Reducing Burdensome Cyber Regulations

Mick Mulvaney
Director
Office of Management and Budget (OMB)
725 17th Street, NW,
Washington, DC 20503

Dear Director Mulvaney,

On behalf of the Nation’s governors and state chief information officers, we write to ask that the Office of Management and Budget’s Office of Information and Regulatory Affairs (OIRA) engage with us to harmonize disparate federal cybersecurity regulations and normalize the federal audit process.

Federal cybersecurity regulations can hamper state CIO initiatives like IT consolidation which has shown to produce million in savings for state governments and our taxpayers. Additionally, state governments must utilize scarce cybersecurity professionals with the business of federal compliance instead of investing that same time in security actions that would enhance the cybersecurity posture of the state.

On June 21, the Senate Homeland Security and Governmental Affairs Committee (HSGAC) held a hearing, “Cybersecurity Regulation Harmonization” during which NASCIO vice president and Oklahoma CIO, James “Bo” Reese, spoke about the benefits of IT consolidation and the $286 million in savings reaped for the state through this effort. State CIOs across the country are similarly involved in state IT consolidation/optimization efforts. State CIOs aim to operate the state government IT environment as a unified, single entity or “enterprise.”  In doing so, they must comply with a wide range of federal cybersecurity regulations that are imposed on individual state agencies. State IT consolidation efforts are hampered by the disjointed nature with which federal cybersecurity regulations were promulgated.

For example, the state government IT environment must reflect compliance with:

• Internal Revenue Service (IRS) Publication 1075
• FBI Criminal Justice Information Services Security Policy (FBI-CJIS)
• Health Insurance Portability and Accountability Act (HIPAA)
• Office of Child Support Enforcement security requirements3
• CMS Minimum Acceptable Risk Standards for Exchanges (MARS-E)
• Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information with the Social Security Administration (SSA)
• U.S. Department of Labor – State Quality Service Plan: Agency Assurances
• Substance Abuse and Mental Health Services Administration (42 CFR part 2)
• Family Educational Rights and Privacy Act (FERPA)
• Gramm Leach Bliley Act
• Child Internet Protection Act of 2000
• Child Online Privacy Protection Rule of 2000

As stewards of citizen data, we understand and appreciate the need to secure sensitive information. However, the plethora of federal regulations can and have impeded state efforts to produce cost savings for taxpayers and diverts the attention of scarce state government cybersecurity professionals to compliance activities rather than implementing forward-leaning security policies.

We respectfully ask that your office engage appropriate federal agencies, including those that promulgate regulations and audit state government IT, and work with our representative organizations, the National Governors Association (NGA) and the National Association of State Chief Information Officers (NASCIO), to find a solution that satisfies the security and privacy concerns of federal agencies while being cognizant of the cost-saving initiatives and cybersecurity workforce challenges within state government.

We would appreciate your attention, direction, and cooperation in this matter to optimize taxpayer resources while safely securing citizen information.

If you have any questions, please reach out to NGA Legislative Director Mary Catherine Ott (mcott@NGA.org) or NASCIO Director of Government Affairs Yejin Cooke (ycooke@NASCIO.org) for more information.

Sincerely,