GAO shares industry perspectives on cybersecurity regulation

(Glenn Carstens Peters / Unsplash)

By GAO

Federal agencies have issued a variety of regulations to help protect the nation’s critical infrastructure. However, these can result in conflicting guidance, inconsistencies and redundancies. Harmonization refers to the development and adoption of consistent standards and regulations. Such consistency is important when critical infrastructure sectors are subject to multiple cybersecurity regulations so that these requirements will not overlap, duplicate, or contradict each other. Because the private sector owns most of the nation’s critical infrastructure, it is vital that the public and private sectors work together to protect these assets and systems. To this end, various federal agencies are responsible for assisting the private sector in protecting critical infrastructure, including enhancing cybersecurity.

GAO has long identified cybersecurity as a government-wide high-risk area. In May 2020, it identified adverse impacts that varying cybersecurity requirements issued by selected federal agencies and related compliance assessments had on state government agencies. Of the 12 recommendations GAO made to improve coordination in this area, agencies have implemented 11 and partially addressed the remaining recommendation. In June 2024, GAO testified on the efforts initiated to harmonize cybersecurity regulations and the adverse impacts that can occur without such harmonization.

GAO convened a panel discussion to gather industry perspectives on the harmonization of cybersecurity regulations. Specifically, participants noted that the Cybersecurity and Infrastructure Security Agency’s effort to provide free guidance, cybersecurity tools and risk assessments has been helpful. They also said that selected federal agencies have adopted other federal assessment tools to help provide cybersecurity evaluations. However, participants identified negative impacts that their industries experience with multiple and overlapping cybersecurity regulations and how these can result in redundant work and conflicts. 

Read more at Government Accountability Office
