A group of state IT officials said during an online event Wednesday that while White House directives on cybersecurity don’t explicitly apply to their governments, they try to fit some of those orders to the agencies they lead, especially if they contain good security practices.
“You get these executive orders but they don’t come with any road rules for how to implement them at the state level,” New York State Chief Information Officer Angelo “Tony” Riddick said during a virtual panel hosted by the Advanced Technology Academic Research Center, a government IT think tank.
Riddick and other speakers, who represented the states of Florida, Michigan and Texas, had been asked how they’ve interpreted recent orders, such as President Joe Biden’s May 12 executive order, a 34-page document aimed at upgrading cybersecurity standards and practices across federal agencies and contractors.
While Biden’s order is only binding at the federal level, Riddick and others said that its requirements — logging network events, implementing multi-factor authentication and making it easier for agencies to share threat information — have benefits for states, after the lawyers weigh in.
“I have the benefit of my general counsel to take a look at this guidance,” Riddick said. “Generally we parallel federal government with regards to regulations, policies and rules.”
The same line of thought applies for the Binding Operational Directives issued by the Cybersecurity and Infrastructure Security Agency, said Andy Brush, who leads cybersecurity partnerships for the Michigan Department of Technology, Management and Budget. Last week, for instance, CISA gave federal agencies 60 days to patch more than 300 vulnerabilities in products from major vendors including Microsoft, Cisco, Google and IBM, all of which have extensive state and local government businesses.
“We share [the directives] and talk about them in the state, that they are really good ideas,” Brush said. “There’s no mandate to it, no teeth to it. But if CISA is spending its time researching this and telling us to do it, it’s probably worth it.”
Still, Brush conceded that at the state level, White House orders and CISA directives are merely suggestions.
“We can’t tell you you have to do this, but a lot of guys are,” he said, adding that he tries to connect resource-strapped local governments with the Michigan National Guard or the state’s Civilian Cyber Corps for assistance.
Federal directives are also arriving at a faster clip, said Jayson Cavendish, Michigan’s deputy chief security officer.
“[National Institutes of Standards and Technology] and CISA have been very active. It just keeps coming,” he said. “The reality is, it’s great stuff. That general guidance is going to have a lot of good recommendations.”