Cybersecurity Regulations: Additional Industry Perspectives on the Impact, Progress, Challenges, and Opportunities of Harmonization

GAO-26-108685 Published: Mar 05, 2026. Publicly Released: Mar 05, 2026.
Fast Facts

Cyber-based attacks are becoming more common and disruptive. They threaten essential critical infrastructure systems, such as electricity grids and transportation networks. Much of the infrastructure is privately owned, but federal agencies have established a variety of regulations to help protect it from cyber threats.

This is the second report from our discussions with industry representatives about federal efforts to use more consistent cybersecurity regulations. In this report, some participants noted redundant work because of overlapping regulations.

Our High Risk list recently reiterated our call for a national cybersecurity strategy.

A photo of a person in a business suit in the background, with icons of various regulations illustrated in the foreground.

A photo of a person in a business suit in the background, with icons of various regulations illustrated in the foreground.

Highlights

What GAO Found

Our nation depends on computer-based information systems and electronic data to execute fundamental operations and to process, maintain, and report crucial information. Nearly all federal and nonfederal operations, including the nation’s critical infrastructures, are supported by these systems and data. The 16 critical infrastructure sectors provide essential services—such as electricity distribution, transportation, and health care—that underpin American society (see figure). The safety of these systems and data is critical to public confidence and the nation’s security, economy, and welfare.

The 16 Critical Infrastructure Sectors

The 16 Critical Infrstructure Sectors

Federal agencies have issued a variety of regulations to help protect the nation’s critical infrastructure. However, these can result in conflicting guidance, inconsistencies, and redundancies. Harmonization refers to the development and adoption of consistent standards and regulations. Such consistency is important when critical infrastructure sectors are subject to multiple cybersecurity regulations so that these requirements will not overlap, duplicate, or contradict each other. Because the private sector owns most of the nation’s critical infrastructure, it is vital that the public and private sectors work together to protect these assets and systems. To this end, various federal agencies are responsible for assisting the private sector in protecting critical infrastructure, including enhancing cybersecurity.

GAO has long identified cybersecurity as a government-wide high-risk area. In May 2020, we identified adverse impacts that varying cybersecurity requirements issued by selected federal agencies and related compliance assessments had on state government agencies. Of the 12 recommendations we made to improve coordination in this area, agencies have implemented 11 and partially addressed the remaining recommendation. In June 2024, GAO testified on the efforts initiated to harmonize cybersecurity regulations and the adverse impacts that can occur without such harmonization.

GAO convened a panel discussion to gather industry perspectives on the harmonization of cybersecurity regulations. Specifically, participants noted that the Cybersecurity and Infrastructure Security Agency’s effort to provide free guidance, cybersecurity tools, and risk assessments has been helpful. They also said that selected federal agencies have adopted other federal assessment tools to help provide cybersecurity evaluations.

However, participants identified negative impacts that their industries experience with multiple and overlapping cybersecurity regulations and how these can result in redundant work and conflicts. These include:

  • Regulation overlap. Sectors are often subject to multiple regulatory frameworks that can result in potentially burdensome and duplicative cybersecurity requirements.
  • Definitions and requirements. Different federal frameworks have similar controls and reporting requirements but have small differences within regulations that create overlap and confusion.
  • Incident reporting requirements. Differences in the amount of detail, time frames, and thresholds required by agencies for reporting cyber incidents make it difficult and technically burdensome to collect and meet reporting requirements with short time frames.

Participants noted that progress in harmonizing federal cybersecurity regulations has been made, such as federal agencies providing cybersecurity guidance; however, several participants agreed that this progress was limited.

Industry participants discussed challenges federal agencies face in harmonizing cybersecurity regulations. Specifically, they noted that agency reporting requirements can compete with industry priorities.

However, participants identified many opportunities for harmonizing federal cybersecurity regulations. For example, in the near term, participants identified opportunities to harmonize existing regulations by renewing or revising existing legislation such as the Cybersecurity Information Sharing Act of 2015. They also noted that an expected regulation on cyber incident reporting could help streamline various other regulations. Further, participants stated that long-term opportunities include establishing a federal working group and metrics for regulatory effectiveness, focusing on deconflicting existing regulations, standardizing terminology, and making shared cybersecurity information confidential.

Why GAO Did This Study

GAO was asked to gather perspectives of industry participants on the progress that federal agencies are making to harmonize cybersecurity regulations. This report summarizes the perspectives that selected industry participants shared on the impact of federal cybersecurity regulations and federal agencies’ progress, challenges, and opportunities in harmonizing them.

GAO convened a panel discussion on September 17, 2025. The panel included seven representatives from different industry organizations across multiple critical infrastructure sectors. The representatives included directors of information technology and cybersecurity, chief information officers, and general counsel and regulatory affairs specialists.

For more information, contact David (Dave) Hinchman at HinchmanD@gao.gov.

GAO Contacts

David (Dave) Hinchman
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Cybersecurity, Critical infrastructure, Reporting requirements, Federal agencies, Compliance oversight, Information technology, Health care standards, Critical infrastructure protection, Public health, High-risk issues