‘Unfunded Mandates’ in Senate Cybersecurity Bill a Concern, Says NASCIO Executive
State chief information officers want to make sure there are no “unfunded mandates” for states in the cybersecurity measures being considered in Congress, said Doug Robinson, executive director of the National Association of State Chief Information Officers (NASCIO). His group hasn’t taken an “official stand” on the measures being considered in the Senate, he said.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
"We want to see how it comes out in Washington and which one [bill] is really going to understand the role of the states but also make sure there aren’t any unfunded mandates,” he told us. “Right now the cybersecurity bills do not specifically address state interests [and] that’s one area we want clarified,” he said. NASCIO has been working with the staff of the sponsors of the Cybersecurity Act (S-2105), he said. S-2105 is sponsored by Senate Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, I-Conn., Ranking Member Susan Collins, R-Maine, and others. His group hasn’t worked with staff of Sen. John McCain, R-Ariz., the prime sponsor of the alternative measure, the SECURE IT Act (S-2151), he said.
It’s “unclear” whether states would “fall under the requirements” set in S-2105, Robinson said. NASCIO is trying to get “some interpretative language for whatever version [of S-2105] that goes through” that clarifies whether states are a “covered entity,” he said. Although NASCIO supports “in principle” several provisions of S-2105, “we won’t come out with an official stand until we see if, in fact, there is a determination that it does apply to states,” he said. “Then clearly we have to start talking about unfunded mandates."
Although there’s funding available for cybersecurity in the Department of Homeland Security state grant program, “unfortunately the threat is not one that is given a high amount of prioritization,” Robinson said. There’s no “specific set aside or directed funds” for cybersecurity, so states and local governments “have to spend their own dollars,” he said. Cybersecurity is just an “option under one of seven threat factors” under the DHS grants program, he said.
As for whether state CIOs support sharing cybersecurity information with DHS or national security agencies, Robinson said NASCIO hasn’t “taken a public position on that.” What CIOs want is that the “information that comes to the states needs to be fully developed and actionable,” he said. He said states are facing “challenges” in “recruiting and retaining” IT security personnel in their workforce. With the growing use of mobile devices by employees, “that’s becoming even more of a challenge.”