Unifying Federal Cybersecurity Requirements For States
State governments face a challenge when working with federal agencies because of the Federal Information Security Modernization Act of 2014, which requires agencies that share data containing personally identifiable information with states to oversee how those states secure it. While this is certainly a burden for the agencies, things are more complicated for the states, which must answer to several federal agencies, each enforcing its own cybersecurity requirements.
A state that satisfies a requirement from one agency may find itself in conflict with a requirement from another. Where requirements overlap, states have to fulfill the same request for information several times over, once for each agency they receive data from, so that every one of them can confirm the state is in compliance.
The Government Accountability Office has surveyed several federal agencies and is now issuing guidance it believes can ease the compliance burden on states. Its main recommendation is that the Office of Management and Budget and the federal agencies involved find common ground on their requirements to relieve some of the pressure on states. GAO does not believe the agencies will do this on their own without OMB involvement, so it is hoping this guidance will push things along.
OMB has issued directives in the past stating that federal agencies should coordinate when establishing cybersecurity requirements, but it is clear that more coordination is needed. GAO has also recommended that OMB direct agencies to use joint assessments of states where possible, or to rely on an assessment that another agency has already performed rather than repeating it.
The federal agencies themselves point to the difficulty of coordinating because each is subject to different legal requirements. GAO looked specifically at the IRS, the Social Security Administration, the FBI's Criminal Justice Information Services division, and the Centers for Medicare and Medicaid Services. When GAO compared the agencies' requirements against one another, the share of requirements with conflicting parameters ran as high as 79 percent. This obviously creates a serious challenge for states trying to comply with all of them.
Three of the four agencies agreed that there was room to collaborate further, with only the IRS dissenting. What is clear is that states are dealing with rigorous and differing cybersecurity requirements, which leads to a great deal of work and sometimes duplicative responses. Hopefully this guidance from GAO will be a step in the right direction toward easing that burden.