The Government Accountability Office (GAO) made several recommendations to the Office of Management and Budget (OMB) and others to improve coordination of cybersecurity requirements among Federal agencies to protect data shared with state government agencies.
“Although the Centers for Medicare and Medicaid Services (CMS), Federal Bureau of Investigation (FBI), Internal Revenue Service (IRS), and Social Security Administration (SSA) each established requirements to secure data that states receive, these requirements often had conflicting parameters,” GAO said in a recent report.
State chief information officers surveyed by GAO said that while differing agency needs justify some variance among Federal agencies' requirements, the resulting impact hits states much more significantly. The differing requirements cost states time and money, while also detracting from security efforts, GAO wrote.
GAO made 12 recommendations in total, including two outlined for OMB:
- OMB should ensure collaboration between CMS, FBI, IRS, and SSA on cybersecurity requirements pertaining to state agencies; and
- OMB should ensure CMS, FBI, IRS, and SSA coordinate on assessments of state agencies’ cybersecurity.
OMB had not commented on the recommendations by the time GAO released its report.
In addition, GAO made two recommendations for CMS, three for the FBI, two for SSA, and three for SSA. CMS, FBI, and SSA agreed with all the recommendations made to them, while IRS only partially agreed with one recommendation and disagreed with the other.