Robb told Infosecurity that the state CIOs are looking to get funding from the Department of Homeland Security under the Homeland Security Grant Program (HSGP) designed to help state and local agencies improve their homeland security systems. Robb said that funding information security projects is not currently a priority under the program.
In a letter sent by NASCIO and the Multi-State Information Sharing and Analysis Center (MSIAC) to DHS’s Federal Emergency Management Agency (FEMA), the groups urged FEMA to set up and fund a Cyber Security Grant Program under HSGP.
“Although cyber security is an approved funding category within the HSGP…cyber security programs and projects unsuccessfully compete against other high priority investments meant to improve physical security preparedness and response capabilities, particularly at the local government level. This request is for the establishment and annual funding, through federal Homeland Security appropriations law, of a distinct federal homeland security grant program…dedicated to improving cyber prevention, protection, response, and recovery capabilities at both the state and local government levels,” wrote NASCIO Executive Director Doug Robinson and MSIAC Chair William Pelgrin in their Aug. 6 letter to FEMA Administrator Craig Fugate.
Robb said that NASCIO and MSIAC are working with DHS on a risk assessment survey to document the need for increased funding of state information security projects. The survey will be carried out over the next six months. “Hopefully, it will show that there are information security gaps at the state level and the impact of that on overall homeland security,” he said.
According to a recent NASCIO survey, information security is one of the top 10 strategic priorities for state CIOs. In the 2010 survey, information security was ranked seventh among the priorities, down from sixth in the 2009 survey. Robb explained that the drop in ranking does not reflect less concern with information security among CIOs.
“Many of the priorities listed above information security in the priorities list have an information security aspect to them,” Robb said. For example, the top four priorities—consolidation/optimization, budget and cost control, health care, and cloud computing—all have information security “embedded” in them.
NASCIO also ranked the top 10 CIO priorities in terms of technologies, applications, and tools. Two information security tools appeared on the list; identity and access management tools were ranked fifth and security enhancement tools were ranked seventh. Identify and access management jumped from ninth in 2009. “There is so much interest in it, both from the security perspective and the operational perspective,” Robb said. NASCIO has set up a working group to apply the Federal Identity, Credential, and Access Management (FICAM) model to the states, he noted.
In a joint Deloitte-NASCIO survey released last month, state chief information security officers (CISOs) expressed concern that they did not have adequate resources to protect government data and personal information of citizens.
“While [CISOs] may be increasingly concerned about budgets, this does not directly drive CIO concerns. The top 10 list is the CIOs point of view. There is not a big difference of opinion between the CISOs and the CIOs; it’s a matter of being closer to the threat,” Robb said. “CIOs are likely to hold the line on information security budgets,” he added.