Export Compliance Daily is a Warren News publication.
Relationship Improving

Federal-State Coordination on Cyber Requires Better Sharing, Authorities, Virginia Official Says

Virginia believes the federal government needs to improve its information sharing with the states and clearly define when the federal government and states have authority over specific aspects of cyber policy to assist states as they align cybersecurity policies with the National Institute of Standards and Technology Cybersecurity Framework, said Zaki Barzinji, Virginia deputy director-intergovernmental affairs. Virginia was the first state to adopt version 1.0 of the NIST framework after its release in February, doing so in conjunction with Gov. Terry McAuliffe’s (D) formation of the Commonwealth of Virginia Cyber Security Commission, Barzinji said. The Department of Homeland Security has been working to encourage state and local governments to use the NIST framework, but “in a lot of cases we don’t know which federal agency, which state agency has authority,” Barzinji said at a Microsoft event Wednesday.

Sign up for a free preview to unlock the rest of this article

Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.

Cybersecurity remains a “relatively new” policy area for the federal government that it's still working through, said Kelvin Coleman, DHS branch chief-state, local, tribal and territorial government engagement, Office of Cybersecurity and Communications. “We’re not where we want to be” on delineating areas of responsibility for cyber at the federal and state levels, but “our relationship with our state colleagues” is improving, he said. DHS Secretary Jeh Johnson has been urging Congress to pass cybersecurity legislation that would codify DHS’s cybersecurity role, namely via Senate passage of the House-passed National Cybersecurity and Critical Infrastructure Protection Act (HR-3696) (see 1409110033).

The Center for Internet Security’s Multi-State Information Sharing and Analysis Center (MS-ISAC) is responsible for cybersecurity information sharing for the 50 states, the 50 state capital cities and Washington, D.C., along with three U.S. territories, six tribal governments, 219 cities and 190 counties, said CIS Chief Operating Officer Julie Evans. MS-ISAC will be monitoring cybersecurity in all 50 states by next year, she said. “If one state sees something, we’ll notify another state if we see similar indicators” there, Evans said. MS-ISAC also leads the annual National Cybersecurity Review that all 50 states participated in last year. MS-ISAC plans to align the 2015 review to the best practices included in the NIST framework, she said.

Fairfax County, Virginia, like other local governments that are improving their cyber-risk management, is “not waiting for coordination, we’re doing,” said Chief Technology Officer Wanda Gibson. “We have no choice but to do.” Local governments may be able to be more nimble in their cyber work than the federal and state governments, but they continue to rely on DHS and other agencies for information sharing, she said. Fairfax County is also a participant in coordinating the cyber efforts of county and city governments in the Washington metropolitan area, Gibson said. The more than 20 local governments in the metro area have jointly created a regional cybersecurity framework that aligns with the NIST framework, she said. The area governments also use the regional Identity & Access Management Service to access regional resources and applications related to cybersecurity, Gibson said.

Virginia’s Cyber Security Commission has taken a “multipronged approach” to encouraging improvements in cybersecurity risk management by appealing to groups beyond the technology sector, Barzinji said. Commission working groups separately work on critical infrastructure cybersecurity, use of cybersecurity as a tool to redefine Virginia’s economy, increase public awareness of cyber issues, improve access to cybersecurity educational and workforce training programs and update state laws related to cyber crime, Barzinji said. “If you want cybersecurity to be something that’s embraced across the board, you have to think about a holistic approach."