastructure sectors. The representatives included directors of information technology and cybersecurity, chief information officers, and general counsel and regulatory affairs specialists.

For more information, contact David (Dave) Hinchman at [email protected].

GAO - Government Accountability Office published this content on March 05, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on March 05, 2026 at 14:17 UTC.