The National Association of State Chief Information Officers (NASCIO) held its 2022 annual conference in Louisville, Kentucky, last week, and the event had a record attendance of almost 1,000 people. There were many great themes and stories that came up throughout the week, including this showcase of stories from GovTech:


Unsurprisingly, cybersecurity was a major topic at several NASCIO conference sessions, and this overview article highlighting the 2022 Deloitte-NASCIO Cybersecurity Study begins this way: “CISOs are gaining attention outside the IT office and cyber financing isn’t a big problem, for the first time in the history of the survey. But CISOs still struggle with expertise gaps and have to strengthen local relationships to build statewide approaches.”

The survey results listed in the report cover gaps in the workforce, statewide cybersecurity, and many other topics.

(As an aside, I covered the vital importance of the statewide approach to cybersecurity in this recent article.)

I really like the description given by Leah McGrath, Executive Director of StateRAMP, in a recent LinkedIn post about the NASCIO main session:

“Today’s National Association of State Chief Information Officers (NASCIO) cybersecurity session was fantastic, and again I was impressed by the speakers and thoughtful discussion. The discussion also reinforced for me the importance of StateRAMP.

“I took a moment to jot down a few conclusions: 1) The shortage of cybersecurity personnel will drive the government to look for more private sector partners and collaborations like StateRAMP. The government will need to focus even more on doing only what it can do and working with others to achieve its goals. With StateRAMP, the government can move the work they do evaluating third-party providers to StateRAMP, so they can spend more time doing what only they can do, managing risk to the residents they serve.

2) Whole state approaches and the creation of cyber ecosystems between the state, locals, higher education and K12 remains a necessity. Common language and common standards are important when building bridges. StateRAMP provides a common standard for states, locals, and public education agencies for their third-party cloud providers. 3) Historically, the government has resorted to “after the fact” penalties when managing third-party vendor risk, such as incorporating incident reporting, penalties, or cyber insurance into contracts. StateRAMP offers a preventative approach to third-party risk management. Together, we can change our approach, expectations, and mindset around cloud security. Thank you NASCIO for another great day!”


Okay, so what surprised me about state government cybersecurity news over the past week?

First, several states mentioned that they may decide NOT to accept federal grant funds from the State and Local Cybersecurity Grant Program, because the paperwork, federal system monitoring of their state networks, and other legal language contained in the program could make the funds more trouble than benefit.

Let me clarify that only a small number of states said that they may not accept federal grant dollars, and most states are working enthusiastically to submit their plans for funding as soon as possible. These states also said they are working with the Cybersecurity and Infrastructure Security Agency (CISA) to try to address their concerns. Still, I was very surprised by these statements made in open conference sessions and in private.

Second, several states plan to submit joint plans with other states to eliminate cost-sharing requirements for their state budgets.

As stated in the fact sheet on the CISA website:

“What is the cost share required for individual projects? Answer: For applications made by an individual eligible entity, the non-Federal cost share requirement for fiscal year 2022 is 10%.

“What is the cost share for a multi-entity project? Answer: There is no cost share requirement for multi-entity projects in fiscal year 2022.”

Finally, the third item that struck me regarding NASCIO cybersecurity this week was the top concern of state CISOs listed in the Deloitte-NASCIO Cybersecurity Study: “Legacy infrastructure and solutions to support emerging threats” was the top concern at 52 percent, compared to just 34 percent of respondents in 2020.

“This year, inadequate availability of cybersecurity professionals was the #2 concern at 50%. Additionally, inadequate cybersecurity staffing ranked third with 46% of respondents.”

What surprised me about this? “Insufficient cybersecurity budget” was the top item TWO years ago, but it did not appear in the top five at all in 2022. To be fair, the second item on the list was not enough cyber professionals, but budget is not the same thing.


Once again, the NASCIO conference provided a great opportunity to network and learn from public and private sector peers focused on government technology across the country. As I’ve written many times, NASCIO is a must-attend conference for serious government tech leaders.

For those who were unable to attend, I encourage you to visit the 2022 NASCIO Recognition Awards Library and learn from the best practices adopted by state award winners in various categories, including cybersecurity.

NASCIO awards dating back to 2017 can be found here.

Three Cybersecurity Surprises from State Security Chiefs
