On July 19, 2023, the Office of the National Cyber Director (ONCD) issued a request for information (RFI) on cybersecurity regulatory harmonization.1 The RFI is intended to be a step toward the Biden Administration's goal, as stated in the National Cybersecurity Strategy, to "harmonize not only regulations and rules, but also assessments and audits of regulated entities." It supports Initiative Number 1.1.1 of the Strategy's recently released Implementation Plan2: "engage non-governmental stakeholders to understand existing challenges with regulatory overlap and explore a framework for reciprocity for baseline requirements" by the first quarter of 2024.

ONCD encourages academics, non-profits, and private sector entities to provide feedback on the current state of cyber regulation in response to an extensive list of open-ended questions focused on commenters' experiences with existing cybersecurity frameworks and requirements. The RFI seeks specific examples of conflicts among state, local, and federal regulations of a particular sector, overlapping regulatory oversight, regulatory reciprocity among multiple federal agencies with respect to cybersecurity, and costs associated with compliance, among other topics. It also solicits feedback on existing models, such as the FFIEC's3 Common Self-Assessment Tool and Information Security Booklet. The RFI explicitly excludes comments about Federal incident reporting regulations from its scope, however.4

The National Cybersecurity Strategy highlights the importance of federal regulators working together to "minimize [the] harms" of federal regulations that are "in conflict, duplicative, or overly burdensome."5 The RFI, in contrast, uses the term "harmonization" to mean a "common set of updated baseline regulatory requirements that would apply across sectors."6 This definition suggests that ONCD may use this process of identifying existing conflicts or tensions to detect potential elements of an overarching, broadly applicable baseline cybersecurity regulation that do not currently exist in the United States. In this way, while presenting an opportunity to reduce undue regulatory burden, the RFI may prove to be a step toward filling gaps in cybersecurity regulation that the Administration identifies. Notably, the RFI also makes clear that "[s]ector regulators could go beyond the harmonized baseline to address cybersecurity risks specific to their sectors."

Given ONCD's focus on a potential regulatory baseline that could apply across sectors, it will be valuable for private sector stakeholders to identify regulatory conflicts, and to describe the pros and cons of different potential regulatory approaches. Feedback from key stakeholders on existing frameworks and obstacles may help drive a solution that further strengthens cybersecurity across the critical infrastructure sectors, while limiting regulatory overlap and unnecessary compliance burdens. Comments are due on September 15, 2023.


1. ONCD-Reg-Harm-RFI-Final-July-19.2023.pdf (whitehouse.gov)

2. See National-Cybersecurity-Strategy-2023.pdf (whitehouse.gov).

3. Federal Financial Institutions Examination Council.

4. The Cyber Incident Reporting Council will be responsible for coordinating, deconflicting, and harmonizing Federal incident reporting requirements.

5. See National-Cybersecurity-Strategy-2023.pdf (whitehouse.gov).

6. RFI at 2-3.

Visit us at mayerbrown.com

Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.

© Copyright 2023. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.