Governors, state CIOs push for streamlined federal cyber regulations
Federal cybersecurity regulations have become a challenge to state governments that are working to consolidate their IT operations.
As state governments continue to consolidate their IT operations to reduce costs, they are faced with disparate cybersecurity compliance requirements that impede their progress. These mandates -- and the accompanying audits -- for individual agency IT environments' compliance with federal standards strain states' limited staff resources and finances.
On Nov. 6, the National Governors Association and the National Association of State Chief Information Officers sent a letter to Office of Management and Budget Director Mick Mulvaney asking OMB's Office of Information and Regulatory Affairs to work with the two groups to harmonize federal cybersecurity regulations and standardize the federal audit process.
Tax information, Social Security numbers and health information are frequently shared between federal and state agencies as part of everyday operations, but the requirements related to access controls and record retention differ depending on the agency's standards. For example, to handle information from federal regulators, state departments of revenue must comply with standards set in IRS Publication 1075, which differs in minor but significant ways from the FBI's Criminal Justice Information Services policy.
NGA and NASCIO want the federal agencies to work with them to promulgate rules for state governments that address their cybersecurity concerns and reduce the burden for state officials.
NASCIO Vice President and Oklahoma CIO Bo Reese testified at a June 21 Senate Homeland Security and Governmental Affairs Committee hearing on the need for streamlined federal cybersecurity requirements. The “inconsistent federal audits” caused by the complex federal regulations lead state CIOs to make investment decisions “based on compliance and not risk,” he said.
“When federal data security audits are conducted and produce 'findings' of a critical nature, state CIOs must direct their attention and resources to remediating and addressing those 'findings' to satisfy federal auditors and avoid any potential negative impact to citizens,” Reese said. He added that officials must ensure "that we are delivering government services to citizens in the most efficient and cost-effective manner.”
Federal requirements have caused problems in Maine, where state officials had to spend 6,500 hours responding to audits from the IRS and Social Security Administration alone. Louisiana officials reported receiving different outcomes from five different IRS audits on a single IT environment.
NASCIO has convened meetings with OMB and congressional representatives to come up with solutions, but Yejin Cooke, NASCIO's director of government affairs, said she realizes it is going to be a “tall order” for state and federal parties to work together. On Nov. 7, the association began asking for volunteers to participate in a working group to develop solutions, and it plans to hold the group's first meeting in December.
“We want to work with federal agencies who are interested to get their feedback on promulgated rules that we will develop,” Cooke told GCN. Because state governments face workforce issues similar to those of federal agencies, she said, those officials understand “this is an unsustainable way to operate.”
The NGA sees the complexity of the regulatory environment creating “unnecessary red tape that can inhibit or delay consolidation efforts,” according to NGA spokesperson Elena Waskey. “Time spent on navigating and identifying duplicative regulatory mandates can get in the way of states saving money and time,” she said.
Editor's note: This article was changed Nov. 8 to clarify details about shared information and NGA's position.