Everything You Need to Know About Cybersecurity Regulations
Written by:
University of Tulsa
• Apr 27, 2026
Cybersecurity regulations are laws and policies that protect data, networks, and digital assets from threats. They help organizations safeguard these assets against potential cyber threats and bad actors. Different types of regulations govern data protection in various contexts.
Learn more about cybersecurity regulations in the U.S. and how aspiring cybersecurity professionals can rise to meet cybersecurity needs in every sector.
Why Cybersecurity Regulations Matter
Cybersecurity regulations establish guidelines for protecting personal and organizational data. Violating these regulations can lead to data breaches, lost information, significant fines, and legal action.
Cybersecurity regulation in the U.S. has become broader, more rapidly evolving, and more consequential. Cybersecurity regulations increasingly affect:
- Board and executive oversight
- Incident response and disclosure
- Vendor and contract management
- Data retention and transfer practices
- Sector-specific compliance programs
- Customer, regulator, and investor communications
For many organizations, the question is no longer whether cybersecurity is regulated, but which regulators, contracts, and state laws apply to their business model.
The Big Picture: No Single U.S. Cybersecurity Law
The U.S. doesn’t have a universal cybersecurity law that applies uniformly to every organization. Instead, most organizations face a layered framework made up of:
- Federal rules and executive actions
- Federal contracting mandates
- Sector-specific requirements
- State privacy and breach notification laws
- Regulatory guidance
- Enforcement expectations
That patchwork matters because a single cyber incident can trigger several obligations at once: internal escalation, state breach notification, regulatory notification, contractual notice, securities disclosure, and remediation documentation.
Historic Federal Cybersecurity Regulations
The U.S. doesn’t have one overarching cybersecurity law.
At the federal level, the Federal Trade Commission (FTC) plays a leading role in enforcing cybersecurity laws and regulations. The FTC often relies on the FTC Act to challenge unfair or deceptive data security practices, and it enforces parts of the Gramm-Leach-Bliley Act, which requires covered financial institutions to develop, implement, and maintain safeguards for customer information.
The U.S. Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) also help shape and support the broader cybersecurity regulatory framework.
ConnectWise’s “Cybersecurity Regulations and Laws” provides a broad overview of global cybersecurity measures by region: the U.S., the European Union, the United Kingdom, and the Association of Southeast Asian Nations (ASEAN) and Oceania.
Further information on the scope and potential impact of U.S. federal cybersecurity regulations follows in the next sections.
U.S. Federal Cybersecurity Regulations
Consider a snapshot of important U.S. federal cybersecurity regulations in recent years.
Executive Branch on Cybersecurity Policy
Executive orders (EOs) can drive U.S. cybersecurity regulation by directing federal agencies on how to use the authority they already have. They don’t replace statutes passed by Congress, but they can shape how cybersecurity policy is implemented across the federal government and in the private sector.
- EO on Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144 (June 6, 2025): This EO shifts away from federal consolidation of cybersecurity oversight and instead directs agencies to take responsibility for updating cybersecurity standards.
- Fact Sheet: President Donald J. Trump Reprioritizes Cybersecurity Efforts to Protect America: This guidance frames the June 6, 2025, order as a refocusing of federal cybersecurity policy toward foreign cyber threats, secure software practices, post-quantum cryptography, updated encryption standards, Internet of Things (IoT) trust designations, and limits on cyber sanctions.
- Fact Sheet: President Donald J. Trump Combats Cybercrime, Fraud, and Predatory Schemes Against American Citizens (March 6, 2026): This refers to an EO that directs a government-wide review of regulatory tools against transnational criminal organizations engaged in cyber-enabled crime and requires an action plan to identify and dismantle those networks while prioritizing prosecutions.
SEC Cybersecurity Disclosure Rules
For public companies, rules set forth by the U.S. Securities and Exchange Commission (SEC) remain central. The SEC’s rules require disclosures about cybersecurity risk management, strategy, governance, and material cybersecurity incidents.
- Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure: This has practical consequences beyond securities filings. Public companies need a process for:
  - Identifying potentially material incidents
  - Escalating information quickly
  - Documenting materiality decisions
  - Coordinating legal, security, communications, and executive teams
  - Connecting cyber governance to board-level oversight
HIPAA Security Rule Developments
Health care remains one of the most important regulated cybersecurity sectors in the U.S.
The U.S. Department of Health and Human Services (HHS) states that the Health Insurance Portability and Accountability Act (HIPAA) Security Rule establishes national standards for protecting electronic protected health information (ePHI) through administrative, physical, and technical safeguards.
The Summary of the HIPAA Security Rule explains that the security rule applies to:
- Health plans
- Health care clearinghouses
- Health care providers
- Business associates of covered entities
HHS says changes in the HIPAA Security Rule require regulated entities to protect ePHI and provide more specific direction on what they must do.
HHS also emphasized in 2025 guidance that risk analysis is foundational to Security Rule compliance. For health care organizations, that means that cybersecurity compliance isn’t just about having policies on paper. It requires a defensible, documented process for identifying risks and tying them to safeguards.
Justice Department Data Security Program
The U.S. Department of Justice (DOJ) Data Security Program is one of the most important recent federal developments. A full overview of the program and Executive Order 14117 is available, with hyperlinks to related federal regulations that address national security risks.
As explained in the Data Security Program: Frequently Asked Questions, this program matters because it reaches beyond traditional breach compliance. It affects how organizations handle covered data transactions involving sensitive data and U.S. government-related data.
CISA and Critical Infrastructure Expectations
The Cybersecurity and Infrastructure Security Agency (CISA) Cross-Sector Cybersecurity Performance Goals, Version 2.0, provides an updated set of measurable actions for critical infrastructure organizations. This federal cybersecurity guidance is intended to provide best practices to help information technology and operational technology organizations meet three critical needs:
- Identify cyber attack risk reduction best practices
- Prioritize and implement practices to reduce risk
- Communicate practice value to senior leadership
The most current Cybersecurity Performance Goals 2.0 (CPG 2.0) is increasingly important as a practical benchmark for what sound cyber hygiene looks like.
Best practices to protect critical infrastructure against damaging cyber intrusions start with basic security protections:
- Multi-factor authentication (MFA)
- Strong password management
- Routine backups
For operational technology environments, CISA has also issued guidance focused on secure connectivity and resilience. That makes CISA materials especially relevant for infrastructure, industrial, and public-sector organizations that need to align operations with federal expectations.
Cybersecurity Maturity Model Certification and Defense Contractors
For defense contractors, 2025 was a major compliance year. The U.S. Department of Defense (DoD) Defense Federal Acquisition Regulation Supplement (DFARS) rule on assessing contractor implementation of cybersecurity requirements was published September 10, 2025. According to the department’s Cybersecurity Maturity Model Certification (CMMC) materials, the rule took effect on November 10, 2025, beginning a phased rollout across defense contracts.
State Laws Are a Major Part of Cybersecurity Compliance
State law is one of the fastest-moving parts of the cybersecurity landscape. White & Case’s state privacy law analyses note that eight state privacy laws took effect in 2025. Rulemaking activity also accelerated, and businesses continued facing new obligations around privacy, data security, breach notifications, incident response, and enforcement.
State-level compliance pressure isn’t just about consumer privacy rights. It also increasingly includes:
- Cybersecurity audit expectations
- Risk assessment requirements
- Breach notification changes
- Vendor and service-provider obligations
- Data retention and deletion requirements
- Enforcement activity by state regulators and attorneys general
What Organizations Should Do Now About Cybersecurity
Based on current cybersecurity regulations, here’s a checklist of actions that U.S.-based organizations should take to improve their security and resilience against cyber attacks.
Build a Regulatory Map
Start by identifying which rules actually apply to your organization. A good compliance map should account for:
- Public company obligations
- Health care obligations
- Defense contract obligations
- State privacy and breach laws
- Regulatory guidance
- Customer and vendor contract terms
- Cross-border data risks
Strengthen Governance
Cybersecurity compliance increasingly depends on governance, not just on tooling. Organizations should be able to show:
- Who owns cyber risk
- How incidents are escalated
- How decisions are documented
- How security and legal functions coordinate
Treat Risk Analysis as Core Compliance Work
Risk analysis is central in regulated environments, especially health care. However, it’s also a practical necessity more broadly, as it supports defensible control decisions, budget prioritization, and incident response planning.
Revisit Vendor Risk Management
Third-party risk is now a recurring regulatory theme. Review whether vendor programs address access controls, MFA, encryption, due diligence, audit rights, incident notification timing, and data use restrictions.
Prepare for Multitrack Incident Response
A cyber incident may create overlapping obligations. Incident response plans shouldn’t stop at containment and recovery. They should also include legal triage, state breach notification analysis, contractual notice analysis, investor disclosure analysis (where relevant), regulatory communications, and evidence retention.
Common Cybersecurity Mistakes to Avoid
As cybersecurity risks become increasingly complex, it’s important to understand common mistakes and how to avoid them.
- Treating cybersecurity as only an information technology issue: In many settings, cybersecurity is now also a governance, disclosure, and procurement issue.
- Ignoring state developments: Federal monitoring alone isn’t enough. State privacy laws, breach notification changes, and rulemaking activity continued to evolve in 2025 and 2026.
- Assuming guidance doesn’t matter: Guidance may not always be a stand-alone regulation, but it often shows how regulators interpret existing duties and what they expect to see in examinations, investigations, and enforcement.
Final Takeaway
The most important concept to know about cybersecurity regulations is that compliance is no longer a single checklist. In the U.S., it’s an evolving combination of federal rules, state laws, industry-specific mandates, contractual obligations, and regulatory expectations.
Organizations must translate those obligations into repeatable processes for governance, risk analysis, vendor oversight, incident response, and documentation.