Head of OMES Information Services speaks on federal cybersecurity regulations
WASHINGTON — Duplicative and inconsistent federal regulations can hinder efforts to unify states’ information technology, save taxpayers’ money and secure citizens’ data, Oklahoma Chief Information Officer Bo Reese testified today before the U.S. Senate Homeland Security and Governmental Affairs Committee.
“Over the past five years, (OMES has) reduced these redundancies, made large strides to unifying technology, and completed consolidation of 76 of the 78 mandated state agencies and more than 30 voluntary agencies,” said Reese, who leads the Information Services division for the Office of Management and Enterprise Services.
“Consolidation has resulted in $283 million of estimated reduced spending and projected savings,” Reese said. Oklahoma’s IT unification has also created a robust cybersecurity program, Oklahoma Cyber Command. In 2016, Cyber Command successfully responded to about 32,000 cases of unique malware, about 750 instances of malicious activity and nearly 400 occasions of unauthorized access.
“We appreciate efforts by the federal government to secure and protect sensitive citizen information because we also share that responsibility at the state level,” Reese said. “But, we must accomplish our shared goal without overly burdening state governments, ensuring that we are delivering government services to citizens in the most efficient and cost-effective manner.”
Reese, who also serves as vice president of the National Association of State Chief Information Officers, was invited to testify at the hearing, “Cybersecurity Regulation Harmonization,” to give an overview on how federal data security regulations impact the work of CIOs to introduce efficiencies and generate savings.
“State CIOs and chief information security officers must comb through thousands of pages of federal regulations to ensure that states are in compliance with rules from our federal partners,” he said. “Even though many federal regulations are similar in nature, in that they aim to protect high-risk information, they are mostly duplicative but have minor differences which can obscure the goal of IT consolidation, the whole point of which is to streamline IT applications and simplify the enterprise IT environment to produce savings for taxpayers.”
In his testimony, Reese brought attention to several federal cybersecurity regulations that pose obstacles for state IT unification and risk-based cybersecurity investments. Examples included differences in IRS and FBI regulations on what to include in passwords and how long to keep them.
Reese also called on federal regulatory agencies to normalize the federal cybersecurity compliance audit process which encourages states to make counterproductive compliance investments instead of ones based on risk.
“This approach is problematic for state government cybersecurity because it encourages state CIOs to make check-the-box compliance investments instead of ones based on risk, which is the more secure approach to managing sensitive data.”
Reese’s full testimony and a recording of the hearing can be found on the U.S. Senate Homeland Security and Governmental Affairs Committee website.
Media Contact
MICHAEL BAKER
Director of Public Affairs
(405) 522-4265 | [email protected]