Cybersecurity Regulations: Industry Perspectives on the Impact, Progress, Challenges, and Opportunities of Harmonization

GAO-25-108436 Published: Jul 30, 2025. Publicly Released: Jul 30, 2025.
Fast Facts

The nation increasingly relies on computer-based information systems to support critical infrastructure needed for communications, water, energy, and more. Much of the infrastructure is privately owned. Federal agencies have established a variety of regulations to help protect it from cyber threats.

For this report, we asked a group of industry representatives for their views on federal efforts to use more consistent cybersecurity regulations. Some participants cited, for example, overlapping regulations causing unnecessary burdens and diverting resources.

Our High Risk list recently reiterated our call for a national cybersecurity strategy.

Highlights

What GAO Found

Our nation depends on computer-based information systems and electronic data to carry out fundamental operations and to process, maintain, and report crucial information. Nearly all federal and nonfederal operations, including the nation's critical infrastructures, are supported by these systems and data. The nation's 16 critical infrastructure sectors provide essential services—such as electricity distribution, transportation, and health care—that underpin American society. These include systems and assets so vital to the United States that their incapacity or destruction would have a debilitating impact on security, national economic security, public health or safety, or any combination of these. The safety of these systems and data is critical to public confidence and the nation's security, economy, and welfare.

Harmonization refers to the development and adoption of more consistent standards and regulations. Such consistency is important when critical infrastructure sectors are subject to multiple cybersecurity regulations so that these guidelines will not overlap, duplicate, or contradict each other. Because the private sector owns most of the nation's critical infrastructure, it is vital that public and private sectors work together to protect these assets and systems. To this end, various federal agencies are responsible for assisting the private sector in protecting critical infrastructure, including enhancing cybersecurity.

GAO has long identified cybersecurity as a government-wide high-risk area. In June 2024, GAO testified on the efforts initiated to harmonize cybersecurity regulations and reported that there could be adverse impacts without harmonization.

GAO convened two panel discussions to gather perspectives of 12 industry participants regarding the progress that federal agencies are making to harmonize cybersecurity regulations. This report summarizes the perspectives that selected participants shared on how industry views the impact of federal cybersecurity regulations and federal agencies' progress, challenges, and opportunities in harmonizing them in accordance with national cybersecurity policy and strategy.

Participants noted that the Cybersecurity and Infrastructure Security Agency's efforts to collaborate and build trust across sectors through the Cybersecurity Information Sharing Act of 2015 have been successful. They also said cybersecurity regulations have helped drive industry behavioral changes leading to more investments in cybersecurity.

However, participants identified negative impacts that their industries experience with multiple and varying cybersecurity regulations and how this can result in overlap, duplication, and conflicts. These include:

  • Number of regulations. When several agencies regulate a sector's cybersecurity, the result can be overlapping and duplicative cybersecurity regulations.
  • Definitions and requirements. Cybersecurity definitions and requirements can be vague or may not account for differences between sectors. Federal requirements may also conflict with foreign requirements, which creates conflicts for organizations operating in more than one country.
  • Audits and assessments. One participant stated that their sector could have up to seven different auditors request the same information. Multiple agencies assessing the same organization can be an indicator of overlap and duplication.

Participants also noted that federal agencies have made limited progress in harmonizing the various cybersecurity regulations. While some progress in aligning federal cybersecurity regulations has been made, gaps remain, such as in regulators' knowledge of specific industry risks.

Industry participants discussed challenges federal agencies face in harmonizing cybersecurity regulations. Specifically, they noted a lack of standard definitions and information requirements.

However, participants did identify near- and long-term opportunities for harmonizing federal cybersecurity regulations. For example, in the near term, participants identified opportunities to harmonize existing regulations through guidance from the National Institute of Standards and Technology. They also noted that an expected regulation on cyber incident reporting could help streamline various other regulations. Further, participants stated that long-term opportunities include identifying a single entity with primary authority over the various agencies that enforce cybersecurity regulations.

Why GAO Did This Study

GAO was asked to gather perspectives of industry participants on the progress that federal agencies are making to harmonize cybersecurity regulations. This report summarizes the perspectives that selected industry participants shared on the impact of federal cybersecurity regulations and federal agencies' progress, challenges, and opportunities in harmonizing them.

To gather perspectives, GAO convened two panel discussions on May 28 and May 29, 2025. Each panel included six representatives from industry organizations for a total of 12 representatives across the two panels. The representatives included directors of cybersecurity-related functions, chief executive officers, regulatory affairs specialists, and those in similar roles across multiple critical infrastructure sectors.

For more information, contact David (Dave) Hinchman at HinchmanD@gao.gov.

GAO Contacts

David (Dave) Hinchman
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Compliance oversight, Information sharing, Critical infrastructure, Reporting requirements, Cybersecurity, Federal agencies, High-risk issues, Information security, Information technology, Health care standards