And in response, CDT and the state’s chief information security officer, Vitaliy Panych, have pushed back with direct point-by-point rebuttals — to which the Auditor responded. The report, headlined “The California Department of Technology’s Inadequate Oversight Limits the State’s Ability to Ensure Information Security,” is longer than many such audits and offers a detailed rundown of the Auditor’s points — and CDT’s counterpoints.
In an accompanying letter to Gov. Gavin Newsom and the Legislature, Acting Auditor Michael S. Tilden lays out three key issues examined in the audit report:
- “We found that CDT has yet to establish an overall statewide information security status for the state’s 108 reporting entities,” Tilden’s letter says, referring to those entities in the executive branch that are under the governor’s direct authority; non-reporting entities are those outside CDT’s purview. Tilden writes that “because CDT was slow to complete compliance audits, it only calculated 18 of the 39 maturity metric scores it should have determined by June 2021. Despite being aware of shortcomings with its approach, CDT failed to expand its capacity to perform compliance audits.”
- Tilden also says that even though CDT requires reporting entities to complete self-assessments of their information security each year, “it does not use this information to inform the statewide security status.” He says the information that CDT has does show that reporting entities “continue to perform below recommended standards and have not improved over the last several years.” And, he adds, CDT has not taken “critical steps to help reporting entities improve, such as holding them accountable for identifying potential risks to their critical information systems.”
- In the area of non-reporting entities, Tilden recommends that the Legislature create “an oversight structure” for all non-reporting entities, since they fall outside CDT’s purview. “Although 29 of the 32 nonreporting entities have adopted an information security framework or standards, only four reported that they achieved full compliance with their chosen framework or standards,” Tilden notes in his letter.
- CDT has been slow to assess the information security status of reporting entities and has failed to proactively expand its capacity to do so.
- CDT has not held reporting entities accountable for performing required self‑assessments.
- CDT does not use the self‑reported information it has collected to inform the overall status of the state’s information security.
- CDT has not updated its security and privacy policies to align with federal standards.
- CDT’s guidance about information security relative to teleworking policies and training is not entirely clear.
- Many reporting entities’ information security is below standards and has not improved over the last several years.
- Among non-reporting entities, few are fully compliant with information security standards, and some have not yet even adopted such a standard or framework.
- The Legislature should create an oversight structure for non-reporting entities to better hold them accountable for improving their information security.
“Even before these audit findings were shared with CDT, the department began laying the groundwork with a comprehensive cybersecurity plan that is a national model for ensuring the security of state information. CDT published the Cal-Secure road map in October 2021. And, as the threat of cyber attacks continues to grow, we are moving aggressively to help state departments take steps like those identified in the Auditor’s report to protect against this growing threat.”
Norris added: “While we share the Auditor’s prioritization of this issue broadly, we disagree somewhat with the Auditor’s findings. We believe we correctly prioritized cybersecurity response to mitigate threats we face in real time to treat higher risks over cybersecurity compliance audit measures. The risk-based approach is consistent with the sudden and urgent demands of the COVID-19 emergency. CDT immediately scaled up to support the security of technology-based pandemic response and remote work. While the audit program is vitally important to measure the state’s security posture, the emergency actions during the pandemic were necessary to ensure the continued, safe operation of state government services.”
In his comments in the Auditor’s report appendix, Panych describes certain assertions and metrics as “misleading,” “inaccurate” and “irrelevant.”
The findings come almost two years after the COVID-19 pandemic upended state agencies’ protocols for remote working and the security challenges those protocols entail — state workers using their own computer equipment, for example.
Though the Auditor cites the “high-risk” nature of security flaws, California state government has not succumbed to the numerous ransomware attacks and other security incursions that have targeted local governments and schools across the nation since the pandemic began. The technology department and others also helped out with fraud cases that targeted the Employment Development Department, even though those were, by and large, not related to technology.
The Auditor’s report makes only passing mention of Cal-Secure, the cybersecurity road map that the Newsom administration rolled out in October. The report is too new to yield any findings on its effectiveness, the Auditor said.
Tilden notes that although the Auditor has been critiquing CDT’s information security practices since 2013, it focused this audit only on the department’s oversight of reporting entities and their efforts related to telework.
The report was completed in mid-December, just before the retirement of state Auditor Elaine M. Howle and the departure of Amy Tong, who moved from the role of state CIO and CDT director to the directorship of the Office of Digital Innovation (ODI). CDT Chief Deputy Director Russ Nichols is now acting state CIO.
The audit concludes with recommendations for CDT and the Legislature. For the Legislature, it advises:
- Require that CDT confidentially submit an annual statewide information security status report, including maturity metric scores and self‑reported information, to the appropriate legislative committees no later than December 2022. This status report should include CDT’s plan for assisting reporting entities in improving their information security.
- Require each non-reporting entity to adopt information security standards comparable to those required by CDT and to provide a confidential, annual status update on its compliance with its adopted information security standards to legislative leadership, including the president pro tempore of the California state Senate, the speaker of the California state Assembly, and minority leaders in both houses. It should also require each non-reporting entity to perform or obtain an audit of its information security no less frequently than every three years.
- Require non-reporting entities that allow employees to telework to develop telework policies and training comparable to those CDT requires.
- Increase its capacity to perform timely compliance audits — which may entail hiring more staff or securing additional contracted audit support — by the conclusion of the four-year oversight life cycle in June 2022.
- Until it is able to conduct timely, objective audits of reporting entities, CDT should follow up with reporting entities annually to ensure that they complete the required self‑assessments of their critical IT systems.
- Utilize the information from the various self‑assessments the reporting entities complete annually to help identify common areas that require improvement across multiple reporting entities.
- To help ensure that reporting entities are aware of new federal information security standards that are intended to strengthen their security and privacy governance, CDT should complete the necessary updates to the state’s information security and privacy policies by June 2022.
- To help reporting entities ensure that their teleworking employees are taking appropriate security precautions, CDT should clarify guidance by February 2022 to require all employees using personal devices for state business to implement baseline security measures.
