October 12, 2023
Kemba E. Walden
Acting National Cyber Director
Office of the National Cyber Director
The White House
1600 Pennsylvania Avenue, NW
Washington, DC 20500
Comments of Business Roundtable on the Request for Information on Cybersecurity Regulatory Harmonization
Docket No. ONCD–2023–0001
88 Fed. Reg. 55694 (Aug. 16, 2023)
Dear Acting National Cyber Director Walden:
This letter is submitted on behalf of Business Roundtable, an association of more than 200 chief executive officers (CEOs) of America’s leading companies representing every sector of the U.S. economy. Business Roundtable CEOs lead U.S.-based companies that support one in four American jobs and almost a quarter of U.S. GDP. We appreciate the opportunity to respond to the Office of the National Cyber Director’s (ONCD) Request for Information (RFI) on Cybersecurity Regulatory Harmonization.
Business Roundtable member companies across sectors—financial services, communications, energy, health, public safety and security, defense, manufacturing, technology, retail, hospitality, insurance, and others—face significant and growing cyber threats. As the RFI notes, companies across the economy have an interest in regulatory harmonization. This includes a significant number of businesses, such as online retailers, that do not qualify as critical infrastructure. Given the RFI’s particular interest in critical infrastructure, we would note that BRT member companies own or operate infrastructure in at least eleven of the sixteen critical infrastructure sectors identified in Presidential Policy Directive 21: Chemicals; Commercial Facilities; Communications; Critical Manufacturing; Defense Industrial Base; Energy; Financial Services; Food and Agriculture; Healthcare and Public Health; Information Technology; and Transportation Systems. BRT member companies also provide technology solutions to owners and operators in the remaining critical infrastructure sectors.
BRT member companies operate comprehensive risk-based cybersecurity programs to address cybersecurity threats and regularly collaborate with the U.S. government to strengthen the cybersecurity of private and public systems. Our member companies, for example, have partnered with the federal government on the development, implementation and refinement of the NIST Cybersecurity Framework, voluntary sharing of cyber threat information under the Cybersecurity Information Sharing Act of 2015, and collaborative sector-specific partnerships developed in the defense industrial base, the energy industry, communications and IT, and other key sectors. Several of our member companies also served as founding partners in CISA’s Joint Cyber Defense Collaborative, which has since expanded to cover most critical infrastructure systems.
These collaborative partnerships between the public and private sectors have greatly strengthened our collective cybersecurity posture. For example, the NIST Cybersecurity Framework has become a market baseline for cyber risk management. The voluntary information sharing regime likewise has enabled the successful development of information sharing and analysis centers (or “ISACs”) that support virtually every industry. These collaborative, risk-based approaches have allowed companies to maintain cybersecurity programs that are tailored to the specific use cases and risks that they face. They are also sufficiently flexible to support continuous innovation in information technology, operational technology, cyber-physical and other systems, which drives tangible advances in cybersecurity capabilities and outcomes. We believe that such collaborative, flexible, technology-neutral and risk-based approaches to cybersecurity policy are the best way to address the cyber threats ahead.
In contrast, duplicative, conflicting or unnecessary regulations require companies to devote more resources to fulfilling technical compliance requirements without improving cybersecurity outcomes or customer protection. They also incentivize companies to treat cybersecurity as a checklist-based compliance activity, rather than maintaining tailored cyber risk management programs. This is a real and present concern. Companies are subject to an ever-expanding web of cybersecurity regulations imposed at the state and federal level, as well as internationally. As the National Cybersecurity Strategy acknowledges, it is important to address these concerns: “Where Federal regulations are in conflict, duplicative or overly burdensome, regulators must work together to minimize these harms.”
Business Roundtable consequently applauds ONCD for soliciting comments on cybersecurity regulatory harmonization. Below, we provide specific responses to ONCD’s questions posed in the RFI.