How the CSF can reduce state compliance burdens
Supporting efforts that bring greater rationalization to the cybersecurity regulatory environment.
Earlier this week, the National Governors Association held its annual winter meeting in Washington, DC. Technology innovation and cybersecurity continue to be key priorities for our nation’s governors.
However, as state governments are seeking to improve efficiencies by modernizing and consolidating their IT systems and services, they are encountering significant challenges and costs in complying with a broad range of federal cybersecurity regulations.
Last year, Oklahoma Chief Information Officer Bo Reese, who serves as Vice President of the National Association of State Chief Information Officers (NASCIO), testified before the Senate Homeland Security and Governmental Affairs Committee, stating that “the efficiencies and financial savings achieved by streamlining or consolidating the state’s IT environment are obfuscated by complex, disjointed, federal data security regulations that were issued in a de-centralized and ‘siloed’ fashion.”
NASCIO has listed harmonization of disparate federal cybersecurity regulations and normalization of the audit process as its top federal advocacy priority.
Clearly, federal agencies have a responsibility to protect the personal data of citizens and to defend federal information systems against disruption or compromise. However, the costs of adhering to disparate federal regulatory requirements are forcing state governments, critical infrastructure industries, and other organizations to prioritize limited IT budget resources on compliance rather than on improving services, maximizing efficiency, and enhancing security.
At CA Technologies, we recognize the tremendous value IT modernization can bring to state governments and other organizations. We also know that strong cybersecurity is a critical component of any state IT modernization initiative. Therefore, we support efforts that bring greater rationalization to the cybersecurity regulatory environment in ways that enable flexibility while also promoting robust security.
The Framework for Improving Critical Infrastructure Cybersecurity, or Cybersecurity Framework (CSF) as it’s commonly known, was developed under a partnership between industry and government in response to an Executive Order by former President Obama. The CSF provides a flexible, cost-effective, risk-based approach to establishing or improving organizational cybersecurity.
A multitude of companies and organizations, including CA, have adopted the CSF as the central foundation for their cybersecurity programs. The federal government is continuing to promote organizational adoption of the CSF. However, what had been lacking until recently was federal agency adoption of the CSF.
President Trump signed an Executive Order last May, which requires federal agencies to adopt the CSF. Adopting the CSF will allow agencies to implement risk management measures in a flexible, prioritized fashion.
CA believes that federal cybersecurity requirements, which flow down to state government partners, should also be aligned with the CSF. Alignment with the CSF would drive an outcomes-focused approach to protecting citizen data and federal and state information systems without unnecessarily specifying distinct compliance requirements that may conflict with one another.
Federal regulatory alignment with the CSF would provide consistency for states, allowing them to control compliance costs. It would also support the Trump Administration’s mandate for federal agencies to reduce regulations and control regulatory costs. And it would drive stronger cybersecurity outcomes because each state could prioritize its actions according to the unique risks and threats it faces.
At CA, we recognize the tremendous responsibilities that State CIOs face in maintaining IT systems, providing online services, and protecting citizen data. We also know that compliance with disparate federal regulations places much larger strains on state IT budgets than it should. Federal and state cybersecurity alignment around the CSF can improve efficiencies, reduce regulatory costs and drive stronger cybersecurity outcomes.