Blogs

The Weekly WHAT has been on hiatus during political silly season, but that does not mean there’s not action in the world of federal and state cybersecurity--or other tech issues. Here’s what you have been missing:

Key Takeaway:
NASCIO Files Comments on the NIST Framework
On October 10, NASCIO filed comments with the National Institute for Standards and Technology (NIST) regarding states' experiences with the NIST Framework for Improving Critical Infrastructure Cybersecurity. The comments were in response to a request for information (RFI) in which NIST asked about the use of its framework and companion Roadmap. NIST hopes to use this data as it prepares to update the framework over time.

NASCIO utilized its findings in the 2014 Deloitte-NASCIO Cybersecurity Study, State governments at risk: Time to move forward to provide a picture of how the framework is being utilized in the states. Our results showed that 47 percent of CISOs plan to leverage the framework within the next six months to a year, and an additional 38.8 percent responded that they are currently reviewing the framework. Only two percent of state CISOs responded that they had no plan to leverage the NIST cybersecurity framework. NASCIO also focused on the fact that "NASCIO has not seen any evidence of an effort by federal regulatory agencies to utilize the framework to harmonize these regulations or provide other consistency across the patchwork of cybersecurity regulations that federal activities impose upon state governments."  

Read NASCIO's comments at www.nascio.org/advocacy/current.  The state of Virginia also provided comments, available here.

Other Buzz
Executive Order bolsters fiscal transaction security, safeguard personal data
On October 17, President Obama signed an executive order (EO) that will upgrade federal credit cards and payment terminals, as well as take other steps to bolster both public and private sector security against credit card fraud and identity crimes. 

Perhaps of most interest to states will be the EO’s request for a plan from the National Security Council, the Office of Science and Technology Policy, of the Office of Management and Budget to “ensure that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and effective identity proofing process, as appropriate.” Depending on the scope, this could mean substantial changes to security protocols for agencies that receive federal funding to collect citizen data and provide services. The plan is due within 90 days and its implementation is ordered within 18 months. 

The main thrust of the EO is that federal government credit cards will transition to “chip and PIN” technology, and retail payment card terminals for consumer sales will be upgraded to accept this better security.  This does not appear to include grantees such as states. The Executive Order is available here, and a fact sheet is available here.

Gubernatorial Elections May Bring Churn To State IT
These may be mid-term elections for the feds, but with 39 State and Territorial gubernatorial elections on tap, some states can expect shifts in state IT leadership. In an anti-incumbent year, approximately half the seats are considered competitive races.  In addition, there are ten “open seats” without an incumbent running for re-election when (including the US Virgin Islands and the District of Columbia); while many of these may not switch parties, the new Governor may bring in new leadership.

FirstNet Comments Due Monday, October 27
A friendly reminder that the FirstNet Authority, responsible for creating a Nationwide Public Safety Broadband Network, is requesting comments from the public on key issues that could drastically effect how states work with the authority, and how the network looks in its final form.  FirstNet is requesting public comment on their interpretations of FirstNet’s enabling legislation, The Middle Class Tax Relief and Job Creation Act of 2012, and issued an RFI and draft Statement of Objectives (SOO) that FirstNet hopes will guide them in deciding on how best to build their nationwide network.

The request for public comments, available here, asks key questions such as who will use the network, what the definition of rural might look like (important as FirstNet must meet certain requirements of build-out in rural areas), and user fees.