The Statutory Authority of the Office of Management and Budget to Withhold Funding for Duplicative and Redundant Cybersecurity Regulations 

 Under the ISA-proposed draft legislation to prevent redundancies in federal cybersecurity regulations and reinforce our nation’s cyber resilience as a whole, the Director of the Office of Management and Budget (OMB) would have the authority to withhold funding for the enforcement of identified redundant or duplicative cybersecurity regulations while they are under review. OMB derives this statutory authority from established laws, previous executive orders, and administrative practices.  

 

Statutory Authority   

The OMB’s authority is rooted in several legislative acts:

Budget and Accounting Act of 1921: This law established the Bureau of the Budget, which later became the OMB. It grants the OMB the responsibility to assist the President in overseeing the preparation of the federal budget and to supervise its administration in executive branch agencies. This role includes evaluating the effectiveness of agency programs, policies, and procedures, which extends to regulatory practices. Section 203 of the Act, in particular, requires “every department and establishment … [to] furnish to the Bureau such information as the Bureau may from time to time require, and when duly authorized, shall, for the purpose of securing such information, have access to, and the right to examine, any books, documents, papers, or records of any such department or establishment” to realize the President’s agenda.

  •  The full text of the Act is available here.
     

44 U.S.C. §3504: This act established the “Authority and Functions of Director” of OMB:
“(a)(1) The Director shall oversee the use of information resources to improve the efficiency and effectiveness of governmental operations to serve agency missions, including burden reduction and service delivery to the public. In performing such oversight, the Director shall— 

(A) develop, coordinate and oversee the implementation of Federal information resources management policies, principles, standards, and guidelines; and 

(B) provide direction and oversee— 

(i) the review and approval of the collection of information and the reduction of the information collection burden;”
 

Paperwork Reduction Act of 1995: This law mandates that the OMB oversee federal information collection activities to reduce burdens on the public and private sectors. It specifically empowers the OMB to ensure that agencies avoid redundant or conflicting requirements in their regulations. The Act specifically requires the Director of the OMB to develop and implement Federal information policies and standards including policies concerning: (1) reducing the burden of government paperwork on the public; (2) records management activities; (3) the privacy of records pertaining to individuals; and (4) reviewing federal government information collection requests.  

Given that many cybersecurity regulations contain stringent and often duplicative, redundant reporting requirements that are generating enormous waste in resources and adding an extra burden to those fighting cyber attacks every day, this legislation provides solid authority for the OMB to require agency review of redundancies in cybersecurity regulations by withholding enforcement funding. The full text of the Act is available here.
 

Federal Information Security Modernization Act (FISMA): FISMA codified the OMB’s role in overseeing federal cybersecurity practices to ensure agencies provide appropriate levels of information security for the data held by the federal government. The Act directed the OMB to revise policies and required a report to “eliminate inefficient and wasteful reporting” to ensure consistent implementation of cybersecurity measures across agencies. 

  •  The full text of the Act is available here.
     

Congressional Review Act of 1996: This act empowers the OMB to play a role in the review of new federal regulations by giving the OMB the authority to designate new agency rules “major” based on the projected economic impact, thus subjecting the rules to increased scrutiny and congressional oversight. Agencies are required to submit new rules to both Congress and the OMB before they can take effect, allowing the OMB to assess and, if necessary, recommend the disapproval of regulations that are both major and potentially redundant or overly burdensome. While not directly giving the OMB the authority to approve or disapprove the rules, this Act clearly shows the OMB’s statutory authority in oversight of federal regulations in general.

  •  The full text of the Act is available here. 

 

Executive Orders 

Executive Order 12866 of 1993: Issued by President Clinton, this order outlines the principles of regulatory planning and review. It designates OIRA within the OMB as the central authority for reviewing federal regulations to ensure they are consistent with the President’s priorities and do not conflict with other agencies’ actions. The EO emphasizes the need for regulations to be cost-effective and to avoid unnecessary duplication.

According to the EO, “Coordinated review of agency rulemaking is necessary to ensure that regulations are consistent with applicable law, the President’s priorities, and the principles set forth in this Executive order, and that decisions made by one agency do not conflict with the policies or actions taken or planned by another agency. The Office of Management and Budget (OMB) shall carry out that review function.” 

 Further, the EO empowers the OMB, “To the extent permitted by law, OMB shall provide guidance to agencies and assist the President, the Vice President, and other regulatory policy advisors to the President in regulatory planning and shall be the entity that reviews individual regulations, as provided by this Executive order.” 

  •  The full text of the executive order is available here 

 

Executive Order 14192 of 2025, Unleashing Prosperity Through Deregulation: This EO builds on the emphasis on reducing regulatory burdens from the previous EO signed by President Clinton and cites it to reinforce the OMB’s role in overseeing the deregulation process. It mandates that agencies work with the OMB to identify and eliminate outdated or unnecessary regulations, including those related to cybersecurity. 

 “The Director shall provide the heads of agencies with guidance on the implementation of this section. Such guidance shall address, among other things, processes for standardizing the measurement and estimation of regulatory costs; standards for determining what qualifies as new and offsetting regulations; standards for determining the costs of existing regulations that are considered for elimination; processes for accounting for costs in different fiscal years; methods to oversee the issuance of rules with costs offset by savings at different times or different agencies; and emergencies and other circumstances that might justify individual waivers of the requirements of this section. The Director shall consider phasing in and updating these requirements.”  

 “Each regulation approved by the Director during the Presidential budget process shall be included in the Unified Regulatory Agenda required under Executive Order 12866, as amended, or any successor order. Unless otherwise required by law, no regulation shall be added to or removed from the Unified Regulatory Agenda without the approval of the Director. To accomplish the purposes of this order, the Director may also require additions to the Unified Regulatory Agenda and Regulatory Plan.” 

  •  The full text of the executive order is available here 

 

Executive Order 13771 of 2017, Reducing Regulation and Controlling Regulatory Costs: Signed by President Trump, this order requires that for every new regulation issued, at least two prior regulations be identified for elimination. It assigns the OMB the responsibility to provide guidance on the implementation of this policy, thereby directly involving the OMB in efforts to reduce regulatory redundancies. 

 “It is the policy of the executive branch to be prudent and financially responsible in the expenditure of funds, from both public and private sources. In addition to the management of the direct expenditure of taxpayer dollars through the budgeting process, it is essential to manage the costs associated with the governmental imposition of private expenditures required to comply with Federal regulations. Toward that end, it is important that for every one new regulation issued, at least two prior regulations be identified for elimination, and that the cost of planned regulations be prudently managed and controlled through a budgeting process.” 

  •  The full text of the executive order is available here 

 

Executive Order 14028 of 2021, Improving the Nation’s Cybersecurity: This order emphasizes the need for enhanced cybersecurity across federal agencies and tasks OMB with ensuring compliance with security guidelines for critical software, emphasizing the OMB’s role in cybersecurity regulation oversight in general. 

  •  The full text of the executive order is available here 

 

Executive Order 14239 of 2025, Achieving Efficiency Through State and Local Preparedness: This order emphasizes the need to streamline preparedness operations in order to help State and Local governments secure infrastructure and to increase efficiency and resiliency within government. It gives OMB the authority to assist in this pursuit of efficiency, working in coordination with the APNSA (Assistant to the President for National Security Affairs) and the heads of relevant agencies to create a National Risk Register that “identifies, articulates, and quantifies natural and malign risks to our national infrastructure, related systems, and their users.”

“Federal policy must rightly recognize that preparedness is most effectively owned and managed at the State, local, and even individual levels, supported by a competent, accessible, and efficient Federal Government. Citizens are the immediate beneficiaries of sound local decisions and investments designed to address risks, including cyber attacks, wildfires, hurricanes, and space weather. When States are empowered to make smart infrastructure choices, taxpayers benefit.” 

“In addition, it is the policy of the United States that my Administration streamline its preparedness operations; update relevant Government policies to reduce complexity and better protect and serve Americans; and enable State and local governments to better understand, plan for, and ultimately address the needs of their citizens.” 

  • The full text of the executive order is available here. 

 

Other Sources Reinforcing OMB’s Authority 

The 2023 National Cybersecurity Strategy Implementation Plan: The implementation plan for President Joe Biden’s National Cybersecurity Strategy reinforces OMB’s role in eliminating redundancies in cybersecurity regulations and affirms the importance of this policy for the nation’s cyber defense: 

 Initiative Number 1.1.1 

Initiative Title: Establish an initiative on cyber regulatory harmonization  

 “The Office of the National Cyber Director (ONCD), in coordination with OMB, will work with independent and executive branch regulators, including the Cybersecurity Forum for Independent and Executive Branch Regulators, to identify opportunities to harmonize baseline cybersecurity requirements for critical infrastructure.” 

 “ONCD, in coordinating with the Office of Management and Budget (OMB), will lead the Administration’s efforts on cybersecurity regulatory harmonization.” 

  •  The full implementation plan is available here 

 

Presidential Memo M-24-14 from July 10, 2024 regarding the Biden Administration’s Cybersecurity Priorities for the FY 2026 budget: The Administration highlighted OMB’s role in harmonizing regulatory regimes across critical infrastructure sectors. Agencies were instructed to consult with OMB when establishing baseline cybersecurity requirements to ensure consistency and avoid duplication. This memo underscores OMB’s leadership in aligning agency cybersecurity efforts with broader national strategies.