Why Oklahoma’s CIO is going to bat for states on federal IT regulations

Commentary: Bo Reese, chief information officer for the state of Oklahoma and president of the National Association of State Chief Information Officers, says states need regulations, but not like these.

On July 18, I was invited to testify before the House Oversight, Intergovernmental Affairs Subcommittee to discuss the impact of federal regulations on state government IT. I spoke about the $372 million in savings and cost avoidance achieved by Oklahoma’s IT unification efforts and how federal regulations were often a barrier to the IT unification/consolidation process.

IT unification/consolidation is a priority for many state CIOs because, as was the case in Oklahoma, it leads to cost savings and a more secure cybersecurity posture. These two reasons drive and justify the effort to consolidate state IT and NASCIO’s data show that IT consolidation has been a priority for state CIOs for over a decade. (IT consolidation/optimization has ranked in the top three CIO priorities since the launch of NASCIO’s Top Ten survey in 2006.)

It is no surprise that IT consolidation ranks so high among state CIOs. As the IT provider to state executive branch agencies, state CIOs act as business leaders that must make efficient and effective use of taxpayer dollars. State CIOs understand the mission of the state agencies they serve and ultimately aim to deliver an effective digital experience to state citizens that interact with government. IT consolidation helps state CIOs achieve these goals and while it may be difficult, it’s not impossible.

IT consolidation is challenging for a multitude of reasons but one thing that comes up universally and repeatedly is the hurdle that federal regulations impose on that effort. This is the topic I spoke about at the House Oversight hearing and it’s appropriate that it was held in the Intergovernmental Affairs Subcommittee because of the unique relationship between state governments and the federal government. States administer federal programs and in so doing, exchange data. Federal regulations govern the use of that data and these regulations are typically specific to a program or federal agency. States, then, must comply with these silo-ed federal rules even though our enterprise IT environment is moving in the opposite direction.


There were four other witnesses at the hearing and each spoke to federal regulations, some about the burden on their particular industry and others about the need for regulations. What stood out was that my testimony focused on the regulatory burden but also acknowledged the need for regulations. This shouldn’t be surprising, though, because while I must comply with federal rules, I also act as a regulator within the state for state agencies. As I mentioned in my testimony, the problem isn’t that there are regulations; we just think there’s a better, more efficient way to handle the diverse requirements and their accompanying audits.

Identifying requirements from a complex and duplicative swath of federal regulations is time-consuming and does not tend to be the best use of scarce state resources. There were several states that calculated their time commitment to responding to federal regulatory audits and reported the following: Oklahoma spends 10,712 hours per year; Maine spent 11,160 hours in responding to six different federal agency audits; Kansas spent 14,580 hours for a three-year period; Colorado spends 2,760 hours per year. For reference, a forty-hour work week for fifty-two weeks (i.e. one year) equates to 2,080 hours.

It’s important to note that I was not advocating for a wholesale elimination of regulations and audits. But, state CIOs have reported that they are prioritizing regulatory compliance over their key mission of creating and driving an IT strategy for state government. This and the hours detailed above indicate a distortion of state CIO priorities driven by federal regulations.

We believe there is a better, more efficient way to ensure data security while also enabling state CIOs to move forward with state IT agendas that, ultimately, better serve citizens. To that end, I’ve testified before House and Senate committees regarding potential solutions, NASCIO created a working group that has mapped IRS Publication 1075 requirements against FBI-CJIS regulations, and we know there is a GAO report in the works on this issue. These efforts have been a good starting point for dialogue with our federal partners. We look forward to continuing the conversation and collaboratively developing a meaningful solution that works for both the federal and state governments.
