Auditors Call on OMB to Ensure Agencies Coordinate on State Cybersecurity Requirements

The Office of Management and Budget can relieve some of the burden states face in complying with laws to manage the protection of federal information they access by enforcing its own rule on the issue, according to the Government Accountability Office. 

Under the Federal Information Security Modernization Act of 2014, federal agencies sharing personally identifiable information and other sensitive data with states must oversee the cybersecurity of those states’ systems.

Following a request by a trio of Republican lawmakers, GAO examined the extent to which resulting instructions states must follow vary from agency to agency. The watchdog found that among the four agencies it examined—the Centers for Medicare and Medicaid Services, the FBI’s Criminal Justice Information Services, the Internal Revenue Service and the Social Security Administration— “the percentage of total requirements with conflicting parameters ranged from 49% to 79%.”

This takes a toll, according to state officials surveyed in the GAO report issued in late May.

“Addressing variances in cybersecurity requirements reduced the ability of state officials to focus on their primary mission of securing data across their state enterprise,” one state official said. Another official noted that the variation increased the complexity of automating the state’s monitoring and reporting processes.

The agencies argued that what they require of states will necessarily differ because the legal requirements the agencies are subject to differ.

None of the four agencies have established policies for coordinating with other federal agencies when assessing state agencies’ cybersecurity. Officials said this is because their priority is to assess compliance with their own security requirements.

“Each of the selected agencies noted that they determined the unique controls and competing parameters in their requirements were necessary and warranted,” GAO reported, noting the agencies cited “legitimate reasons” for variances such as how often plans should be updated or the number of consecutive login attempts that should trigger a user being locked out. 

However, GAO said there are still steps agencies can take to coordinate. 

The agencies largely agreed with this recommendation. Only the IRS stood by its disagreement, maintaining it should have sovereignty over its own requirements. 

GAO sympathized with the agencies. Its main recommendations were for OMB, which, in its own directive—OMB Circular A-130, Managing Information as a Strategic Resource—identifies requirements for federal agencies to coordinate when establishing cybersecurity requirements for nonfederal entities, such as state agencies.

GAO recommended the OMB director take steps to ensure the agencies reviewed coordinate, where feasible, on assessments of state agencies’ cybersecurity, noting that could include leveraging other agencies’ security assessments or conducting joint assessments.

“Without OMB’s involvement and encouragement that federal agencies collaborate to make their cybersecurity requirements for state agencies consistent to the greatest extent possible, federal agencies are less likely to prioritize such efforts,” GAO said. 

While OMB officials interviewed for the report acknowledged they could do more to encourage agency coordination, they said ultimately the decision was up to the individual agencies. 

OMB did not provide official comments in response to the GAO’s recommendations.