The California Department of Technology came under fire in an audit last week that found the agency continues to struggle with longterm strategic planning and project oversight, leaving state agencies open to cyberattacks and other compromises.
In his report delivered to the California legislature, State Auditor Grant Parks found that while the decade-old IT agency has set “aspirational” goals for information security, it has not delivered on the strategic directions or modernizations required to live up to those benchmarks. The upshot, Parks wrote, is that state agencies remain vulnerable to “cyberattacks that can compromise individuals’ identities, shut down critical government functions, and cost the state millions of dollars to remedy.”
Marks’ investigators found that despite CDT’s overarching goals, its “Vision 2023” strategic plan lacks performance measures that could be used to track agencies’ progress. The department has also failed to identify ways to fill the staffing gaps it identified in the plan.
Furthermore, Marks’ report found that CDT is falling behind in collecting IT inventories and risk assessments from more than 100 state agencies and offices. As a result, CDT is unlikely to complete the current round of its own cybersecurity audits until 2030. But even that appears to be a dubious prospect: The state’s chief information security officer told auditors that while 51 reporting entities remain in the current audit cycle, the department has not identified which of those offices warrant an audit — or when those reviews might happen.
“Although we confirmed that many of the 51 entities are small with respect to their number of employees, we noted that some of these entities have large budgets and some have access to sensitive information,” Marks’ audit reads. “Consequently, even a small reporting entity may pose a risk to the State, which is why it is imperative that CDT determine which specific reporting entities warrant an audit and prioritize them for review.”
The audit also found that agencies statewide are still slow to modernize, further heightening the risk of cybersecurity incidents. Among the instances it cited was an incident last June in which a job-search site run by California Employment Development Department went down. (That outage was the result of an attack against a vendor, which affected dozens of states nationwide.) The audit also mentioned a ransomware attack last December directed at the California Department of Finance.
More than half the 103 agencies Marks’ staff surveyed as part of the audit said their IT systems needed to be modernized, with at least one saying its technology was 15 to 20 years out-of-date.
“These examples underscore the importance of CDT’s identification and assessment of IT systems that require modernization,” it reads. “However, CDT has not yet met its statutory requirements to identify, assess, and prioritize high-risk systems to ensure that they are stable and up to date to meet the State’s needs.”
Marks’ report last week is hardly the first time the California Department of Technology has been poked by the state auditor. An August 2021 review called it a “high-risk” agency for what it called insufficient oversight of IT projects and weak information security across the state. Another report six months later called CDT “slow” to improve its cyber practices.
In her response to the audit, California CIO Liana Bailey-Crimmins wrote that while she agrees strategic planning and oversight is vital to better cybersecurity governance, she quarreled with some of the specific findings. In particular, she wrote that CDT is working with other state agencies, including the Government Operations and Human Resources departments, to address staffing shortages. She also noted the 2021 publication of “Cal-Secure,” a five-year plan to improve cybersecurity controls and reporting across more than 150 California agencies, which are federated and operate with autonomy on IT decisions.
“CDT fully complies with its strategic planning, cybersecurity, and project oversight responsibilities,” she wrote. “While we disagree with many of the conclusions and implications of the audit findings, the State Auditor’s recommendations will be considered.”
But Marks was unconvinced by the response: “CDT’s response suggests that it believes it has successfully executed its planning, cybersecurity, and project oversight responsibilities,” the audit read. “We disagree.”