Conflicting definitions and timelines causing cybersecurity regulation morass, industry reps say

Dive Brief:

  • Inconsistent definitions, overly burdensome information demands and duplicative requirements are some of the problems that U.S. businesses face in dealing with cybersecurity regulations, according to a recent Government Accountability Office report.
  • Critical infrastructure organizations want federal agencies to work together to streamline their rules, according to the March 5 summary of a GAO panel discussion with infrastructure representatives.
  • Businesses recommended several possible solutions to the regulatory sprawl, including agencies converging on common definitions of key terms.

Dive Insight:

In response to requests from the main House and Senate committees overseeing cybersecurity, GAO convened two panels, in May and September 2025, to solicit industry input on the cybersecurity regulatory environment. The agency’s new report summarizes the findings from its Sept. 17, 2025, panel, with seven industry leaders representing the communications, energy, financial services, healthcare, information technology, transportation, and water sectors.

“Industry participants identified mostly negative impacts experienced by their industries because of multiple and overlapping cybersecurity regulations and how this has resulted in redundant work and conflicts,” GAO said in its report.

One problem participants identified was the overlapping regulatory frameworks to which many sectors are subject. Financial-services firms must comply with rules from banking regulators and the Securities and Exchange Commission, one participant said, with the resulting requirements being “duplicative and overly burdensome.”

According to GAO, another industry representative said federal regulations that exceed their industry’s baseline level of security “are duplicative and do not result in a better outcome.”

Multiple people said agencies sometimes adopt definitions — or even specific requirements — that are vague or don’t account for the peculiarities of a specific sector. “Several participants stated that different frameworks have similar controls and reporting requirements but have small differences that can create unnecessary overlap and confusion,” the GAO report observed.

One industry official said it seemed like agencies regulating the same sector weren’t coordinating with each other while developing rules.

Participants also criticized how the federal government handles cybersecurity incident reporting, describing the overlapping web of requirements as often duplicative or inconsistent. Industry representatives complained that regulatory agencies sometimes ask for different amounts of information within different periods of time, in addition to establishing different standards for when a business needs to report an incident.

“One participant stated that it can be both difficult and technically burdensome to collect information for multiple entities within a short amount of time to meet reporting requirements,” according to the GAO report.

The industry leaders who met with GAO represented a wide range of roles inside critical infrastructure organizations, including cybersecurity and IT directors, general counsels and chief information officers. GAO granted them anonymity to encourage them to speak candidly with its staff.

According to the panelists, the overlapping and sometimes conflicting web of cybersecurity regulations costs companies in several ways. In addition to the literal costs of employee salaries and technology expenses, companies spend valuable time reporting information to federal agencies — time they can’t spend on improving their cyber defenses or dealing with intrusions.

The expertise required for compliance also disadvantages small companies, panelists told GAO, because small firms often lack dedicated cybersecurity teams, despite facing many of the same requirements as large firms.

Federal agencies have made only limited progress in harmonizing their cybersecurity regulations, according to industry leaders, who cited several reasons for the difficulty. One of the most significant impediments, GAO said, is that the lack of coordinated definitions has produced “inconsistent terminologies that cannot be widely applied and reused.”

Industry representatives encouraged agencies to convene a working group or other coordination mechanism to begin standardizing terminology, aligning reporting requirements and developing reciprocity agreements, with the goal of letting businesses use one process to meet multiple agencies’ information needs.

The federal government has been working on harmonization. The Office of the National Cyber Director (ONCD) solicited feedback on the best approach during the Biden administration, and the Cybersecurity and Infrastructure Security Agency’s draft Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rule envisions CISA establishing reciprocity agreements with other regulators. (CISA also plans to update the CIRCIA rule based on upcoming industry feedback.)

During the GAO panel, industry leaders encouraged the Trump administration to give ONCD “a clear mandate to address differences within federal agency terminology, reporting regimes, and guidance to work toward harmonizing federal regulations.”

Several panelists encouraged agencies to develop metrics that quantified the effectiveness of their regulations. Some even said that one regulator should manage all incident reporting for each sector.
