States Eye Washington for Security Guidance

Cities, States Receptive to Fed Cybersecurity Rules

As FISMA reform winds its way through Congress, and NIST revises its IT security guidance, federal chief information and chief information security officers are not the only ones who pay attention to the latest developments. CIOs and CISOs from the states and municipalities, too, keep an eye on the evolution of federal IT security laws and guidance, even though they're not directly affected by the rules and regulations emanating from the nation's capital.
For the CIOs and CISOs in the hinterlands, what happens in Washington doesn't stay in Washington.
Unlike federal agencies and departments, most cities and states don't have an IT security governance infrastructure akin to the trinity of the Federal Information Security Management Act (FISMA), the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST). U.S. laws and regulations require federal agencies to comply with FISMA provisions and OMB directives, as well as follow NIST's well-researched guidance, but they don't compel states and municipalities to do so -- at least in most instances. Still, many local and state CIOs and CISOs look to FISMA, NIST and OMB to guide them on how they secure their governments' IT assets.
"We have tried to align ourselves basically with all of the procedures and guidelines and best practices that the federal government does," says Kansas CISO Larry Kettlewell.
Especially popular is NIST guidance, notably NIST's 800-series publications, which provide detailed direction on how best to secure nearly every type of computer, system, network and operational situation. "Everybody uses the NIST standards; it's kind of the standard you base your stuff on," says Randy Moulton, CISO of Charlotte, N.C.
Even in states with strong IT security laws, Washington - the capital not the state - provides direction. Minnesota law grants its Office of Enterprise and Technology the authority and responsibility to define and set security policies and standards for state IT, and the office models its IT security framework on NIST. "The research that is put into NIST documents and the publications is simply outstanding; it is really good literature, and NIST is well funded," Minnesota CISO Chris Buse says.
Michigan Chief Technology Officer Dan Lohrmann, the state's long-time CISO until his promotion earlier this year, says the state employs FISMA standards and NIST guidance as part of its IT security framework. "Sixty percent of our IT spending comes from federal dollars, so we support a lot of federal programs -- everything from roads, transportation to Medicare, Medicaid programs," Lohrmann says. "We implement federal programs, so we have to meet federal regulations, and many of them follow FISMA standards."
Indeed, non-federal CISOs closely follow developments in Washington because of the belief that one day federal cybersecurity law may be imposed on states, counties and municipalities. "By centering our program on the NIST model, we think that we will be in a better position to ultimately demonstrate compliance with FISMA requirements if that ever comes down to the state level," Buse says.
As cybersecurity becomes more collaborative between various levels of government, the likelihood that the federal government will dictate IT security compliance is something some city and state CISOs believe is inevitable. "At some point down the line," Kansas' Kettlewell says, "the federal government regulations are going to be such that if you want to do business with the federal government at the state level, you are going to have to come in line with whatever procedures and processes that the federal government has."
Knowing that, Kettlewell says he wants to be involved in helping influence the direction federal IT security governance takes, so he serves as an informal adviser to the National Association of State Chief Information Officers (NASCIO), which acts as a conduit between federal and state IT leaders.
Buse sees a synergy between cybersecurity developments in Washington and in St. Paul and other state capitals. "One of the things we need to do at the state level is to help shape (national) legislation so it is a little more productive for those that aren't in the federal government," he says. "That is something I feel passionate about; I am pretty active trying to work on those aspects. ...
"When it comes right down to it, the giant federal programs that are required by the federal government -- the lion's share of the work happens down at the state," Buse says. "We need to be all part of the same fabric that works together."