How the federal government can improve security and save taxpayer dollars today

Tax reform is the policy issue du jour. It’s also October which, in the IT world, means National Cybersecurity Awareness month. The timing is more than appropriate to discuss one way that the federal government can help save taxpayer dollars while also achieving a more secure approach to cybersecurity.

In June 2017, NASCIO president and Oklahoma Chief Information Officer (CIO) Bo Reese testified before the Senate Homeland Security and Governmental Affairs Committee on the $283 million worth of savings he’s been able to bring to the state through IT consolidation. At its heart, IT consolidation is a strategy to reduce the “number of kinds” and bring Costco-like savings to state government via technology. Does every state agency need its own time-keeping system or could we use one solution across the state government enterprise and save taxpayer money? State CIOs would overwhelmingly answer ‘yes’ to this question; not just in the context of time-keeping systems but also in regard to data centers, security and more. So, what’s keeping state CIOs from bringing these Costco-like savings to state taxpayers? One answer you’ll hear consistently from state CIOs across the board is “federal cybersecurity regulations.”

Federal agencies share data with state government because the delivery of government services happens at the state level. That’s why John Doe doesn’t have to come to Washington, D.C. to apply for the Supplemental Nutrition Assistance Program (SNAP); the U.S. Department of Agriculture works with states to administer SNAP. This isn’t just true of SNAP. State governments partner with the federal government on everything from the administration of Medicaid to ensuring that child support payments are made. This also means that for every piece of data that’s shared by the feds to the states, there are rules as to how this data should be secured which is simple in theory but extremely complex in practice.

{mosads}Why so complex? Because every federal entity that shares data with states issues its own set of security rules. When the Internal Revenue Service (IRS) shares federal tax information (FTI) with state revenue agencies, states must comply with IRS Publication 1075, a 180-page manual that governs the security practices for handling FTI. As previously mentioned, states administer Medicaid and the Centers for Medicare and Medicaid Services has stated that in doing so, states must comply with CMS-Minimum Acceptable Risk Standards for Exchanges. Child support? Must comply with Health and Human Service’s (HHS) security and privacy program which, to their credit, mostly maps back to IRS Publication 1075’s requirements. Exchanging criminal justice information? The state must comply with the Federal Bureau of Investigation’s (FBI) Criminal Justice Information Security (CJIS) policy. Using social security numbers? Must comply with the Social Security Administration’s (SSA) appropriately titled “Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information with the Social Security Administration.” And even this list isn’t exhaustive.

You can see, then, how the plethora of federal regulations can quickly hamper the efforts of state CIOs who are trying to configure security policies and processes that can meet the requirements of state agencies, while simultaneously seeking efficiencies through a more enterprise-wide standard configuration. If the sheer number of regulations isn’t compelling, consider this example: the IRS requires session lock out after three failed attempts and 15 minutes of inactivity. FBI-CJIS requires the same at five failed attempts and 10 minutes of inactivity. Is there a policy justification for this difference? It’s these kinds of conflicting controls (multiply that by the number of regulating agencies) that confound state CIOs and state chief information security officers (CISO). Add to this the audit event and things get even more complicated.

State data centers are audited by each federal regulating agency and often produce inconsistent results. Further, what is accepted as a compensating control tends to differ by auditor. This incentivizes investments in cybersecurity that are driven by compliance and not risk which is a less secure approach and can be costlier for state government. The state of Oklahoma reported having to prematurely retire software because federal auditors deemed it a critical “finding” even though the state had purchased extended maintenance to offset the risk. Louisiana reports receiving five different audit outcomes even though federal auditors were examining the same IT environment. The state of Maine reports spending 4,000 hours responding to an IRS audit and over 2,500 hours on an SSA audit which calculated out is, respectively, one year and eleven months and one year and two and a half months of one person working eight hours a day, every day, responding to audits.

It’s widely accepted that there’s a lack of qualified cybersecurity personnel working in government. It’s also widely accepted that cybersecurity programs, policies, and investments should be informed and prioritized based on levels of risk and not by the complexity of compliance. Again, this is not to say that state CIOs and CISOs don’t appreciate the role of compliance, of course we do. But we would ask that our federal partners engage with NASCIO and help us chart a more efficient and consistent path forward that makes effective use of cybersecurity personnel and accommodates technological transitions within the state government enterprise. We hope to achieve better security and better use of taxpayer dollars. We look forward to this collaboration.

Yejin is the director of government affairs at the National Association of State Chief Information Officers (NASCIO), a nonprofit association with a mission to foster government excellence through quality business practices, information management and technology policy.