
GAO Report on Cybersecurity Regulation Harmonization

GAO Reports & Testimonies
Published March 5th, 2026
Detected March 6th, 2026

Summary

The GAO has released a report highlighting industry perspectives on the challenges and opportunities in harmonizing federal cybersecurity regulations for critical infrastructure. The report identifies redundancies and conflicts arising from overlapping regulations, impacting private sector entities responsible for essential services.

What changed

This GAO report, GAO-26-108685, examines the perspectives of industry representatives regarding the harmonization of federal cybersecurity regulations impacting critical infrastructure. The report details how multiple, overlapping, and sometimes conflicting regulations from various federal agencies create redundant work and inefficiencies for private sector entities that own and operate most of the nation's critical infrastructure, such as electricity grids and transportation networks.

The findings suggest a need for greater consistency in cybersecurity requirements to reduce the burden on regulated industries. While acknowledging efforts by agencies like CISA, the report underscores the negative impacts of unharmonized regulations. Compliance officers should review this report to understand the ongoing challenges in regulatory compliance for critical infrastructure cybersecurity and to inform potential advocacy or internal policy adjustments. The report reiterates the GAO's call for a national cybersecurity strategy to address these systemic issues.

What to do next

  1. Review GAO report GAO-26-108685 for insights into cybersecurity regulation harmonization challenges.
  2. Assess internal compliance processes for potential redundancies or conflicts arising from overlapping federal cybersecurity regulations.
  3. Consider industry feedback on regulatory harmonization in discussions with relevant government agencies.

Source document (simplified)

GAO-26-108685 Published: Mar 05, 2026. Publicly Released: Mar 05, 2026.

Fast Facts

Cyber-based attacks are becoming more common and disruptive. They threaten essential critical infrastructure systems, such as electricity grids and transportation networks. Much of the infrastructure is privately owned, but federal agencies have established a variety of regulations to help protect it from cyber threats.

This is the second report from our discussions with industry representatives about federal efforts to use more consistent cybersecurity regulations. In this report, some participants noted redundant work because of overlapping regulations.

Our High Risk list recently reiterated our call for a national cybersecurity strategy.


Highlights

What GAO Found

Our nation depends on computer-based information systems and electronic data to execute fundamental operations and to process, maintain, and report crucial information. Nearly all federal and nonfederal operations, including the nation’s critical infrastructures, are supported by these systems and data. The 16 critical infrastructure sectors provide essential services—such as electricity distribution, transportation, and health care—that underpin American society (see figure). The safety of these systems and data is critical to public confidence and the nation’s security, economy, and welfare.

Figure: The 16 Critical Infrastructure Sectors

Federal agencies have issued a variety of regulations to help protect the nation’s critical infrastructure. However, these can result in conflicting guidance, inconsistencies, and redundancies. Harmonization refers to the development and adoption of consistent standards and regulations. Such consistency is important when critical infrastructure sectors are subject to multiple cybersecurity regulations so that these requirements will not overlap, duplicate, or contradict each other. Because the private sector owns most of the nation’s critical infrastructure, it is vital that the public and private sectors work together to protect these assets and systems. To this end, various federal agencies are responsible for assisting the private sector in protecting critical infrastructure, including enhancing cybersecurity.

GAO has long identified cybersecurity as a government-wide high-risk area. In May 2020, we identified adverse impacts that varying cybersecurity requirements issued by selected federal agencies and related compliance assessments had on state government agencies. Of the 12 recommendations we made to improve coordination in this area, agencies have implemented 11 and partially addressed the remaining recommendation. In June 2024, GAO testified on the efforts initiated to harmonize cybersecurity regulations and the adverse impacts that can occur without such harmonization.

GAO convened a panel discussion to gather industry perspectives on the harmonization of cybersecurity regulations. Specifically, participants noted that the Cybersecurity and Infrastructure Security Agency’s effort to provide free guidance, cybersecurity tools, and risk assessments has been helpful. They also said that selected federal agencies have adopted other federal assessment tools to help provide cybersecurity evaluations.

However, participants identified negative impacts that their industries experience with multiple and overlapping cybersecurity regulations and how these can result in redundant work and conflicts. These include:

  • Regulation overlap. Sectors are often subject to multiple regulatory frameworks that can result in potentially burdensome and duplicative cybersecurity requirements.
  • Definitions and requirements. Different federal frameworks have similar controls and reporting requirements but have small differences within regulations that create overlap and confusion.
  • Incident reporting requirements. Differences in the amount of detail, time frames, and thresholds required by agencies for reporting cyber incidents make it difficult and technically burdensome to collect and meet reporting requirements with short time frames.

Participants noted that progress in harmonizing federal cybersecurity regulations has been made, such as federal agencies providing cybersecurity guidance; however, several participants agreed that this progress was limited.

Industry participants discussed challenges federal agencies face in harmonizing cybersecurity regulations. Specifically, they noted that agency reporting requirements can compete with industry priorities.

However, many opportunities for harmonizing federal cybersecurity regulations were identified. For example, in the near-term, participants identified opportunities to harmonize existing regulations by renewing or revising existing legislation such as the Cybersecurity Information Sharing Act of 2015. They also noted that an expected regulation on cyber incident reporting could help streamline various other regulations. Further, participants stated that long-term opportunities include establishing a federal working group and metrics for regulatory effectiveness, focusing on deconflicting existing regulations, standardizing terminology, and making shared cybersecurity information confidential.

Why GAO Did This Study

GAO was asked to gather perspectives of industry participants on the progress that federal agencies are making to harmonize cybersecurity regulations. This report summarizes the perspectives that selected industry participants shared on the impact of federal cybersecurity regulations and federal agencies’ progress, challenges, and opportunities in harmonizing them.

GAO convened a panel discussion on September 17, 2025. The panel included seven representatives from different industry organizations across multiple critical infrastructure sectors. The representatives included directors of information technology and cybersecurity, chief information officers, and general counsel and regulatory affairs specialists.

For more information, contact David (Dave) Hinchman at HinchmanD@gao.gov.

Full Report

Full Report (15 pages)

GAO Contacts

David (Dave) Hinchman, Director, Information Technology and Cybersecurity, HinchmanD@gao.gov

Media Inquiries

Sarah Kaczmarek, Managing Director, Office of Public Affairs, media@gao.gov


Topics

Information Technology, Cybersecurity, Critical infrastructure, Reporting requirements, Federal agencies, Compliance oversight, Information technology, Health care standards, Critical infrastructure protection, Public health, High-risk issues

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: Various Federal Agencies
Published: March 5th, 2026
Instrument: Notice
Legal weight: Non-binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Energy companies, Transportation companies, Healthcare providers, Government agencies
Geographic scope: National (US)

Taxonomy

Primary area: Cybersecurity
Operational domain: Compliance
Topics: Critical Infrastructure, Regulatory Harmonization
