Cybersecurity: Selected Federal Agencies Need to Coordinate on Requirements and Assessments of States

GAO-20-123 Published: May 27, 2020. Publicly Released: May 27, 2020.
Fast Facts

States must follow numerous cybersecurity requirements when using federal data. These requirements may vary by federal agency.

State information security officials we surveyed told us, among other things, that the differing requirements cost states additional time and money, and could ultimately detract from security efforts.

Among the 4 federal agencies we examined, 49% to 79% of security requirement parameters—the number of log-on attempts allowed before lockout, for example—were in conflict.

We made 12 recommendations, including that the Office of Management and Budget improve coordination of cybersecurity requirements among federal agencies.

Highlights

What GAO Found

Although the Centers for Medicare and Medicaid Services (CMS), Federal Bureau of Investigation (FBI), Internal Revenue Service (IRS), and Social Security Administration (SSA) each established requirements to secure data that states receive, these requirements often had conflicting parameters. Such parameters involve agencies defining specific values like the number of consecutive unsuccessful logon attempts prior to locking out the user. Among the four federal agencies, the percentage of total requirements with conflicting parameters ranged from 49 percent to 79 percent. Regarding variance with National Institute of Standards and Technology guidance, GAO found that the extent to which the four agencies did not fully address guidance varied from 9 percent to 53 percent of total requirements. The variances were due in part to the federal agencies' insufficient coordination in establishing requirements. Although the Office of Management and Budget's (OMB) Circular A-130 requires agencies to coordinate, OMB has not ensured that agencies have done so. Further, while federal agencies' variance among requirements may be justified in some cases because of particular agency mission needs, the resulting impact on states is significant, according to state chief information security officers (see figure).

Figure: Extent of Impacts Identified by State Chief Information Security Officers as a Result of Variances in Selected Federal Agencies' Cybersecurity Requirements

Note: Not all respondents answered all survey questions. The figure is based on 46 responses.

The four federal agencies that GAO reviewed either fully or partially had policies for coordinating assessments with states, but none of them had policies for coordinating assessments with each other. State chief information security officers that GAO surveyed reinforced the need to coordinate assessments by identifying impacts on state agencies' costs, including multiple federal agencies that requested the same documentation. Coordinating with state and federal agencies when assessing state agencies' cybersecurity may help to minimize states' cost and time impacts and reduce associated federal costs. Federal agencies reported spending about $45 million for fiscal years 2016 through 2018 on assessments of state agencies' cybersecurity.

Why GAO Did This Study

To protect data that are shared with state government agencies, federal agencies have established cybersecurity requirements and related compliance assessment programs. Specifically, they have numerous cybersecurity requirements for states to follow when accessing, storing, and transmitting federal data.

GAO was asked to evaluate federal agencies' cybersecurity requirements and related assessment programs for state agencies. The objectives were to determine the extent to which (1) selected federal agencies' cybersecurity requirements for state agencies varied with each other and federal guidance, and (2) federal agencies had policies for coordinating their assessments of state agencies' cybersecurity.

GAO reviewed four federal agencies that shared data with states and had assessment programs: CMS, FBI, IRS, and SSA. GAO compared, among other things, each agency's cybersecurity requirements to federal guidance and to other selected agencies' requirements; and reviewed federal agencies' policies for conducting assessments. In addition, GAO examined OMB's efforts to foster coordination among federal agencies. GAO also surveyed and received responses from chief information security officers in 50 out of 55 U.S. states, territories, and the District of Columbia to obtain their perspectives.


Recommendations

GAO is making 12 recommendations to the four selected agencies and to OMB. Three agencies agreed with the recommendations and one agency (IRS) partially agreed or disagreed with them. OMB did not provide comments. GAO continues to believe all recommendations are warranted.

Recommendations for Executive Action

Each entry below lists the agency affected, the recommendation, and its status as of GAO's most recent update.

Office of Management and Budget (priority recommendation)
Recommendation 1: The Director of OMB should ensure that CMS, FBI, IRS, and SSA are collaborating on their cybersecurity requirements pertaining to state agencies to the greatest extent possible and direct further coordination where needed.
Status: Open
While OMB did not agree or disagree with GAO's recommendation, it has taken steps to partially address it. As of March 2022, OMB stated that it had continued to review the recommendation with the Federal Chief Information Officer Council, the Federal Chief Information Security Officer Council, and the National Association of State Chief Information Officers, but had no new information to provide. To fully address this recommendation, OMB needs to determine and implement an approach that encourages federal agencies to collaborate, or direct agencies to further coordinate. Without OMB's involvement and encouragement of collaboration to make federal agencies' cybersecurity requirements for state agencies consistent to the greatest extent possible, federal agencies are less likely to prioritize such efforts, which could lead to greater fragmentation of cybersecurity policies for states.

Office of Management and Budget (priority recommendation)
Recommendation 2: The Director of OMB should take steps to ensure that CMS, FBI, IRS, and SSA coordinate, where feasible, on assessments of state agencies' cybersecurity, which may include steps such as leveraging other agencies' security assessments or conducting assessments jointly.
Status: Open
While OMB did not agree or disagree with GAO's recommendation, it has taken steps to partially address it. As of March 2022, OMB stated that it had continued to review the recommendation with the councils, but had no new information to provide. To fully address this recommendation, OMB needs to determine and implement an approach that encourages agencies to coordinate on assessments of state agencies' cybersecurity where feasible. Until OMB does so, it will not have reasonable assurance that federal agencies are leveraging compatible assessments where practicable, which could lead to fragmented assessments across federal agencies.

Centers for Medicare & Medicaid Services
Recommendation 3: The Administrator of CMS should, in collaboration with OMB, solicit input from FBI, IRS, SSA, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible, and document CMS's rationale for maintaining any requirements variances.
Status: Open
CMS agreed with and has taken steps to partially address this recommendation. As of December 2021, CMS noted that it had been participating in the FBI's Criminal Justice Information Services Division Modernization Task Force, which includes representatives from the FBI and the Internal Revenue Service, to discuss the impact of inconsistent cybersecurity standards. CMS also noted that the agencies generally agreed to align their cybersecurity requirements for states with the National Institute of Standards and Technology's Special Publication 800-53, Revision 5. These are positive steps that could lead to less variance among the federal agencies' cybersecurity requirements for states. However, the discussions are in the early stages and it is too soon to assess the impact of these efforts. To fully address this recommendation, CMS needs to complete its efforts to coordinate with the other federal agencies and decide what revisions to make to its cybersecurity requirements for state agencies. We will continue to monitor the agency's progress in implementing this recommendation.

Centers for Medicare & Medicaid Services (priority recommendation)
Recommendation 4: The Administrator of CMS should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable.
Status: Open
CMS agreed with and has taken steps to partially address this recommendation. As of February 2022, CMS noted that it would accept the results of a recent, independent, third-party assessment conducted for another federal agency. CMS also noted that it would work to revise its assessment policies to maximize coordination with other federal agencies to the greatest extent possible, but had not yet set a time frame for doing so. To fully address this recommendation, CMS needs to determine what changes it can make to its assessment policies. We will continue to monitor the agency's progress in implementing this recommendation.

Federal Bureau of Investigation (priority recommendation)
Recommendation 5: The FBI Director should, in collaboration with OMB, solicit input from CMS, IRS, SSA, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible.
Status: Open
The FBI agreed with and has taken steps to partially address this recommendation. As of December 2021, FBI had established a Criminal Justice Information Services Policy Modernization Task Force consisting of representatives from CMS and IRS, as well as state agencies, to advise FBI on updates to its cybersecurity requirements. In addition, FBI created a Data Categorization Task Force to review and categorize criminal justice information in accordance with guidance from the National Institute of Standards and Technology. Both task forces have met several times and are considering revisions to FBI's cybersecurity requirements and assessment policies that affect state agencies. These are positive steps that could lead to less variance among the federal agencies' cybersecurity requirements for states. However, the discussions are in the early stages and it is too soon to assess the impact of these efforts. To fully address this recommendation, FBI will need to complete the review of its security policy and its data categorization efforts, and determine what changes it will make to address variances among federal agencies' cybersecurity requirements for states. We will continue to monitor the agency's progress in implementing this recommendation.

Federal Bureau of Investigation
Recommendation 6: The FBI Director should fully develop policies for coordinating with state agencies on the use of prior findings from relevant cybersecurity assessments conducted by other organizations.
Status: Closed – Implemented
As of November 2020, FBI's Criminal Justice Information Services (CJIS) Division had updated its policies for cybersecurity assessments to include the use of prior findings from relevant assessments conducted by other organizations. For example, FBI's CJIS Division updated its Information Technology Security Audit Training Manual and Information Technology Security Audit CJIS System Pre-audit Questionnaire to include the review of previous third-party audit findings as part of the audit planning process. By implementing this recommendation, FBI may reduce unnecessary burdens on state officials' time and resources in responding to overlapping or duplicative requests and inquiries, reviewing controls that have already been evaluated, or reporting similar findings multiple times throughout a state.

Federal Bureau of Investigation (priority recommendation)
Recommendation 7: The FBI Director should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable.
Status: Open
The FBI agreed with and has taken steps to partially address this recommendation. As of December 2021, FBI stated that staff from its Criminal Justice Information Services (CJIS) Audit Unit had held several discussions with officials from CMS, IRS, and SSA to share information on the assessment processes for state agencies, such as what agencies and data are included in assessments, previous assessment results, and the potential for further coordination of assessment schedules. FBI noted that it expects to hold these discussions biannually. In addition, FBI solicited input from these federal agencies through its CJIS Security Policy Modernization Task Force. FBI noted that it expects to further align its CJIS policy with guidance from the National Institute of Standards and Technology (NIST) to be more consistent with how other federal agencies use this guidance in their security policies. FBI noted that once it has transitioned to a more robust adoption of the NIST security framework, it would revisit any areas of assessment coordination with the other federal agencies. However, FBI did not have a time frame for completing these efforts. To fully implement this recommendation, FBI needs to assess the input it has received from other federal agencies and determine what changes it can make to its security policy to enhance coordination. We will continue to monitor the agency's progress in implementing this recommendation.

Internal Revenue Service
Recommendation 8: The IRS Commissioner should, in collaboration with OMB, solicit input from CMS, FBI, SSA, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible.
Status: Closed – Implemented
As of December 2021, IRS had revised its security policy based on new guidance from the National Institute of Standards and Technology (NIST) and input from federal and state agencies, implementing GAO's May 2020 recommendation. The agency completed a comparison of IRS Publication 1075 with NIST Special Publication 800-53, Revision 5 to identify areas where its security policy could be more consistent with NIST. IRS also participated in discussions with officials from CMS, FBI, and SSA on the impact of inconsistent cybersecurity standards among the agencies. In addition, IRS sent a draft of its update to Publication 1075 to federal and state agencies, and incorporated their comments in the final version of the publication that was released in December 2021. By implementing this recommendation, IRS potentially reduced unnecessary burdens on state officials' time and resources in responding to variances among multiple federal agencies' cybersecurity requirements.

Internal Revenue Service
Recommendation 9: The IRS Commissioner should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable.
Status: Closed – Implemented
As of December 2021, IRS had incorporated federal agency coordination into its assessments of state agencies' cybersecurity, implementing GAO's May 2020 recommendation. IRS shared its fiscal year 2021 agency review schedule with CMS, FBI, and SSA in an effort to coordinate and reduce unnecessary burden on state agencies. Further, in preparing for its fiscal year 2021 assessments, IRS solicited results from assessments conducted by other federal agencies that may cover the same technologies within the scope of the IRS assessment. IRS has also incorporated these coordination steps into its planning procedures for state agency assessments, which now include steps for determining whether the agency can use results from another federal assessment in lieu of a full assessment by IRS. By implementing this recommendation, IRS potentially reduced unnecessary burdens on state officials' time and resources in responding to duplicative requests and inquiries, retesting controls that have already been evaluated, or reporting similar findings multiple times throughout a state.

Social Security Administration (priority recommendation)
Recommendation 10: The Commissioner of SSA should, in collaboration with OMB, solicit input from CMS, FBI, IRS, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible, and document SSA's rationale for maintaining any requirements variances.
Status: Open
SSA agreed with and has taken steps to partially address this recommendation. In February 2021, SSA compared its security policy to guidance from the National Institute of Standards and Technology's (NIST) Special Publication 800-53, Revision 5 and Special Publication 800-53A, Revision 5. SSA updated its requirements and assessment procedures to be more consistent with NIST's guidance. SSA stated that it piloted the revised security requirements and assessment procedures with states and solicited their feedback. SSA expected to finalize changes to its security requirements and assessment procedures and begin implementing them in assessments of state agencies by December 2020. As of December 2021, SSA did not have an update on these efforts. To fully implement this recommendation, SSA needs to demonstrate its collaboration with federal agencies in the revisions to its security policy. We will continue to monitor the agency's progress in implementing this recommendation.

Social Security Administration
Recommendation 11: The Commissioner of SSA should fully develop policies for coordinating with state agencies on the use of prior findings from relevant cybersecurity assessments conducted by other organizations.
Status: Closed – Implemented
As of February 2022, SSA had updated its policies for cybersecurity assessments to include the use of prior findings from relevant assessments conducted by other organizations. Specifically, SSA updated its Technical System Security Requirements to include the review of third-party assessment findings as part of the assessment review process. By implementing this recommendation, SSA may reduce unnecessary burdens on state officials' time and resources in responding to overlapping or duplicative requests and inquiries, reviewing controls that have already been evaluated, or reporting similar findings.

Social Security Administration (priority recommendation)
Recommendation 12: The Commissioner of SSA should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable.
Status: Open
SSA agreed with and has taken steps to partially address this recommendation. In November 2020, SSA stated that it was reviewing its assessment policies to identify where it could incorporate into its written assessment procedures the coordination best practices it currently uses with other federal agencies. SSA expected to incorporate updates to its assessment procedures by September 2021. However, as of December 2021, SSA did not have an update on its efforts. To fully address this recommendation, SSA needs to finalize its review and update its assessment procedures to incorporate steps for coordinating with other federal agencies. We will continue to monitor the agency's progress in implementing this recommendation.
