Regulatory Context for Cybersecurity
Cybersecurity regulation in the United States operates through a fractured but consequential patchwork of federal statutes, sector-specific rules, and state-level mandates that collectively govern how organizations protect data, systems, and critical infrastructure. Understanding this landscape is essential for anyone assessing compliance obligations — whether under a federal framework like FISMA or a sector rule like the HIPAA Security Rule. This page maps the major sources of regulatory authority, identifies where that authority ends, traces how the framework has evolved, and explains which exemptions apply to which entities.
Exemptions and Carve-outs
Not all organizations bear identical cybersecurity obligations, and the regulatory architecture deliberately excludes or reduces requirements for defined categories of entities.
Small business thresholds appear prominently in FTC rulemaking. The FTC Safeguards Rule (16 CFR Part 314), which covers non-bank financial institutions, exempts covered entities that collect information on fewer than 5,000 consumers from certain written risk assessment and report-to-board requirements under its 2023 amendments.
Sector-specific safe harbors exist within HIPAA. The U.S. Department of Health and Human Services (HHS) HIPAA Security Rule applies to covered entities and their business associates — it does not extend to entities that handle only de-identified data meeting the standards in 45 CFR §164.514(a) through (c). Once data is properly de-identified under either the Expert Determination or Safe Harbor method, the Rule's technical safeguard requirements do not attach.
Critical infrastructure operators may receive carve-outs from routine disclosure rules while simultaneously facing additional sector obligations. The Transportation Security Administration's cybersecurity directives for pipeline and aviation operators, issued under 49 U.S.C. § 114, impose affirmative requirements but also include provisions protecting sensitive security information from public disclosure under 49 CFR Part 1520.
Three major categories define most carve-out logic:
- Entity size — measured by consumer count, revenue, or employee headcount depending on the governing statute
- Data type — de-identified, aggregated, or publicly available data often falls outside protections
- Sector classification — entities regulated by a primary federal regulator (e.g., the SEC for broker-dealers, the FRB for bank holding companies) may fall under that regulator's cybersecurity rules rather than the FTC's general authority
Where Gaps in Authority Exist
Federal cybersecurity law lacks a single omnibus statute equivalent to the EU's NIS2 Directive. This structural gap produces overlapping jurisdictions and genuine authority vacuums.
The Cybersecurity and Infrastructure Security Agency (CISA) holds broad coordination authority under the Cybersecurity Act of 2015 and the CISA Act of 2018 but does not possess direct enforcement power over private sector entities outside specific critical infrastructure contexts. CISA can issue advisories and coordinate incident response, but it cannot levy civil penalties for noncompliance in the way the FTC or SEC can.
State attorneys general represent the primary enforcement layer for consumer-facing cybersecurity obligations in the absence of a federal breach notification law. As of the date of CISA's published guidance, all 50 U.S. states have enacted data breach notification statutes with varying thresholds, timelines (ranging from 30 to 90 days in most jurisdictions), and covered data definitions. The absence of federal preemption means multi-state entities must track and reconcile 50 distinct triggering conditions.
Entities seeking to understand how authority overlaps across federal and state levels may find the Cybersecurity Compliance Requirements by Sector page useful for sector-specific mapping.
How the Regulatory Landscape Has Shifted
Three structural shifts have materially altered cybersecurity compliance obligations over the past decade.
SEC disclosure requirements expanded substantially with the SEC's final rule on cybersecurity risk management and incident disclosure (Release No. 33-11216), effective December 2023. Registrants must disclose material cybersecurity incidents on Form 8-K under Item 1.05, and must include annual disclosures of cybersecurity risk management strategy on Form 10-K. This represents a shift from voluntary disclosure norms to mandatory, time-bound reporting.
CISA's CIRCIA authority — established by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Public Law 117-236) — will impose mandatory 72-hour incident reporting and 24-hour ransomware payment reporting obligations on covered critical infrastructure entities once CISA's implementing rulemaking is finalized. The proposed rule was published in the Federal Register in April 2024.
NIST framework adoption has shifted from advisory to de facto baseline. The NIST Cybersecurity Framework (CSF) 2.0, released in February 2024, now explicitly includes a "Govern" function alongside the original five, signaling that governance and supply chain risk management are no longer optional overlays but core framework components. Federal agencies must align with CSF through OMB directives under FISMA (44 U.S.C. § 3554).
For a deeper review of how frameworks structure these obligations, the Process Framework for Cybersecurity page provides a step-by-step breakdown.
Governing Sources of Authority
The primary legal and regulatory authorities shaping U.S. cybersecurity obligations fall into four tiers:
- Federal statutes — FISMA (44 U.S.C. § 3551 et seq.), HIPAA (42 U.S.C. § 1320d), Gramm-Leach-Bliley Act (15 U.S.C. § 6801), CIRCIA (P.L. 117-236)
- Agency rulemaking — FTC Safeguards Rule (16 CFR Part 314), SEC cybersecurity rules (17 CFR Parts 229, 232, 240), HIPAA Security Rule (45 CFR Parts 160 and 164)
- Federal standards — NIST SP 800-53 Rev 5 (security and privacy controls for federal systems), NIST CSF 2.0, FIPS 140-3 (cryptographic module validation)
- State law — California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.), New York SHIELD Act (N.Y. Gen. Bus. Law § 899-aa), and analogous statutes in 48 other jurisdictions
These tiers interact in ways that create compliance complexity for organizations operating across state lines or across regulated sectors. Public resources compiled by government bodies — including those indexed at Cybersecurity Public Resources and References — provide direct access to the primary documents referenced above.
References
- Federal Trade Commission — Safeguards Rule (16 CFR Part 314)
- U.S. Department of Health and Human Services — HIPAA Security Rule
- Cybersecurity and Infrastructure Security Agency (CISA) — Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
- National Institute of Standards and Technology — Cybersecurity Framework 2.0
- U.S. Securities and Exchange Commission — Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Release No. 33-11216)
- NIST Special Publication 800-53, Revision 5 — Security and Privacy Controls for Information Systems and Organizations
- Office of Management and Budget — Federal Information Security Modernization Act (FISMA) Guidance