State chief information officers could advocate for a host of changes from their federal brethren to make their lives easier.
But instead, they just have four federal advocacy priorities.
Alex Whitaker, the director of government affairs for the National Association of State Chief Information Officers, said state CIOs are hoping to see change across a small but important number of areas:
Ensuring responsible implementation of the state and local cybersecurity grant program;
Expanding and strengthening the statewide cyber workforce;
Harmonizing disparate federal cybersecurity regulations; and
Continued adoption of the .gov domain.
“We really always only have four. I know that a lot of organizations have a long list of priorities, but we keep it to four,” Whitaker said on Ask the CIO. “That’s not to say we don’t do other things. But these are the ones that we think are really the most important, and sort of protects us so I can sometimes say ‘no, we don’t have the bandwidth to get involved with something.’”
Whitaker said strengthening the statewide cyber workforce is a new priority. It replaces one from last year, broadband mapping, an area where NASCIO said states made a lot of progress over the past year, and there is a big push across all public sector organizations to address cyber workforce challenges.
Each of the priorities includes recommendations for how federal agencies can help remove obstacles or solve the challenge.
“We had several of our board members come to town earlier this year and we had some meetings on Capitol Hill and talked about this. We also met with Chris DeRusha, the federal chief information security officer, to talk about all the priorities,” he said. “We also last year did a virtual fly in. One of the good things about the pandemic is we no longer have to do in-person fly ins for 55 plus members, which, as a government affairs advocate, I greatly appreciate that. It’s virtual now, but that’s a great meeting in which we actually had CISA come in and talk about .gov adoption. So we have those conversations all the time with really anyone who will listen both on the Hill and other federal agencies.”
Too many cyber regulations
The two priorities that the Cybersecurity and Infrastructure Security Agency and other agencies can help with are harmonizing federal cyber regulations and the adoption of the .gov domain.
Whitaker said states hold a lot of citizen data and there are certain conditions they have to meet to protect that data when getting federal funding, so having different requirements from every agency makes it more difficult for states.
“The issue that comes to a head, though, is that a lot of these regulations are duplicative. They’re very difficult for states to comply with. So what we’re asking is that, when it’s possible, that regulations are harmonized so states don’t have to submit three or four different sets of data or go through all these redundant security protocols in order to comply with the federal government,” he said. “It just gets to making the government work a little better, a little bit more efficiently and use the taxpayers’ money better.”
One of the big challenges with the disparate cyber regulations is the need to educate the lawmakers, their staff and others about the cost and time it takes to comply with them.
Whitaker said it’s understandable why agencies feel like they need to have specific requirements, but harmonizing and reducing duplication will mean a streamlined and less burdensome set of efforts across all states.
NASCIO made three recommendations for how to bring cyber regulations closer together. Among them: the Office of Management and Budget should coordinate more closely with agencies as they develop and implement cyber regulations, and Congress should give OMB the authorities needed to mandate that agencies consult on the requirements.
Whitaker said CISA took an important step recently when it removed the fee for obtaining a .gov address. But there still are some costs associated with the transition. CISA took over management of the .gov domain in 2021 from the General Services Administration.
“I think it’s an education issue. I think sometimes it can be states or localities saying, ‘we don’t need the government telling us what to do here.’ We’re sensitive to those concerns as well when you’re mandating things that can be tough. There are a few issues, but this is one area where I really have appreciated CISA’s collaboration,” he said. “I believe they’ve gotten some increased funding so they can hire some more people. I think that’ll help.”
NASCIO made four recommendations to help with the adoption of the .gov domain, including CISA establishing a stakeholder advisory group with state CIOs and CISOs to help with the education challenges and to highlight the operational benefits of the .gov domain. Additionally, CISA could provide opt-in cybersecurity shared services to create a more compelling case for local governments to migrate to the .gov domain.