Washington Can Help States Face Cybersecurity Threats by Harmonizing Regulations

May 15, 2019

by Dan Lips

The National Governors Association is meeting in Louisiana this week for its biannual cybersecurity summit. An important topic of consideration is how Washington can help state governments by harmonizing regulations. Doing so would let states focus their attention on confronting worsening cybersecurity threats, rather than answering federal auditors.

“On any given day, the guardians of Arkansas’s systems block thousands of attempted attacks from all over the world,” warned Arkansas Governor Asa Hutchinson, one of the summit’s co-chairs. “The bad guys never rest.”

Facing this persistent threat, the public would likely hope that federal and state governments are working side-by-side to stop and deter adversaries. But too often state cybersecurity officials are dedicating scarce resources to complying with differing federal regulations to administer government programs.

Oklahoma Chief Information Officer James “Bo” Reese described the challenge in testimony before the House Oversight Committee last year:

“Many state CIOs and Chief Information Security Officers (CISO) invest an inordinate amount of time identifying duplicative federal regulatory mandates, identifying differences, participating in federal audits, reconciling diverse interpretations of federal regulations, and responding to inconsistent audit findings.”

Mr. Reese elaborated on the compliance burden by referencing other state CIOs’ experiences. The Maine state government spent 11,160 hours to comply with regulations from six federal agencies. Louisiana’s CIO reported that five state agencies “were assessed by five separate IRS assessors all auditing the exact same statewide Information Security Policy,” and the IRS reached differing findings for each agency.

He also highlighted examples from other state CIOs about the burden of complying with federal agency regulations, which in some cases provide differing guidance. For example, the IRS, FBI, and Social Security Administration “have three different standards for many aspects of security including the rule that governs successful login attempts.”

Mr. Reese also serves as the President of the National Association of Chief Information Officers (NACIO). The Association’s top federal advocacy priority for 2019 is to “harmonize disparate federal cybersecurity regulations and normalize the audit process.”

The importance of regulatory harmonization could also be one of the key takeaways from this week’s NGA cybersecurity summit. In 2017, the Minnesota and Missouri Governors and Chief Information Officers sent a letter to OMB Director Mick Mulvaney raising the issue:

“We respectfully ask that your office engage appropriate federal agencies, including those that promulgate regulations and audit state government IT, and work with our representative organizations…to find a solution that satisfies the security and privacy concerns of federal agencies while being cognizant of the cost-saving initiatives and cybersecurity workforce challenges within state government.”

The White House has been increasing its focus on cybersecurity, including by issuing the recent executive order on America’s cybersecurity workforce, which recognized that the nation had too few cybersecurity experts to confront growing threats.

We cannot afford to waste scarce resources on unnecessary bureaucratic compliance. Regulatory harmonization should be next on the White House’s list.