To simplify cybersecurity regulations, state groups ask federal government for help

In a desire to simplify IT consolidation efforts, state government associations are asking the Office of Management and Budget (OMB) to “harmonize” a disparate and sometimes conflicting collection of federal cybersecurity regulations.

In a letter from the National Association of State Chief Information Officers (NASCIO) and the National Governors Association (NGA) sent Monday, the groups ask OMB to make its Office of Information and Regulatory Affairs available to adjust existing regulations, which they say “hamper” state government. The groups are asking for continuity and consistency in regulations and perhaps a directive from OMB that federal agencies must first to look at existing requirements before creating new ones.

“We respectfully ask that your office engage appropriate federal agencies, including those that promulgate regulations and audit state government IT, and work with our representative organizations, [NGA and NASCIO], to find a solution that satisfies the security and privacy concerns of federal agencies while being cognizant of the cost-saving initiatives and cybersecurity workforce challenges within state government,” the letter reads.

In its letter, the groups highlight the burden faced by states by listing these regulations that states must consider when consolidating and optimizing state government computer systems:

• Internal Revenue Service (IRS) Publication 1075
• FBI Criminal Justice Information Services Security Policy (FBI-CJIS)
• Health Insurance Portability and Accountability Act (HIPAA)
• Office of Child Support Enforcement security requirements
• CMS Minimum Acceptable Risk Standards for Exchanges (MARS-E)
• Electronic Information Exchange Security Requirements and Procedures for State and Local
• Agencies Exchanging Electronic Information with the Social Security Administration (SSA)
• U.S. Department of Labor – State Quality Service Plan: Agency Assurances
• Substance Abuse and Mental Health Services Administration (42 CFR part 2)
• Family Educational Rights and Privacy Act (FERPA)
• Gramm Leach Bliley Act
• Child Internet Protection Act of 2000
• Child Online Privacy Protection Rule of 2000

At a Senate hearing in June, Oklahoma State CIO Bo Reese testified that he was able to help his state realize $286 million in savings through IT consolidation, but explained that to do so he spent an inordinate amount of time complying with federal cybersecurity regulations. Reese also noted the absence of a reliable single point of contact that states can consult with on such issues.

While success stories like Oklahoma’s, Nebraska’s and others highlight the potential of eliminating redundancy and modernizing old systems, as many as 80 percent of such projects go over budget or deadline, due in part to project complexity.

Last week, NASCIO voted to form a federal cybersecurity harmonization working group, and that group, said NASCIO’s Yejin Cooke, would do a lot of the work to eliminate the confusion around the regulations states must adhere to.

“We’ll be doing a lot of the brainstorming, a lot of the solution crafting,” Cooke said.

The groups hope their federal partners will engage, she said, but couldn’t speak to what their potential approach to this challenge might be.

“We hope — not OMB — but the regulating agencies like IRS, FBI-CJIS and Social Security, that they’ll provide feedback as we move forward on providing these solutions,” Cooke said.

Wading through the thousands of pages of legal code, she said, is expected to be a “very difficult task.”