NASCIO Supports Adoption of the NIST Cybersecurity Framework

LEXINGTON, Ky., Wednesday, February 12 — NASCIO applauds the Administration for publishing a consensus-based, voluntary Cybersecurity Framework. The Framework provides states with a common platform on which to base strategic security decisions, allocate resources, and build defenses against both common and sophisticated attacks. The Framework provides a common language for all levels of government and their partners in the private sector to perform risk analysis and detail their security efforts.

Today’s release is a critical step in a process the President began a year ago when he signed an Executive Order that brought federal leadership to a major vulnerability in our national security infrastructure. The inclusion of a methodology to protect privacy and personal information is also valuable for states, which are responsible for storing sensitive information on citizens and businesses. This addition is a welcome refinement to the final framework.

Like the private sector, state governments are at risk from a host of diverse and changing security threats that require a formal strategy, adequate resources, and constant vigilance. In response, states are actively working to increase their cyber readiness. Over three-quarters of states have adopted some cybersecurity framework based on national standards and guidelines, with the vast majority utilizing National Institute of Standards and Technology (NIST) standards to some degree.

NASCIO thanks the Administration for the collaborative process that led up to the creation of the cybersecurity framework. Our members hope to continue to collaborate with NIST and the Department of Homeland Security to create a state and local government overlay for the cybersecurity framework that will provide additional specificity by including the federal laws and regulations with which states and localities must comply.

NASCIO will be encouraging states to adopt the framework as a common language in which to build a strategic cybersecurity plan that provides leadership and stakeholders a better understanding of the security stance within state governments.

This is not the end, but the beginning of a process, and both states and our federal partners still have significant work to do in this area. Advancing common security and information-sharing protocols, such as the National Information Exchange Model (NIEM), will be important to securing public sector data while still allowing it to flow between various sectors of government. In addition, Congress and the Administration must work to reform the Federal Information Security Management Act of 2002 (FISMA). By streamlining requirements to meet end goals rather than checklists, we can provide greater services to citizens and more secure state data networks.