S. 1875 — Streamlining Federal Cybersecurity Regulations Act of 2025

This section defines 11 terms for purposes of the Act, including (1) agency and independent regulatory agency (as defined in 44 U.S.C. 3502); (2) appropriate congressional committees (i.e., the Senate Committee on Homeland Security and Governmental Affairs, the House Committee on Oversight and Government Reform, and congressional committees with jurisdiction over regulatory agencies or Sector Risk Management Agencies); (3) cybersecurity requirement (i.e., a regulation or supervisory activity with administrative, technical, or physical requirements relating to information security, cybersecurity, or cyber risk or resilience); (4) harmonization (i.e., aligning cybersecurity requirements into common minimum requirements across sectors and necessary sector-specific requirements, without exempting agencies from Administrative Procedure Act requirements); (5) reciprocity (i.e., one regulatory agency's recognition of another's assessment of a regulated entity's cybersecurity compliance); (6) regulatory agency (i.e., any agency with statutory authority to issue or enforce mandatory cybersecurity requirements); and (7) Sector Risk Management Agency (as defined in 6 U.S.C. 650).

This section establishes the Harmonization Committee, chaired by the National Cyber Director, to develop baseline and sector-specific, risk-based cybersecurity requirements and enhance reciprocity across federal regulatory agencies. The committee comprises the National Cyber Director; heads of regulatory agencies including the Cybersecurity and Infrastructure Security Agency (CISA) and National Institute of Standards and Technology (NIST); the head of the Office of Information and Regulatory Affairs; and other agencies as determined by the chair, with a publicly available list of members maintained on a website. The committee must develop and publicly deliver to Congress a charter detailing its processes, objectives, and scope. Not later than one year after enactment, the committee must develop and publish in the Federal Register a regulatory framework—including baseline requirements across sectors, common regulatory language for future rules, and processes for reciprocal compliance, identifying overly burdensome or inconsistent requirements, issuing recommendations, and drafting model language—after public comment and consultation with stakeholders, while accounting for unique sector-specific needs. Not later than 90 days after framework publication, the committee must select 3 to 5 regulatory agencies to voluntarily conduct a pilot program implementing the framework for 3 to 6 substantially similar cybersecurity requirements (with at least one per agency) that govern the same regulated entities, with voluntary entity participation; participating agencies may issue Administrative Procedure Act waivers and alternative procedures, deeming compliant entities that follow pilot requirements, terminating upon pilot conclusion (duration set by the committee). The committee may authorize subsequent pilots only after the later of specified dates (not provided in text).

This section directs the Director of the Office of Management and Budget (OMB), in consultation with the Committee, to issue guidance to federal agencies—including the Cyber Incident Reporting Council—on coordination with the Committee not later than 180 days after enactment. It further directs the OMB Director, in coordination with the Committee and not later than one year after completion of the initial pilot program and submission of its report, to issue guidance to all agencies ensuring cybersecurity requirements are consistent with the framework developed under subsection (e) and incorporating pilot program results and lessons learned. Such guidance must (1) update the regulatory review process, as appropriate, for proposed cybersecurity requirements; (2) provide draft regulatory language for covered agencies; (3) supply procedures for covered agencies to resolve inconsistencies with the framework; and (4) include a template with recommended implementation procedures. This section also requires all agencies to report to appropriate congressional committees on implementation of the subsection (a) guidance and authorizes the Committee to provide expertise or technical assistance on harmonizing and reciprocating cyber requirements—with State Department concurrence and National Institute of Standards and Technology coordination to foreign governments, international organizations, or entities; and to State, local, Tribal, and territorial governments.

This section states that nothing in the Act (1) expands or alters existing authorities of any agency, including independent regulatory agencies, or (2) provides any such agency with new or additional authorities, except for exemptions under section 3(f) to implement the pilot program established under that section; and (3) affects, augments, or diminishes the authority of the Secretary of State or any other federal officer.