EXCLUSIVE: Top Republicans want OMB to streamline America's cyber security
THE LOWDOWN:
Top Republicans in Congress are eager to see the Trump administration’s Office of Management and Budget (OMB) roll back Biden-era regulations that leaders in the private sector have said are both duplicative and counterproductive, the Washington Reporter can reveal.
The Reporter exclusively obtained a letter from House Homeland Security and Oversight Committees chairmen Mark Green and James Comer calling on OMB Director Russ Vought to “address the burdensome and conflicting cyber regulatory landscape.”
Reps. Clay Higgins (R., La.), Nancy Mace (R., S.C.), and Andy Biggs (R., Ariz.) joined the chairmen on the letter.
According to President Donald Trump’s 10-to-1 deregulation initiative, OMB “must not issue any new cyber regulations without repealing at least ten existing rules and ensuring the net total cost of new and repealed regulation are less than zero.”
Top Republicans in Congress are eager to see the Trump administration’s Office of Management and Budget (OMB) roll back Biden-era regulations that leaders in the private sector have said are both duplicative and counterproductive, the Washington Reporter can reveal.
In a letter exclusively obtained by the Reporter, House Homeland Security Committee Chairman Mark Green (R., Tenn.) and House Oversight Committee Chairman James Comer (R., Ky.) wrote to OMB Director Russ Vought urging his agency to “address the burdensome and conflicting cyber regulatory landscape.” Reps. Clay Higgins (R., La.), Nancy Mace (R., S.C.), and Andy Biggs (R., Ariz.) joined the chairmen on the letter.
“As nation-state and criminal actors increasingly target U.S. networks and critical infrastructure in cyberspace, we can no longer allow compliance burdens to hinder the agility of U.S.-based companies to respond to threats in a timely manner,” they wrote, adding that the dichotomy between spending on security and compliance is an “unnecessary tradeoff.”
“The U.S. cyber regulatory regime should facilitate valuable and actionable information sharing that reinforces the security measures companies undertake to defend against, and respond to, cyber incidents,” the lawmakers wrote.
The lawmakers wrote that there “is ample evidence that cybersecurity regulatory compliance is unnecessarily sprawling and resource-intensive,” and that the “Cybersecurity and Infrastructure Security Agency (CISA) estimates there are more than three dozen federal requirements for cyber incident reporting alone — a number that does not capture specific state, local, Tribal, territorial, or international requirements.”
One example the lawmakers point to is “a proposed change to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule aimed to improve cybersecurity [which] would cost regulated entities and health-plan sponsors an astounding $9 billion combined in just the first year.”
While Congress has passed numerous bipartisan measures to attempt to streamline cybersecurity requirements, the lawmakers note that Vought’s OMB can play a critical role too.
“We urge OMB to act now by prioritizing the review of existing and future federal cyber regulations,” the letter reads. “OMB, in coordination with [the Office of the National Cyber Director] and [the Cybersecurity and Infrastructure Security Agency], must thoroughly examine the existing cyber regulatory landscape for duplication and redundancy across the federal government, and identify opportunities for reciprocity within and between agencies.”
According to President Donald Trump’s 10-to-1 deregulation initiative, OMB “must not issue any new cyber regulations without repealing at least ten existing rules and ensuring the net total cost of new and repealed regulation are less than zero,” they note.
However, OMB has the ability and authority to “periodically review existing significant regulations ‘to confirm that regulations are both compatible with each other and not duplicative or inappropriately burdensome in the aggregate,’” and the Republicans on the Green-led letter hope Vought exercises that authority.
Following this letter, the lawmakers wrote to Vought that they would like to be briefing on OMB’s plans no later than April 28th.
“The Trump administration is rightfully working to roll back the burdensome, bureaucratic red tape across industries that ballooned under the Biden-Harris administration,” Green told the Reporter. “In line with that mission, Chairman Comer and I urge Director Vought to use OMB’s existing authorities to closely examine the cyber regulatory regime, which is now forcing the private sector to spend more time meeting duplicative compliance standards than securing their networks from growing cyber threats.”
“Harmonizing and streamlining cyber requirements throughout the federal government will enable America’s cyber defenders to focus on network security,” he added.
The Trump administration has placed a priority on rolling back unnecessary regulations, which these Republicans think aligns squarely with reforming America’s cybersecurity infrastructure. Under the status quo, they note, “the resources required for regulated entities to comply are immense.”
Testimony heard by both committees has shown the extent of the problems.
“Bank Chief Information Security Officers [CISOs] now spend 30-50 percent of their time on compliance and examiner management,” one witness told the Subcommittee on Cybersecurity and Infrastructure Protection. “The cyber teams they oversee spend as much as 70 percent of their time on those same functions.”
Another witness told the Subcommittee on Cybersecurity, Information Technology, and Government Innovation that “managing compliance obligations with disparate regulations and across agencies may in fact harm the cybersecurity posture of organizations, particularly where limited resources are allocated to compliance activities over managing risk, maturing capabilities, and creating effective security programs.”
Comer told the Reporter that the findings by the two GOP-led committees should lead to plenty of opportunities for collaboration with the administration.
“Cyberattacks against our government and U.S.-based companies pose a serious threat to our national security and critical infrastructure,” he said. “We must ensure that cybersecurity regulations help prevent these attacks, not enable them.”
“We look forward to working with the Trump Administration to streamline and harmonize duplicative and bureaucratic regulations so they are effective and efficient,” Comer added.