GAO Backs States in Call for Agency Cybersecurity Reforms

A Government Accountability Office (GAO) review found that the differing cybersecurity requirements across federal agencies cost states additional time and money, which could detract from their security efforts.

States depend on federal records for a wide range of services. For example, the FBI provides state police with access to biometric information, property records and criminal background information. States must follow numerous cybersecurity requirements when using federal data, and these requirements currently vary by federal agency. For example, the number of log-in attempts allowed before a user is locked out differs between agencies.

GAO was asked to evaluate federal agencies’ cybersecurity requirements and related assessment programs for state agencies. The watchdog reviewed four federal agencies that shared data with states and had assessment programs: the Centers for Medicare and Medicaid Services (CMS), the Federal Bureau of Investigation (FBI), the Internal Revenue Service (IRS), and the Social Security Administration (SSA). The review compared, among other things, each agency’s cybersecurity requirements to federal guidance and to the other selected agencies’ requirements, and it reviewed the federal agencies’ policies for conducting assessments. In addition, GAO examined the Office of Management and Budget’s (OMB) efforts to foster coordination among federal agencies. To complete its review, GAO also surveyed chief information security officers (CISOs) in the 55 U.S. states, territories, and the District of Columbia, and received responses from 50 of them.

GAO found that although CMS, FBI, IRS, and SSA each established requirements to secure data that states receive, these requirements often had conflicting parameters. Among the four federal agencies, the percentage of total requirements with conflicting parameters ranged from 49 percent to 79 percent. 

Regarding variance with National Institute of Standards and Technology (NIST) guidance, GAO found that the extent to which the four agencies did not fully address guidance varied from 9 percent to 53 percent of total requirements. 

GAO’s May 27 report notes that the four agencies did not fully address guidelines from NIST in 141 instances. FBI’s Criminal Justice Information Services (CJIS) had the most variances, with 63 requirements that did not fully address NIST guidelines, followed by SSA with 30 variances, CMS with 26 variances, and IRS with 22 variances. For example, FBI’s CJIS requirements did not identify the time period for retaining individual training records, as called for by NIST guidance. In addition, SSA did not define how often agencies should assess the security controls in an information system and its environment of operation.

GAO said these shortcomings were due in part to the federal agencies’ insufficient coordination in establishing requirements. The agencies will soon have an opportunity to harmonize their requirements as they revisit and potentially update their existing security policies based on anticipated changes in NIST guidance.

Although the OMB Circular A-130 requires agencies to coordinate, the review found that OMB has not ensured that agencies have done so. State CISOs told GAO that the resulting impact from the lack of coordination is significant. For example, according to three state CISOs, the selected federal agencies have asked them to address similar questions regarding physical security controls, network configurations, and password policies in separate interviews. Three state CISOs also noted that they have provided to multiple federal agencies documentation (such as network diagrams and incident response policies) related to the same IT environment and have facilitated multiple federal assessments of the same physical environment.

The four federal agencies that GAO reviewed had either full or partial policies for coordinating assessments with states, but none of them had policies for coordinating assessments with each other. State chief information security officers that GAO surveyed reinforced the need to coordinate assessments by identifying impacts on state agencies’ costs, including multiple federal agencies requesting the same documentation. Federal agencies reported spending about $45 million for fiscal years 2016 through 2018 on assessments of state agencies’ cybersecurity.

GAO found that none of the four agencies established policies for coordinating with other federal agencies when assessing state agencies’ cybersecurity. Officials from the four selected agencies reported that this is because their priority is to assess compliance with their own security requirements and they are not comfortable relying solely on other federal agencies’ assessments.

FBI’s CJIS officials stated that they schedule their security assessments six months ahead of time, but would be willing to reschedule the assessment if the state was unavailable due to another assessment being conducted. In addition, CJIS officials noted that while they test for security controls that other federal agencies are testing, they are not assessing the same information as other agencies because the FBI specifically requires criminal justice data to be logically separated from other data. CJIS officials added that their assessment results and audit findings cannot be shared and that other federal agencies would need to refer to a state’s criminal justice agency for such information.

To address the issues uncovered in its review, GAO made twelve recommendations:

  1. The Director of OMB should ensure that CMS, FBI, IRS, and SSA are collaborating on their cybersecurity requirements pertaining to state agencies to the greatest extent possible and direct further coordination where needed. 
  2. The Director of OMB should take steps to ensure that CMS, FBI, IRS, and SSA coordinate, where feasible, on assessments of state agencies’ cybersecurity, which may include steps such as leveraging other agencies’ security assessments or conducting assessments jointly. 
  3. The Administrator of CMS should, in collaboration with OMB, solicit input from FBI, IRS, SSA, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible and document CMS’s rationale for maintaining any requirements variances. 
  4. The Administrator of CMS should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. 
  5. The FBI Director should, in collaboration with OMB, solicit input from CMS, IRS, SSA, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible. 
  6. The FBI Director should fully develop policies for coordinating with state agencies on the use of prior findings from relevant cybersecurity assessments conducted by other organizations. 
  7. The FBI Director should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. 
  8. The IRS Commissioner should, in collaboration with OMB, solicit input from CMS, FBI, SSA, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible. 
  9. The IRS Commissioner should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. 
  10. The Commissioner of SSA should, in collaboration with OMB, solicit input from CMS, FBI, IRS, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible and document the SSA’s rationale for maintaining any requirements variances. 
  11. The Commissioner of SSA should fully develop policies for coordinating with state agencies on the use of prior findings from relevant cybersecurity assessments conducted by other organizations. 
  12. The Commissioner of SSA should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. 

The Department of Health and Human Services agreed with GAO’s recommendations and stated that CMS intends to solicit input from the other federal agencies identified in the report and from state agency stakeholders when making updates to its MARS-E security policy and when updating its assessment guidance to states on how to maximize coordination with other federal entities. The department also noted that CMS had developed and implemented its suite of guidance and requirements, known as MARS-E, based on the Patient Protection and Affordable Care Act, FISMA, and NIST. Its view is that variances in security requirements are to be expected because of the flexibility that NIST allows in its guidance. The department stated that it collaborated with federal agencies, including FBI’s CJIS, in developing MARS-E and during subsequent updates of that security policy. However, GAO did not receive documentation from CMS as evidence of its collaboration with FBI’s CJIS on the development of MARS-E. GAO is also concerned that CMS did not collaborate with the other agencies included in the review after the development of the most recent version of MARS-E.

FBI’s CJIS agreed with the watchdog’s three recommendations to the agency. Among other things, the agency stated that it would, to the greatest extent possible, collaborate with OMB and solicit input from the other federal agencies subject to this review, as well as from state agency stakeholders, on revisions to its security policy. It also maintained that it had updated its security policy recently but did not provide evidence of doing so to GAO.

IRS agreed to participate in collaborative working sessions with OMB and interested stakeholders to discuss the impact of inconsistent standards and the extent to which the standards might be harmonized. The agency stated that it must follow Treasury Directives and internal standards for systems that process tax data and, as a result, its ability to harmonize requirements may be limited. 

IRS disagreed with GAO’s recommendation to revise its assessment policies to maximize coordination with other federal agencies to the greatest extent possible. IRS stated that it has sole statutory oversight authority and enforces requirements for agencies subject to Internal Revenue Code § 6103. Consequently, IRS cannot solely rely on an assessment conducted by another agency. GAO continues to believe the recommendation is warranted and argues that IRS could leverage and share relevant information and artifacts with other federal agencies while continuing to conduct its own required assessments and oversight.

State CISOs have been burdened with the complexities of agency variation and a lack of coordination for some time. In November 2017, the National Governors Association and the National Association of State Chief Information Officers wrote to the Office of Management and Budget to request that its Office of Information and Regulatory Affairs work with the two groups to harmonize federal cybersecurity regulations and standardize the federal audit process.

Complete alignment of assessment policies may not be feasible in light of the agencies’ unique statutory responsibilities and requirements. Agency coordination and simplification of certain assessment logistics may be possible, however, and could yield efficiency gains and improved security from the perspective of the federal government.

Read the full report at GAO

Kylie Bielby has more than 20 years' experience in reporting and editing a wide range of security topics, covering geopolitical and policy analysis to international and country-specific trends and events. Before joining GTSC's Homeland Security Today staff, she was an editor and contributor for Jane's, and a columnist and managing editor for security and counter-terror publications.