Analyst Examines Proposed CDT Funding Shift
The Legislative Analyst’s Office said plans to pay for aspects of the California Department of Technology’s information security and cybersecurity audits, as well as certain programming and staffing needs, from the General Fund have merit but would be costly.
The suggested budget for the California Department of Technology is part of Gov. Gavin Newsom’s proposed $227.2 billion 2021-2022 Fiscal Year state budget released Jan. 8. At $493 million, CDT’s proposed departmental budget represents a roughly 12 percent increase from its approved FY 2020-2021 budget of $440.1 million. Newsom’s budget, which the Legislature must approve by June 15, proposes paying the costs of “some existing CDT programs and services” and of other CDT budget proposals from the state’s General Fund. That would increase General Fund expenditures for CDT by $32.7 million year over year, from $6.8 million in 2020-21 to $39.5 million in 2021-22. Among the takeaways:
- The proposed budget requests $21 million from the General Fund in FY 2021-2022 and ongoing, to pay the cost of the CDT’s Office of Information Security and Information Security (IS) program audit services, rather than paying for them through the department’s Technology Services Revolving Fund, its cost recovery fund. LAO Senior Fiscal and Policy Analyst Brian Metzker authored the Office’s Budget and Policy Post and said the cybersecurity audits of all state departments that Newsom mentioned when he released his budget Jan. 8 are likely “the same as the information security (IS) program audit services we reference in our post.” A CDT representative told Techwire the department does not discuss budget proposals.
- The administration’s intent, the LAO said in its post, “is to allow state entities with funding currently budgeted for IS program audits and SOC (Security Operations Center) services to instead use those funds freed up by this proposal to remediate identified IS deficiencies.” A statutory change would be needed to repeal the requirement that state entities audited by CDT pay for their audits, so that the audits are instead paid for from the General Fund. The intent of this “funding conversion proposal,” Metzker told Techwire via email, is “to fund IS services provided to most state entities, particularly to smaller entities that might lack the resources for an IS program audit, and (in doing so) allow previously budgeted funding to be used to remediate IS deficiencies.”
- If this IS proposal is approved, Metzker said, it could spell opportunity for IT vendors: “To the extent vendors provide hardware, services, software, etc., to help state entities remediate their deficiencies, there could be additional departmental funding available for vendor contracts.”
- CDT also seeks slightly more than $11.4 million from the General Fund and 17 positions in FY 2021-2022 “to hire additional staff and contract with vendors across five different departmental offices.” These are the offices of Enterprise Technology (OET), Government Affairs, Legal Services, Statewide Project Delivery (OSPD) and Technology Services (OTech). Requests are divided into three categories, with the largest area of new requests being the New Service Assessment Program. There, OSPD seeks nearly $3.8 million to fund two staff positions for statewide project delivery services for the California Project Management Office, and two positions for service assessment program staff. OSPD also seeks $2.5 million for specialist diagnostic capabilities consulting, and $500,000 for service assessment program development and testing consulting. The department proposes creating three new programs: OSPD’s service assessment program; a service transformation program in OET; and an infrastructure/platform transformation program in OTech.
- The idea of a funding shift isn’t new; Metzker said CDT introduced a “similar Security Operations Center and Audit Program Funding Conversion proposal during the previous budget cycle,” but it was held as COVID-19 set in. Both proposals, Metzker said, deviate from CDT’s traditional cost recovery model and could show whether using General Fund monies will make the department “more proactive” in responding to the state’s IT and information security needs. The LAO generally found the proposals to have merit, but called it “important” for the Legislature to weigh the likelihood of meeting their intent if implemented. The administration, the LAO said, is considering “different ways” of funding some of the services in the proposals, including “a Pro Rata and/or Statewide Cost Allocation Plan process for SOC services,” the former of which would allow “special fund” reimbursement of the General Fund.
“To avoid adding to ongoing pressure on the General Fund, alternative funding sources for these programs and services should continue to be explored by the administration and identified alternative funding sources presented to the Legislature in future proposals,” the Office wrote.
- The LAO recommends that the Legislature approve the funding conversion proposal for the SOC and for the security audit program with “revised statutory language” to reflect the administration’s intent. It also recommends that the Legislature direct CDT to report back at budget hearings on funding statewide SOC services via Pro Rata and Statewide Cost Allocation Plan processes as well as alternate funding sources. The Office also recommends stabilizing “critical services and IT infrastructure proposal” with budget bill language to allow legislative review of changes to administrative policy.