Last November, state technology offices asked the White House Office of Management and Budget to “harmonize” confusing and inconsistent federal regulations that, state leaders argued, waste agency resources. On Wednesday, Oklahoma Chief Information Officer James “Bo” Reese revisited the topic before a U.S. House subcommittee, saying some progress has been made.
“But in typical state government fashion, it’s slow going,” Reese told the House Oversight Intergovernmental Affairs Subcommittee. “We’re seeking support to continue those actions.”
In his prepared testimony, Reese pointed to the expansive list of federal regulations state agencies must adhere to — including from the FBI, Internal Revenue Service and Social Security Administration — that pull resources away from other operations, including cybersecurity. The situation compromises state governments’ efficiency and their ability to meet their primary goals, he said.
“Federal data security regulations and accompanying audits have not kept pace with changing state government IT business models and are increasingly hindering the ability of state CIOs to streamline processes and deliver savings to state taxpayers,” Reese said.
Also testifying was Oliver Sherouse, a policy analyst for the Mercatus Center, a libertarian think tank at George Mason University. Sherouse described his group’s technology designed to help legislators better understand and address the vast breadth of federal regulations faced by state government, businesses, healthcare institutions, banks and other organizations.
“Today there are more than 103 million words in the code of federal regulations, including 1.08 million individual regulatory restrictions,” he said. “That means if you were to read the code as your full-time job, it would take you three years, 111 days and a bit past lunchtime the next day. By the time you finished, you would need to immediately start figuring out what had changed since you started, and that’s no easy task since the code increases by more than 1.4 million words every year.”
Reese, who’s also the president of the National Association of State Chief Information Officers, cited his state’s and others’ struggles in regulatory compliance: Oklahoma, he said, spends 10,712 hours each year on compliance; Maine spent 11,160 hours responding to six federal regulatory audits; Kansas estimated it spends 14,580 managing federal audits and compliance every three years; and Colorado estimated 2,760 hours annually.
“We’d rather be spending our time and efforts updating legacy systems and trying to enhance our security posture rather than trying to meet some of these — in many cases outdated — regulatory compliances,” Reese told the panel.
Consolidated state IT environments are particularly affected, Reese said, because auditors will often return, unnecessarily, several times to audit the same systems in a single year. Included in Reese’s written testimony was an example provided by Kentucky CISO David Carter.
“We are audited across four agencies for the IRS and three for the SSA,” Carter wrote. “This is single source data from a common federal repository. Where one compliance review would suffice, I have to respond to seven. Adding these to the other requirements within our environment, we respond to 23 to 26 audits annually diverting resources, time, and investment from matters that provide meaningful risk reduction across our infrastructure as a whole.”
Worse, Reese continued, the repeated audits are conducted by third parties with different understandings and interpretations of both the systems they are auditing and the regulations they are enforcing. Data provided to NASCIO showed that five Louisiana state agencies were assessed by five separate IRS assessors all auditing the same exact statewide information security policy, yet those assessments yielded five wildly varying scores.
In another example, Reese showed how federal agencies can require states to meet varying requirements for the same issue, such how to manage invalid login attempts to a state system. One IRS publication requires “a limit of 3 consecutive invalid login attempts by a user during a 120 min period, and automatically lock account for at least 15 mins.” But the FBI’s Criminal Justice Information Services Division requires a “limit of no more than 5 consecutive invalid attempts, otherwise locking system for 10 mins.,” while the Social Security Administration “recommends” systems limit user attempts at “no fewer than three (3) and no greater than five (5).”
Rep. Jamie Raskin, D-Md., pointed out that this is “not a big deal” because states can simply combine the regulations themselves to ensure they are meeting the most strict requirements across all of them.
“On the other hand, why should it be so difficult for the federal government on that to come up with one governing principle?” Raskin said.
Raskin also painted the discussion in broader political terms, defining himself as a firm defender of federal regulations, and criticizing his GOP colleagues and the Trump administration for making deregulation “a mindless political fetish” that he called “risky and dangerous.”
Reese suggested Congress form a working group or committee to identify and harmonize these disparities in regulations. He also asked that federal regulators be required to “communicate their audit priorities and results not just to the programmatic agencies but also to all affected stakeholders, including state CIOs.”
The subcommittee’s chairman, Rep. Gary Palmer, R-Ala., said that the narrative “that us on the Republican side of the aisle are just trying to get rid of regulations is political nonsense. What we want are sensible regulations.”
Raskin and Palmer agreed, however, that Reese’s requests were specific enough that they didn’t apply to any broader attack against federal regulation.
Robert Weissman, president of the consumer-advocacy group Public Citizen, said that Reese’s complaints show a specific need related to government-led cybersecurity efforts.
“In the cyber area, the big problem is that there is no overarching legal framework, and though the executive could come up with one, Congress has actually failed on this,” Weissman said. “We do have a crying need … for overarching cyber protection.”
Palmer cited his previous experience working with state government and said he’s seen firsthand how these regulations can waste resources and confuse everyone involved. He admitted that while regulations have made the country healthier and safer, he also pointed out that sometimes businesses, government agencies, and even the regulators themselves have difficulty understanding exactly what is being required.
“[The regulators] are trying to do a good job,” Palmer said, “but they’re as frustrated as everybody else.”