{"id":194248,"date":"2026-03-09T15:59:00","date_gmt":"2026-03-09T19:59:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/09\/conflicting-definitions-and-timelines-causing-cybersecurity-regulation-morass-industry-reps-say\/"},"modified":"2026-03-09T16:15:11","modified_gmt":"2026-03-09T20:15:11","slug":"conflicting-definitions-and-timelines-causing-cybersecurity-regulation-morass-industry-reps-say","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/09\/conflicting-definitions-and-timelines-causing-cybersecurity-regulation-morass-industry-reps-say\/","title":{"rendered":"Conflicting definitions and timelines causing cybersecurity regulation morass, industry reps say"},"content":{"rendered":"<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/cybersecurity-regulation-industry-feedback-gao-panel\/814215\/\">Conflicting definitions and timelines causing cybersecurity regulation morass, industry reps say<\/a><\/p>\n<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/cybersecurity-regulation-industry-feedback-gao-panel\/814215\/\">https:\/\/www.cybersecuritydive.com\/news\/cybersecurity-regulation-industry-feedback-gao-panel\/814215\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-03-09 15:59:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.cybersecuritydive.com\">www.cybersecuritydive.com<\/a><\/p>\n<p>Dive Brief:<\/p>\n<p>Inconsistent definitions, overly burdensome information demands and duplicative requirements are some of the problems that U.S. 
businesses face in dealing with cybersecurity regulations, according to a recent Government Accountability Office report.<br \/>\nCritical infrastructure organizations want federal agencies to work together to streamline their rules, according to the March 5 summary of a GAO panel discussion with infrastructure representatives.<br \/>\nBusinesses recommended several possible solutions to the regulatory sprawl, including agencies converging on common definitions of key terms.<\/p>\n<p>Dive Insight:<br \/>\nIn response to requests from the main House and Senate committees overseeing cybersecurity, GAO convened two panels, in May and September 2025, to solicit industry input on the cybersecurity regulatory environment. The agency\u2019s new report summarizes the findings from its Sept. 17, 2025, panel, with seven industry leaders representing the communications, energy, financial services, healthcare, information technology, transportation, and water sectors.<br \/>\n\u201cIndustry participants identified mostly negative impacts experienced by their industries because of multiple and overlapping cybersecurity regulations and how this has resulted in redundant work and conflicts,\u201d GAO said in its report.<br \/>\nOne problem participants identified was the overlapping regulatory frameworks to which many sectors are subject. Financial-services firms must comply with rules from banking regulators and the Securities and Exchange Commission, one participant said, with the resulting requirements being \u201cduplicative and overly burdensome.\u201d<br \/>\nAccording to GAO, another industry representative said federal regulations that exceed their industry\u2019s baseline level of security \u201care duplicative and do not result in a better outcome.\u201d<br \/>\nMultiple people said agencies sometimes adopt definitions \u2014 or even specific requirements \u2014 that are vague or don\u2019t account for the peculiarities of a specific sector. 
\u201cSeveral participants stated that different frameworks have similar controls and reporting requirements but have small differences that can create unnecessary overlap and confusion,\u201d the GAO report observed.<br \/>\nOne industry official said it seemed like agencies regulating the same sector weren\u2019t coordinating with each other while developing rules.<br \/>\nParticipants also criticized how the federal government handles cybersecurity incident reporting, describing the overlapping web of requirements as often duplicative or inconsistent. Industry representatives complained that regulatory agencies sometimes ask for different amounts of information within different periods of time, in addition to establishing different standards for when a business needs to report an incident.<br \/>\n\u201cOne participant stated that it can be both difficult and technically burdensome to collect information for multiple entities within a short amount of time to meet reporting requirements,\u201d according to the GAO report.<br \/>\nThe industry leaders who met with GAO represented a wide range of roles inside critical infrastructure organizations, including cybersecurity and IT directors, general counsels and chief information officers. GAO granted them anonymity to encourage them to speak candidly with its staff.<br \/>\nAccording to the panelists, the overlapping and sometimes conflicting web of cybersecurity regulations costs companies in several ways. 
In addition to the literal costs of employee salaries and technology expenses, companies spend valuable time reporting information to federal agencies \u2014 time they can\u2019t spend on improving their cyber defenses or dealing with intrusions.<br \/>\nThe expertise required for compliance also disadvantages small companies, panelists told GAO, because small firms often lack dedicated cybersecurity teams, despite facing many of the same requirements as large firms.<br \/>\nFederal agencies have made only limited progress in harmonizing their cybersecurity regulations, according to industry leaders, who cited several reasons for the difficulty. One of the most significant impediments, GAO said, is that the lack of coordinated definitions has produced \u201cinconsistent terminologies that cannot be widely applied and reused.\u201d<br \/>\nIndustry representatives encouraged agencies to convene a working group or other coordination mechanism to begin standardizing terminology, aligning reporting requirements and developing reciprocity agreements, with the goal of letting businesses use one process to meet multiple agencies\u2019 information needs.<br \/>\nThe federal government has been working on harmonization. The Office of the National Cyber Director (ONCD) solicited feedback on the best approach during the Biden administration, and the Cybersecurity and Infrastructure Security Agency\u2019s draft Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rule envisions CISA establishing reciprocity agreements with other regulators. 
(CISA also plans to update the CIRCIA rule based on upcoming industry feedback.)<br \/>\nDuring the GAO panel, industry leaders encouraged the Trump administration to give ONCD \u201ca clear mandate to address differences within federal agency terminology, reporting regimes, and guidance to work toward harmonizing federal regulations.\u201d<br \/>\nSeveral panelists encouraged agencies to develop metrics that quantified the effectiveness of their regulations. Some even said that one regulator should manage all incident reporting for each sector.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Conflicting definitions and timelines causing cybersecurity regulation morass, industry reps say https:\/\/www.cybersecuritydive.com\/news\/cybersecurity-regulation-industry-feedback-gao-panel\/814215\/ Publish Date: 2026-03-09&#8230;<\/p>\n","protected":false},"author":1,"featured_media":194249,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/imgproxy.divecdn.com\/oe2m4MyhZ2S9IEMFO9td7IisQ6gDZ9TuC_WUPk7l3qw\/g:ce\/rs:fit:770:435\/Z3M6Ly9kaXZlc2l0ZS1zdG9yYWdlL2RpdmVpbWFnZS8yMDEzX0dBT19FeHRlcmlvcl8wMS5KUEcud2VicA==.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24],"class_list":["post-194248","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/194248"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=194248"}],"version-hi
story":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/194248\/revisions"}],"predecessor-version":[{"id":194250,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/194248\/revisions\/194250"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/194249"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=194248"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=194248"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=194248"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}