NASCIO Urges Congress To Cut Red Tape on Cybersecurity

“When states receive federal funds, they are required to certify that certain security measures are in place; this is mandated by the Federal Information Security Management Act. CIOs and CISOs [chief information security officers] must also comply with a variety of federal regulations, typically promulgated in a silo-ed fashion.” Funding remains a challenge to state cybersecurity efforts, Raymond said. Most states spend 1 to 2 percent of their IT budget on cybersecurity, compared with 14 to 16 percent earmarked by the federal government, Raymond said in a prepared statement. The small budget hurts the ability of states to hire and retain skilled personnel, he said. In a separate statement, New York State Police Lt. Col. Daniel Cooney backed streamlined information sharing between state and federal governments, and clear guidelines on who should be called when a local government or private entity suffers a cyberattack. Chairman Dan Donovan of the Emergency Preparedness, Response and Communication Subcommittee said he didn’t understand why many states lag on cybersecurity. “I’m left scratching my head when I see for the fourth year in a row, the National Preparedness Report, released by FEMA, indicates that states continue to report cybersecurity as the lowest core capability,” the New York Republican said in prepared remarks. He acknowledged the need to improve information sharing. “I have heard that while sharing cyber information is becoming more prevalent, there is still confusion on who states should talk to when an incident occurs and the sharing of cyber related information with the emergency management and first responder communities is ad hoc at best.”