Tap any paragraph to write a margin note. Your notes collect in the Desk below the text and file under cases with @. The side-by-side margin rail opens on a larger screen.

§
Marginalia
Code · BILL · 118th Congress · H.R. 10123 (Introduced in House) — To establish an interagency committee to harmonize regulatory regimes in the United States relating to cybersecurity,... · Sec. 3

Sec. 3. Establishment of interagency committee to harmonize regulatory regimes in the United States relating to cybersecurity

1,026 words·~5 min read·/bill/118/hr/10123/ih/section-3·

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

The National Cyber Director shall establish an interagency committee to be known as the Harmonization Committee to enhance the harmonization of cybersecurity requirements that are applicable within the United States. The National Cyber Director shall provide the Committee with administrative and management support as appropriate. The Committee shall be composed of— the National Cyber Director; the head of each regulatory agency; the head of the Office of Information and Regulatory Affairs of the Office of Management and Budget; and the head of other appropriate agencies, as determined by the chair of the Committee.
The Committee shall maintain, on a publicly available website, a list of the agencies that are represented on the Committee, and shall update the list as members are added or removed. The National Cyber Director shall be the chair of the Committee. The Committee shall develop, deliver to Congress, and make publicly available a charter, which shall— include the processes and rules of the Committee; and detail— the objective and scope of the Committee; and other items as necessary.
Not later than 1 year after the date of enactment of this Act, the Committee shall develop a regulatory framework for achieving harmonization of the cybersecurity requirements of each regulatory agency. The process for developing such regulatory framework shall include the opportunity for public comment and consultation with industry experts and other stakeholders. In developing the framework under subparagraph (A), the Committee shall account for existing sector-specific cybersecurity requirements that are identified as unique or critical to a sector.
The framework shall contain, at a minimum, processes for— establishing a reciprocal compliance mechanism for minimum requirements relating to information security or cybersecurity for entities regulated by more than 1 regulatory agency; identifying cybersecurity requirements that are overly burdensome, inconsistent, or contradictory, as determined by the Committee; and developing recommendations for updating regulations, guidance, and examinations to address overly burdensome, inconsistent, or contradictory cybersecurity requirements identified under subparagraph
(B)to achieve harmonization. Upon completion of the regulatory framework, the Committee shall publish the regulatory framework in the Federal Register. Not fewer than 3 regulatory agencies, selected by the Committee, shall carry out a pilot program to implement the regulatory framework with respect to not fewer than 3 cybersecurity requirements. Participation in the pilot program by a regulatory agency shall be voluntary and subject to the consent of the regulatory agency following selection by the Committee under paragraph (1). Participation in the pilot program by a regulated entity shall be voluntary. Cybersecurity requirements selected for the pilot program under paragraph
(1)shall contain substantially similar or substantially related requirements such that not fewer than 2 of the selected cybersecurity requirements govern the same regulated entity with substantially similar or substantially related requirements relating to information security or cybersecurity. Notwithstanding any provision of subchapter II of chapter 5, and chapter 7, of title 5, United States Code (commonly known as the Administrative Procedure Act ) and subject to the consent of any participating regulated entity, in implementing the pilot program under paragraph (1), a regulatory agency participating in the pilot program shall have the authority, as the regulatory agency determines appropriate, to both issue waivers and establish alternative procedures for regulated entities participating in the pilot program with respect to the cybersecurity requirements included under the pilot program. A regulated entity that notifies a regulator of the entity’s participation in a pilot program shall be deemed in compliance with the waived requirements to the extent that the entity complies with requirements of the pilot program. The Committee may only authorize an additional pilot program after the later of— the date of the conclusion of all 3 initial pilot programs under paragraph (1); and the date of submission of all reports required under subsection
(i)for each initial pilot program. Notwithstanding any other provision of law— except when an exigent circumstance described in paragraph
(3)exists, before prescribing any cybersecurity requirement, the head of a regulatory agency shall consult with the Committee regarding such requirement and the regulatory framework; and independent regulatory agencies, when updating any existing cybersecurity requirement or issuing a potential new cybersecurity requirement, shall consult the Committee during the development of the updated cybersecurity requirement or the new cybersecurity requirement to ensure that the requirement is aligned to the greatest extent possible with the regulatory framework. Following a consultation under paragraph (1), the Committee, in coordination with the Office of Management and Budget as necessary, shall provide to the agency a report that shall— include to what degree the proposed cybersecurity requirement or update to the cybersecurity requirement aligns with the regulatory framework, taking into consideration the authorities of the agency; and provide a list of recommendations to improve the cybersecurity requirement and to align the cybersecurity requirement with the regulatory framework. In the case of an exigent circumstance where an agency is authorized by law to act expeditiously, the agency shall notify the Committee as soon as possible. The Committee shall consult with appropriate Sector Risk Management Agencies in the development of the regulatory framework and the implementation of the pilot program under subsection
(f)and shall consult with members of industry and critical infrastructure, as appropriate, for the development of the regulatory framework and pilot program. Not later than 1 year after the date of enactment of this Act, and annually thereafter, the Committee shall submit to the appropriate congressional committees a report detailing— member participation, including the rationale for any nonparticipation by Committee members; the application of the regulatory framework, once developed, on cybersecurity requirements, including consultations or discussions with regulators; and any report made under subsection (g)(2). Not later than 1 year after the date on which a pilot program under subsection
(f)begins, the Committee shall submit to the appropriate congressional committees a report detailing— the cybersecurity requirements selected for the program, including— the reasons that the regulatory agency and cybersecurity requirement were selected; a list of the pilot programs considered by the Committee; and the rationale for selecting the pilot program; the information learned from the program; any obstacles encountered during the program; and an assessment of the applicability of expanding the program to other agencies and cybersecurity requirements.
★   the supreme law of the land   ★
Don't Tread on Me
E Pluribus Unum — out of many, one

"If you don't know your rights, you don't have any."

Marginalia · a citizen's law index
A research desk, not legal advice. Always read the cited source before relying on a summary.
Questions or an issue? support@self-law.org
disclaimerMarginalia is a research index, not a law firm. Nothing on this site is legal, tax, or financial advice and no attorney–client relationship is formed by using it. Statutes, regulations, and case law change; summaries, search results, AI output, and member posts may be incomplete, out of date, or wrong. Any interpretation drawn from material on this site should be validated by a licensed attorney in your jurisdiction before you act on it.