Zscaler Inc.

07/01/2024 | News release | Distributed by Public on 07/01/2024 10:32

Cybersecurity Regulatory Harmonization

Zscaler Blog


As cybersecurity has taken on ever-increasing importance, cybersecurity programs have been designed and implemented to cover the requirements of federal, state and local governments. Cybersecurity and compliance programs have also been created and enacted to protect critical information in specific industries or use cases, such as healthcare, credit card and financial transactions, and law enforcement. Additionally, as one would expect, other nations and regions have created and adopted cybersecurity and compliance regimes to address cyber threats. All of this is good in that these efforts are directed at the same problem; however, there is a lack of harmonization and reciprocity even between U.S.-based government and industry requirements.

Recognizing the issue and working to address the lack of harmonization and reciprocity between cybersecurity regulations and programs, the Office of the National Cyber Director (ONCD) began exploring a framework for reciprocity baseline requirements with various stakeholder groups. As a part of this effort, ONCD posted a Request for Information (RFI) to gain feedback on cybersecurity initiatives. In June of 2024, ONCD published the findings of the RFI in the "Summary of the 2023 Cybersecurity Regulatory Harmonization Request for Information", with the intent for ONCD to work with stakeholders to find ways to collectively achieve better cybersecurity outcomes across various domains. The stated aims of harmonization are to:

  1. Strengthen cybersecurity readiness and resilience across all sectors
  2. Simplify oversight and regulatory responsibilities of cyber regulators while enabling them to focus on areas of sector-specific expertise
  3. Substantially reduce administrative burden and cost on regulated entities

Data from the RFI revealed that the proliferation of various cybersecurity regulations and compliance programs has led to "duplicative, conflicting, or unnecessary regulations that require commercial enterprises to devote resources to fulfilling technical compliance requirements without necessarily improving cybersecurity outcomes".

Why is Regulatory Harmonization important?

Businesses, specifically cloud service providers, that engage with the U.S. Federal government are likely to have to meet multiple security and compliance regimes: understandably, there is no one standard that covers both Federal Civilian Executive Branch agencies and the Department of Defense. This requirement is compounded by industry- or domain-specific requirements, and even more so if the business works internationally. Harmonization and reciprocity will go a long way toward easing the burden on commercial entities as they continue to protect critical information. Harmonization and reciprocity will also likely help lower the barriers to entry for small businesses into multiple markets. Data received by ONCD through the RFI reinforces some of these points.

ONCD's RFI report, referenced earlier, shared three key findings:

  1. The lack of harmonization and reciprocity harms cybersecurity outcomes while increasing compliance costs through additional administrative burdens.
    This results in companies being forced to meet multiple compliance/security regimes that are intended to control the same risk, and that are perhaps enforced differently, which imposes a cost that translates to a significant amount of resources: roughly 30 to 50 percent of a company's compliance teams' time, as reported in the document, is spent managing the various required security and compliance programs.
  2. Challenges with cybersecurity regulatory harmonization and reciprocity extend to businesses of all sectors and sizes, and they cross jurisdictional boundaries.
    Industries have created cybersecurity and compliance programs that address industry- or domain-specific needs, such as in healthcare and law enforcement, and much work has been done translating those industry-specific requirements back to a commonly recognized standard. For example, the Cloud Security Alliance, through its Cloud Controls Matrix, has mapped various security and compliance regimes against each other and back to the control catalog published by the National Institute of Standards and Technology (NIST), the standard used in the U.S. Federal Government. However, there is no mandate for harmonization or reciprocity across these different frameworks.
  3. The U.S. Government is positioned to act on and address these challenges.
    Steps have already been taken by the U.S. Federal government to address reciprocity and harmonization, such as President Biden's May 2021 "Executive Order on Improving the Nation's Cybersecurity", and "The National Cybersecurity Strategy Implementation Plan", published in July 2023, states the intent to "increase agency use of frameworks and standards to inform regulatory alignment".

Use Case: StateRAMP and CJIS

In the absence of a formal government mandate for harmonization and reciprocity, there are efforts between states and the U.S. Federal Government to address this issue. Recently, StateRAMP announced the establishment of the StateRAMP CJIS-Aligned Task Force, a historic collaboration between the leading authority in cloud security standards for state and local governments and the Federal Bureau of Investigation's Criminal Justice Information Services (CJIS). The goal of this collaboration is to develop an overlay to the StateRAMP baseline controls that aligns seamlessly to CJIS requirements, ensuring robust security measures tailored to the unique needs of the criminal justice community.

"While there will be no official CJIS certification, the StateRAMP CJIS-aligned overlay represents a significant step forward in providing clear guidance on a product's likelihood for CJIS conformity," said Leah McGrath, Executive Director of StateRAMP, in the announcement. "Achieving a StateRAMP Authorization with the CJIS-aligned overlay will offer invaluable directional guidance, empowering agencies to make informed decisions about their cloud security solutions."

Building upon the foundation laid by StateRAMP's Standards and Technical Committee, this initiative marks a pivotal moment in furthering framework harmonization of cloud security practices tailored to the needs of state and local governments. Read the full details of this announcement here.

Zscaler fully supports the work undertaken by the U.S. Government and its recognition of the importance of harmonization and reciprocity of cybersecurity regulations and requirements, including collaborative efforts like the StateRAMP CJIS-Aligned Task Force. As one of the first cloud security companies to achieve FedRAMP JAB High and Moderate authorizations, Zscaler has long been a proponent of the regulatory frameworks that give agencies the cybersecurity assurances needed to choose partners in protecting critical data at all levels of government.

We have invested in achieving multiple frameworks so that we can support our government customers in meeting their requirements for mission success, compliance, and improved security posture. All stakeholders in the government sector will benefit from framework harmonization to meet the ultimate goal of reducing risk and safeguarding the confidentiality, integrity and availability of information.

Thank you for reading
