The Honorable Russell T. Vought
Director, Office of Management and Budget
Executive Office of the President
1650 Pennsylvania Avenue, NW
Washington, DC 20503
April 8, 2025
Dear Director Vought,
Adversaries launch cyberattacks against our government and industry systems thousands of times daily. These attacks put operational continuity of critical infrastructure at risk, and result in economic losses that, to date, amount to trillions of dollars, which ultimately threatens our national and economic security.
As we attempt to defend ourselves against these attacks, we find our efforts undercut by a convoluted and contradictory regulatory environment. Defenders are subject to a complex system of overlapping regulatory regimes at the federal level, in the states, and internationally. These regimes target the same underlying technologies but are often inconsistent, contradictory, or enforced differently. This siphons resources away from bolstering security outcomes and redirects them towards compliance, auditing, and duplicative requirements. Consequently, end users pay more, while cybersecurity outcomes suffer. Some estimates suggest that about 40-70% of our scarce cybersecurity resources are being diverted by duplicative regulations [1, 2].
Given the urgency of the nation’s need to maximize scarce cybersecurity resources against constant sophisticated and nation-state attacks, and the OMB’s unique ability to quickly and effectively eliminate duplicative regulatory process in service of our national security, we are writing to ask that you use the OMB’s authority to eliminate the waste generated by duplicative cybersecurity regulations.
With this in mind, we are writing to ask that you use the OMB’s authority to eliminate the waste generated by duplicative cybersecurity regulations. Doing so will immediately strengthen our national defense against nation-state and criminal cyber-attacks.
Specifically, we recommend that OMB instruct all regulatory agencies to use the best available technology to systematically identify all redundant cyber regulations across federal agencies within 180 days. Wherever duplications are identified, OMB should identify which ones to keep in place and direct appropriate regulators to work with industry stakeholders to eliminate the duplicative regulations within 180 days, after which the streamlined regulations would effectively and efficiently maintain essential oversight while eliminating waste.
Eliminating duplication in our cyber regulations is one of the fastest, most cost-effective ways to materially improve our nation’s cybersecurity at the operational level. We urgently seek your support in quickly addressing this issue and defending our nation’s security.
Internet Security Alliance (ISA)
Information Technology Industry Council (ITI)
Business Software Alliance (BSA)
American Railroad Association
ACT – The App Association
NCTA – The Internet & Television Association