In a report released Thursday, the state Legislative Analyst’s Office (LAO), a longtime fiscal and policy adviser to the Legislature, examines the information security (IS) compliance of nonreporting state entities — agencies, offices, panels, commissions, boards, departments and others that are not under the “direct authority” of Gov. Gavin Newsom and “therefore, generally [are] considered to be outside of the California Department of Technology’s (CDT) IS authority.” In supplemental report language adopted last year, lawmakers required the LAO to create this report to specifically identify the entities; consider whether some could “benefit from compliance with and reporting on IS policies and procedures” like those set by CDT; and provide options for the Legislature on improving the entities’ IS compliance and maturity, i.e., how prepared their IS programs are to prevent or respond to a cyber attack or threat.
The entities found to be nonreporting are the Board of Equalization, the Citizens Compensation Commission, the Commission on Peace Officer Standards and Training, the Commission on State Mandates, the Department of Education (Superintendent of Public Instruction), the Department of Insurance (Insurance Commissioner), the Department of Justice (Attorney General), the Education Audit Appeals Panel, the Gambling Control Commission, the Health Benefit Exchange (Covered California), the Little Hoover Commission, the Office of Tax Appeals, the Office of the Inspector General, the Office of the Lieutenant Governor, the Privacy Protection Agency, the Public Utilities Commission, the Secretary of State, the State Auditor, the State Controller, the State Lottery, the State Treasurer and the Summer School for the Arts, according to the report. Some, the report notes, “receive hundreds of millions of dollars and employ thousands of staff”; others receive millions of dollars or less and have few staffers if any. Some of these entities play critical roles in accounting and account management that are central to the state, while others do “important oversight” but not “central state functions and roles.” The report’s findings and options, the LAO said, “generally cannot be applied across all nonreporting entities.” Among the takeaways:
- The report describes the state cybersecurity landscape, pointing out that the California Cybersecurity Integration Center (Cal-CSIC) takes the lead on “coordinating statewide IS activities; gathering and disseminating threat intelligence to state entities from the federal government, county and other local governments, and private companies; and responding to cybersecurity incidents.” The Office of Information Security (OIS) creates IS policies, procedures and standards that reporting entities must follow, and formalizes them in the State Administrative Manual (SAM) and Statewide Information Management Manual (SIMM). The two entities collaborated to produce Cal-Secure in October 2021, California’s first five-year IS road map. Nonreporting entities “also can voluntarily opt into Cal-Secure implementation,” the report said, but the LAO’s understanding is that nonreporting entities do not have to report their progress on this. Historically, the LAO said, nonreporting entities generally haven’t been “subject to the state’s IS governance structure,” with exceptions like their requirement to “submit technology recovery plans for critical infrastructure controls and information to CDT” pursuant to state code. Some nonreporting entities, like the Department of Justice, are represented within Cal-CSIC. Newer legislation brings some IS-related mandates for nonreporting entities, including that they must “annually certify their compliance with legislative leadership.” The report defines IS compliance as “the mechanisms within the IS governance structure that are used to oversee state entities’ implementation of IS policies, procedures and standards, and ensure remediation of assessment and audit findings” and indicates that, generally, Assembly Bill 2135 requires nonreporting entities to certify yearly to legislative leaders their compliance with federal and national IS standards — not quarterly, as reporting entities must.
- In evaluating nonreporting entities’ IS programs, the LAO found many receive Cal-CSIC threat intelligence and use it, for example, to block “malicious Internet Protocol addresses” — but only some of the entities sought guidance from Cal-CSIC and CDT on Cal-Secure. Many nonreporting entities, the report said, use SAM, SIMM and NIST to guide their programs. But the entities found implementing a framework difficult because “guidance, information, and templates made available by CDT were hard to understand and not necessarily relevant to their program areas,” and its recommendations on hardware, software and tools were “too expensive and/or too limited given their constrained IS budgets.” Some entities the LAO interviewed indicated they remained unsure whether they were reporting or nonreporting, which “made their decisions on IS governance and, by extension, compliance more difficult.” Industry Insider — California has reached out to CDT for its perspective; this article may be updated.
- On compliance, nearly all nonreporting entities had done an ISA in the past “two to three years,” though lack of funding prompted some to wait “several years” between ISAs. “Consistent with CDT’s requirement that reporting entities undergo ISAs once every two years (with some limited exceptions), nonreporting entities appear to be undergoing ISAs at a comparable rate consistent with the intent of AB 2135,” the report said. Some entities indicated a “lack of response from CDT” on their IS compliance documentation “made it difficult to ... determine whether deficiencies identified in ISAs had been addressed ...”; and some were required to complete “additional IS compliance activities” by their cyber insurance providers. And some entities reported being unaware of “how to achieve compliance with state IS policies, procedures and standards” and asked that CDT “provide certification and education opportunities” for IS and IT staff. Per CDT, the report said, “several” of the entities used the department’s security operations center, its state data center IT services, or both — but others found working with private IT companies brought “comparable or better levels of service and pricing.” In interviews, entities said software-based training that included mock phishing helped boost IS compliance and maturity, but nearly all entities found recruiting, training and retaining IS staff to be difficult — and cited the lack of qualified IS staff as “one of the barriers” to improving their IS programs. Some of the smaller entities interviewed “raised issues with the division of IT procurement responsibilities” between CDT and the Department of General Services, and a few of those entities indicated that a lack of dedicated procurement staff made procurements take longer.
- The LAO offers several options to the Legislature to potentially improve nonreporting entities’ IS compliance and maturity. These include amending CDT’s IS authority to address “the current ambiguity in the definitions and use of state agency and state entity, and make clear whether state entities are nonreporting or reporting”; monitoring the entities’ compliance with AB 2135, as the bill added lawmakers to the state’s IS governance structure; and directing Cal-CSIC to do more outreach to entities that are implementing Cal-Secure to offer guidance. The Legislature could also ask, the report said, that Cal‑CSIC, CDT and the Department of Finance “evaluate the use of provisional budget bill language for nonreporting entities’ IS‑related budget requests to condition the expenditure of funding on compliance with certain IS policies, procedures, and standards”; and lawmakers could consider whether their monitoring of AB 2135 compliance and implementation could inform their analysis of budget requests. The Legislature could also consider requiring CDT to develop a “centralized IS certification and training hub” to educate and certify “all state entity IS staff” on existing and upcoming state IS policies, procedures and the like; and it could require the state to evaluate “major cyber insurance products” now available to state entities to determine which might improve the nonreporting entities’ compliance and maturity. The LAO also suggests the Legislature consider expanding the use of shared service contracts for IS services and directing state agencies and entities to expand their efforts to recruit, train and retain IS staff.