NASCIO Security Community,
Last spring President Obama and CIO Vivek Kundra made an announcement that they were going to actively search for ways to reform the federal government to ease the administrative and regulatory burdens on state and local government. Leaders from the administration repeated this pledge at the NASCIO Mid Year Conference.
Feeling strongly that IT security regulations are unduly complex, I sent the federal CIO and his representatives a message after the NASCIO meeting, a copy of which can be seen below. These individuals have responded and would like to hear what essentially boils down to a more specific and detailed understanding of the problem that states now face.
I am posting this message to my colleagues to let all of you see what I proposed. But more importantly, I would like to hear your thoughts about this request and whether you feel that it is an area that deserves the attention of our professional organization.
********* Start of Message*************
Dear Mr. Glickman and Ms. Wiggins,
First off, I would like to thank both of you and Mr. Kundra for taking the time yesterday to discuss federal reform opportunities. When I first read President Obama's call for reform, I immediately told my colleagues in the Minnesota security community that we needed to seize this opportunity to simplify the current maze of federal information security requirements that is both difficult to understand and costly to navigate. What was very inspiring to me yesterday was the fact that you not only seemed to feel our pain, but you genuinely wanted to help.
Brief Overview of the Problem
Today state governments are besieged by numerous federal agency-specific information security requirements, such as Treasury Circular 1075 and the new CJIS Security Guide, just to name a few. It is very difficult to keep abreast of the changes to all of these documents. Furthermore, because there is no common terminology or organizational framework, state security leaders must go through a painstakingly difficult process of trying to figure out what is the lowest common denominator among all of the various regulatory publications. States also spend an inordinate amount of time dealing with federal information technology audits, which are also done agency by agency. To illustrate, we recently had teams on site from both the IRS and SSA. Because much of the underlying technology on our side was the same, we literally had two different federal audit teams assessing controls over the very same environment in the span of one month. In their defense, though, they each were conducting their engagements in accordance with their own set of rules.
Proposed End State
I believe that the federal government needs to reconcile and simplify its security requirements into one common document, or set of artifacts, that is shared by all federal agencies. Clearly, it will not be possible to create a one-size-fits-all standard. However, it certainly should be possible to publish a series of security baseline standards for information systems that have certain characteristics. It could be as simple as publishing three standards: high security systems, medium security systems, and systems with minimal security needs. When this is done, agencies should be prohibited from adopting information security standards unless they are incorporated in the centrally managed repository. On the audit side, I think that we need to work towards a model like the one that is currently in place for financial audits, articulated in the Single Audit Act. Under this model, states must undergo one audit that is structured to meet the needs of all federal agencies.
Moving towards my proposed end state will be mutually beneficial for both states and the federal government. But beyond the simple efficiency gains, it also will put all levels of government in a better position to harness the benefits of cloud computing, virtualization, and other underpinning technologies that are geared to support multiple services. In Minnesota – and for that matter in other states too – the economic situation now makes it cost prohibitive to build entire technology solutions one by one on distinct infrastructure. Recognizing that the technology path is already taking us to a place where IRS, SSA, and other types of data will be housed in the same virtual place, we clearly need strong leadership from you to put in place a corresponding security architecture that aligns with the new realities of information technology.
Finally, if you choose to run with this idea, I certainly would be willing to throw my hat in the ring to help and I know that I could garner the support of my colleagues in Minnesota and around the country as well. Projects like this are fraught with red tape and there will be lots of people with parochial interests who will advocate for business as usual. But with that said, I hope that the two of you keep up the spirit and continue to focus on what is right, because collectively we CAN do it.
Please pass on my thanks to Mr. Kundra as well.
---------------------------------------------------------------------------------
Christopher P. Buse
Chief Information Security Officer
State of Minnesota
658 Cedar Street, Suite 300
St. Paul, MN 55155
651-201-1200 (W)
651-334-7146 (M)
Chris.Buse@State.MN.US
---------------------------------------------------------------------------------
***********End of Message***********