Federal agencies should coordinate on state agencies’ cybersecurity assessments, including leveraging other agencies’ assessments or conducting joint reviews, the Government Accountability Office says.
States have long complained that exchanging data containing personally identifiable and other sensitive information with federal agencies is overly complex. Agencies have different cybersecurity requirements, and states spend excessive time and resources to comply with each agency’s assessment programs.
A new report from the Government Accountability Office confirmed those issues. It solicited feedback from all 50 state chief information security officers and examined practices at four agencies -- the Centers for Medicare and Medicaid Services, the FBI, the IRS and the Social Security Administration -- and concluded that federal agencies should better coordinate on state agencies’ cybersecurity assessments, including leveraging other agencies’ assessments or conducting joint reviews.
While the four agencies each coordinated with the states on various security controls, they did not coordinate with each other, GAO said. That meant states had to set up separate procedures for multiple federal agencies that requested the same documentation on network configurations, password policies, and incident response policies, for example.
Additionally, the four agencies did not fully address National Institute of Standards and Technology security guidance, GAO said. Some agencies had unique requirements, some security controls had conflicting parameters and some agencies did not address all the NIST controls.
The auditing agency laid the responsibility for agencies’ varying requirements with the Office of Management and Budget. OMB, it said, has not ensured agencies comply with Circular A-130, which requires coordination.
“The selected agencies’ insufficient coordination has contributed to variances in the agencies’ control selection, terminology, and technical parameters across hundreds of cybersecurity requirements imposed on states,” GAO said.
“[C]oordinating with both state and federal agencies when assessing state agencies’ cybersecurity may help to minimize additional cost and time impacts on state agencies, and reduce federal resources associated with implementing state-based cybersecurity assessments,” GAO said. “Until OMB takes steps to ensure federal agencies coordinate on assessments of state agencies’ cybersecurity, it will not have reasonable assurance federal agencies are leveraging compatible assessments to the greatest extent possible.”
GAO included 12 specific recommendations for the selected agencies and OMB to harmonize cybersecurity requirements and concluded by urging agencies to “identify opportunities where requirements can be streamlined or made more consistent while still achieving each agency’s desired security outcomes because doing so may reduce potential burdens on state agencies.”
The report’s recommendations affirm the National Association of State Chief Information Officers’ top advocacy priority of harmonizing disparate federal cybersecurity regulations, the organization said in a statement.
“The hours and effort required by states to respond to several audits from different agencies with different security controls is burdensome, costly and negatively impacts states,” NASCIO Executive Director Doug Robinson said. “We are hopeful that the federal agencies will heed the report’s recommendations and foster a much greater collaborative environment on these regulations.”