"Voluminous," "disjointed" and "complex" were just a few of the words Oklahoma CIO James “Bo” Reese used to describe the federal cybersecurity regulations facing states in written testimony before a U.S. Senate committee June 21.
Reese, who also serves as the vice president of the National Association of State Chief Information Officers (NASCIO), discussed some of the issues states face when complying with federal cybersecurity regulation with members of the Senate Homeland Security and Government Affairs Committee Wednesday morning.
While industry and federal government experts were also present, Reese focused his testimony on the disjointed and time-consuming task of coordinating with various federal agencies charged with the oversight of state cybersecurity compliance.
In his testimony, the CIO voiced concerns about duplicative efforts that arise out of federal mandates — especially where the acceptance or administration of federal grant funds was concerned.
“Because state CIOs deliver enterprise IT services to state agencies that administer federal programs or receive federal funds or grants, state CIOs and the larger IT enterprise must also comply with and abide by federal data security regulations that are imposed on those state agencies,” he said in his written statement. “Thus, state CIOs find themselves operating in an increasingly complex regulatory environment driven by disjointed federal regulations.”
Reese said the federal audits and regulation mean states are often shoehorned into making compliance-based decisions rather than decisions based on a strategic need.
The need to comply with audit findings, which can vary widely depending on the federal agency conducting them, forces states to rush to mitigate for the short term instead of fixing a larger problem that might exist.
“We find the scenario kind of like a well-trained physician who’s gone to school for many years and practiced and wants to go heal people, and he finds himself in a practice where he is being told, ‘Just put a Band-Aid on it and move on. You don’t have time to treat the illness. You’ve got to just put a Band-Aid on it,’” he said. “Our cybersecurity folks feel like that is what they are being told, ‘Put a Band-Aid on it. Check the box. Move on.’”
When asked what could be done to harmonize and normalize the regulations imposed by the federal government, Reese and his industry and federal colleagues raised the lack of a cohesive structure or chain of communication as an issue.
“This approach is problematic for state government cybersecurity because it encourages state CIOs to make check-the-box compliance investments instead of ones based on risk, which is the more secure approach to managing sensitive data,” he said.
Though Oklahoma state government recently underwent a significant consolidation of its IT assets, Reese said the efficiencies created as a result are lost when the new structure is not recognized by federal partners, who carry on as if silos were still in place.
“Even though many federal regulations are similar in nature in that they aim to protect high-risk information, they are mostly duplicative and have minor differences, which can obscure the goal of IT consolidation,” he said. “The whole point of which is to streamline IT applications and simplify the enterprise IT environment to produce savings for taxpayers.”
With regard to how he believed federal regulation and oversight could be adjusted to improve the process of state-federal collaboration, Reese said reconciling the regulations among oversight agencies and communications channels would be ideal.