Federal agencies face complex cyber compliance – but relief is underway


In the face of escalating cyber threats to our critical infrastructure, economy, and way of life, federal agencies are continuously releasing mandates, memos, requirements, and executive orders focused on improving cyber hygiene. This creates a heavy, ever-shifting compliance burden for these agencies, as well as the many private companies, especially those in the critical sectors, that tend to rely on these agencies’ requirements in enhancing their own cyber strategies.

The White House has taken note, and in July 2023 released a harmonized National Cybersecurity Strategy Implementation Plan.

Among its initiatives, the strategy broadly mentions the need to drive key cybersecurity standards. A few days after the strategy’s release, the Office of the National Cyber Director (ONCD) issued a Request for Information (RFI) seeking input from stakeholders in order to “understand existing challenges with regulatory overlap and inconsistency in order to explore a framework for reciprocal recognition by regulators of compliance with common baseline cybersecurity requirements.”

“When cybersecurity regulations of the same underlying technology are inconsistent or contradictory – or where they are duplicative but enforced differently by different regulators – consumers pay more, and our national security suffers,” ONCD wrote.

CohnReznick expects the final output will create a baseline standard for federal agencies, instead of the multiple and disparate standards they currently must comply with. Additionally:

  • There will be a standardized cybersecurity rule for incident reporting and multifactor authentication.
  • High-risk operators in the Transportation sector would be required to have a standardized vulnerability assessment procedure in place.
  • Cloud Service Providers (CSPs) such as AWS, Microsoft Azure, Google Cloud Platform, and Oracle may be designated as “critical infrastructure.”

However, the White House is careful that it is not “over-regulating” the cybersecurity industry. To that end, Robert Knake, former acting principal deputy national cyber director, said that the national strategy does not seek to iron out “conflicting rules or even conflicting regulators,” but rather to devise a process for “reciprocity,” which would allow organizations to meet multiple requirements with a minimal number of assessments.

Both the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) will continue to play key roles in the new national cybersecurity strategy implementation plan.

The White House is fully aware the national cybersecurity strategy can quickly become obsolete as cyber criminals devise new methods to outwit defenses. Hence, the strategy will be a living document, and will undergo updates when necessary.

The current compliance landscape

As more streamlined frameworks continue to develop, agencies and organizations still face a vast array of cybersecurity-related memorandums, programs, laws, policies, and standards. 

The table below highlights some of the top ones to be aware of in developing your strategies. A more comprehensive list is available from the General Services Administration (GSA).

Compliance Program Driver



Identity, Credential, and Access Management (ICAM)



Domains and Web Hosting



Cloud Adoption



Department of Homeland Security (DHS)

  • Continuous Diagnostics and Mitigation (CDM)
  • Homeland Security Presidential Directive
  • Blueprint for a Secure Cyber Future – The Cybersecurity Strategy for the Homeland Security Enterprise



Federal Information Security Modernization Act (FISMA) OMB Memos

  • M-18-02, Guidance on Federal Information Security and Privacy Management
  • M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information



Executive Orders

  • EO 13800 – Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
  • EO 13556 – Controlled Unclassified Information
  • EO 14028 – Improving the Nation’s Cybersecurity



Standards – NIST Special Publications (SP)

  • Federal Information Processing Standards (FIPS)
  • SP 800 Series
  • SP 1800 – Cybersecurity Guidelines



One of the most important mandates is Executive Order 14028, “Improving the Nation’s Cybersecurity,” which lays great emphasis on implementing a Zero Trust architecture and securing the supply chain for critical software used by federal agencies.

Federal agencies are feverishly working toward the implementation of EO 14028. The all-encompassing order mandates compliance across eight security domains:

  • Implement multifactor authentication (MFA)
  • Encrypt data-at-rest and data-in-transit
  • Adopt endpoint detection and response solutions
  • Collect and maintain system logs
  • Enhance critical software supply chain security
  • Migrate on-premises solutions to secure cloud offerings
  • Utilize vulnerability management best practices and incident response playbooks
  • Implement Zero Trust Architecture

The ink had barely dried on federal agency gap analyses and technical implementation of EO 14028 when CISA produced more recommendations on anti-phishing MFA. The Pentagon also introduced its definitive version of a Zero Trust strategy. On top of these, the National Archives and Records Administration (NARA) recently issued a new requirement on logging and retention periods. More OMB memoranda and new FISMA audit requirements are constants and will be forthcoming down the road.

Interim steps to strengthen compliance

While relief is on the way, federal agencies may still feel overburdened now with all these requirements. In the meantime, the following steps can help provide a head start on shoring up your compliance practices.

  • Assess your current compliance program to confirm it aligns with the expectations of the myriad of applicable drivers, while also being right-sized for the mission.
  • Confirm that your current program is managing and prioritizing the requisite compliance risks, including any risks related to government funding.
  • Develop a process for ongoing periodic assessment of plan adequacy, resources, and effectiveness.

Contact our team for more information or to get started.


Bhavesh N. Vadhani, CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy


Bill Hughes, CPA, CDFM, CGFM, CGMA, Partner, Federal Market Leader, Government and Public Sector


Adonye Chamberlain, Manager, Cybersecurity, Technology Risk, and Privacy



Get in touch with our specialists

View All Specialists
Bhavesh Vadhani

Bhavesh Vadhani

CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy
bill hughes

Bill Hughes

CPA, CDFM, CGFM, CGMA, CICA, Partner - Federal Market Leader

Looking for the full list of our dedicated professionals here at CohnReznick?



Let’s start a conversation about your company’s strategic goals and vision for the future.

Please fill all required fields*

Please verify your information and check to see if all require fields have been filled in.

Please select job function
Please select job level
Please select country
Please select state
Please select industry
Please select topic
This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. Neither CohnReznick LLP or its personnel provide legal advice to third parties. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees, and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.