Fast Facts

States must follow numerous cybersecurity requirements when using federal data. These requirements may vary by federal agency.

State information security officials we surveyed told us, among other things, that the differing requirements cost states additional time and money, and could ultimately detract from security efforts.

Among the 4 federal agencies we examined, 49% to 79% of security requirements had conflicting parameters (for example, the number of failed log-on attempts allowed before an account is locked).

We made 12 recommendations, including that the Office of Management and Budget improve coordination of cybersecurity requirements among federal agencies.

Highlights

What GAO Found

Although the Centers for Medicare and Medicaid Services (CMS), Federal Bureau of Investigation (FBI), Internal Revenue Service (IRS), and Social Security Administration (SSA) each established requirements to secure data that states receive, these requirements often had conflicting parameters. Such parameters involve agencies defining specific values like the number of consecutive unsuccessful logon attempts prior to locking out the user. Among the four federal agencies, the percentage of total requirements with conflicting parameters ranged from 49 percent to 79 percent. Regarding variance with National Institute of Standards and Technology guidance, GAO found that the extent to which the four agencies did not fully address guidance varied from 9 percent to 53 percent of total requirements. The variances were due in part to the federal agencies' insufficient coordination in establishing requirements. Although the Office of Management and Budget's (OMB) Circular A-130 requires agencies to coordinate, OMB has not ensured that agencies have done so. Further, while federal agencies' variance among requirements may be justified in some cases because of particular agency mission needs, the resulting impact on states is significant, according to state chief information security officers (see figure).

Extent of Impacts Identified by State Chief Information Security Officers as a Result of Variances in Selected Federal Agencies' Cybersecurity Requirements

Note: Not all respondents answered all survey questions; the figure is based on 46 responses. (The figure itself is not reproduced here.)

The four federal agencies that GAO reviewed either fully or partially had policies for coordinating assessments with states, but none of them had policies for coordinating assessments with each other. State chief information security officers that GAO surveyed reinforced the need to coordinate assessments by identifying impacts on state agencies' costs, including multiple federal agencies that requested the same documentation. Coordinating with state and federal agencies when assessing state agencies' cybersecurity may help to minimize states' cost and time impacts and reduce associated federal costs. Federal agencies reported spending about $45 million for fiscal years 2016 through 2018 on assessments of state agencies' cybersecurity.

Why GAO Did This Study

To protect data that are shared with state government agencies, federal agencies have established cybersecurity requirements and related compliance assessment programs. Specifically, they have numerous cybersecurity requirements for states to follow when accessing, storing, and transmitting federal data.

GAO was asked to evaluate federal agencies' cybersecurity requirements and related assessment programs for state agencies. The objectives were to determine the extent to which (1) selected federal agencies' cybersecurity requirements for state agencies varied with each other and federal guidance, and (2) federal agencies had policies for coordinating their assessments of state agencies' cybersecurity.

GAO reviewed four federal agencies that shared data with states and had assessment programs: CMS, FBI, IRS, and SSA. GAO compared, among other things, each agency's cybersecurity requirements to federal guidance and to other selected agencies' requirements; and reviewed federal agencies' policies for conducting assessments. In addition, GAO examined OMB's efforts to foster coordination among federal agencies. GAO also surveyed and received responses from chief information security officers in 50 out of 55 U.S. states, territories, and the District of Columbia to obtain their perspectives.


Recommendations

GAO is making 12 recommendations to the four selected agencies and to OMB. Three agencies agreed with the recommendations and one agency (IRS) partially agreed or disagreed with them. OMB did not provide comments. GAO continues to believe all recommendations are warranted.

Recommendations for Executive Action

Office of Management and Budget
Recommendation 1: The Director of OMB should ensure that CMS, FBI, IRS, and SSA are collaborating on their cybersecurity requirements pertaining to state agencies to the greatest extent possible and direct further coordination where needed. (Recommendation 1)
Status: Open
As of March 2021, OMB stated that it concurs that agencies should reduce any possible conflict or overlap in cybersecurity policies for states. OMB stated that efforts by agencies to improve the consistency in cybersecurity requirements for state agencies and to revise assessment policies to maximize coordination with other federal agencies would provide significant value to the states and a more unified direction in cybersecurity from the federal government. OMB noted that it is leveraging the Federal Chief Information Officer (CIO) Council and Chief Information Security Officer (CISO) Council to hold monthly engagements with agency CIOs and CISOs, and occasionally provides updates to the National Association of State CIOs. In addition, OMB stated that the CISO Council has begun exploring opportunities for coordinating varying standards with other federal agencies in order to reduce burden on states and that the effort is ongoing. OMB noted that it will review this recommendation in consultation with the Federal CIO Council and evaluate the most direct and productive manner in which to engage agencies to reduce possible overlap or conflict. We have not yet received supporting documentation of the agency's efforts. We will continue to monitor the agency's progress in implementing this recommendation.

Office of Management and Budget
Recommendation 2: The Director of OMB should take steps to ensure that CMS, FBI, IRS, and SSA coordinate, where feasible, on assessments of state agencies' cybersecurity, which may include steps such as leveraging other agencies' security assessments or conducting assessments jointly. (Recommendation 2)
Status: Open
As of March 2021, OMB stated that it concurs that agencies should reduce any possible conflict or overlap in cybersecurity policies for states. OMB stated that efforts by agencies to improve the consistency in cybersecurity requirements for state agencies and to revise assessment policies to maximize coordination with other federal agencies would provide significant value to the states and a more unified direction in cybersecurity from the federal government. OMB noted that it is leveraging the Federal CIO Council and CISO Council to hold monthly engagements with agency CIOs and CISOs and occasionally provides updates to the National Association of State CIOs. OMB also stated that it will review this recommendation in consultation with the Federal CIO Council and evaluate the most direct and productive manner in which to engage agencies to reduce possible overlap or conflict. We have not yet received supporting documentation of the agency's efforts. We will continue to monitor the agency's progress in implementing this recommendation.

Centers for Medicare and Medicaid Services
Recommendation 3: The Administrator of CMS should, in collaboration with OMB, solicit input from FBI, IRS, SSA, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible and document CMS's rationale for maintaining any requirements variances. (Recommendation 3)
Status: Open
When we confirm what actions CMS has taken in response to this recommendation, we will provide updated information.

Centers for Medicare and Medicaid Services
Recommendation 4: The Administrator of CMS should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. (Recommendation 4)
Status: Open
When we confirm what actions CMS has taken in response to this recommendation, we will provide updated information.

Federal Bureau of Investigation
Recommendation 5: The FBI Director should, in collaboration with OMB, solicit input from CMS, IRS, SSA, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible. (Recommendation 5)
Status: Open
In November 2020, FBI identified steps that the agency has taken towards implementing this recommendation. Specifically, FBI noted that it has established a working group consisting of representatives from CMS, IRS, SSA, and state agencies that is to advise on updates to its cybersecurity requirements. In addition, FBI stated that its Criminal Justice Information Services (CJIS) Division established a Data Categorization Task Force charged with reviewing NIST Special Publication 800-60 and formally categorizing criminal justice information. We have not yet received supporting documentation of the agency's efforts. We will continue to monitor the agency's progress in implementing this recommendation.

Federal Bureau of Investigation
Recommendation 6: The FBI Director should fully develop policies for coordinating with state agencies on the use of prior findings from relevant cybersecurity assessments conducted by other organizations. (Recommendation 6)
Status: Closed - Implemented
As of November 2020, FBI's CJIS Division had updated its policies for cybersecurity assessments to include use of prior findings from relevant assessments conducted by other organizations. For example, FBI's CJIS Division updated its Information Technology Security Audit Training Manual and Information Technology Security Audit CJIS System Pre-audit Questionnaire to include the review of previous third-party audit findings as part of the audit planning process. By implementing this recommendation, FBI may reduce unnecessary burdens on state officials' time and resources in responding to overlapping or duplicative requests and inquiries, reviewing controls that have already been evaluated, or reporting similar findings multiple times throughout a state.

Federal Bureau of Investigation
Recommendation 7: The FBI Director should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. (Recommendation 7)
Status: Open
In November 2020, FBI stated that it had taken steps towards implementing this recommendation. Specifically, FBI stated that its CJIS Audit Unit initiated discussions with CMS, IRS, and SSA to share information on the audit processes for state agencies, such as which agencies and data are included in audits, previous audit results, and the potential for further coordination of assessment schedules. FBI also noted that the agency plans to hold these discussions biannually. We have not yet received supporting documentation of the agency's efforts. We will continue to monitor the agency's progress in implementing this recommendation.

Internal Revenue Service
Recommendation 8: The IRS Commissioner should, in collaboration with OMB, solicit input from CMS, FBI, SSA, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible. (Recommendation 8)
Status: Open
In November 2020, IRS noted that its ability to harmonize requirements with other federal oversight agencies is limited by the Internal Revenue Code. Despite this challenge, the agency identified several steps that it had taken towards implementing this recommendation. Specifically, IRS stated that it completed a cross-walk of its Publication 1075 with the recently published NIST Special Publication 800-53 revision 5. In addition, IRS stated that it participated in FBI's CJIS Division working group to discuss the impact of inconsistent standards and to support FBI's CJIS policy modernization effort. IRS also noted that the agency engaged with SSA and CMS contacts to partner in any policy updates. We have not yet received supporting documentation of the agency's efforts. We will continue to monitor the agency's progress in implementing this recommendation.

Internal Revenue Service
Recommendation 9: The IRS Commissioner should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. (Recommendation 9)
Status: Open
In November 2020, IRS stated that it shared its fiscal year 2021 agency review schedule with FBI, CMS, and SSA in an effort to coordinate and reduce unnecessary burden to state agencies. Further, in preparing for its fiscal year 2021 assessments, IRS noted that it now solicits a copy of any federal oversight audit results that may cover the same technologies in scope for the IRS assessment. We have not yet received supporting documentation of the agency's efforts. We will continue to monitor the agency's progress in implementing this recommendation.

Social Security Administration
Recommendation 10: The Commissioner of SSA should, in collaboration with OMB, solicit input from CMS, FBI, IRS, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible and document SSA's rationale for maintaining any requirements variances. (Recommendation 10)
Status: Open
In November 2020, SSA identified several actions that it had taken in response to our recommendation. Specifically, SSA stated that it had conformed its risk assessment process to NIST Special Publications 800-53 and 800-53A; mapped new process requirements to NIST controls and tailored 12 objectives to protect the confidentiality of data that state partners process, store, or transmit; created new assessment documents that align with government-wide standards prescribed by NIST; and trained officials on the new modernized cybersecurity risk assessment process. In addition, SSA piloted its new process in February 2020 and solicited and incorporated feedback from the states. SSA expected to fully implement its new process by the first quarter of fiscal year 2021. However, SSA has not yet identified how it has collaborated with other federal agencies in making these revisions. In addition, we have not yet received supporting documentation of the agency's efforts. We will continue to monitor the agency's progress in implementing this recommendation.

Social Security Administration
Recommendation 11: The Commissioner of SSA should fully develop policies for coordinating with state agencies on the use of prior findings from relevant cybersecurity assessments conducted by other organizations. (Recommendation 11)
Status: Open
In November 2020, SSA stated that the agency is reviewing its current procedures to determine when it would be appropriate to consider previous assessments performed by other federal agencies or independent third parties. SSA stated that it expects to finalize new procedures to address this recommendation by the end of the third quarter of fiscal year 2021. We will continue to monitor the agency's progress in implementing this recommendation.

Social Security Administration
Recommendation 12: The Commissioner of SSA should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. (Recommendation 12)
Status: Open
In November 2020, SSA stated that the agency is reviewing its assessment policies to identify where it can incorporate the coordination practices it currently uses with other federal agencies into its written assessment procedures. SSA did not provide a date for expected implementation. We will continue to monitor the agency's progress in implementing this recommendation.
