• United States



Freelance Writer

State CIOs agenda targets cybersecurity

Jan 15, 20165 mins

NASCIO's federal policy agenda for new year looks to expand resources to secure critical infrastructure, recruit top talent and ease the burden of federal regulations.

Credit: Thinkstock

The association representing state CIOs has an ambitious policy agenda in the nation’s capital this year, when members and their advocates will be appealing to Congress for help in securing critical infrastructure and for relief from a thicket of federal regulations.

At the top of the list is cybersecurity, perhaps unsurprising given that members of the National Association of State CIOs (NASCIO) ranked that issue at the top of their own set of operational priorities late last year.

[ Related: State CIOs will focus on security and cloud in 2016 ]

“Cybersecurity has been a big priority for NASCIO for many years,” says Yejin Cooke, the trade group’s director of government affairs. “So naturally, our federal advocacy, reflecting those priorities, is again [focused on] cybersecurity.”

NASCIO is appealing for greater federal resources to protect critical systems and data repositories overseen by the states, but is pragmatic enough to appeal for targeted funding or incentive programs that could advance specific goals in the cybersecurity arena.

“It would be ideal if the federal government said, here’s a lot of money to go work on your cybersecurity,” Cooke says. “That’s not realistic. What we would hope that our federal partners understand is that our state resources when it comes to cybersecurity tend to be very low.”

How low? Cooke says that state CIOs typically only allocate about 2 percent of their IT budgets to cybersecurity, some of which is spent safeguarding federal programs that the states administer. Those funding constraints are compounded by a severe shortage of highly skilled security workers, she explains.

“We have a personnel/HR issue, a workforce issue in the cybersecurity field in the state-government level,” Cooke says. “It’s very, very hard to hire those cybersecurity positions within state government.”

So NASCIO is generally supportive of legislative proposals that would expand cybersecurity funding and widen the pipeline of skilled workers into state governments, which struggle to compete in the IT labor market both with the private sector and their federal counterparts.

The group is also appealing to the Department of Homeland Security to strengthen the cyber programs it oversees that extend to the state level to “support the enhancement of cybersecurity preparedness, protection, response and recovery in the states,” the group says in a fact sheet.

State CIOs struggle with federal regulations

NASCIO’s cybersecurity campaign comes with the caution against any federal mandates for prescriptive technologies that could dampen innovation or add to states’ compliance burden.

Already, Cooke argues, state CIOs are chafing under a tangle of federal regulations that are impeding some of the major tech initiatives they are trying to advance. In particular, the distinct mandates that come with the administration and oversight of different federal programs (food stamps, Medicaid, etc.) include disparate IT specifications that can greatly complicate the work of establishing a streamlined enterprise architecture.

“Our CIOs have to manage a lot of federal data, and they all have to be managed differently, even though the CIO is attempting … to establish an enterprise vision,” she says. “These federal regulations are standing in the way of consolidation and optimization, to put it simply.”

So NASCIO is asking for relief from federal regulations, generally (a tall order, Cooke admits), and in particular is trying to call attention to the challenge of sharing information, both within different state agencies and with outside entities like federal and local government groups, other states and the private sector.

Too often, Cooke says, federal programs administered by the states don’t afford CIOs or agency administrators the explicit flexibility to share information and collaborate across the siloes in which those programs reside. The result of those barriers not only impedes operational efficiencies, but can be a detriment to citizen services when clearly related data sets — say, those involving crime and education statistics — are kept apart.

NASCIO is calling on federal authorities to incorporate reasonable data-sharing provisions as they move ahead with new programs and regulations, and is urging support for the standards-based National Information Exchange Model.

“The current barriers to information sharing is that regulations do not contemplate that up-front, so it makes it harder for us later after we receive the funds … to be able to do cross-boundary collaboration. It makes it really difficult,” Cooke says. “Let’s think about how the feds can make that easier and more possible at the get-go.”

A major facet of NASCIO’s policy work is the broad effort to help lawmakers see the tech issues CIOs focus on amid a larger canvas of social benefit, to make the connections between the work that state tech teams do and the bigger public-policy goals envisioned by federal laws and regulations. That can pose a challenge when advocates like Cooke meet with members of Congress and policymakers who don’t typically focus on tech issues, and are often inclined to dismiss IT as “a backroom kind of thing.”

“These are not just state CIO issues, these are issues that affect all of us,” Cooke says. “I think we as a CIO organization feel some of these things more acutely, but it affects all of us.”