Cybersecurity regulations for many companies can be redundant, inconsistent, and, at times, contradictory. Organizations scramble to comply with multiple requirements, investing vast amounts of effort and increasing the financial cost of operating their cybersecurity program. Recognizing this, the White House Office of the National Cyber Director (ONCD) aims to “harmonize not only regulations and rules, but also assessments and audits of regulated entities.” This goal, when achieved, will empower organizations and their regulators with needed clarity on how they should achieve and demonstrate cybersecurity outcomes.
ONCD aims to understand the challenges and identify opportunities to reduce the barriers to cyber regulatory harmonization. It seeks to understand existing challenges with regulatory overlap and explore a framework for reciprocity.
Harmonization has always been fundamental to HITRUST and its mission. Since its inception in 2007, HITRUST has worked closely with leaders from the privacy, information security, and risk management fields. HITRUST submitted its response to the ONCD based on its experience and expertise.
Here are quick takeaways from HITRUST’s response.
Consistent cybersecurity outcomes require evaluation.
Securing critical infrastructure is crucial in progressing toward cybersecurity goals. There are existing standards and regulations to support this, and additional ones may not necessarily be needed. However, there is a lot of inconsistency. Measuring results and evaluating them will help achieve consistency. HITRUST encourages true harmonization with a focus on accountability and reciprocity.
Best practices should align with reliable assurances.
Organizations perceived to have robust cybersecurity programs get breached. This makes it even more important to have trustworthy assurances that adequately assess the organization’s preparedness. Cybersecurity assurance demonstrates the depth and breadth of controls. It ensures efficient risk management, compliance, and protection against potential threats. Reliable assessments also ensure that controls are implemented correctly and monitored constantly to operate as expected in an ever-changing threat environment. HITRUST recommends upcoming regulations to mandate the use and acceptance of reliable security certifications and assurances.
Reciprocity is critical.
HITRUST believes public and private partnerships foster cybersecurity. Standards set by the public sector keep industries in check. Investments by the private sector support the unification of the standards. As more industries accept reliable assurance mechanisms, more organizations are encouraged to adopt them and boost cybersecurity improvements.
Third-party assessors must be accredited.
Third-party assessors offer scalability. However, they add value only if they operate within an accredited system. Such a system ensures that assessors are qualified, trained, and have the expertise to perform an assessment. Additionally, assessors offer validated and consistent results across different industries and parameters.
Cybersecurity assurances must be reliable.
Only reliable reports can be good for cybersecurity reliance. For cybersecurity assurances to be trustworthy, they need to possess the following qualities.
- Transparency: Are the assessment approach and scoring model open and transparent for all? Can a recipient understand the methodology for the selection and evaluation of controls?
- Consistency: Is the assessment result consistent for an organization, irrespective of the third-party assessor they use?
- Accuracy: Does the assessment approach accurately evaluate the implemented controls? What mechanisms are in place to ensure that?
- Integrity: Did the assessor conduct the assessment faithfully? What is the process to verify that?
- Scalability: Is the approach appropriate for the type and size of the assessed organization?
HITRUST has more than 15 years of experience harmonizing standards, creating a cybersecurity assurance program, and reviewing tens of thousands of assessments. HITRUST believes that an approach to cyber regulatory harmonization must include minimum standards and maximum flexibility. HITRUST promotes the adoption and acceptance of robust assurances using recognized standards and frameworks, proven assurances from public and private sectors, and reciprocity with reliable third-party approaches, including assessment, certification, and reporting.