The Government Accountability Office (GAO) is urging Congress to address the fragmented landscape of cybersecurity regulations affecting U.S. critical infrastructure. 

GAO said that while cybersecurity practices have evolved, federal regulatory efforts remain inconsistent and duplicative.

“Cyber-based intrusions and attacks on both federal and non-federal systems by malicious actors are becoming more common and more disruptive. These attacks threaten the continuity, confidence, integrity, and accountability of essential systems. Moreover, the risks to these

systems—including insider threats from witting or unwitting employees, mounting threats from around the globe, and the rise of new and more destructive attacks—collectively threaten to compromise sensitive data and destabilize critical operations,” GAO stated in a report.

The report is based on input from two expert panels comprising 12 industry and cybersecurity professionals. Participants highlighted issues such as vague requirements, differing agency standards, and redundant audits—some companies reportedly face up to seven auditors requesting the same data.

GAO recommends prioritizing regulatory harmonization, reauthorizing key legislation, and possibly establishing a central authority to oversee cybersecurity rulemaking.