Three key federal cyber regulations to watch under Trump
GOP lawmakers are focused on harmonizing key cyber regulations, including CISA’s proposed incident reporting rule and HHS’ new cyber update to HIPAA.
The second Trump administration’s cybersecurity policy is still coming into view, but GOP lawmakers are calling for the White House to kick off a review of existing and future cyber regulations.
Lawmakers and policy experts are particularly focused on three key rules: the Cybersecurity and Infrastructure Security Agency’s incident reporting requirements; the Department of Health and Human Services’ proposed update to health care security requirements; and the Securities and Exchange Commission’s 2023 cybersecurity risk management requirements.
CISA released a notice of proposed rulemaking, or NPRM, for the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA, last April. Under the law, CISA is required to publish the final rule within 18 months of releasing the NPRM. The rule will set incident reporting requirements for entities across all 16 critical infrastructure sectors.
Meanwhile, in January, HHS released long-anticipated cybersecurity updates to the Health Insurance Portability and Accountability Act, or HIPAA. The rule sets baseline cybersecurity standards for protecting sensitive health care data, which has been a major target for ransomware thieves.
The Biden administration had been moving to set stronger minimum cybersecurity standards for industry in response to rising cyberattacks. But it’s now up to the Trump administration to determine how to move forward with both CISA’s and HHS’s rules.
In an April 7 letter to Office of Management and Budget Director Russell Vought, Republican leaders on the House Homeland Security Committee and the House Oversight and Government Reform Committee referenced both rules. They urged Vought to immediately prioritize the review of existing and future federal cyber regulations.
“OMB, in coordination with [the Office of the National Cyber Director] and CISA, must thoroughly examine the existing cyber regulatory landscape for duplication and redundancy across the federal government, and identify opportunities for reciprocity within and between agencies,” they wrote.
The lawmakers cited the projected cost of implementing HHS’s cybersecurity rule. They also argued that CISA’s proposed CIRCIA rule “as written, undermines Congressional intent by imposing another layer of duplication by increasing compliance costs and capturing more entities than envisioned by lawmakers.”
The lawmakers want a briefing on OMB’s efforts to streamline cyber regulations by the end of the month.
“As Congress continues its work to streamline cyber regulations, we urge OMB to take these steps to rein in the cyber regulatory landscape to dramatically improve the security and resiliency of U.S. networks and critical infrastructure,” they wrote. “Eliminating the duplicative landscape of cyber regulations is the fastest, most cost-effective way to materially improve the nation’s cybersecurity.”
While the letter doesn’t directly reference the SEC requirements, GOP lawmakers have separately hammered those rules, which the commission adopted in 2023. They require public companies to notify investors of major cyber incidents and detail their cyber risk management plans in annual reports.
“Federal regulations like the SEC’s public cyber disclosure rule clearly illustrate the urgent need for harmonization,” House Homeland Security Committee Chairman Mark Green (R-Tenn.) said at a hearing last month. “This rule in particular is riddled with ambiguity and sets constrictive reporting timelines for organizations that experience cyber incidents. Ambiguous and conflicting standards like the SEC rule are allowing compliance to take priority over security, leaving our critical infrastructure more vulnerable to subsequent attacks.”
The Senate on Thursday confirmed Paul Atkins, President Donald Trump’s pick to serve as chairman of the SEC. Atkins hasn’t publicly stated his position on the SEC’s cyber rule.
But John Reed Stark, former chief of the SEC’s Office of Internet Enforcement and a critic of the cyber rule, has said he expects Atkins to “slow down dramatically the SEC’s enforcement program relating to cybersecurity disclosure and order the enforcement staff to instead focus on cybersecurity-related disclosure fraud — and refrain from deploying precious SEC resources against firms who have experienced good faith mishaps that had no real-world consequences.”
Copyright © 2025 Federal News Network. All rights reserved.