07/01/2024 | News release | Distributed by Public on 07/01/2024 10:32
Zscaler Blog
As cybersecurity has taken on ever-increasing importance, cybersecurity programs have been designed and implemented to cover the requirements of federal, state and local governments. Cybersecurity and compliance programs have also been created and enacted to protect critical information in specific industries or use cases, such as healthcare, credit card and financial transactions, and law enforcement. Additionally, as one would expect, other nations and regions have created and adopted cybersecurity and compliance regimes to address cyber threats. All of this is good in that these efforts are directed at the same problem; however, there is a lack of harmonization and reciprocity even between U.S.-based government and industry requirements.
Recognizing the issue and working to address the lack of harmonization and reciprocity between cybersecurity regulations and programs, the Office of the National Cyber Director (ONCD) began exploring a framework for reciprocity baseline requirements with various stakeholder groups. As part of this effort, ONCD posted a Request for Information (RFI) to gather feedback on cybersecurity initiatives. In June 2024, ONCD published the findings of the RFI in the "Summary of the 2023 Cybersecurity Regulatory Harmonization Request for Information", with the intent that ONCD work with stakeholders to find ways to collectively achieve better cybersecurity outcomes across various domains. The stated aim of harmonization is to:
Data from the RFI revealed that the proliferation of various cybersecurity regulations and compliance programs has led to "duplicative, conflicting, or unnecessary regulations that require commercial enterprises to devote resources to fulfilling technical compliance requirements without necessarily improving cybersecurity outcomes".
Why is Regulatory Harmonization important?
Businesses, specifically cloud service providers, that engage with the U.S. Federal government are likely to have to meet multiple security and compliance regimes. There is, understandably, no single standard that covers both Federal Civilian Executive Branch agencies and the Department of Defense, but this requirement is compounded by industry- and domain-specific requirements, and even more so if the business works internationally. Harmonization and reciprocity will go a long way toward easing the burden on commercial entities while they continue to protect critical information. Harmonization and reciprocity will also likely help to lower the barriers to entry for small businesses into multiple markets. Data received by ONCD through the RFI reinforces some of these points.
ONCD's RFI report, referenced earlier, shared three key findings:
Use Case: StateRAMP and CJIS
In the absence of a formal government mandate for harmonization and reciprocity, there are efforts between states and the U.S. Federal Government to address this issue. Recently, StateRAMP announced the establishment of the StateRAMP CJIS-Aligned Task Force, a historic collaboration between the leading authority in cloud security standards for state and local governments and the Federal Bureau of Investigation's Criminal Justice Information Services (CJIS). The goal of this collaboration is to develop an overlay to the StateRAMP baseline controls that aligns seamlessly with CJIS requirements, ensuring robust security measures tailored to the unique needs of the criminal justice community.
"While there will be no official CJIS certification, the StateRAMP CJIS-aligned overlay represents a significant step forward in providing clear guidance on a product's likelihood for CJIS conformity," said Leah McGrath, Executive Director of StateRAMP, in the announcement. "Achieving a StateRAMP Authorization with the CJIS-aligned overlay will offer invaluable directional guidance, empowering agencies to make informed decisions about their cloud security solutions."
Building upon the foundation laid by StateRAMP's Standards and Technical Committee, this initiative marks a pivotal moment in furthering framework harmonization of cloud security practices tailored to the needs of state and local governments. Read the full details of this announcement here.
Zscaler fully supports the work undertaken by the U.S. Government in recognizing the need for harmonization and reciprocity of cybersecurity regulations and requirements, including collaborative efforts like the StateRAMP CJIS-Aligned Task Force. As one of the first cloud security companies to achieve FedRAMP JAB High and Moderate authorizations, Zscaler has long been a proponent of the regulatory frameworks that give agencies the cybersecurity assurances they need to choose partners in protecting critical data at all levels of government.
We have invested in achieving multiple frameworks so that we can support our government customers in meeting their requirements for mission success, compliance, and improved security posture. All stakeholders in the government sector will benefit from framework harmonization to meet the ultimate goal of reducing risk and safeguarding the confidentiality, integrity and availability of information.