The state auditor’s office says in a new report that it’s keeping the California Department of Technology (CDT) on its list of “high-risk” agencies due to concerns about state departments’ information security controls, which CDT is charged with auditing periodically.
The auditor also faults CDT’s oversight of state IT projects.
According to the report and a summary letter from California State Auditor Grant Parks, which was published Thursday, CDT has been on the “high-risk” list for information security since September 2013.
“In a subsequent high-risk audit, Report 2015-611, August 2015, we noted that many reporting entities had poor controls over their information systems,” the new report says. “In our state high-risk assessment, Report 2017-601, January 2018, we reported that CDT had made improvements to its oversight but that reporting entities still showed significant room for improvement. Finally, in Report 2021-601, August 2021, we reported that a federally sponsored nationwide security review noted that state entities in California self-reported ratings below the federally recommended minimum level.”
In a report this spring, the auditor wrote: “Report 2022-114, April 2023, reiterated many of our previous concerns with the state’s information security. Our audit found weaknesses in CDT’s strategic planning, oversight of information security and IT projects, and that CDT has not ensured that the state’s IT systems are adequately protected from cyberattacks. This inadequate protection has the potential to compromise individuals’ identities, shut down critical government functions, and cost the state millions of dollars to remedy.”
Last week’s report adds: “CDT has not sufficiently improved its oversight of information security to mitigate the risks we have identified; therefore, this issue will remain on the state high-risk list. CDT is responsible for providing direction for the state’s information security efforts and for reviewing the security of reporting entities. However, CDT has yet to determine the effectiveness of cybersecurity programs for all of the entities for which it has oversight responsibility.”
Both the auditor’s office and the Legislative Analyst’s Office have previously noted the fact that short staffing has limited CDT’s ability to perform the audits in a timely fashion.
“However, CDT explained that it does not have any immediate plans to hire additional staff or contractors,” last week’s report says. “Instead, CDT reports that it hopes to find increased efficiencies through a new IT system, which does not currently exist, that would allow CDT to more efficiently conduct its audits.”
The auditor’s assessment for what lies ahead is sobering.
“It is likely that attempts against governmental information assets will only increase in the future,” the report says. “CDT has reported that in the wake of the pandemic, the cybersecurity threat nearly quadrupled in the sophistication of attacks by nation-state adversaries and criminal organizations. Because cybersecurity threats are significant and oversight of state departments and agencies remains inadequate, we will retain this issue on the high-risk list.”
Agencies that are examined in the auditor’s reports are given a chance to respond to the findings and to have those responses included in the report. CDT’s director, state Chief Information Officer Liana Bailey-Crimmins, offered a detailed, point-by-point explanation for many of the auditor’s assertions, some of which the auditor rebutted in the report.
Bailey-Crimmins noted in her response that, in addition to the security audits CDT performs on state departments, it also uses other oversight tools and techniques to gauge the maturity of the agencies’ information security measures.
“As the threat landscape continues to evolve, CDT will adapt its oversight program to encompass standards, advisory, and operational measures,” Bailey-Crimmins writes. “We appreciate input from CSA [California State Auditor] on any aspect of our measures. The CDT takes a holistic, risk-based approach to oversight and remediation, as focusing on policy reviews and audits alone is not sufficient.”
The state CIO concludes: “We remain committed to the ongoing evaluation of the effectiveness of the planning and oversight activities as we continue to explore methods to effectively correlate project planning and oversight efforts to successful project outcomes.”
The other area where the auditor faults CDT — IT project oversight — has been an issue for more than 15 years.
“We designated CDT’s oversight of IT projects as high-risk in our initial high‑risk assessment Report 2006-601, May 2007, because of the number of costly and complex projects that were underway and the state’s history of failed IT projects,” last week’s report says. “In part to address these concerns, CDT implemented PAL [Project Approval Lifecycle] in 2016. However, our state high-risk assessment, Report 2021-601, August 2021, found PAL’s effectiveness to be unclear since a sufficient number of projects — especially highly complex and critical projects — had not been completed using PAL. We further noted in our Report 2022‑114, April 2023, that CDT will require new metrics to better track its effectiveness as it uses PAL to support more complex and critical projects.”
The auditor writes: “Several agencies noted that the PAL process is too lengthy and that it delays the approval of projects. Timelines that stretch into multiple years can be costly to agencies and can delay updates to critical IT systems. PAL remains a lengthy process for agencies in 2023, and CDT has not clearly demonstrated its effectiveness.”
To this finding, Bailey-Crimmins also responded point-by-point, adding: “CDT asserts that the PAL process and subsequent project oversight functions have significantly improved project outcomes.”
The state CIO adds: “We remain committed to the ongoing evaluation of the effectiveness of the planning and oversight activities as we continue to explore methods to effectively correlate project planning and oversight efforts to successful project outcomes.”