Federal Cybersecurity Regs Often Overlap, Are Inconsistent and Burdensome, Says GAO Report

WASHINGTON — Federal cybersecurity regulations affecting critical infrastructure are often overlapping, inconsistent and burdensome for companies, and the federal government has made only limited progress in coordinating the rules, according to a report released by the Government Accountability Office.

The report summarizes the views of seven industry representatives from sectors including financial services, energy, communications, healthcare, information technology, transportation and water systems who participated in a GAO panel discussion in September 2025. 

Panelists said federal cybersecurity rules can provide some benefits, such as guidance, tools and assessments offered by agencies like the Cybersecurity and Infrastructure Security Agency and frameworks developed by the National Institute of Standards and Technology. In the financial sector, for example, one participant cited cybersecurity assessment tools developed by the National Credit Union Administration that help institutions evaluate risks, GAO reported.

Impact is ‘Largely Negative’

However, most participants said the impact of the regulations is largely negative because organizations must comply with multiple overlapping regulatory frameworks issued by different federal agencies. Those requirements often contain slightly different definitions, reporting timelines and technical requirements, forcing companies to duplicate compliance efforts. 

Industry representatives also said incident-reporting rules can be inconsistent and burdensome, with varying deadlines and data requirements across agencies. Some participants said complying with multiple reporting mandates diverts time and resources away from responding to cyber incidents or strengthening security systems. 

Cost and staffing challenges were also cited. Smaller organizations, in particular, often lack the personnel and technical expertise needed to manage complex compliance requirements, while larger firms may face additional foreign regulatory obligations that add to costs, GAO said.

‘Significant Work Remains’

The GAO said several federal initiatives have sought to improve coordination, including the Cyber Incident Reporting for Critical Infrastructure Act of 2022 and the White House’s national cybersecurity strategy. Still, panelists said progress toward harmonizing regulations has been limited and significant work remains. 

According to the GAO report, industry participants suggested several potential improvements, including creating standardized definitions and terminology, consolidating cyber-incident reporting into a single mechanism, establishing metrics to evaluate regulatory effectiveness, and giving the Office of the National Cyber Director a clearer mandate to align regulations across agencies. 

The GAO said it conducted the study between August 2025 and March 2026 as part of an ongoing series examining industry perspectives on federal cybersecurity regulatory harmonization.
