NASCIO pushes to harmonize federal regulations
Connecting state and local government leaders
Federal regulatory requirements "hamstring" states that are trying to consolidate IT operations, Oklahoma's CIO told a House panel.
The state of Oklahoma spends approximately 10,712 hours a year working to comply with federal regulations, and those compliance efforts create challenges for consolidating cross-agency IT operations, Oklahoma's CIO told a House panel.
“We had to devote time and resources working with our state agency customers to explain to them that the unified IT structure could and would meet the compliance expectations of their federal partners,” said Bo Reese, Oklahoma CIO and president of the National Association of State CIOs, in his written testimony for a July 18 hearing of the House Oversight and Government Reform Committee's Intergovernmental Affairs Subcommittee. “We continue to devote personnel time and resources to meet federal regulatory demands because our federal partners do not recognize our IT service model.”
Other states are bearing the burden of federal compliance as well, according to Reese’s testimony. Maine spent approximately 11,160 hours responding to six federal regulatory agency audits, and Kansas officials estimate that the state spends 14,580 hours every three years managing financial audits and compliance.
Besides the time states spend on duplicative compliance activities, some federal agencies have "prior notice" requirements, Reese said. For example, state agencies that want to move operations to the cloud need approval from a systems officer with the FBI’s Criminal Justice Information Services before they implement compensating controls for securing criminal justice data. And the IRS requires 45 days’ advance notice before states can use contractors for cloud solutions.
“These types of federal regulatory requirements hamstring the ability of state CIOs to deliver technology and IT solutions effectively and efficiently to state agency customers and ultimately to state citizens,” Reese said.
The data regulations promulgated by federal agencies vary, making it difficult to take a “holistic view of data security," he added. States have had some success implementing cybersecurity controls from the National Institute of Standards and Technology’s Cybersecurity Framework, but Reese said federal agencies are not imposing their own risk-based regulatory requirements on state agencies.
For example, the IRS, FBI and Social Security Administration have three different standards for many of the same aspects of security, including unsuccessful login attempts, he said.
In addition, even though federal program audits are only conducted every two or three years, state employees spend time and resources preparing for them, reconciling individual auditors' interpretations and responding to findings. Furthermore, audits are conducted for each program rather than at the state level, so a state may be subject to several audits of the same data.
To solve those problems, Reese offered four possible solutions on behalf of NASCIO:
- Form a working group or committee composed of federal regulators and state CIOs to identify regulatory disparities and harmonize regulatory requirements.
- Require federal regulators to communicate their audit priorities to the programmatic agencies and all affected stakeholders.
- Conduct federal regulatory audits once for multiple programs instead of conducting audits multiple times for each program or each use of federal data.
- Open compensating controls that are acceptable to federal regulators to a broader audience instead of just the affected agency.