The federal government is not alone in its failure to integrate cybersecurity into strategic technology planning. According to a new study by the Brookings Institution, only two states — New Mexico and Colorado — demonstrated a “solid and robust” understanding of the importance of integrating cybersecurity in their strategic IT plans.
In a detailed review of state-level strategic IT plans, Brookings analysts found that most states make only passing mention of cybersecurity and offer little, if any, detailed guidance.
“These states have solid IT strategic plans and clearly mention the need for cybersecurity, however security does not figure prominently in their IT strategic plan,” wrote Brookings authors Gregory Dawson and Kevin Desouza. “If strategies exist, they are mostly focused on a single aspect of cybersecurity such as infrastructure management.”
While all states mention cybersecurity in their planning documents, two states — Vermont and Utah — “were virtually silent on the topic and only touched on the need for cybersecurity in a general fashion,” the authors wrote in a March 5 blog post. “In these state plans, we saw little evidence of awareness of cybersecurity as an issue and no evidence of any robust plans for addressing it.”
The Brookings review looked at the IT strategic plans for every state but Alaska, which doesn’t publish a plan. This latest review comes less than two weeks after another Brookings study that analyzed federal agency strategic plans. That review, which covered more than 1,000 pages of federal IT planning documents, concluded that the focus on cybersecurity at the federal agency level is “abysmal.”
Half of the federal agency strategic plans reviewed by the authors make no mention of cybersecurity, and less than a quarter of IT objectives make any mention of efforts to secure IT systems. Additionally, federal agencies rarely discuss cybersecurity efforts in detail, the authors said.
These latest studies come more than a year after the Obama administration’s release of the cybersecurity framework and the announcement by the Department of Homeland Security that it would conduct an outreach effort to provide state governments with training and best practices related to the federal Continuous Diagnostics and Mitigation Program.
But those efforts don’t seem to be reaching the states.
“I’m not sure if the guidance is not getting to the states or if the states are just not picking up on it,” Dawson, who’s also an assistant professor in the Information Systems Department at the W.P. Carey School of Business and a research fellow at the Center for Organization Research and Design at Arizona State University, said in an email to FedScoop. “What surprised us is how many states were trying to go it alone rather than taking advantage of efforts like DHS/NIST…etc.”
“At present, most states are trying to define cyber security, create measures, evaluate risk and develop action plans without consulting anyone outside of the borders of the state,” Dawson said. “To us, at best this is an inefficient process but is likely to be less effective and more costly than taking advantage of some of the help that exists.”
The Brookings review found Idaho and Mississippi to be “truly outstanding in their focus on cybersecurity.” These states have a strong awareness of cybersecurity and take a multifaceted approach, including integrating the National Institute of Standards and Technology cybersecurity framework and other national standards into their state-level plans.
Mississippi, for example, plans to align its Enterprise Security Policy and overall information security program with the NIST cybersecurity framework, the security controls defined in the 800 series of publications by NIST, the recommendations in the National Governors Association’s Call to Action for Governors on Cybersecurity, and the Top 20 Critical Security Controls maintained by the Council on Cybersecurity.
“Such an approach is the most cost efficient and effective way to enact standards and policies for cybersecurity,” the Brookings authors said. “While we are not asserting that all states should adopt NIST’s proposals, we are concerned that locally developed standards may be inferior.”