WASHINGTON — Federal cybersecurity regulations are creating significant compliance burdens across critical infrastructure sectors, often forcing organizations to devote resources to overlapping reporting requirements rather than strengthening defenses, according to a new report from the Government Accountability Office.
The GAO report summarizes feedback from a panel of industry representatives across seven sectors—including financial services, energy, healthcare and information technology—who said federal efforts to harmonize cybersecurity rules remain limited despite growing threats to digital infrastructure. America’s Credit Unions Director of Innovation and Technology Andrew Morris participated in the panel and provided the credit union perspective.
Participants said multiple regulatory frameworks often require similar cybersecurity controls and reporting but differ in small ways that create confusion and duplication. In some cases, companies must report the same cyber incident to multiple federal agencies under different timelines, definitions and submission formats.
One participant described the impact of these overlapping rules by noting, “We want to spend time responding to an incident instead of checking boxes complying with redundant reporting requirements.”
Industry representatives also said inconsistent reporting timelines can create operational challenges during cyber events. For example, some regulations require reporting within hours, while others allow longer timeframes, forcing organizations to gather detailed data for multiple agencies while still responding to an active threat.
Panelists said the cost and staffing demands of compliance can be particularly difficult for smaller organizations that lack dedicated cybersecurity or regulatory personnel. Larger organizations typically have more compliance resources but may face additional obligations across multiple jurisdictions, including foreign regulations.
Despite the challenges, participants said some federal initiatives have been helpful, including cybersecurity guidance and tools offered by the Cybersecurity and Infrastructure Security Agency and best-practice frameworks developed by the National Institute of Standards and Technology.
Industry representatives suggested several ways federal regulators could improve coordination, including standardizing terminology, consolidating cyber-incident reporting into a single portal, and giving the Office of the National Cyber Director greater authority to align regulatory requirements across agencies.
The GAO said harmonizing cybersecurity regulations could reduce duplication and allow organizations to focus more resources on defending critical systems rather than navigating conflicting compliance obligations.
