‘Slowly but surely,’ states are convincing feds to simplify security regulations

Though no regulations have been changed yet, officials say the last several years of talks are essential first steps toward change.
Getty Images

State IT leaders met Wednesday with officials from various federal agencies, including federal Chief Information Officer Suzette Kent, to inch forward the discussion on simplifying the reams of complex security regulations with which they’re required to comply.

The meeting, part of the National Association of State Chief Information Officers’ annual visit to Washington to discuss state government involvement in national policy, marked the third consecutive year the organization has made “harmonizing” a host of complex and sometimes conflicting regulations — issued by agencies including the Internal Revenue Service, FBI and the General Services Administration, among others — its top priority in talks with federal officials.

Meredith Ward, a senior policy analyst with NASCIO, told StateScoop that talks have “slowly but surely” been progressing as federal leaders have become increasingly receptive to complaints from state CIOs and chief information security officers that federal security regulations and their associated audits are needlessly time-consuming.

The talks are the continuation of a letter drafted by officials from NASCIO and the National Governors Association in November 2017 to the Office of Management and Budget that regulations intended to safeguard critical data often “hamper” state initiatives as CIOs respond to overlapping audits by various federal agencies that are not sharing information with one another.


Though no changes in federal regulations have yet been made as a result of these meetings, Ward said the conversations over the past three years have been valuable in educating federal policymakers on how the time state officials spend dealing with duplicative regulations could be used to save states money through the advancement of IT modernization projects.

“We don’t think this is going to be solved overnight,” Ward said. “It’s a million small steps we have taken and will continue to take to work on this issue.”

In addition to harmonizing regulations, NASCIO also sought to solidify state CIO and CISO participation in the Federal Emergency Management Agency’s advisory committees and urban-area working groups, which began including state officials last year, and to encourage federal officials to recognize the work states do in researching and developing new technologies as it develops policies and implements its own solutions.

Matt Pincus, NASCIO’s director of government affairs, said that in the 18 years NASCIO’s members have flown into Washington to advance their policies, the character of the interactions has matured substantially.

“[Before], our members would go storm the hill and lobby their members of Congress,” Pincus said.


In 2019, everyone has planned meetings, including more than an hour with Kent, the federal CIO, who Pincus said was sympathetic with the challenges her counterparts in state government face.

“This kind of environment is great,” Pincus said. “It’s just the CIOs and the members and their staff and it’s pretty unfiltered. They can ask any questions that are on their mind.”

The security requirements put forth by federal agencies match about 90 of the time, but the remaining 10 percent of mismatched requirements add complexity to state compliance, Pincus estimated. He described the conversation between NASCIO’s members and officials from the FBI’s Criminal Justice Information Services and the IRS — two key agencies for states — as “frank.”

“CIOs are frustrated and just don’t understand why there’s a perceived lack of collaboration in terms of their security regulation,” Pincus said.

Though the talks have not yet produced anything tangible, Ward said she hopes to have an announcement for states regarding federal regulations later this year.

Colin Wood

Written by Colin Wood

Colin Wood is the editor in chief of StateScoop and EdScoop. He's reported on government information technology policy for more than a decade, on topics including cybersecurity, IT governance and public safety.

Latest Podcasts