California tech department stops charging agencies for security services
The California Department of Technology said Thursday it’s no longer requiring fellow agencies to bear the costs of some of its cybersecurity services thanks to changes that went into effect this month under the state’s new budget.
A CDT blog post stated that before July 1, when California’s spending plan for the 2021-22 fiscal year took effect, state agencies and other government entities were required to reimburse CDT for mandated security services, including threat information sharing, network protection and functions provided by the statewide security operations center. Those requirements, the blog post read, often competed with agencies’ other priorities, sometimes leading to compliance gaps.
“Due to competing priorities, some struggled to prioritize funding toward remediation efforts of identified audit gaps, while others were unable to sustain audits, assessments, security solutions, and SOC mitigations,” read the post, written by statewide Chief Information Security Officer Vitaliy Panych.
But the budget Gov. Gavin Newsom signed earlier this year included several boosts to CDT’s funding, including $21 million in direct support for the 49-person Office of Information Security. Previously, the office was paid for by agencies’ contributions to the state’s Technology Services Revolving Fund.
With the new funding, though, SOC functions, audit services, information sharing and incident response are covered as “default and a built-in function[s] across state government,” Panych wrote.
The shift in funding will also sustain CDT’s cybersecurity audit program for the next four years “without cost recovery ramifications” to agencies under review, according to the budget.
“By funding security activities in the General Fund, state entities are now able to focus and prioritize on fixing critical gaps identified through the oversight program and strengthen their security postures while benefiting from built-in security mitigations from the SOC,” the post reads. “It is a significant step that will improve our cybersecurity maturity and preparedness, protect residents’ sensitive information, and continue the safe and secure delivery of essential services to Californians.”