HITRUST Responds to RFI on Cybersecurity Regulation Harmonization

November 03, 2023 - HITRUST issued a response to the White House’s request for information (RFI) on the harmonization of cybersecurity regulations, suggesting that regulation alone is not a fix to the ongoing cyber challenges that critical infrastructure entities face.

Rather, HITRUST recommended a shift away from further regulations in favor of a renewed focus on accountability and reciprocity within existing standards. Additionally, HITRUST emphasized the importance of reliable cybersecurity assessments and assurances.

The initial RFI, issued in July 2023, posed questions to stakeholders surrounding opportunities for and challenges to harmonizing cybersecurity regulations. Specifically, the Office of the National Cyber Director (ONCD) sought comments from leaders regarding challenges with regulatory overlap, and on a potential framework for reciprocity, or the recognition by one regulatory agency of another agency’s assessment.

The ONCD posed questions about conflicting or inconsistent regulations, the use of existing frameworks, and how various sectors leverage third-party frameworks to map cybersecurity controls to cybersecurity outcomes.

As a cybersecurity and data privacy standards organization that maintains its own framework, HITRUST was well-equipped to respond to the RFI. HITRUST’s response stressed the importance of harmonizing cybersecurity regulations, but posited that the government’s approach to doing so “should require the minimum necessary while providing maximum flexibility.”

“HITRUST suggests that additional federal and potentially state regulation that would mandate more cybersecurity requirements be minimized and instead encourage the spirit of harmonization and a focus on reciprocity and accountability not only across existing regulations supporting different industries but with private sector assurance systems that can provably and transparently deliver high-quality and reliable outcomes,” said Robert E. Booker, chief strategy officer at HITRUST.

"Such a partnership and approach will improve cybersecurity for our nation through the uptake of public standards across multiple industries, leverage of existing private sector investments to harmonize and unify those standards, and the acceptance of constantly updated, reliable, and transparent assurance mechanisms that guide and demonstrate effective cybersecurity.”

HITRUST also emphasized the importance of recognizing that different sectors have different cybersecurity needs. Industry-specific threats will require unique responses, and regulations that fail to recognize this may cause more harm than good.

A solid approach to mandatory or voluntary standards, HITRUST suggested, is one that provides more than a “check the box” model for compliance and has prescriptive policy and implementation expectations.

What’s more, HITRUST recommended that any future regulation take private sector certification programs into account and focus on actionable and consistent outcomes.

“HITRUST respectfully suggests a focus that addresses how existing frameworks and regulations are embraced and measured to achieve provable, and reliable, cybersecurity outcomes with robust reciprocity based on demonstrated transparency and integrity of results,” Booker added.

“We believe such an approach will yield great benefits in improving cybersecurity outcomes, is aligned with the focus of the Office of the National Cyber Director, is efficient to implement by building on existing standards, regulations and capabilities from both the private and public sector, and will ultimately benefit the whole of government and our nation in the most efficient manner possible.”