Transcripts For CSPAN3 Hearing 20240627 : vimarsana.com

CSPAN3 Hearing June 27, 2024

Sen. Peters: The committee will come to order. Cybersecurity remains one of the greatest challenges facing our nation. As we become more reliant on technology and digital infrastructure, the threat of cyber attacks has dramatically increased. Every day our citizens, our critical infrastructure operators, and our federal, state and local governments have to defend against hundreds of thousands of potential cyber attacks. These come from criminals who take advantage of our vulnerable people, foreign actors who threaten our critical infrastructure, and hackers who try to destabilize American businesses. Cyber attacks are more coordinated and more dangerous than ever. In response to this threat, American regulators have begun to set new standards for cybersecurity and digital safety. They have moved quickly in that work. In the last four years alone, federal regulators have passed 48 rules on cybersecurity, more than 10 per year, and that doesn't include new policies at the state as well as the local level. The surge of regulations comes from a good place. It represents our government's response to a new and growing threat, and it has helped give American businesses some important guidance on how to keep safe from these cyber threats. The challenge is that even though all aspects of our society are vulnerable to cyber attacks, from electric grids to water systems to gas pipelines, no one, no one is coordinating this effort. This is a patchwork of new guidelines set by separate agencies. Regulators are working to respond to the unique challenges that their sectors certainly face, and they often are not looking at the bigger picture of how all of these different rules interact with each other. And without that higher level of coordination there's no way to ensure these guidelines don't overlap, duplicate or quite simply contradict each other. The results are often confusing and inefficient.
Businesses are scrambling to follow a web of new standards, ones that can change quickly with new technological innovations. Airlines have to adhere to three different regulators on cybersecurity. Railroads have six. A bank could have 16 different oversight bodies, all of whom are passing their own standards and expecting those standards to be followed. This is not necessarily a case where more is better. We must be smart in these regulations to ensure a higher level of cybersecurity. In short, businesses and their employees are spending too many resources trying to understand these new guidelines. Companies are taking their cybersecurity professionals off the line to fill out paperwork, leaving their defenses undermanned and, as a result, vulnerable. We need effective regulations on cybersecurity. No question about that. But we need them to be efficient, adaptable and coordinated all across different agencies. Harmonizing these guidelines will make our government more efficient, help businesses compete on the global stage and ensure that we're addressing cybersecurity threats in the most effective way. And that's why I'm working on legislation to establish a harmonization committee at ONCD that would require all agencies and regulators to come together, talk about cybersecurity regulations and work on harmonization. Passing legislation is the only solution. We have to bring independent agencies together and start harmonizing this effort. Only Congress has the ability to do so. If we fail at this mission we won't be able to build the most effective response to cyber threats. It is the practice of this committee to swear in witnesses. If you'd each stand and raise your right hand. Do you swear that the testimony you give before this committee will be the truth, the whole truth and nothing but the truth, so help you God?

Witnesses: I do. So help you God.
Sen. Peters: Our first witness is the Assistant National Cyber Director for Cyber Policy and Programs. He previously served as ONCD's deputy chief of staff. Prior to that he spent more than a decade on the staff of Congressman Jim R. Langevin, principal author of the National Cybersecurity Act. You're recognized for your opening comments.

Nicolas: Good morning, Chairman Peters and distinguished members of the committee. Thank you for the opportunity to testify before you today. Today's hearing is about a complex topic: how to set baseline cybersecurity requirements across infrastructure in a harmonized manner. Despite the complexities, our value proposition is simple. In a harmonized environment we'll see better outcomes as we reduce the dollars going into regulatory compliance. Pursuant to the National Cybersecurity Strategy Implementation Plan, the Office of the National Cyber Director, ONCD, released a request for information about regulatory harmonization and reciprocity. ONCD received 86 unique responses to the RFI, covering 11 of 16 critical infrastructure sectors. In all, the respondents represent over 15,000 businesses, states and other organizations. We have analyzed the responses, and yesterday we released our summary of the more than 2,000 pages of comments we received. There are three key findings. First, the lack of harmonization and reciprocity harms cybersecurity outcomes while increasing compliance costs. Second, challenges with harmonization affect businesses of all sectors and all sizes and cross jurisdictional boundaries. Third, the United States government is positioned to act to address these challenges. Let me share some of what we heard. The Business Roundtable, a group of CEOs whose companies support one in four American jobs, noted that, quote, duplicative, conflicting or unnecessary regulations require companies to devote more resources to fulfilling technical compliance requirements without improving cybersecurity outcomes, close quote.
The National Defense Industrial Association, whose more than 65,000 corporate and individual members comprise much of our defense industrial base, wrote, quote, inconsistencies also pose barriers to entry, especially for small and mid-sized businesses that often have limited resources, close quote. In some cases, respondents noted that chief information security officers were spending 30 to 50 percent of their time not on security but on compliance activities. ONCD leads national cyber policy and strategy. In alignment with our mission, both the National Cybersecurity Strategy and the recent National Security Memorandum on Critical Infrastructure assign ONCD the lead on harmonizing regulation across the government. Improving federal coherence in partnership with interagency and private stakeholders is at the core of our mission. Based on feedback from the RFI, ONCD has begun to build a pilot reciprocity framework. We expect this to give us insight into how best to achieve reciprocity when designing a cybersecurity regulatory approach from the ground up. However, our vision cannot be fully achieved without help from Congress. As the United States Chamber of Commerce noted in its filing, quote, a significant challenge to U.S. regulatory harmonization efforts are independent regulatory agencies, close quote. Further, quote, the U.S. Chamber urges Congress to produce legislation to address this challenge, close quote. The administration supports Chairman Peters' bill, consistent with reports previously provided to the committee, that would allow ONCD to better carry out our mission by bringing these agencies together in a policymaking process. This would act as a catalyst to develop a cross-sector framework for harmonization and reciprocity. Such a framework is foundational and would do three things. First, strengthen cybersecurity readiness and resilience across all sectors.
Second, simplify the responsibilities of cyber regulators, which will enable them to focus on their areas of expertise. And finally, substantially reduce the administrative burden and cost on regulated entities. Mr. Chairman, members of the committee, in closing, regulatory harmonization is a hard problem. It is a problem that has existed for decades, and the trend line is generally heading toward more fragmentation, not more harmonization. It's a problem that requires leadership from ONCD and Congress, informed by the private sector. We have the opportunity to set the stage for a more harmonized future, and I hope we'll do so together. Thank you for the opportunity to testify today. I look forward to your questions.

Sen. Peters: Thank you. Our next witness is David Hinchman, Director of Cybersecurity at the U.S. Government Accountability Office. In that role he oversees audits on critical infrastructure, the IT and cybersecurity workforce, cloud computing and the IT modernization effort at the IRS. Prior to joining GAO in 2002, he worked as a business consultant for several private sector firms and served as a surface warfare officer in the United States Navy. You are recognized for your opening remarks.

David: Thank you, Chairman Peters, members of the committee. Thank you for inviting GAO to discuss our work on the federal government's efforts to harmonize cybersecurity regulations. Our nation increasingly depends on computer-based information systems and data to execute fundamental operations and process and maintain crucial information. Cyber-based intrusions and attacks on federal and non-federal systems are becoming more common and more disruptive. These attacks threaten the continuity, confidentiality and integrity of these systems, including those that support our nation's critical infrastructure. Never has there been a greater need to ensure that these vital systems have the appropriate direction and guidance needed to ensure their security.
Because the private sector owns the majority of this infrastructure, it's crucial that the public and private sectors work together to protect these assets and systems. However, when critical infrastructure sectors are subject to multiple regulations that grow and evolve in a decentralized manner, this can result in redundant or conflicting requirements. In recent years, interest in harmonizing these has gained momentum. I want to summarize our work in this area and share ongoing efforts. Legislation sponsored by this committee, the 2022 Cyber Incident Reporting for Critical Infrastructure Act, addressed the need for cyber incident reporting, in addition to incident reporting requirements that are deconflicted and harmonized. The administration addressed harmonization in the 2023 National Cybersecurity Strategy. The administration also addressed this important issue in a request for information published by the Office of the National Cyber Director, ONCD, the organization that leads the administration's harmonization efforts. It sought public comments on opportunities for and obstacles to harmonizing cyber regulation. Further, the April 2024 National Security Memorandum called for an approach to harmonizing cyber regulations as part of a national plan for infrastructure risk management. Taken together, these congressional actions provide an important starting point for the harmonization effort. However, GAO's past work and ongoing observations offer notes on the challenges faced in this journey. In February 2024, in a report, we found that ONCD's National Cybersecurity Strategy did not define performance measures. We have found that well-defined performance measures allow for more accurate assessment of the extent to which initiatives, such as those found in the National Cyber Strategy, are achieving their stated objectives.
Without identifying the appropriate outcome-oriented performance measures, ONCD may be limited in its ability to determine the effectiveness of the national strategy in meeting its goals of better securing cyberspace and the nation's critical infrastructure. Further, a 2023 DHS report, required by Congress, found cyber incident reporting requirements across our nation's critical infrastructures. Among those, we found substantive differences such as varying definitions, differing reporting timelines and other mechanisms. Notably, the report only looked at one aspect of cyber regulations and still found 45 applicable requirements. This serves as a stark reminder of how many regulations likely exist in the broader realm of general infrastructure cybersecurity and how much work will be required to harmonize these numerous requirements once they're identified. In summary, given the increasing need for harmonized cyber regulations, it will be important for stakeholders in this vital process, representing the legislative and executive branches, to continue to work toward a common goal. It will also be crucial to develop goals for this process based on both realistic time frames as well as measurable performance. This whole-of-government effort will require two things: one, a continued focus to ensure the performance goals are well defined and outcome-oriented, and two, that the appropriate groundwork is laid to fully understand the universe of regulations to be harmonized. By taking these actions we can better position our nation's critical infrastructure to successfully defend itself against the growing and ever-present cybersecurity threat. Mr. Chairman, this concludes my statement. Thank you.

Sen. Peters: Thank you. As both of you mentioned in your opening comments, and I mentioned in mine, we know regulations are used by federal agencies in multiple ways. I mentioned in my opening about making sure we have clean water to drink.
Protecting investors from predatory practices, and the list goes on. Cybersecurity regulations have received a greater amount of attention given the growing threat of cyber attacks, which is not going down and, one could argue, is going up, on our critical infrastructure and federal IT systems, which are a particular target. Why do cybersecurity regulations lend themselves generally to be a good candidate for harmonization across these agencies? We need to do harmonization in a lot of fields, but why cybersecurity in particular?

Nicolas: The reason we're particularly interested in looking at baseline cybersecurity requirements across critical infrastructure sectors is that the information and communications technology that's used, whether you're in a bank, a nuclear power plant or a water treatment facility, is largely the same, and the first thing that adversaries are trying to do when they get access, whether they are trying to steal money, drop ransomware or potentially affect our ability to mobilize militarily, the first thing they're going after is these enterprise IT systems. And for that reason, because the enterprise IT systems are common across sectors, we really feel strongly that having a harmonized approach with reciprocity acros