With the increased prevalence of cybersecurity in the public sector, cybersecurity programs have been designed and implemented to cover requirements of federal, state, and local governments. As well, cybersecurity and compliance programs have been created and enacted to protect critical information focused on specific industries or use cases, such as healthcare, credit card and financial transactions, and law enforcement. Additionally, as one would expect, other nations and regions have created and adopted cybersecurity and compliance regimes to address cyberthreats. These efforts are directed at addressing the same problem, but there is a lack of harmonization and reciprocity, even between U.S.-based government and industry requirements.

In an effort to address this issue, the Office of the National Cyber Director (ONCD) began exploring a framework for reciprocity baseline requirements with various stakeholder groups. As a part of this effort, ONCD posted a Request for Information (RFI) to gain feedback on cybersecurity initiatives. In June of 2024, ONCD published the findings of the RFI in the “Summary of the 2023 Cybersecurity Regulatory Harmonization Request for Information”, with the intent for ONCD to work with stakeholders to find ways to collectively achieve better cybersecurity outcomes across various domains. The stated aim of harmonization is to:

Strengthen cybersecurity readiness and resilience across all sectors
Simplify oversight and regulatory responsibilities of cyber regulators while enabling them to focus on areas of sector-specific expertise
Substantially reduce administrative burden and cost on regulated entities
Data from the RFI revealed that the proliferation of various cybersecurity regulations and compliance programs has led to “duplicative, conflicting, or unnecessary regulations that require commercial enterprises to devote resources to fulfilling technical compliance requirements without necessarily improving cybersecurity outcomes.”

Why is Regulatory Harmonization important?

Businesses, specifically cloud service providers, that engage with the U.S. Federal government are likely going to have to meet multiple security and compliance regimes. This is because there is (understandably) no one standard that covers Federal Civilian Executive Branch agencies and the Department of Defense. Having said that though, this requirement is compounded by the industry/domain specific requirements, particularly if the business in question has an international presence. To this end, harmonization and reciprocity will go a long way to easing the burden on commercial entities to continue to protect critical information. As well, harmonization and reciprocity will likely help to lower the barriers of entry for small businesses into multiple markets. Data received from ONCD through the issued RFI reenforces some of these points.

ONCD’s RFI report, referenced earlier, shared three key findings:

A lack of harmonization and reciprocity harms cybersecurity outcomes while increasing compliance costs through additional administrative burdens. This results in companies being forced to meet multiple compliance/security regimes that are intended to control the same risk, and are perhaps enforced differently. This imposes a cost that translates to significantly increased resource usage, roughly 30-50% per the document, with much of a company’s compliance team’s time being spent on managing various security and compliance programs.
Challenges with cybersecurity regulatory harmonization and reciprocity extend to business of all sectors and sizes, crossing jurisdictional boundaries. Industries have created cybersecurity and compliance programs that address specific-industry/domain needs, such as in healthcare and law enforcement, and much work has been done translating those industry-specific requirements into a commonly recognized standard. For example, the Cloud Security Alliance, through their Cloud Controls Matrix, has mapped various security and compliance regimes against each other and back to the National Institutes of Standards and Technology (NIST) published control catalog, the standard used in the U.S. Federal Government. However, there is no mandate for harmonization or reciprocity to these different frameworks.
The U.S. Government is positioned to act and address these challenges. Steps have already been taken by the U.S. Federal government to address reciprocity and harmonization, such as in President Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity, and “The National Cybersecurity Strategy Implementation Plan” published in July 2023, which states the intent to, “increase agency use of frameworks and standards to inform regulatory alignment”.
Use Case: StateRAMP and CJIS

In the absence of a formal government mandate for harmonization and reciprocity, there are efforts between states and the U.S. Federal Government to address this issue. Recently, StateRAMP announced the establishment of the StateRAMP CJIS-Aligned Task Force, a historic collaboration between the leading authority in cloud security standards for state and local governments and the Federal Bureau of Investigation’s Criminal Justice Information Services (CJIS). The goal of this collaboration is to develop an overlay to StateRAMP baseline controls that aligns seamlessly to CJIS requirements, ensuring robust security measures tailored to the unique needs of the criminal justice community.

“While there will be no official CJIS certification, the StateRAMP CJIS-aligned overlay represents a significant step forward in providing clear guidance on a product’s likelihood for CJIS conformity,” said Leah McGrath, Executive Director of StateRAMP, in the announcement. “Achieving a StateRAMP Authorization with the CJIS-aligned overlay will offer invaluable directional guidance, empowering agencies to make informed decisions about their cloud security solutions.”

Building upon the foundation laid by StateRAMP’s Standards and Technical Committee, this initiative marks a pivotal moment in furthering framework harmonization of cloud security practices tailored to the needs of state and local governments. Read the full details of this announcement here.

Improving Security Posture

Zscaler fully supports the work undertaken by the U.S. Government of its recognition that harmonization and reciprocity of cybersecurity regulations and requirements, to include collaborative efforts like the StateRAMP CJIS-Aligned Task Force. As one of the first cloud security companies to achieve FedRAMP JAB High and Moderate authorizations, Zscaler has long been a proponent of the regulatory frameworks that give agencies the assurances related to cybersecurity needed to choose partners in protecting critical data at all levels of government.

We have invested in achieving multiple frameworks so that we can support our government customers in meeting their requirements for mission success, compliance, and improved security posture. All stakeholders in the government sector will benefit from framework harmonization to meet the ultimate goal of reducing risk and safeguarding the confidentiality, integrity and availability of information.  

Use Case: StateRAMP and CJIS

In the absence of a formal government mandate for harmonization and reciprocity, there are efforts between states and the U.S. Federal Government to address this issue. Recently, StateRAMP announced the establishment of the StateRAMP CJIS-Aligned Task Force, a historic collaboration between the leading authority in cloud security standards for state and local governments and the Federal Bureau of Investigation’s Criminal Justice Information Services (CJIS). The goal of this collaboration is to develop an overlay to StateRAMP baseline controls that aligns seamlessly to CJIS requirements, ensuring robust security measures tailored to the unique needs of the criminal justice community.

“While there will be no official CJIS certification, the StateRAMP CJIS-aligned overlay represents a significant step forward in providing clear guidance on a product’s likelihood for CJIS conformity,” said Leah McGrath, Executive Director of StateRAMP, in the announcement. “Achieving a StateRAMP Authorization with the CJIS-aligned overlay will offer invaluable directional guidance, empowering agencies to make informed decisions about their cloud security solutions.” 

Building upon the foundation laid by StateRAMP’s Standards and Technical Committee, this initiative marks a pivotal moment in furthering framework harmonization of cloud security practices tailored to the needs of state and local governments. Read the full details of this announcement here.

 [[{“value”:”With the increased prevalence of cybersecurity in the public sector, cybersecurity programs have been designed and implemented to cover requirements of federal, state, and local governments. As well, cybersecurity and compliance programs have been created and enacted to protect critical information focused on specific industries or use cases, such as healthcare, credit card and financial transactions, and law enforcement. Additionally, as one would expect, other nations and regions have created and adopted cybersecurity and compliance regimes to address cyberthreats. These efforts are directed at addressing the same problem, but there is a lack of harmonization and reciprocity, even between U.S.-based government and industry requirements.

In an effort to address this issue, the Office of the National Cyber Director (ONCD) began exploring a framework for reciprocity baseline requirements with various stakeholder groups. As a part of this effort, ONCD posted a Request for Information (RFI) to gain feedback on cybersecurity initiatives. In June of 2024, ONCD published the findings of the RFI in the “Summary of the 2023 Cybersecurity Regulatory Harmonization Request for Information”, with the intent for ONCD to work with stakeholders to find ways to collectively achieve better cybersecurity outcomes across various domains. The stated aim of harmonization is to:

Strengthen cybersecurity readiness and resilience across all sectors
Simplify oversight and regulatory responsibilities of cyber regulators while enabling them to focus on areas of sector-specific expertise
Substantially reduce administrative burden and cost on regulated entities
Data from the RFI revealed that the proliferation of various cybersecurity regulations and compliance programs has led to “duplicative, conflicting, or unnecessary regulations that require commercial enterprises to devote resources to fulfilling technical compliance requirements without necessarily improving cybersecurity outcomes.”

Why is Regulatory Harmonization important?

Businesses, specifically cloud service providers, that engage with the U.S. Federal government are likely going to have to meet multiple security and compliance regimes. This is because there is (understandably) no one standard that covers Federal Civilian Executive Branch agencies and the Department of Defense. Having said that though, this requirement is compounded by the industry/domain specific requirements, particularly if the business in question has an international presence. To this end, harmonization and reciprocity will go a long way to easing the burden on commercial entities to continue to protect critical information. As well, harmonization and reciprocity will likely help to lower the barriers of entry for small businesses into multiple markets. Data received from ONCD through the issued RFI reenforces some of these points.

ONCD’s RFI report, referenced earlier, shared three key findings:

A lack of harmonization and reciprocity harms cybersecurity outcomes while increasing compliance costs through additional administrative burdens. This results in companies being forced to meet multiple compliance/security regimes that are intended to control the same risk, and are perhaps enforced differently. This imposes a cost that translates to significantly increased resource usage, roughly 30-50% per the document, with much of a company’s compliance team’s time being spent on managing various security and compliance programs.
Challenges with cybersecurity regulatory harmonization and reciprocity extend to business of all sectors and sizes, crossing jurisdictional boundaries. Industries have created cybersecurity and compliance programs that address specific-industry/domain needs, such as in healthcare and law enforcement, and much work has been done translating those industry-specific requirements into a commonly recognized standard. For example, the Cloud Security Alliance, through their Cloud Controls Matrix, has mapped various security and compliance regimes against each other and back to the National Institutes of Standards and Technology (NIST) published control catalog, the standard used in the U.S. Federal Government. However, there is no mandate for harmonization or reciprocity to these different frameworks.
The U.S. Government is positioned to act and address these challenges. Steps have already been taken by the U.S. Federal government to address reciprocity and harmonization, such as in President Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity, and “The National Cybersecurity Strategy Implementation Plan” published in July 2023, which states the intent to, “increase agency use of frameworks and standards to inform regulatory alignment”.
Use Case: StateRAMP and CJIS

In the absence of a formal government mandate for harmonization and reciprocity, there are efforts between states and the U.S. Federal Government to address this issue. Recently, StateRAMP announced the establishment of the StateRAMP CJIS-Aligned Task Force, a historic collaboration between the leading authority in cloud security standards for state and local governments and the Federal Bureau of Investigation’s Criminal Justice Information Services (CJIS). The goal of this collaboration is to develop an overlay to StateRAMP baseline controls that aligns seamlessly to CJIS requirements, ensuring robust security measures tailored to the unique needs of the criminal justice community.

“While there will be no official CJIS certification, the StateRAMP CJIS-aligned overlay represents a significant step forward in providing clear guidance on a product’s likelihood for CJIS conformity,” said Leah McGrath, Executive Director of StateRAMP, in the announcement. “Achieving a StateRAMP Authorization with the CJIS-aligned overlay will offer invaluable directional guidance, empowering agencies to make informed decisions about their cloud security solutions.”

Building upon the foundation laid by StateRAMP’s Standards and Technical Committee, this initiative marks a pivotal moment in furthering framework harmonization of cloud security practices tailored to the needs of state and local governments. Read the full details of this announcement here.

Improving Security Posture

Zscaler fully supports the work undertaken by the U.S. Government of its recognition that harmonization and reciprocity of cybersecurity regulations and requirements, to include collaborative efforts like the StateRAMP CJIS-Aligned Task Force. As one of the first cloud security companies to achieve FedRAMP JAB High and Moderate authorizations, Zscaler has long been a proponent of the regulatory frameworks that give agencies the assurances related to cybersecurity needed to choose partners in protecting critical data at all levels of government.

We have invested in achieving multiple frameworks so that we can support our government customers in meeting their requirements for mission success, compliance, and improved security posture. All stakeholders in the government sector will benefit from framework harmonization to meet the ultimate goal of reducing risk and safeguarding the confidentiality, integrity and availability of information.”}]]