Each year, the National Association of State Chief Information Officers (NASCIO) releases a list of federal advocacy priorities. The list is short and reflects only the top concerns and requests of the nation’s state CIOs to Congress and federal agencies. Included among only four priorities this year is the pressing need for harmonization of disparate federal cybersecurity regulations.
States administer countless crucial federal programs and must comply with data security regulations of several federal agencies, including the IRS, the FBI and the Centers for Medicare & Medicaid Services. As a result, state governments must store and exchange data with federal agencies; in the process, they become subject to federal security regulations that govern the use and protection of this shared data.
As the amount of data collected by government agencies increases and the need to safeguard it becomes more complicated each year, the pressure that states are under to comply with federal regulations grows significantly. Additionally, as states strive to improve the digital experience and make more services available online, ever more citizens are utilizing state domains for tasks that previously would have been done in person.
How to Combat Duplicative and Conflicting Requests
At the same time, the COVID-19 pandemic has placed increased demands on state systems, applications and, most important, state workers. MissionSquare Research Institute reports that 36 percent of public sector employees have considered leaving government work because of the pandemic; given that, we must do everything we can to reduce stress on our workforce.
States have previously reported that responding to numerous federal audits with duplicative requests and conflicting requirements has taken hours of staff time. An already taxed state workforce cannot continue spending such a significant amount of time on something that can be improved.
Additionally, compliance with federal cybersecurity regulations is often duplicative and onerous, and has contributed to significant growth in financial costs for CIOs. While federal cybersecurity regulations may largely address the same controls and outcomes, they often differ in their specific requirements.
For example, almost everyone has entered an incorrect password a handful of times and been locked out of their computer workstation. The lockout duration a state must enforce depends on which federal agency is auditing it, and it varies widely from one agency to another: anywhere from 15 or 30 minutes to 60 minutes.
States are responsible for ensuring their own parallel security controls are in compliance across agencies, a seemingly contradictory and unending task. Further, when state data centers are audited for compliance, states receive inconsistent findings from federal auditors (despite reviewing the same IT environment), and these require costly corrections.
Making Collaborative Corrections While Navigating Compliance
The bottom line is that these regulations have real costs for states and the taxpayers they serve. Compliance with disparate regulations is an obstacle for states that are actively seeking savings for taxpayers through IT initiatives such as consolidation and optimization.
NASCIO is not alone in sounding the alarm on these duplicative and costly regulations. In May 2020, the Government Accountability Office issued a report titled “Selected Federal Agencies Need to Coordinate on Requirements and Assessments of States,” which found that between 49 and 79 percent of federal agency cybersecurity requirements had conflicting parameters. The GAO urged federal agencies to collaborate on cybersecurity requirements, but to date, there is little evidence this has occurred.
NASCIO calls for the following actions to eliminate costly and duplicative federal cybersecurity regulations:
- Congress and federal agencies should implement the recommendations of the GAO report and urge the Office of Management and Budget to coordinate collaboration among federal agencies on the development and implementation of cybersecurity regulations.
- Congress should empower OMB with requisite authorities to ensure OMB can mandate consultation among federal agencies before updating their cybersecurity regulations.
- Federal agencies should work with state CIOs and CISOs to streamline cybersecurity regulations.
Addressing duplicative regulations and inconsistent audit practices will not only save taxpayer funds but also improve our nation’s cybersecurity posture. State CIOs and CISOs remain committed to working with federal agencies and auditors to harmonize disparate interpretations of security regulations and to normalize the audit process.