Senate panel advances cyber regulatory harmonization bill

Sen. Gary Peters, D-Mich., shown here departing the Senate chamber after a vote on July 31, 2024, is co-sponsor of a bill that would harmonize various federal agency cybersecurity rules to support easier compliance. Kent Nishimura/Getty Images

The bill aims to address overlapping cyber laws that CISOs say have caused compliance headaches.

A Senate panel advanced a forerunner cybersecurity regulatory overhaul bill on Wednesday aimed at synchronizing federal-level cybersecurity laws.

The Streamlining Federal Cybersecurity Regulations Act, helmed by Sens. Gary Peters, D-Mich. and James Lankford, R-Okla., advanced out of the Homeland Security Committee in a 10 to 1 vote. It would create an interagency group in the White House’s Office of the National Cyber Director focused on harmonizing U.S. cyber regulatory regimes and establish a pilot program to test new regulatory frameworks.

Academics and officials have touted the Biden administration as a strong player in U.S. cybersecurity policy, which has aimed to stick private firms with requirements that force them to be more transparent and responsive about never-ending cyberattacks. But industry feedback has said requirements like notification deadlines and other procedures create cost and time burdens because of inconsistencies or duplicate rules.

Many of the regulatory mainstays were ushered in by a sweeping national cybersecurity strategy implementation plan first unveiled last year, which assigned agencies tasks to shore up U.S. cyber posture, including regulators who oversee sectors like energy, telecommunications and financial services.

The Federal Communications Commission, for instance, has teed up rules to bolster the security of a core internet routing protocol, the Border Gateway Protocol (BGP). It’s also working with NIST and the National Security Council to set standards for a Cyber Trust Mark, which would help consumers shop for products that are less prone to cyberattacks.

Not every regulation has received praise, such as an SEC mandate that requires publicly traded firms to file with the agency within four business days of discovering a cybersecurity incident.

Broad feedback to ONCD signaled that inconsistent or duplicative requirements that force firms to draw money away from cybersecurity programs into compliance spending are preventing the private sector — including critical infrastructure owners and operators — from fully shoring up its cyberdefenses.

But the White House cyber czar’s office is limited in its ability to sway independent regulatory commissions to the discussion table, an ONCD official previously said, noting that it will need congressional help to direct entities like the Consumer Product Safety Commission or National Labor Relations Board — designed to operate autonomously from the executive branch — to discuss streamlining cyber laws.

The measure, which passed out of committee alongside a slew of other cyber and technology bills, will now need full Senate approval before being taken up in the House.