{"id":231012,"date":"2026-06-12T13:00:00","date_gmt":"2026-06-12T17:00:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/12\/cyber-framework-harmonization-is-a-thorny-yet-not-intractable-issue-experts-say\/"},"modified":"2026-06-13T04:10:24","modified_gmt":"2026-06-13T08:10:24","slug":"cyber-framework-harmonization-is-a-thorny-yet-not-intractable-issue-experts-say","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/12\/cyber-framework-harmonization-is-a-thorny-yet-not-intractable-issue-experts-say\/","title":{"rendered":"Cyber framework harmonization is a thorny, yet not intractable issue, experts say"},"content":{"rendered":"<p><a href=\"https:\/\/www.route-fifty.com\/cybersecurity\/2026\/06\/cyber-framework-harmonization-thorny-yet-not-intractable-issue-experts-say\/414148\/\">Cyber framework harmonization is a thorny, yet not intractable issue, experts say<\/a><\/p>\n<p><a href=\"https:\/\/www.route-fifty.com\/cybersecurity\/2026\/06\/cyber-framework-harmonization-thorny-yet-not-intractable-issue-experts-say\/414148\/\">https:\/\/www.route-fifty.com\/cybersecurity\/2026\/06\/cyber-framework-harmonization-thorny-yet-not-intractable-issue-experts-say\/414148\/<\/a><\/p>\n<p>Publish Date: 2026-06-12 13:00:00<\/p>\n<p>Source Domain: <a href=\"www.route-fifty.com\">www.route-fifty.com<\/a><\/p>\n<p>It\u2019s hard to pinpoint exactly when the federal government started regulating cybersecurity, but it can trace its origins back many decades to when computers and the internet started becoming more widely available.<\/p>\n<p>The National Institute of Standards and Technology\u2019s work dates back to 1972, when, under its previous title as the National Bureau of Standards, its Institute for Computer Sciences and Technology 
established a computer security program. Then a raft of new laws came in, including the Privacy Act of 1974, the landmark Computer Fraud and Abuse Act of 1986, then privacy protection laws like the Health Insurance Portability and Accountability Act in 1996.<\/p>\n<p>States eventually got involved with their own data breach laws, starting in California in 2002, while the federal Homeland Security Act passed that same year established the Department of Homeland Security, an agency that would soon play a key role in cybersecurity regulation and policy, especially after the creation of its Cybersecurity and Infrastructure Security Agency and, among other rules, its various information-sharing requirements.<\/p>\n<p>These regulations and many more have created a complex web of rules for state and local governments to follow. And sometimes those regulations overlap in their compliance requirements, with similarities in some areas but differences in others. Keeping up with all these requirements is a challenge, both in terms of cost and time.<\/p>\n<p>\u201cIt takes a tremendous amount of studying and a tremendous amount of knowledge to be able to navigate the broad regulatory and legal aspects of cybersecurity,\u201d Iowa Chief Information Security Officer Shane Dwyer told Route Fifty in an interview at the April Google Cloud Next conference in Las Vegas. \u201cAnd I would say that&#8217;s universal across the board. It&#8217;s not just in government.\u201d<\/p>\n<p>Government Concerns<\/p>\n<p>That web of related and unrelated regulations has been a source of concern for governments at all levels. It\u2019s prompted hearings, research papers from think tanks and nonprofits, and a slew of reports from the Government Accountability Office, especially in the last 15 years.<\/p>\n<p>In 2010, GAO said agencies had \u201cmade progress\u201d in harmonizing IT security policies both for national security and non-national security systems. 
The watchdog then in a 2020 report called on various agencies to coordinate more on the requirements and assessments for states\u2019 cybersecurity. In that report, the GAO examined four federal agencies and found that as many as 79% of security requirement parameters were in conflict.<\/p>\n<p>GAO also surveyed state chief information security officers and found great increases in the staff hours, costs of acquiring materials, software and equipment and time it takes to comply with federal agency rules due to the variances in their cybersecurity requirements.<\/p>\n<p>That 2020 report evaluated four agencies: the Centers for Medicare and Medicaid Services, the Federal Bureau of Investigation, the Internal Revenue Service and the Social Security Administration.<\/p>\n<p>It found that states were required to share a variety of data with them, all with differing security standards and conflicting parameters, including a variety of technical thresholds for related controls. GAO also found that some agency requirements did not fully address guidelines from the National Institute of Standards and Technology, meaning there were further inconsistencies away from accepted standards.<\/p>\n<p>Those warnings continued in a 2024 GAO report, which again recognized that efforts to harmonize cyber regulations have been \u201cinitiated\u201d but noted the \u201csignificant work\u201d that remained.<\/p>\n<p>The agency noted that the federal government under former President Joe Biden had taken various steps towards better harmonization, including through its 2023 National Cybersecurity Strategy, a national security memorandum on critical infrastructure security and resilience, and a request for information on regulatory harmonization from the Office of the National Cyber Director. 
But it noted that the cyber strategy did not have a timeline for implementation, and that ONCD did not publish a summary of the comments it received to its RFI.<\/p>\n<p>For its part, ONCD under President Donald Trump released a new National Cyber Strategy in which officials pledged to streamline cyber regulations \u201cto reduce compliance burdens, address liability, and better align regulators and industry globally.\u201d<\/p>\n<p>\u201cCyber defense should not be reduced to a costly checklist that delays preparedness, action, and response,\u201d the strategy says.<\/p>\n<p>In testimony before the Senate Homeland Security Committee June 5, David Hinchman, GAO\u2019s director of IT and cybersecurity, said various efforts need to be completed, including setting minimum cybersecurity requirements across infrastructure sectors; increasing agency use of frameworks and international standards to inform regulatory alignment; and leveraging reciprocity pilot programs.<\/p>\n<p>\u201cAs work continues on this important effort, it is vital that the stakeholders involved in this process remain focused on resolving the conflicts, inconsistencies and redundancies currently found in our nation\u2019s cybersecurity regulations,\u201d Hinchman said. \u201cFollowing through and executing specific plans and meeting established time frames, as supported by key organizations such as ONCD, [the Department of Homeland Security] and Congress, are essential to achieving harmonization. 
This, in turn, can better position our country\u2019s critical infrastructure sectors to address cybersecurity from a common perspective and help ensure the future safety and security of our nation.\u201d<\/p>\n<p>Witnesses and lawmakers at various hearings in Congress have bemoaned in the past how high their compliance costs are, and how they spend most of their time completing compliance checklists, which force them to divert resources away from investing in cybersecurity defenses.<\/p>\n<p>\u201cThe deluge of cybersecurity incident notification regulations perfectly illustrates the scope of the over-regulation problem and serves as a reminder that, to date, while we have studied the issue for years, not much has been done to drive actionable solutions \u2013 to actually harmonize cybersecurity regulatory requirements,\u201d John Miller, senior vice president of policy and general counsel at the Information Technology Industry Council, told a House subcommittee in 2024.<\/p>\n<p>Suggested Solutions<\/p>\n<p>In response to the growing discord between cyber regulations and the desire to harmonize them, lawmakers and outside groups have suggestions, with some areas of commonality emerging.<\/p>\n<p>U.S. Sens. Gary Peters, a Michigan Democrat, and James Lankford, an Oklahoma Republican, pushed their Streamlining Federal Cybersecurity Regulations Act two years ago, which received committee approval but then died on the Senate floor. That bill would have established an interagency harmonization committee at ONCD, with that committee required to develop a framework to align cybersecurity and information security regulations, rules, examinations and other compliance requirements.<\/p>\n<p>It also would have established a pilot program to test the developed framework on substantially similar regulations, and would have required all federal agencies to consult with the committee before issuing or updating regulations. 
At the time, Lankford said in a statement that harmonization would \u201cmake sure that federal requirements are focused on actually improving security instead of imposing a convoluted set of compliance challenges.\u201d<\/p>\n<p>Various outside groups have made their own suggestions. The National Association of State Chief Information Officers has argued for years in favor of cyber framework harmonization, which remains one of the group\u2019s top advocacy priorities.<\/p>\n<p>Alex Whitaker, NASCIO\u2019s government affairs director, acknowledged during a briefing at NASCIO\u2019s Mid-Year Conference in April in Philadelphia that it is a topic that can make \u201ceyes glaze over,\u201d but it is important. He said the Office of Management and Budget \u201cis really the only entity in the federal government that has the convening power to get these agencies together,\u201d while Congress could play some kind of role too.<\/p>\n<p>\u201cAt the end of the day, I do feel there is probably less disagreement among agencies than we think about what the standards are for harmonization,\u201d Whitaker continued. \u201cIt&#8217;s just having someone in the room to get them on the same page, to say, \u2018Here, look, let&#8217;s find where the commonalities are.\u2019\u201d<\/p>\n<p>Separately, the nonprofit Government Risk and Authorization Management Program, known as GovRAMP, released its own path forward for framework harmonization in April, having spent several years working on the effort with its various members from across government. 
GovRAMP also argued that OMB has a big role to play in harmonizing cyber regulations and requirements by issuing formal guidance.<\/p>\n<p>\u201cThat is going to be step one, because the agencies need that leadership and direction to say, \u2018This is where we&#8217;re going, as a whole, this is where we need to go,\u2019 not just for the federal government but for all government agencies and industries so we have a common set of standards for accountability,\u201d said GovRAMP Executive Director Leah McGrath in a recent interview. \u201cJust doing that, you&#8217;re going to see security outcomes improve, because rather than completing different audits and assessments, we&#8217;re able to, as a whole, go forward.\u201d<\/p>\n<p>GovRAMP also called for a harmonization working group similar to what would have been mandated in Peters\u2019 and Lankford\u2019s Senate bill. McGrath said that would help produce a \u201ccommon baseline\u201d of cyber standards, as well as common ways to demonstrate that agencies have met those standards.<\/p>\n<p>\u201cIf you get these folks in the room, we can find some common agreement,\u201d McGrath said.<\/p>\n<p>Given the growing importance of technology in government operations, the rise of artificial intelligence and the corresponding rise in cybersecurity threats, McGrath said that now presents the perfect opportunity to harmonize cybersecurity requirements.<\/p>\n<p>\u201cThere are so many opportunities, and these regulations are really the thing that could hold us back, not only from achieving the best security outcomes that we could achieve, but from also being able to achieve our greatest potential from leveraging these innovations,\u201d she said. \u201cAs we&#8217;re seeing all these advancements, it feels like now&#8217;s the time. Let&#8217;s remove these burdens through harmonization, without sacrificing security. Most people agree, if we do this right, we are going to see better security as a result. 
So let&#8217;s just do it.\u201d<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cyber framework harmonization is a thorny, yet not intractable issue, experts say https:\/\/www.route-fifty.com\/cybersecurity\/2026\/06\/cyber-framework-harmonization-thorny-yet-not-intractable-issue-experts-say\/414148\/ Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":231013,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/cdn.route-fifty.com\/media\/img\/cd\/2026\/06\/12\/20260612_Cyber_SmileStudioAP\/open-graph.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[20,30,33,24],"class_list":["post-231012","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-artificial-intelligence","tag-breach","tag-computer-security","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/231012"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=231012"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/231012\/revisions"}],"predecessor-version":[{"id":231014,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/231012\/revisions\/231014"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/231013"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=231012"}],"wp:term"
:[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=231012"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=231012"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}