BY JOHN COSTELLO
Cyber governance remains a persistent challenge for every Administration. As cyber threats evolve, agency missions mature, and technology advances, governance models must be flexible and responsive while ensuring long-term sustainability and coordination. Cybersecurity’s unique positioning as a multi-agency, cross-sectoral issue further complicates governance, as agencies may hold conflicting equities—whether through their enterprise cybersecurity responsibilities, primary cyber missions (CISA, NSA, CYBERCOM), adjacent functions (FDA, DOE), or occasional involvement in cyber-related national security efforts (OFAC sanctions, law enforcement investigations). This dispersion of responsibility has led to duplicative efforts, regulatory inconsistencies, and inefficiencies in both policy and operations.
Despite numerous legislative and executive measures aimed at improving interagency alignment, efforts to centralize authorities and streamline coordination have often exacerbated fragmentation, adding new coordinating bodies rather than consolidating existing functions. This challenge is rooted in both the Executive Branch, where agencies resist ceding authority, and Congress, where jurisdictional divisions favor narrow, incremental legislative changes over broader restructuring. The result has been a steady expansion of cyber-related authorities and budgets without a corresponding improvement in strategic unity or operational efficiency. Cyber policy and governance in the United States have thus evolved not from a central plan but through an incremental, additive process, layering new authorities, structures, and initiatives atop existing ones rather than undertaking comprehensive reform. The product is a fragmented approach that, while adaptive, often lacks coherence and efficiency.
Attempts to establish a stronger central coordinating function frequently face resistance from agencies and their legislative allies, who seek to preserve autonomy, authority, and funding. Efforts to create more robust governance structures encounter dual opposition: from Executive Branch entities wary of losing influence and from Congressional stakeholders reluctant to reopen statutes that could expose broader agency authorities to revision. This opposition is especially pronounced when proposals risk encroaching on traditionally independent functions, such as law enforcement investigations, regulatory autonomy, or Presidential national security prerogatives. Consequently, any attempt to grant overarching authority to a single agency—whether within the White House or elsewhere—is unlikely to succeed in its original form and risks being diluted into incremental, limited improvements rather than transformative change.
The Trump Administration, known for its unconventional approach to governance and creative statutory interpretation, has a unique opportunity to drive meaningful improvements in how the federal government secures and defends cyberspace. Given the political and structural realities that make sweeping reorganization unlikely, both the Trump Administration and Congress must find ways to enhance cohesion, alignment, and operational effectiveness within existing authorities. This requires leveraging creative governance solutions that maximize coordination without triggering the bureaucratic resistance that has historically stymied reform. In this context, the path forward lies in pragmatic, targeted initiatives that work within existing structures to drive greater cohesion and efficiency. This includes clarifying and reinforcing the role of the National Cyber Director, establishing a more structured and accountable interagency cyber community, setting clear and actionable national cyber priorities, and advancing regulatory harmonization to reduce fragmentation.
Affirm the National Cyber Director Position in Executive Order
While the creation of the National Cyber Director was intended, in part, to streamline, consolidate, and centralize the myriad cyber authorities in the White House into a cohesive center of governance for U.S. government cyber activity, in the four years since its creation there continue to be substantial concerns about the position's authority, roles, and responsibilities, particularly with respect to other offices in the Executive Office of the President. Compounding this issue was the revival of the National Cyber Coordinator position in 2021, as the Deputy National Security Advisor for Cyber and Emerging Technologies, a position the NCD was intended to replace. The NCD's authorizing statute, while important in conveying Congressional intent, offers little help. Congress is significantly limited in the degree to which it can dictate how the President uses a position it creates, or how (if at all) such a position works with or is integrated into the President's staff. This constraint, together with the need to overcome jurisdictional and executive objections in the legislative process, helps explain why the NCD's authorizing legislation lacks the concrete detail that would otherwise specify the position's roles and responsibilities more granularly within the fabric of the Executive Office of the President.
Similar Senate-confirmed positions, which served as the model for the ONCD, generally received an "establishing" Executive Order within two years after the position was formally codified by Congress. These positions fall into a unique area of constitutional law and process, one where Congressional authority to make laws and dictate the organization of government intersects with the well-established precedent of Presidential prerogative over his own staff. As such, the President has, within reason, wide latitude to articulate more firmly the authorities, roles, and responsibilities of these positions, often through an Executive Order. Such an imprimatur helps to define more concretely the working relationships between these Senate-confirmed positions and the staff positions (the NSC, for example) that fall solely under the President's discretion. Four years on, the ONCD has yet to benefit from such an order, leaving significant uncertainty regarding its authorities, responsibilities, and integration within the broader executive framework and hampering its ability to drive a cohesive national cyber strategy.
To fill this gap, the President should issue an Executive Order affirming the role of the National Cyber Director and articulating and further defining the position's authorities, roles, and responsibilities. In doing so, the President should, when and where possible, align the order's conception of the position with key elements of the NCD's authorizing statute, namely advising the President on cybersecurity and cyber defense, budget review and assessment, development and coordination of national cyber strategy, planning and preparation by the U.S. government for significant cyber campaigns, and serving as the principal public face of the U.S. government on cybersecurity issues.
- Cyber Defense and Security: Irrespective of the exact division of responsibilities between the NCD and the NSC, the Executive Order should reaffirm the NCD's primacy on matters related to cyber defense and security. This entails affirming the role's status as the principal advisor to the President on those matters and ensuring the NCD's participation in policy issues and actions that substantially deal with them.
- Dual-hat Arrangement: The Executive Order should formally codify the Federal CISO as dual-hatted to the Office of the National Cyber Director, marrying the particular strengths of the ONCD – visibility, personnel, expertise – with the institutional power, processes, and authorities available to the Federal CISO. Such an arrangement proved effective during former NCD Chris Inglis’s tenure in the position, strengthening both roles and preempting potential concerns over turf and encroachment.
- Instantiation into Existing Executive Process: Rather than wholly rewriting prior Presidential directives, the Executive Order should systematically incorporate the NCD into existing processes where it has a clear mandate. These include, but are not limited to, the Cyber Response Group outlined in Presidential Policy Directive 41, the Vulnerabilities Equities Process, the Federal Acquisition Security Council, and the Committee on Foreign Investment in the United States. Such an approach cements the NCD’s role as a central participant in cybersecurity decision-making while maintaining the established flow of executive governance.
- Budget Review and Assessment: The Executive Order should solidify the NCD’s authority to review, coordinate, and advise on federal cyber budgets, ensuring government-wide resource alignment with national cybersecurity objectives. This budgetary oversight would mirror the model granted to similar positions, such as the Director of National Intelligence, by enabling the NCD to inform funding priorities and deconflict spending across departments and agencies.
- Public Engagement and External Partnerships: The Executive Order should further highlight the NCD’s responsibility for engaging with key external stakeholders, including industry leaders, state and local governments, and international partners. By serving as the primary spokesperson for U.S. cybersecurity policy, the NCD can foster transparency, build trust, and promote collaborative solutions for shared threats.
National Cyber Community and National Cyber Mission
Although the National Cyber Director (NCD) was authorized to coordinate among federal departments and agencies and bring greater coherence to the national cybersecurity effort, neither its authorizing statute nor any subsequent Executive Order has defined a core group of agencies under a unified “national cyber mission.” This omission contrasts sharply with similarly structured Senate-confirmed positions—the United States Trade Representative, Office of National Drug Control Policy (ONDCP), and Office of the Director of National Intelligence (ODNI)—whose authority and scope of mission go hand in hand with a designated core group of departments and agencies. In the case of ODNI and ONDCP, this designation entailed the formation of a national-level program – National Drug Control Program or National Intelligence Program – which formed the basis of both positions’ authority for budget review, programmatic guidance, and issuance of national-level strategy. Lacking such definitions, both the NCD’s remit and a corresponding national cyber mission can be interpreted variably and inconsistently, which undermines the position’s authority, reduces accountability, and perpetuates confusion over roles and responsibilities among the many White House entities involved in cybersecurity.
A key challenge lies in determining a practical and concise scope for the national cyber mission itself. Cyber issues cut across virtually all agencies, whether as an enterprise-wide concern (most departments), a primary mission (Cybersecurity and Infrastructure Security Agency, National Security Agency Cybersecurity Directorate, U.S. Cyber Command), an ancillary but substantial element of the primary mission (Food and Drug Administration, Department of Energy), or an occasional but essential object of their authorities (Office of Foreign Assets Control sanctions, law enforcement investigations, etc.). If that scope is too narrow, the NCD will lack the authority to engage with all critical players; if too broad, the NCD's efforts will be diluted by competing interests and mismatched objectives more appropriately handled by existing bodies. As a result, the very cohesion the NCD was designed to provide remains elusive.
To address this gap, Congress should establish a National Cyber Community headed by the NCD and composed of those elements within departments and agencies that bear principal responsibility for securing cyberspace and its foundational technologies. Modeled on the Intelligence Community, this National Cyber Community would serve as the NCD's "core constituency," clarifying exactly which entities are the principal partners with which the NCD coordinates and implements policy, aligns programs and priorities, and streamlines procedures in pursuit of the defense and security of cyberspace. As in the Intelligence Community, the focus of community-level policy would be on procedural and programmatic issues, reserving higher-profile policy questions for the NSC-led policy process where they are best coordinated.
- Criteria and Designation: The legislation would direct the President, in coordination with the National Cyber Director and the head of the relevant Department or Agency, to designate as members of the National Cyber Community elements of departments and agencies that are headed by an official at the level of Assistant Secretary or higher (or equivalent) and whose mission is principally focused on the security and defense of cyberspace or its underlying technological ecosystem. This standard ensures a manageable community size while including entities that possess the programmatic clout and authority necessary to drive meaningful outcomes and allows for adaptability as authorities or missions evolve.
- National Cyber Mission: The legislation would formally establish the National Cyber Mission, composed of the specific programs managed by members of the National Cyber Community and serving as the foundation for the NCD’s budget review authority. This mirrors existing models, such as the Office of the Director of National Intelligence for the National Intelligence Program or the Office of National Drug Control Policy for the National Drug Control Program, ensuring the NCD can coordinate policy and resource allocation across its constituent agencies.
- Core Mission Distinction: The National Cyber Community construct draws an intentional line between elements of departments and agencies capable of systemic, national-level impact in the cyber mission—those with the authority, programmatic heft, and budget to influence the security and defense of cyberspace—and those whose focus or authority is more localized, sectoral, limited, or niche in scope (Federal cybersecurity, sector risk management, etc.). This framework recognizes that while some departments and agencies may play a crucial supporting role, their impact does not extend systemically. The Community should include as members key agencies that lead or coordinate efforts from among these groups, such as CISA and the Federal CIO/CISO, to ensure their priorities can be accounted for collectively while protecting the Community’s clarity of focus and cohesion in driving systemic improvements in cyber defense and security.
- Coordination and Conflict Resolution: Under this framework, the National Cyber Director would coordinate interagency efforts to preempt or resolve conflicting equities, preventing the emergence of fragmented initiatives. Regular engagements—both at the principal and working levels—would establish consensus around national cyber priorities, cross-agency policy and operational alignment, and joint programmatic initiatives.
National Cyber Priorities
A National Cyber Strategy can effectively set high-level priorities that shape medium- and long-term programs, yet there remains a critical gap in mechanisms to guide annual operational priorities within and across federal departments and agencies. While the budget process establishes overarching programmatic parameters, it seldom prescribes specific operational details or concrete plans. Executive orders and presidential memoranda offer powerful instruments for articulating national goals but are not consistently updated or applied on a yearly cycle. Meanwhile, the National Security Council (NSC) process—by default the coordination hub—has limited resources and must address a constant stream of urgent, high-profile national security issues. As a result, day-to-day operational priorities tend to be reactive, shaped by near-term political imperatives and prone to shifting without a sustained framework.
In the absence of a robust, routinely updated coordination mechanism, the federal government lacks a reliable means to synchronize the efforts of its departments and agencies. This challenge extends to aligning operational and programmatic endeavors not only across government entities but also between the public and private sectors. Each agency conceives of its cyber mission differently: some focus on the threat actor (DoD, FBI, the intelligence community), others on the assets requiring protection (DHS, CISA, the Department of Energy), and still others on the technologies most vulnerable to exploitation (CISA, NIST, among others). It is often only in the aftermath of a major incident—when the nature of the threat, the assets at stake, and the relevant technologies all converge—that the political will and mission clarity emerge to drive truly coordinated interagency and public-private collaboration. This reactive model underscores the pressing need for a more deliberate, consistent, and forward-looking approach to operational alignment in cyberspace.
To address the gap between strategic intent and operational alignment, the President should establish yearly National Cyber Priorities, defining a specific threat actor (or set of actors) alongside the most critical at-risk assets or technologies. These annual priorities would function much like the National Intelligence Priorities Framework, providing a formal, recurring process through which the government can coordinate and adjust its cyber efforts in a structured, forward-looking manner. By identifying in advance the intersection of threat, asset, and technology, the framework would recreate the urgency and clarity of a crisis response without waiting for an incident to trigger unified action.
- National Cyber Director Leadership: Consistent with the statute establishing the Office of the National Cyber Director, which authorizes the ONCD to “develop for the approval of the President…operational priorities, requirements, and plans,” the NCD is uniquely positioned to orchestrate and synchronize cybersecurity policy across the federal government. Under this model, the NCD would guide departments and agencies in adopting shared priorities, ensuring that operational planning is consistent with both White House directives and legislative mandates.
- Formation of Priorities: Modeled on the National Intelligence Priorities Framework process, the National Cyber Director would oversee a structured process in coordination with the National Security Advisor (or their delegate) and relevant federal departments and agencies. This process would establish the foundational framework, nominate key priorities, rank their significance, and culminate in the submission of recommendations to the President for final approval. While the full framework and its priorities would not be made public, select elements should be shared to foster alignment between public and private sector efforts.
- Foundational Framework: Yearly cyber priorities would serve only as a foundational framework of shared priorities, a baseline that enables coordination without constraining the NSC's or the President's prerogative to shift focus in response to evolving threats or strategic changes. The NSC could still pivot rapidly to emerging crises or geopolitical shifts as needed, while agencies would have a year-long roadmap of targeted priorities and a common language for discussing them, reducing ad hoc responses and improving overall coherence in cyber operations.
- Inform Interagency “Campaigns”: Priorities should serve as the basis for “campaigns,” marshaling departmental authorities to defend against and disrupt threat actors. By uniting legal, policy, and enforcement tools, these multi-agency efforts can deny adversaries the ability to exploit vulnerabilities in targeted technologies or infrastructure. Coordinated campaigns can also safeguard critical assets, ensuring that each department’s mission is nested within the broader national cyber strategy.
- Industry and Ally Alignment: These annual priorities would allow industry and allies to self-align with federal efforts. Clear, predictable signals on the threats and assets at the center of U.S. attention make it easier for private-sector stakeholders and international partners to adjust their own risk management, incident response, and collaboration activities. In turn, this alignment enhances the collective resilience of both national infrastructure and the global supply chain.
Joint Collaborative Environment
In 2022, CISA established the Joint Collaborative Environment (JCE) to serve as a government-wide information-sharing platform, enabling the exchange of cyber threat, risk, and vulnerability data among federal agencies and private-sector stakeholders. Conceived as a complement to the Joint Cyber Defense Collaborative (JCDC), the JCE was inspired by the Cyberspace Solarium Commission, which first recommended its creation in its March 2020 report. Both the Commission and CISA envisioned the JCE as a technical mechanism for more seamless data transfers and real-time analytic collaboration across departments and agencies and between the public and private sectors, vital steps toward detecting and identifying emerging threats, establishing a shared situational picture, and building a dynamic capacity for collective defense.
Despite significant funding allocations in FY 2022, 2023, and 2024 ($317 million, $320 million, $295 million, respectively), the JCE still faces substantial procedural and political challenges. The Cyberspace Solarium Commission’s original proposal divided the initiative into two critical elements: the JCE technical platform itself, and a White House-led “Cyber Threat Data Standards and Interoperability Council.” The Council would identify participating agency programs, address barriers to interoperability, and recommend budget adjustments to overcome technical hurdles to information sharing. Designed to ensure sustained interagency buy-in—especially critical given the historical reluctance of departments and agencies to share operational data—the Council was a necessary element to create the downward pressure needed to drive meaningful collaboration.
The success of any information-sharing or social platform like the JCE (also referred to in proposed legislation as the Cyber Threat Information Collaboration Environment) depends on network effects, where increased participation and data contributions heighten the platform's overall value. Achieving the necessary critical mass of users and data is difficult if CISA must rely solely on its own threat intelligence, derived from limited sensor arrays, incident response activities, and threat-hunting operations. Given the underwhelming performance of previous initiatives such as Automated Indicator Sharing (AIS), where participation and the volume of shared indicators declined over time, there are significant reasons to doubt whether CISA alone can provide the compelling value proposition necessary both to attract a broad user community and to overcome the parochial interests and procedural intransigence that have thus far characterized interagency cyber threat information sharing. Without a formal mechanism to encourage, or require, departmental involvement, CISA may continue to face an uphill struggle in building the critical mass of users and content that spurs the self-reinforcing collaboration needed for the program to succeed.
To address this gap, Congress should formally codify the Joint Collaborative Environment and the Cyber Threat Data Standards and Interoperability Council ("Council") into law. Modeled after the "Cyber Threat Information Collaboration Environment" provision included in a markup of the National Defense Authorization Act for Fiscal Year 2023, the law would direct the Council, chaired by the NCD and composed of the Secretary of Homeland Security, the Director of National Intelligence, and the Secretary of Defense (or their designated representatives), to establish data standards and interoperability requirements and to identify and designate the programs that shall participate in or be made interoperable with the JCE. This arrangement is intended to improve the chances of interagency buy-in, thereby "jumpstarting" the JCE's utility and ensuring the platform's long-term viability.
- National Security Agency Involvement: In certain iterations of the legislation, the National Security Agency played a central role, co-developing and managing the JCE in partnership with CISA. This was intended to bring to bear the NSA’s technical expertise and significant experience in managing sensitive, large-scale, data environments with sophisticated access controls.
- Phased Implementation: The JCE's first priority should be reducing barriers to sharing between departments and agencies that routinely collect or acquire cyber threat data, or data relevant to cyber threat analysis, followed only then by inclusion of the private sector.
- Data Governance: The Council should establish a committee composed of the privacy officers of its principal members, responsible for developing robust data governance structures and procedures that ensure the protection of sensitive data, compliance with federal statutes and regulations, and adherence to existing consent agreements with private-sector critical infrastructure entities.
Cybersecurity Regulatory Harmonization
The U.S. cybersecurity regulatory landscape is characterized by a federated approach in which, absent a national-level preemptive cyber law, each independent and executive branch regulatory agency, as well as each state and local government, is empowered to promulgate regulations within its own jurisdiction. The past five years have witnessed a surge in cybersecurity-focused regulations from authorities across all sectors and echelons. The result is an increasingly complex "patchwork" of compliance requirements, often with conflicting, overlapping, or duplicative mandates. Companies operating in heavily regulated sectors, or that are subject to multiple regulatory authorities, face a growing maze of rules, with significant costs and inefficiencies. For example, financial institutions must comply with requirements from multiple federal agencies and state regulators, and the energy sector faces a tangle of federal and state regulations. In response to the ONCD's 2024 Request for Information (RFI) on cybersecurity regulatory harmonization, companies emphasized that the fragmented regulatory approach often means diverting critical resources from security programs to compliance activities, resulting in a checklist-based approach to cybersecurity rather than tailored risk management programs.
A significant contributing factor is the lack of any mechanism with the authority and reach needed to coordinate and deconflict among the diverse array of regulatory authorities. The President is limited in the power to compel either independent regulatory agencies or state and local authorities to conform to a common standard. While the Office of Information and Regulatory Affairs (OIRA) plays a significant role in coordinating agency rulemaking ahead of publication in the Federal Register, it was neither designed for nor is well suited to developing and enforcing harmonized regulatory standards across agencies. Existing executive branch efforts, such as the Cybersecurity Forum for Independent and Executive Branch Regulators, while well intended, are voluntary, have varied widely in activity over time, and have lacked the sustained attention, momentum, and political force necessary to make significant headway. The result is a fragmented and inefficient regulatory environment in which agencies often act in isolation, producing a proliferation of overlapping and inconsistent requirements.
To rectify these issues, Congress should codify into law a Cybersecurity Regulatory Harmonization Council within the White House, chaired by the National Cyber Director (NCD), and composed of both executive branch and independent regulatory agencies. Modeled on the approach outlined in the Streamlining Federal Cybersecurity Regulations Act, the Council would have the primary goal of developing and implementing a cohesive, comprehensive, and streamlined approach to cybersecurity regulation. This includes the creation of a common lexicon of cyber regulatory terms, development of a single, unified framework for applying cybersecurity standards, and ensuring that regulations are risk-based, outcome-focused, and aligned with consensus standards like the NIST Cybersecurity Framework. This council must also have the power to review and harmonize existing regulations, as well as ensure that any new regulations are consistent with the broader national cybersecurity strategy and avoid duplication.
- Third-Party Service Providers: The Council should also address regulatory discrepancies that burden third-party service providers, such as cloud service providers. Although these firms are not always directly regulated, they often contend with a maze of overlapping and contradictory requirements imposed indirectly through the regulatory burden borne by their customers. By harmonizing and streamlining these rules, the Council can foster a more coherent and efficient environment that benefits both service providers and the regulated entities they support.
- Adaptable and Tiered Framework: The regulatory structure developed by the Council should be adaptable across agencies, considerate of sector-specific needs, and built around a tiered model that tailors compliance obligations to each entity’s risk profile. Such an approach ensures that cybersecurity requirements are proportionate to an organization’s operational context and scaled to its size, improving overall effectiveness without imposing undue burdens.
- State-level Regulation: While the Council is limited in the degree to which it can influence state-level regulation, it should develop its framework and harmonization efforts as a model that states can adopt over the long term. This approach will not immediately solve the problem of conflicting state-level regulations, but it should reduce the barriers to states conforming to the harmonized federal framework as new rules are developed and promulgated.
- Yearly Report: The Council should submit a yearly report to Congress detailing its activities, progress in harmonization efforts, and recommendations for legislative or regulatory changes. This report would provide transparency, ensure accountability, and allow for ongoing Congressional oversight of the Council's work.