Companies in virtually every critical infrastructure sector have to navigate the maze of duplicative, inconsistent, and fragmented cybersecurity regulations imposed by federal and state governments. For example, as we have discussed in previous posts, organizations are subject to a wide range of affirmative cybersecurity requirements from government entities including regulatory agencies, Sector Risk Management Agencies (SRMAs), the Securities and Exchange Commission (SEC), and federal procurement agencies. And on the federal cyber incident reporting front, there are 52 in-effect or proposed federal requirements, with 45 requirements in effect across 22 agencies, according to the 2023 Report on Cyber Incident Reporting Harmonization.
Congress and the Administration have heard industry's message on the need for cyber regulatory harmonization, but significant uncertainty remains as to whether and how such harmonization will be achieved. Below, we take a deep dive into the current state of play—exploring key developments and upcoming decision points for policymakers considering how to make harmonization a reality.
CIRCIA Still Offers a Path Toward Harmonizing Incident Reporting, But Time Is Running Out.
The harmonization of cybersecurity incident reporting requirements for critical infrastructure was a key bipartisan driver of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), enacted in 2022. As former Senator Rob Portman (R-OH), one of the bill's sponsors, has explained, it was "Congress's intent that [CIRCIA] be the primary mechanism for companies to report cyber incidents" to the federal government. However, whether and how CIRCIA will be leveraged to meaningfully promote harmonization is still a looming open question: CISA's plan to implement the law remains in flux, the deadline for final rules is approaching, and there is widespread agreement that the proposed rules need to be revisited or rescinded.
In March of this year, the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection convened a hearing to examine how to improve the cyber regulatory regime through harmonization. The subcommittee's leaders on both sides of the aisle agreed that harmonization of cybersecurity requirements and cyber incident reporting is vital to our national security. Of note:
- Witnesses testified to reporting cyber incidents to a dozen different federal agencies including the SEC under its controversial cyber incident disclosure rule.
- Committee members and witnesses criticized the excessive scope and requirements under the CIRCIA Notice of Proposed Rulemaking (NPRM), which deviates from Congress' express purpose of harmonizing cyber incident reporting requirements to reduce unnecessary burdens on organizations from redundant reporting that pulls valuable resources away from security.
- Witnesses testified that the broad definitions under the NPRM are a barrier to CISA reaching harmonization agreements with SRMAs.
During the March hearing, Rep. Andrew Garbarino (R-NY) – who at the time was the House Homeland Security Cybersecurity Subcommittee Chairman and has since been selected as the Chairman of the full Committee – committed to working with CISA to address industry's concerns with the NPRM and the process. This commitment is promising, but with the October 2025 deadline fast approaching for CISA to issue the final CIRCIA rules, such work is becoming increasingly urgent. To complicate matters further, CISA remains without a Director due to delays in the confirmation process.
Sens. Peters and Lankford Continue The Push to Streamline Cyber Regulations, But Relief Would Not Be Immediate.
Harmonization relief may also be on the horizon via the bipartisan Streamlining Federal Cybersecurity Regulations Act – but any relief from this effort will likely be slow-moving. On June 22, 2025, Senate Homeland Security and Governmental Affairs Committee Ranking Member Gary Peters (D-MN) and Sen. Jim Lankford (R-OK) reintroduced the bill (S. 1875), which was considered but ultimately not enacted in the last Congress. Rep. Clay Higgins (R-LA) has stated he intends to reintroduce the House companion legislation. The bill's sponsors have been responsive to stakeholder feedback, and it has undergone significant changes since the last Congress – reflecting input from critical infrastructure sectors, industry associations, federal agencies, and others.
The bill proposes a multilayered approach to the harmonization process, which would include a harmonization committee, a set of baseline cybersecurity regulatory requirements that apply across sectors developed by the committee, a pilot program on harmonization, a report to the Office of Management and Budget (OMB) on the results, and OMB guidance for agencies on harmonization. While promising, this complex process will necessarily be multi-staged and unlikely to produce relief for years.
That said, the bill does propose one relatively simple and straightforward mechanism for harmonization: regulatory reciprocity, or mutual recognition between agencies, when a regulated entity satisfies a common requirement. This is a concept that has been contemplated under other harmonization efforts, including under CIRCIA. Here, the proposed Streamlining Federal Cybersecurity Regulations Act provides for reciprocity between regulators that require a commonly regulated organization to meet similar criteria, such as a cybersecurity standard or reporting a cyber incident.
Homeland Security Appropriations May Add Pressure on CISA to Drive Meaningful Harmonization.
Most recently, the House Appropriations Committee, in its Report accompanying the House version of the Fiscal Year 2026 Homeland Security Appropriations bill, included language identifying cyber harmonization as a priority due to "the proliferation of cybersecurity regulations from multiple government entities and the potential impacts on effective and efficient compliance." Specifically, the Committee directs CISA to continue its efforts to promote cybersecurity regulatory harmonization in collaboration with the Office of the National Cyber Director "with the goal of strengthening security while reducing duplicative and conflicting cybersecurity requirements to minimize time, expense, and complexity of compliance."
The Committee also requests a briefing from CISA, within 90 days of the bill's enactment, on "harmonizing and streamlining duplicate rules and regulations" as well as any barriers to harmonization and solutions to those barriers.
If this language remains in the final version of the FY 2026 Homeland Security Appropriations bill enacted into law, it may contribute additional pressure on CISA to pursue harmonization agreements with SRMAs and new harmonization lines of effort, both pursuant to Congress's direction in CIRCIA.