
Welcome to the Cyber Harmonization Cafe: a BSA proposal to streamline cyber regulation

BPCM Abogados, December 18, 2025, 6 min read

With the imminent publication of the new US National Cybersecurity Strategy, BSA | The Software Alliance presents a concrete opportunity: that the federal government move forward with regulatory harmonization through a 'single menu' of cybersecurity requirements applicable to all agencies.

The diagnosis is clear: cybersecurity regulations should make us safer, but in practice dozens of regulators across all sectors have promulgated their own rules without coordinating with each other, creating a maze that confuses companies, drains resources and, paradoxically, weakens security.

Financial regulators have one set of rules, healthcare regulators another, transport regulators yet another, each with different definitions, deadlines and compliance requirements. At the US federal level alone there are 52 different cyber incident notification rules, and agencies such as the FTC, HHS, SEC and TSA define 'cyber governance' in incompatible ways. In BSA's words: there are too many regulatory cooks in the cyber kitchen.

The result is a market that under-invests in security engineering and innovation and over-invests in compliance lawyers and box-ticking. That configuration: (i) generates governmental inefficiency by duplicating efforts; (ii) degrades cybersecurity because agencies cannot compare reports or share intelligence; and (iii) hits SMBs particularly hard, as they cannot understand or comply with contradictory obligations.

Welcome to the Cyber Harmonization Cafe. The proposal is to stop asking each regulator to be its own chef and reposition them as 'diners' at the same cafe: coordination between the Office of the National Cyber Director (ONCD) and the Office of Management and Budget (OMB) defining a single government-wide menu of requirements from which each agency can choose. Sectoral flexibility is preserved, but ordering 'off the menu' is no longer allowed.

How the menu is built, according to BSA: (1) map current regulatory requirements against subcategories of the NIST Cybersecurity Framework; (2) have NIST evaluate those maps and have OMB consolidate them into a public map showing overlaps, conflicts and gaps; (3) open an ONCD/OMB rulemaking process to decide which requirements to keep, update or eliminate; (4) have OMB issue a memo requiring each regulator to align its rules with the menu; (5) sustain harmonization through a public process to propose additions, removals and changes to the menu.

The article's closing is forceful: the current regulatory environment is not inevitable. It was built by letting each regulator act without looking at the rest. The Administration, via the new National Cyber Strategy, can dismantle it. A unified Cyber Harmonization Cafe would make government more efficient, companies more competitive, and citizens safer.

BPCM view. Although the debate takes place in Washington, the logic fully applies to the region. In Argentina and Latin America we are also beginning to coexist with cybersecurity regulation fragmented across the financial regulator, the data protection authority, the telecommunications authority, specific regulated sectors, and customs and criminal regulation. The idea of a 'single menu', anchored in a recognized technical framework, is a good trigger for thinking about how to design cyber regulation that adds real security, not just paperwork.

Source: Henry Young, 'Welcome to the Cyber Harmonization Cafe', BSA TechPost, 12/18/2025 — techpost.bsa.org
