Cybersecurity: Selected Federal Agencies Need to Coordinate on Requirements and Assessments of States
Fast Facts
States must follow numerous cybersecurity requirements when using federal data. These requirements may vary by federal agency.
State information security officials we surveyed told us, among other things, that the differing requirements cost states additional time and money, and could ultimately detract from security efforts.
Among the 4 federal agencies we examined, 49% to 79% of security requirement parameters—the number of log-on attempts allowed, for example—were in conflict.
We made 12 recommendations, including that the Office of Management and Budget improve coordination of cybersecurity requirements among federal agencies.
Highlights
What GAO Found
Although the Centers for Medicare and Medicaid Services (CMS), Federal Bureau of Investigation (FBI), Internal Revenue Service (IRS), and Social Security Administration (SSA) each established requirements to secure data that states receive, these requirements often had conflicting parameters. Such parameters involve agencies defining specific values like the number of consecutive unsuccessful logon attempts prior to locking out the user. Among the four federal agencies, the percentage of total requirements with conflicting parameters ranged from 49 percent to 79 percent. Regarding variance with National Institute of Standards and Technology guidance, GAO found that the extent to which the four agencies did not fully address guidance varied from 9 percent to 53 percent of total requirements. The variances were due in part to the federal agencies' insufficient coordination in establishing requirements. Although the Office of Management and Budget's (OMB) Circular A-130 requires agencies to coordinate, OMB has not ensured that agencies have done so. Further, while federal agencies' variance among requirements may be justified in some cases because of particular agency mission needs, the resulting impact on states is significant, according to state chief information security officers (see figure).
Extent of Impacts Identified by State Chief Information Security Officers as a Result of Variances in Selected Federal Agencies' Cybersecurity Requirements
Note: Not all respondents answered all survey questions. The figure is based on 46 responses.
The four federal agencies that GAO reviewed either fully or partially had policies for coordinating assessments with states, but none of them had policies for coordinating assessments with each other. State chief information security officers that GAO surveyed reinforced the need to coordinate assessments by identifying impacts on state agencies' costs, including multiple federal agencies that requested the same documentation. Coordinating with state and federal agencies when assessing state agencies' cybersecurity may help to minimize states' cost and time impacts and reduce associated federal costs. Federal agencies reported spending about $45 million for fiscal years 2016 through 2018 on assessments of state agencies' cybersecurity.
Why GAO Did This Study
To protect data that are shared with state government agencies, federal agencies have established cybersecurity requirements and related compliance assessment programs. Specifically, they have numerous cybersecurity requirements for states to follow when accessing, storing, and transmitting federal data.
GAO was asked to evaluate federal agencies' cybersecurity requirements and related assessment programs for state agencies. The objectives were to determine the extent to which (1) selected federal agencies' cybersecurity requirements for state agencies varied with each other and federal guidance, and (2) federal agencies had policies for coordinating their assessments of state agencies' cybersecurity.
GAO reviewed four federal agencies that shared data with states and had assessment programs: CMS, FBI, IRS, and SSA. GAO compared, among other things, each agency's cybersecurity requirements to federal guidance and to other selected agencies' requirements; and reviewed federal agencies' policies for conducting assessments. In addition, GAO examined OMB's efforts to foster coordination among federal agencies. GAO also surveyed and received responses from chief information security officers in 50 out of 55 U.S. states, territories, and the District of Columbia to obtain their perspectives.
Recommendations
GAO is making 12 recommendations to the four selected agencies and to OMB. Three agencies agreed with the recommendations and one agency (IRS) partially agreed or disagreed with them. OMB did not provide comments. GAO continues to believe all recommendations are warranted.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Office of Management and Budget | Priority Rec. The Director of OMB should ensure that CMS, FBI, IRS, and SSA are collaborating on their cybersecurity requirements pertaining to state agencies to the greatest extent possible and direct further coordination where needed. (Recommendation 1) | OMB did not agree or disagree with GAO's recommendation. In December 2022, OMB stated that it is comparing the recommendations with recent actions, guidance, and policy memoranda issued since the recommendations were made. To fully address this recommendation, OMB needs to determine and implement an approach that encourages agencies to collaborate, or direct agencies to further coordinate amongst each other and with state government agencies that use federal data. As of March 2024, OMB has not completed these actions. Without OMB's involvement and encouragement that federal agencies collaborate to make their cybersecurity requirements for state agencies consistent to the greatest extent possible, federal agencies are less likely to prioritize such efforts, which could lead to greater fragmentation of cybersecurity policies for states using federal data. |
Office of Management and Budget | Priority Rec. The Director of OMB should take steps to ensure that CMS, FBI, IRS, and SSA coordinate, where feasible, on assessments of state agencies' cybersecurity, which may include steps such as leveraging other agencies' security assessments or conducting assessments jointly. (Recommendation 2) | OMB did not agree or disagree with GAO's recommendation. In December 2022, OMB stated that it is comparing the recommendations with recent actions, guidance, and policy memoranda issued since the recommendations were made. To fully address this recommendation, OMB needs to determine and implement an approach that encourages agencies to coordinate on assessments of state agencies' cybersecurity where feasible. As of March 2024, OMB has not completed these actions. Until OMB does so, it will not have reasonable assurance that federal agencies are leveraging compatible assessments, where practicable, which could lead to fragmented assessments across federal agencies. |
Centers for Medicare & Medicaid Services | The Administrator of CMS should, in collaboration with OMB, solicit input from FBI, IRS, SSA, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible and document CMS's rationale for maintaining any requirements variances. (Recommendation 3) | CMS agreed with and has taken steps to partially address this recommendation. As of February 2024, CMS has participated in the FBI's Criminal Justice Information Services Division Modernization Task Force, which includes representatives from the FBI and Internal Revenue Service, to discuss the impact of inconsistent cybersecurity standards. CMS stated that it received a presentation from FBI on its efforts to align with the National Institute of Standards and Technology's (NIST) Special Publication 800-53, Revision 5. Further, CMS is currently developing a new version of its state cybersecurity requirements policy to align with the same NIST publication. It also plans to solicit feedback and concurrence from state agency and federal stakeholders. To fully address this recommendation, CMS needs to complete its efforts to coordinate with the other federal agencies and decide what revisions to make to its cybersecurity requirements for state agencies. We will continue to monitor the agency's progress in implementing this recommendation. |
Centers for Medicare & Medicaid Services | Priority Rec. The Administrator of CMS should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. (Recommendation 4) | CMS agreed with this recommendation. As of February 2024, CMS stated that it would accept results of a recent, independent, third-party assessment conducted for another federal agency. CMS also stated that it would work to revise its assessment policies to maximize coordination with other federal agencies to the greatest extent possible but has not yet provided documentation. In addition, CMS stated that the Office of Management and Budget would need to be involved in developing a standardized process for sharing independent security assessments performed by the states with other federal agencies. To fully implement this recommendation, CMS needs to determine what changes it can make to its assessment policies and implement those changes. Maximizing coordination with other federal agencies would help provide reasonable assurance that CMS is leveraging compatible assessments with other agencies and may help reduce federal resources associated with their implementation. We will continue to monitor the agency's progress in implementing this recommendation. |
Federal Bureau of Investigation | Priority Rec. The FBI Director should, in collaboration with OMB, solicit input from CMS, IRS, SSA, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible. (Recommendation 5) | FBI agreed with and has taken steps to implement this recommendation. As of February 2024, FBI revised its security policy to further align with security control guidance from the National Institute of Standards and Technology (NIST) and based on input from federal and state agencies. In September 2023, it released its updated Criminal Justice Information Services (CJIS) Security Policy to further align security controls with guidance from NIST Special Publication 800-53. As a result, FBI has addressed a large share of the variances with other federal agencies' requirements that GAO originally identified. Subsequently, FBI has continued to hold CJIS Policy Modernization Task Force meetings, consisting of representatives from CMS, IRS, and SSA as well as IT representatives from state law enforcement agencies and courts, to advise FBI on updates to its cybersecurity requirements. By taking these steps, FBI potentially reduced unnecessary burdens on state officials' time and resources in responding to variances from multiple federal agencies' cybersecurity requirements. |
Federal Bureau of Investigation | The FBI Director should fully develop policies for coordinating with state agencies on the use of prior findings from relevant cybersecurity assessments conducted by other organizations. (Recommendation 6) | As of November 2020, FBI's Criminal Justice Information Services (CJIS) Division updated its policies for cybersecurity assessments to include use of prior findings from relevant assessments conducted by other organizations. For example, FBI's CJIS Division updated its Information Technology Security Audit Training Manual and Information Technology Security Audit CJIS System Pre-audit Questionnaire to include the review of previous third-party audit findings as part of the audit planning process. By implementing this recommendation, FBI may potentially reduce unnecessary burdens on state officials' time and resources in responding to overlapping or duplicative requests and inquiries, reviewing controls that have already been evaluated, or reporting similar findings multiple times throughout a state. |
Federal Bureau of Investigation | Priority Rec. The FBI Director should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. (Recommendation 7) | FBI agreed with and has taken steps to implement this recommendation. As of February 2023, FBI's Criminal Justice Information Services (CJIS) Audit Unit held discussions with officials from CMS, IRS, and SSA to share information on the assessment processes for state agencies, such as what agencies and data are included in assessments, previous assessment results, and the potential for further coordination of assessment schedules. FBI noted that it expects to continue to hold these discussions biannually. Further, FBI revised its assessment procedures to include a step for reviewing third-party audit results, such as those from CMS, IRS, SSA, or others, and incorporating those results into FBI's assessment plans. By taking these steps, FBI may reduce unnecessary burdens on state officials' time and resources in responding to duplicative requests and inquiries, retesting controls that have already been evaluated, or reporting similar findings. |
Internal Revenue Service | The IRS Commissioner should, in collaboration with OMB, solicit input from CMS, FBI, SSA, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible. (Recommendation 8) | As of December 2021, IRS revised its security policy based on new guidance from the National Institute of Standards and Technology (NIST) and input from federal and state agencies to implement GAO's May 2020 recommendation. The agency completed a comparison of IRS Publication 1075 with NIST Special Publication 800-53, Revision 5 to identify areas where its security policy could be more consistent with NIST. In addition, IRS participated in discussions with officials from CMS, FBI, and SSA to discuss the impact of inconsistent cybersecurity standards among the agencies. IRS also sent a draft of its update to Publication 1075 to federal and state agencies, and incorporated their comments in the final version of the publication that was released in December 2021. By implementing this recommendation, IRS potentially reduced unnecessary burdens on state officials' time and resources in responding to variances from multiple federal agencies' cybersecurity requirements. |
Internal Revenue Service | The IRS Commissioner should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. (Recommendation 9) | As of December 2021, IRS incorporated federal agency coordination into its assessments of state agencies' cybersecurity to implement GAO's May 2020 recommendation. IRS shared its fiscal year 2021 agency review schedule with CMS, FBI, and SSA in an effort to coordinate and reduce unnecessary burden to state agencies. Further, in preparing for its fiscal year 2021 assessments, IRS solicited results from assessments conducted by other federal agencies that may cover the same technologies in the scope of the IRS assessment. IRS has also incorporated the above coordination steps into its planning procedures for state agency assessments. IRS's planning procedures now include steps for determining whether the agency can use results from another federal assessment in lieu of a full assessment by IRS. By implementing this recommendation, IRS potentially reduced unnecessary burdens on state officials' time and resources in responding to duplicative requests and inquiries, retesting controls that have already been evaluated, or reporting similar findings multiple times throughout a state. |
Social Security Administration | Priority Rec. The Commissioner of SSA should, in collaboration with OMB, solicit input from CMS, FBI, IRS, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible and document SSA's rationale for maintaining any requirements variances. (Recommendation 10) | SSA agreed with and has taken steps to implement this recommendation. As of February 2023, SSA revised its security policy to further align with security control guidance from the National Institute of Standards and Technology (NIST) and based on input from federal and state agencies. In April 2022, the agency updated SSA's Technical System Security Requirements (TSSR) to further align security controls with guidance from NIST Special Publication 800-53. As a result, SSA addressed most of the variances with other federal agencies' requirements that GAO originally identified. Subsequently, SSA has continued to discuss inconsistent cybersecurity standards, security control selection, and control tailoring with officials from CMS, FBI, and state agencies. By taking these steps, SSA potentially reduced unnecessary burdens on state officials' time and resources in responding to variances from multiple federal agencies' cybersecurity requirements. |
Social Security Administration | The Commissioner of SSA should fully develop policies for coordinating with state agencies on the use of prior findings from relevant cybersecurity assessments conducted by other organizations. (Recommendation 11) | As of February 2022, SSA updated its policies for cybersecurity assessments to include use of prior findings from relevant assessments conducted by other organizations. Specifically, SSA updated its Technical System Security Requirements to include the review of third-party assessment findings as part of the assessment review process. By implementing this recommendation, SSA may potentially reduce unnecessary burdens on state officials' time and resources in responding to overlapping or duplicative requests and inquiries, reviewing controls that have already been evaluated, or reporting similar findings. |
Social Security Administration | Priority Rec. The Commissioner of SSA should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. (Recommendation 12) | SSA agreed with and has taken steps to implement this recommendation. As of February 2023, SSA revised its assessment policy and related procedures to improve coordination with other federal agencies. In April 2022, SSA updated its Technical System Security Requirements (TSSR) to note that SSA would leverage assessment results produced by an independent third party, including CMS, FBI, and IRS. To do so, SSA requires that the third-party assessments use the same scope, depth, and breadth as an SSA assessment. By taking these steps, SSA may reduce unnecessary burdens on state officials' time and resources in responding to duplicative requests and inquiries, retesting controls that have already been evaluated, or reporting similar findings. |