A report published Wednesday by the General Accountability Office, the investigative and auditing arm of Congress, calls on federal agencies to align the cybersecurity standards they impose on states using federal data. State chief information officers have long argued that the disparate requirements that different agencies, like the FBI or Social Security Administration, impose on states makes compliance burdensome.
“Harmonization” of these rules has been one of the top federal priorities sought by the National Association of State Chief Information Officers for the past several years. According to NASCIO, some states have reported spending tens of thousands of hours annually responding to federal audits, a process dragged out by varying guidelines for procedures as mundane as how many unsuccessful login attempts a user is allowed to have before being locked out of a network.
The report, which congressional leaders requested in 2018, makes 12 recommendations that the federal government should adopt to streamline its cybersecurity rules, which often clash with each other. Across the four agencies reviewed — the FBI, Social Security Administration, Internal Revenue Service and Centers for Medicare & Medicaid Services — the GAO found that between 49% and 79% of regulations were in conflict with the corresponding rules at one of the other selected agencies. Social Security was the worst offender by percentage, with 48 of its 61 relevant regulations out of sync with the others’.
States rely on federal records to deliver a huge spectrum of services. The FBI’s Criminal Justice Information Services, for instance, gives state police agencies access to biometric information, property records and criminal histories, while CMS data determines how states administer their Medicaid programs for low-income residents. But state IT officials have long complained that the rules on how those data sets are accessed and used are incongruous and confusing — a conclusion that the GAO report confirms.
GAO auditors compiled the report through a survey that garnered responses from all 50 states’ chief information security officers. A majority of CISOs said the four reviewed agencies’ rules vary enough to be a distraction from protecting state networks. Thirty-four of 50 CISOs said the agencies had “moderate to very great variation” with respect to their requirements. And 29 CISOs said the agencies also vary widely in instructing states how to comply with the federal cybersecurity controls prescribed by National Institute of Standards and Technology.
The clashing regulations sometimes cause CISOs to spend more time thinking about federal regulations than protecting the state networks they’re charged to defend.
“For example, in responding to a survey question about challenges or impacts that state officials experienced regarding federal requirements and assessment processes, an official from one state agency explained that addressing variances in cybersecurity requirements reduced the ability of state officials to focus on their primary mission of securing data across their state enterprise,” the report reads.
The first two recommendations instruct the the White House Office of Management and Budget, currently led by Acting Director Russell Vought to take the lead in getting the reviewed agencies to align their regulations, particularly when pertaining to how states comply.
“The Director of OMB should ensure that CMS, FBI, IRS, and SSA are collaborating on their cybersecurity requirements pertaining to state agencies to the greatest extent possible and direct further coordination where needed,” the top recommendation reads.
The remaining 10 recommendations give similar instructions to the individual agencies’ leaders that they collaborate on cybersecurity regulations pertaining to state agencies “to the greatest extent possible.”
NASCIO welcomed the report, saying in a press release that the GAO review affirms the group’s federal priorities.
“The hours and effort required by states to respond to several audits from different agencies with different security controls is burdensome, costly and negatively impacts states,” NASCIO Executive Director Doug Robinson said in the release. “We are hopeful that the federal agencies will heed the report’s recommendations and foster a much greater collaborative environment on these regulations.”