GAO Report Affirms NASCIO Calls for Harmonizing Federal Cybersecurity Regulations

LEXINGTON, KY., Wednesday, May 27, 2020 — Today, the Government Accountability Office (GAO) released a report, Selected Federal Agencies Need to Coordinate on Requirements and Assessments of States. The report recommendations affirm the National Association of State Chief Information Officer’s (NASCIO) top advocacy priority of harmonizing disparate federal cybersecurity regulations. The report was required in response to a 2018 request made by the U.S. Senate Homeland Security and Governmental Affairs Committee along with the U.S. House of Representatives Committee on Oversight Intergovernmental Affairs Subcommittee who tasked the GAO to study the various federal cybersecurity regulations and issue corresponding recommendations. The report includes feedback from all fifty state chief information security officers.

The report includes twelve recommendations for selected federal agencies and the first two call for federal agencies to ensure that they are collaborating on cybersecurity requirements “to state agencies to the greatest extent possible” and that federal agencies should coordinate “on assessments of state agencies’ cybersecurity, which may include steps such as leveraging other agencies’ assessments or conducting assessments jointly.”

“NASCIO has long advocated for federal cybersecurity requirements to be harmonized and applauds the findings in the GAO report,” said Doug Robinson, NASCIO’s Executive Director. “The hours and effort required by states to respond to several audits from different agencies with different security controls is burdensome, costly and negatively impacts states. We are hopeful that the federal agencies will heed the report’s recommendations and foster a much greater collaborative environment on these regulations.”

Notably, the report concludes by stating, “…we continue to believe that it is important for all of the agencies in our review to identify opportunities where requirements can be streamlined or made more consistent while still achieving each agency’s desired security outcomes because doing so may reduce potential burdens on state agencies, as discussed in this report.”

The report can be found on GAO’s website here:


Meredith Ward
Director of Policy and Research
National Association of State Chief Information Officers