CDT is cited twice in Auditor Elaine M. Howle’s report – for “weaknesses” in the state’s information security, and for oversight of state IT projects.
The tech department has been on the auditor’s “High-Risk List” since 2013 for the security issue – which largely centers on CDT’s role as a monitor to which certain state agencies must report. The auditor has noted steady improvement by CDT in that area since 2013, but it says security is still a problem. Because many state departments and agencies self-report to CDT on their security posture, CDT has questioned the reliability and accuracy of some of those findings.
The audit report says CDT is not alone; it faults several other unnamed departments and agencies for failing to follow the standards for reporting and for security.
In its summary of the security findings, the Auditor’s Office writes: “State entities have not demonstrated adequate progress toward addressing deficiencies in their information system controls. Reporting entities continue to struggle with improving their information security status, as evidenced by their performance on a federally sponsored nationwide information security review. For example, reporting entities have self-reported weaknesses in their information security programs since at least 2018, rating themselves on average slightly below the federally recommended minimum level. …”
The problem is mainly with “nonreporting entities” – those that fall outside of the governor’s direct authority, such as constitutional offices and those in the judicial branch. The auditor’s report addresses these specifically: “Nonreporting entities also need to improve their information security status. Specifically, we surveyed 31 nonreporting entities, and only four reported achieving full compliance with their chosen information security framework and standards. Further, three entities have not even adopted a framework or standards. Consequently, because weaknesses persist in information security controls across all types of state entities, information security remains a high-risk statewide issue.”
The auditor’s report notes that in its August 2015 report, it pointed out that “many reporting entities had poor controls over their information systems, placing some of the state’s most sensitive information at risk,” and it recommended nine steps for CDT to address the problem. The audit report three years later, in January 2018, noted some improvement but said risks still existed. By October 2018, CDT had implemented all nine recommendations, but “reporting entities have remained stagnant in their information security development, as the state’s average scores remained nearly unchanged between 2018 and 2020,” Thursday’s report says.
In an email statement to Techwire, a CDT spokesperson wrote Thursday: “CDT takes seriously the findings in the California State Auditor’s report on high-risk issues. We welcome the examination of all of our processes and are committed to making continuous improvement. Evolving cyber attacks pose a threat to private, government and individual information security. That’s why we are focused on achieving measurable improvements through simulated exercises. In the last two fiscal years, we have reduced by 40 percent the average number of high-risk vulnerabilities in key critical systems. We agree we must keep cybersecurity and information security oversight as a high-risk issue and focus on encouraging continued progress through objective measures in the oversight program. We also agree effective oversight is crucial for the success of California’s information technology projects.”
A key factor in addressing the security lapses asserted by the Auditor’s Office is a change in how the state now pays for its information security. Previously, entities were charged by CDT for certain services, including cybersecurity. Under the new state budget signed last month by Gov. Gavin Newsom, CDT was given more funding and will perform these services without the extra step of charging agencies and departments for them.
“CDT states that it expects to see advancement in the state cybersecurity programs in the next two years due to a change in its funding structure,” the auditor’s report notes in its findings.
The second area in which CDT was dinged by the auditor was in oversight of projects that were already underway when the state adopted its Project Approval Lifecycle (PAL) protocol. As Techwire reported in 2016, PAL includes a business analysis (Stage 1), alternatives analysis (Stage 2), solution development phase (Stage 3), and project readiness and approval (Stage 4). “At the conclusion of each stage, project managers and oversight staff reach a go/no-go decision point where a project can be halted if more work is needed.”
The auditor’s report states: “In our January 2020 high-risk assessment, we raised concerns about the need for the PAL process to demonstrate consistent success across projects of varied importance, including highly critical and complex projects. We stated that projects CDT approved before implementing PAL have experienced significant delays and cost increases. … Because the effectiveness of PAL remains unclear, we are retaining CDT as a high-risk state agency.”
The CDT statement also addresses that finding: “CDT has transitioned its oversight function to agile and modular implementation strategies, and tailored the Project Approval Lifecycle engagements as needed to prioritize success for individual projects. California’s response to the COVID-19 pandemic demonstrates CDT’s guidance and oversight result in effective projects that benefit the people of our state. CA Notify, myCAvax, MyTurn, CalCONNECT, CalWorkshare, and the COVID Reporting System were created in a matter of days and weeks and positioned California as a national leader in virus suppression and vaccine distribution.”
The audit report also addresses the tech agency’s shift to the use of agile or modular development in projects, which allows for incremental changes and releases rather than one final “waterfall” release.
“CDT has not yet completed development of its reporting and monitoring process for projects that use adaptive approaches, such as agile and modular development,” the audit report says. “Given that CDT is already overseeing projects that are using adaptive approaches but has not yet completed development of its reporting and monitoring process for these kinds of projects, CDT continues to be a high-risk state agency.”
In its summary of agency responses, the auditor’s report says, “CDT stated that the High-Risk assessment fails to capture the complexity or measure the scope and success of PAL because the assessment is focused narrowly on PAL planning activities for projects that were subject to CDT’s independent oversight.”
In an open letter prefacing the report to the governor and leaders of the Legislature, Howle cites issues with four other state entities in addition to CDT that pose a risk to the state: the California Department of Corrections and Rehabilitation, the California Department of Health Care Services, the California Department of Public Health and the California State Teachers’ Retirement System.
Howle notes that her office has “removed state oversight of K-12 education funding from our state high-risk list because the state has made sufficient progress toward controlling risk factors.”