California announces cybersecurity maturity metrics for ‘objective’ agency comparison

The state's chief information security officer says the new system will provide a much more detailed and accurate view of California's IT security risk.

California may soon have an idea of exactly how vulnerable each of its agencies are to cybersecurity threats, thanks to the recent release of a new security risk and maturity measurement program.

The California Department of Technology announced on Monday the release of the California Cybersecurity Maturity Metrics, which are designed to provide an objective comparison across all state government agencies.

“This is not a punishment thing. This is not a naughty list,” State Chief Information Officer Peter Liebert told StateScoop. “This is literally us doing our best to ensure we find weak areas or those that are risky and help ensure that they’re empowered to get a better program and increase their maturity to decrease their overall risk.”

The metrics will give his office and legislators a more precise tool to inform investment and guide policymaking, he said.


The metrics, which were announced with the release of Technology Letter 18-01, include measurements with names like risk, threat, impact, and maturity. Each metric is rated on a scale from 0 to 4, entirely based on existing data from audits, anecdotal reports, and existing measurement policies.

All the data is bundled together and passed through an algorithm that allows the state an “apples-to-apples” comparison across agencies, Liebert explained. 

Each agency will get a categorization for its cybersecurity maturity level. The categories will be based on those found in the popular Cybersecurity Framework issued by the federal National Institute of Standards and Technology, Liebert said. While some companies have similar proprietary metrics, Liebert said, he hasn’t seen anything quite like this in state government. 

And best of all, he said, the state didn’t have to pay a contractor for it. The metrics are the result of “I don’t know how many hours” of planning sessions and research, Liebert said, conducted with its project partners, which are the California Highway Patrol, California Military Department and California Office of Emergency Services.

While the state has implemented components of all of these measurements in the past before, nothing this comprehensive or objective has been attempted. Often, security assessments are difficult to quantify or adequately explain to an outside party, lacking an objective scale or any other outside frame of reference, Liebert said.


Conservatively, Liebert predicted an initial report based on these metrics will be released within two years.

“The effort here is to continue CDT’s effort to provide additional metrics that are measurable for both internal and external use,” Liebert said. “This is a key component of how we’re going to determine risk across the state.”

Latest Podcasts