New Innovations for Agility in Cyber Regulation and Compliance
How AI, automation, and continuous testing could replace checklist cyber compliance with faster, cheaper, and more resilient regulation.
The Trump administration has a unique opportunity for a fresh start in cyber regulation to achieve enhanced security with improved effectiveness and reduced cost.
Regulation needs to work at the speed of the technology industry itself, where agile methods empower enterprises to rapidly deploy and maintain complex systems and applications.
Until recently, regulators could not easily solve the trade-offs between requirements that are specific enough to satisfy regulators but general enough to allow the regulated entities flexibility to reduce risks and rapidly adapt to technological and business changes.
Over the coming years, a new regulatory regime could be built around emerging innovations such as the Open Security Controls Assessment Language (OSCAL), a machine-readable format for security policies; chaos engineering; continuous offensive testing; risk-based assessments of vulnerabilities; and, of course, the adoption of artificial intelligence (AI).
Not all of these technologies are mature or affordable enough for widespread adoption. But regulatory embrace of these innovations can incentivize uptake, building a market for vastly improved security and resilience.
Regulators’ Goals Versus Reality
Regulation of a company’s information technology (IT) goes back to at least 1970 when the Federal Deposit Insurance Corporation formalized electronic data processing examination requirements for banks. Their goal was to ensure “the integrity of electronic data systems, internal controls, and physical security,” to counter computer-based fraud or embezzlement.
Since then, of course, regulations have expanded to address the multiplying cybersecurity and broader IT security risks, covering all aspects of security and resilience for individual companies in every critical infrastructure sector. Sector-by-sector cybersecurity regulations have driven substantial improvements. But they have also created major drawbacks. Regulations have too often generated “checklist compliance,” a form of compliance that creates more paperwork than security.
The lack of harmonization across regulatory agencies imposes further costs, at the expense of genuine security. FedRAMP (for cloud service providers selling to the federal government) and NERC CIP (for electricity) are notorious for prioritizing compliance over security. For example, just the template for a FedRAMP security plan is over 50 pages, even before the entity adds data, while NERC CIP requires documenting every person who accesses a server room and retaining that log for 90 days. Put simply, this increases costs, not security.
In 2023, representatives of the finance sector told the White House’s Office of the National Cyber Director that “Chief Information Security Officers and other senior cyber leaders within firms … report spending 30 percent to upwards of 50 percent of their time on regulatory compliance.” A group of defense companies likewise reported that “prohibitive costs [of compliance] may drive a strategy of risk acceptance, which may lead to meaningful security gaps,” and that “no regulation today or pending directive allows for systems risk management based upon evolving ecosystem criticality.”
Such compliance requirements are decades out of date with how modern enterprises can address security. Innovative practices such as DevSecOps (development, security, operations), infrastructure-as-code, and continuous integration/continuous delivery (CI/CD) allow technology teams to continuously commit and deploy code with security built into the entire software life cycle, with fewer boundaries between infrastructure teams, developers, and security. This is significantly more efficient and less costly than checklist compliance. Regulation must adapt or it will hobble this agility and cause far more security problems than it fixes.
Unsolvable Trade-Offs
National Cyber Director Sean Cairncross has argued for a “more unified and efficient approach” as “cyber defense cannot, and should not, be a checklist that increases costs and slows incident preparedness or response effectiveness.”
Unfortunately, harmonization alone will not overcome the tension between prescription and flexibility. Being specific about outcomes (such as “achieving recovery and resumption within two hours after” a disruptive technology event) is usually a poor fit for cybersecurity, for which outcomes are “immensely difficult to measure.” However, regulating for means, such as giving pipeline operators just 15 days to patch critical vulnerabilities, is measurable but far too specific.
More recently, regulators have often preferred avoiding any such specificity with more general principles-based regulations. These mandate management processes, such as establishing a vulnerability disclosure program or maintaining an asset inventory of all critical IT assets, rather than specifying how exactly to handle vulnerabilities or deciding on a regulated entity’s behalf which assets it should consider critical.
But this has its own problems. The Pentagon told companies in the defense industrial base to “identify, report, and correct information and information system flaws in a timely manner.” Such vague guidance (since retracted) offers no suggestions on how serious a flaw needs to be to require fixing and just how long is “timely.” A company might patch the flaw in a month only to be punished retroactively by the Pentagon because it wasn’t done in a week.
Shaking Up Cyber Regulation
In the face of these trade-offs, one set of innovations—those driven by AI and OSCAL—is available now and can streamline compliance. More importantly, there is a second set of exciting new technologies and practices—such as chaos engineering—that can actually achieve long-desired security outcomes while allowing regulated entities the required flexibility to meet those goals. Some of these innovations are ready now. Others can be implemented only by companies with high-performing cyber and IT teams, or once their cost and complexity have been brought down to more reasonable levels—a goal that regulation should aim to promote.
Because these merely simplify the process of complying with existing rules, the relatively easy task for regulators is to ensure that these innovative approaches are not significantly limited, and to nudge mature entities—those with robust cybersecurity and regulatory compliance teams—in this direction. Regulators may, for example, offer a safe harbor provision allowing the use of these innovations either to answer or to be exempt from specific checklist requirements.
Innovations to Simplify and Streamline Compliance
In the near term, the most achievable innovations are those driven by AI, which can simplify compliance and other regulatory tasks. Agentic AI excels at automating the routine compliance tasks that usually require major effort from regulated entities.
Among many improvements, Google has found that AI has helped the company complete first drafts of incident reports by just over half and that AI assists in mapping controls to compliance frameworks. Using AI has also allowed Google to ensure compliance earlier in its CI/CD workflow. Companies such as Kovr.ai and Sprinto use AI (sometimes powered by OSCAL) to help companies automate their compliance tasks, substantially simplifying time-consuming activities like generating compliance reports.
OSCAL puts cybersecurity policy and compliance documents into universal, machine-readable formats. IT systems can report their own compliance with cybersecurity policies, automatically generating documents, such as system security plans, which would take dozens of hours to assemble without this technology. OSCAL greatly reduces costs and complexity to deal with specific regulatory mandates.
These uses of OSCAL and AI should reduce the harms of unharmonized regulations and the costs of duplicative reporting. This, of course, does not mean that governments should cease their efforts at harmonization. Still, entities embracing these innovations can automate much of the compliance-reporting burden and create separate reports for different regulators.
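The two preceding paragraphs describe systems reporting their own compliance in a machine-readable format and one evidence base feeding separate reports for different regulators. The following is an added illustration, not code from the article or from NIST's OSCAL project: automated checks are turned into an assessment-results document that follows the general shape of OSCAL JSON (top-level `assessment-results` key, `metadata`, `results`, and `findings` whose `target` carries an `objective-id` and a `satisfied`/`not-satisfied` status), and a crosswalk maps each internal check to control identifiers in two regimes so the same evidence yields a per-regulator report. The check results, the crosswalk entries, and the target OSCAL version are constructed assumptions for illustration; the document shape is a simplified approximation of OSCAL, not the full schema.

```python
"""Compliance-as-code sketch in the spirit of OSCAL (added example, simplified shape)."""
import json
import uuid
from datetime import datetime, timezone

# Constructed: internal checks a system can evaluate about itself. In practice these
# would come from configuration scanners, IaC validators, or CI/CD policy gates.
CHECK_RESULTS = {
    "mfa-enforced": True,
    "asset-inventory-current": True,
    "critical-patch-sla-met": False,
    "access-logs-retained": True,
}

# Constructed crosswalk: one internal check -> a control id in each regulatory regime.
# The pairings are illustrative, not an authoritative mapping.
CONTROL_CROSSWALK = {
    "mfa-enforced": {"fedramp": "ia-2", "nerc-cip": "cip-005-r2"},
    "asset-inventory-current": {"fedramp": "cm-8", "nerc-cip": "cip-002-r1"},
    "critical-patch-sla-met": {"fedramp": "si-2", "nerc-cip": "cip-007-r2"},
    "access-logs-retained": {"fedramp": "au-11", "nerc-cip": "cip-006-r1"},
}


def build_assessment_results(check_results, crosswalk, framework):
    """Return an OSCAL-shaped assessment-results dict for one framework."""
    findings = []
    for check, passed in check_results.items():
        target_id = crosswalk[check][framework]
        findings.append({
            "uuid": str(uuid.uuid4()),
            "title": f"Automated check '{check}' for {target_id}",
            "target": {
                "type": "objective-id",
                "target-id": target_id,
                "status": {"state": "satisfied" if passed else "not-satisfied"},
            },
        })
    return {
        "assessment-results": {
            "uuid": str(uuid.uuid4()),
            "metadata": {
                "title": f"Continuous assessment ({framework})",
                "last-modified": datetime.now(timezone.utc).isoformat(),
                "oscal-version": "1.1.2",  # assumed target version
            },
            "results": [{
                "uuid": str(uuid.uuid4()),
                "title": "Automated control evaluation",
                "findings": findings,
            }],
        }
    }


def unsatisfied_controls(doc):
    """List the control ids whose findings are not satisfied (what a regulator would ask about)."""
    results = doc["assessment-results"]["results"]
    return sorted(
        f["target"]["target-id"]
        for r in results
        for f in r["findings"]
        if f["target"]["status"]["state"] != "satisfied"
    )


def reports_for_all_regulators(check_results, crosswalk):
    """One evidence base, one document per regulator named in the crosswalk."""
    frameworks = sorted({fw for mapping in crosswalk.values() for fw in mapping})
    return {fw: build_assessment_results(check_results, crosswalk, fw) for fw in frameworks}


if __name__ == "__main__":
    for fw, doc in reports_for_all_regulators(CHECK_RESULTS, CONTROL_CROSSWALK).items():
        print(fw, "open findings:", unsatisfied_controls(doc))
        print(json.dumps(doc, indent=2))
```

The point of the crosswalk is that the system is assessed once; the failed patch check surfaces as an open finding against `si-2` in the FedRAMP-flavoured document and against `cip-007-r2` in the NERC CIP-flavoured one, without anyone re-keying evidence into two templates.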
For companies with more robust cybersecurity and IT teams, regulators can explore more advanced techniques that shift from checklist compliance to a mode of continuous security improvement. Companies such as Pentera and Praetorian (for which I serve on the advisory board) provide constant, proactive offensive security to continuously discover their attack surfaces, detect misconfigurations and vulnerabilities, and close off attack paths. AI and more traditional automation allow for nonstop offensive testing, rather than periodic penetration testing, which usually occurs just once or twice a year.
Innovations to Rethink Regulation
Other innovations are more revolutionary, with the potential to redefine how regulated entities can successfully assert they are meeting the broad public policy goals of regulators. These might be longer-term aspirations for regulators, since few regulated entities could implement them successfully without massive investments, which could have negative knock-on effects on other areas of their resilience and security.
Take Netflix as an example. Over the past 15 years, Netflix and other companies have been perfecting chaos engineering, the process of randomly knocking parts of their technology infrastructure offline—from single servers up to entire regions of the network. The goal of this outlandish plan? To constantly respond to all of these self-imposed outages.
By implementing chaos engineering, Netflix is ensuring that its system will be resilient in unplanned failures and against attacks. As the company has written, knowing that its systems would be assaulted at random “created strong alignment among our engineers to build in the redundancy and automation to survive this type of incident without any impact to the millions of Netflix members around the world.”
Such innovations are not widespread, but they are already being used in other leading technology companies, such as Amazon, Microsoft, and LinkedIn. They not only substantially improve cybersecurity and resilience, but they also allow companies to more confidently assert they are meeting the policy goals of regulators, breaking the trade-offs between compliance and true security.
If a regulator demands, for example, proof of an assertion that a regulated entity can respond to an outage in a timely manner, the entity can show evidence that it has already responded to 10 such outages that day, with no disruptions.
Next Steps
Getting to this future—which is more secure and more tied to modern IT operations, with easier compliance that satisfies regulators’ goals—is worthwhile, necessary, and achievable.
The Office of the National Cyber Director, working with key congressional committees, should explore how to embrace such new innovations as well as ensure that existing regulations do not somehow forbid such innovations from being used.
Most regulated entities do not have the maturity and resources to fully implement innovations such as OSCAL, chaos engineering, and continuous penetration testing. But some do.
A key first step is getting such innovations fully adopted by cloud service providers, which can then offer them as a service to clients of all levels of maturity. Companies that have built out agility in their IT and business operations can rely on their cloud providers for the same speed in regulatory compliance.
Financial regulations can make distinctions between financial institutions of different maturities to manage risks. Basel II, for example, allowed sophisticated banks to use an “advanced measurement approach” to measure and manage their operational risks (including cybersecurity and resilience), thereby reducing imposed requirements. New cybersecurity regulations might follow a similar approach for companies that can prove they are using the innovations described above, among others.
These innovations are far more likely to be successful and affordable if provisions are made for them in regulations.
As Evan Wolff and Rob Knake put it, “technology forcing regulations” are pivotal to creating a more secure future. Take the Clean Air Act as an example. This 1970 law required a massive 90 percent reduction in emissions, even though the required technology did not yet exist, driving the invention of the needed control technologies, like the catalytic converter in 1975. As a result, the noxious emissions from automobiles dropped even as cars were driven more miles. Technology-forcing regulations, if properly designed, might have a similar effect for cybersecurity.
Though the Trump administration has taken a mostly anti-regulatory approach to governance, revamping regulations in this way is well aligned with the administration’s overall goals. Regulations built around modern innovations may be far less cumbersome, allowing reams of regulations to be revoked and substituted by far simpler guidance, thus meeting the White House requirement that “whenever an agency promulgates a new rule, regulation, or guidance, it must identify at least 10 existing rules, regulations, or guidance documents to be repealed.”
Moreover, the Department of Defense, at the direction of acting Chief Information Officer Katie Arrington, has already been hard at work implementing related innovations, such as continuous authorizations to operate and radically simplifying risk management requirements to more rapidly acquire secure software.
FedRAMP has started down this path as well, switching to continuous validation that controls are working, rather than periodic compliance reports, and using OSCAL to improve automation.
The combination of new innovations and an administration willing to take risks means the United States has a chance to drive its cyber regulations away from compliance and to more security-enhancing practices.
