It's Time to Consolidate Cybersecurity Regulations

An ever-growing number of regulations and standards leaves many government cyber experts wondering if more guidelines necessarily equate to better cybersecurity.

“Another agency, another cybersecurity regulation to comply with.” That is the sentiment of many government cyber professionals.

But do more regulations, standards and security to-do lists automatically mean better cybersecurity? Many industry experts think the answer is “no,” and the time is right for harmonization, and perhaps even consolidation of cybersecurity standards.

When I was the Michigan chief security officer more than a decade ago, our cyber and technology teams were constantly working with auditors to ensure that we complied with a long list of regulatory requirements. Whether we were trying to meet Criminal Justice Information Services standards, Internal Revenue Service standards or Centers for Medicare and Medicaid Services privacy and security requirements, there seemed to always be another big team heading into town to keep everyone busy for months.

Sadly, the number of regulations, and the workload problems that come with them, have only gotten worse over the past decade. When you add private-sector requirements, government organizations can be overwhelmed.

Redundant and conflicting cybersecurity regulations burden federal agencies and private industry with billions of dollars in costs annually. More than 25 fragmented frameworks create inefficiencies, draining resources without improving defenses. Federal agencies often lack skilled personnel, modern processes and systems to manage cybersecurity risks effectively. Regulations are inconsistently monitored, outdated, and unresponsive to the fast pace of technological advancements.

These issues are exacerbated by duplicative audits that also impact state governments. To address these challenges, we need decisive action to streamline regulations, align them with modern threats, and improve overall cybersecurity effectiveness.

A NEW OPPORTUNITY

When Donald Trump was elected president again in November 2024, he announced the creation of the Department of Government Efficiency. Specific measures involve conducting audits, implementing budget cuts and modernizing outdated systems to achieve a more efficient government. With this new department striving to bring better government outcomes for less money, could this be the time to reduce the number of cyber regulations? Many experts (including this CISO) think the answer is “yes.”

Many public- and private-sector cyber experts recommend unifying federal cybersecurity regulations into a single baseline framework, based on NIST’s Special Publication 800-53, instead of maintaining multiple frameworks mapped together through harmonization. A unified baseline, adaptable to sector-specific risks, reduces the complexity and cost of managing multiple compliance frameworks.

This new approach could refocus efforts on evidence-based best practices, enhancing security by eliminating compliance distractions and enabling private-sector solutions tailored to actual threats. Consolidating frameworks into one cohesive standard shifts the emphasis from superficial compliance to meaningful, risk-driven cybersecurity measures.

No doubt, there are differences between the current frameworks that may become options in this new consolidated framework. But the reality is that upward of 80 percent of these cyber requirements are the same across frameworks, and we can no longer afford to keep re-examining the same security controls.

HOW COULD THIS WORK?

The StateRAMP and FedRAMP teams are already working on harmonization efforts across state governments and federal agencies, and those teams could help guide next steps and overall coordination.

Any presidential action should establish a unified, adaptable cybersecurity standard integrated into existing laws, enabling agencies to transition seamlessly. It will need to deliver outcomes that strengthen key areas, such as data protection, privacy, breach notification and incident response, by promoting uniformity and clarity without compromising critical protections or requiring a legislative overhaul.

An executive directive by the new Trump administration could create an executive group to move much faster than is currently possible. A new framework would be the basis for cybersecurity compliance consolidation, with one lead agency having authority. This approach would save money and time and enable better security overall.

This story originally appeared in the Winter 2025 issue of Government Technology magazine.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.