In a budget and policy post released March 23, the Legislative Analyst’s Office, which for three-quarters of a century has helped lawmakers ensure the executive branch implements policy effectively and cost efficiently, scrutinizes information security (IS) proposals in Newsom’s budget, offering assessments and recommendations both on the proposals generally and “specific to the California Cybersecurity Integration Center (Cal-CSIC).” In total, 25 budget change proposals in Newsom’s proposed budget are IS-related, the LAO found, and they total $64.4 million ($70.6 million from the General Fund) and 125 positions. The difference between the total amount requested and the General Fund amount requested, the LAO said, represents a “proposed shift in funding from fee-based special funds to the General Fund in the Department of Alcoholic Beverage Control’s ‘Administrative Support for Evolving Program Operations’ proposal.” Another proposal, the LAO said, “implements IS-related legislation”: state Senate Bill 892, on food and agriculture sector and water and wastewater sector cybersecurity at the California Governor’s Office of Emergency Services, which Newsom approved in September. Among the takeaways:
- Nearly half of the $64.4 million in budget change proposals, or $28.7 million, originates from one proposal: the California Governor’s Office of Emergency Services (Cal OES), the California Highway Patrol (CHP) and the Technology (CDT) and Military (CMD) departments jointly seeking the funding from the General Fund “ongoing” plus 17 positions to “continue limited-term resources authorized in 2020-21 ... and enhance resources to support the responsibilities of the California Cybersecurity Integration Center.” Combined with Bakersfield Democrat Rudy Salas’ Assembly Bill 2355 on school cybersecurity, which Newsom also approved in September, the two represent roughly half of the proposed funding, per the LAO, or $34.1 million. The former, the LAO said, would “address increased demand on Cal-CSIC for cybersecurity coordination, intelligence gathering and dissemination, and incident response.” The latter, generally, would enable Cal-CSIC to “plan, develop, and implement” a database to receive and report cyber attack and data breach information from local educational agencies (LEAs), and help them respond to such incidents.
The LAO said it finds merit in Cal-CSIC’s request to make positions permanent to meet “statewide demand for coordination of IS activities, incident response and threat intelligence gathering and dissemination,” but finds “legislative oversight is warranted” to ensure this actually meets the rise in demands for service and helps address “emerging areas of cybersecurity risk” while achieving the “initiatives and technical capabilities in Cal-Secure.” The LAO said Cal-CSIC’s preliminary estimate of resources needed to help LEAs “goes beyond the specific requirements of AB 2355.” It indicated the bill’s “new requirements” mean the center’s “preliminary estimate is not informed by historical data” on cyber attacks, making it difficult to know how the level of support requested by LEAs will differ among them; and additional funding and/or positions “should not be considered in the absence of LEAs’ demonstrated need for additional assistance from Cal-CSIC.”
- Other proposals, the office said, have “common reasons” for seeking additional resources, with the most common being to “acquire some technical capabilities or lead some initiatives in Cal-Secure,” the governor’s multiyear cybersecurity maturity road map, released in October 2021 by the California Department of Technology (CDT) and its Office of Information Security. At least two proposals seek resources to separate IS and privacy officer roles and responsibilities in accordance with Statewide Information Management Manual (SIMM) 5305-A. The California Department of Human Resources seeks $172,000, $65,000 of that from the General Fund, and one position in FY 2023-24; and $165,000, $63,000 of that from the General Fund, and one position in FY 2024-25 and ongoing for a privacy officer. The California Department of Fish and Wildlife seeks $596,000 and two positions in FY 2023-24, and $579,000 and two positions in FY 2024-25 and ongoing to create an IS and privacy office. Two other proposals seek funding for the same IS software. The California Environmental Protection Agency seeks $605,000 from the General Fund in FY 2023-24 and $555,000 from the General Fund in FY 2024-25 and ongoing; and the California State Transportation Agency seeks $1.3 million and three positions in FY 2023-24 and ongoing, both to procure governance, risk and compliance (GRC) software to “manage risks and set controls and policies across their departments.” The LAO said separating the IS and privacy officer roles and responsibilities will likely improve program coordination and implementation and prevent conflicts of interest that arise from officers and programs performing multiple roles — but it’s not clear how smaller state entities might accomplish the same goals.
- Across all proposals, the LAO finds the absence of regular reporting requirements to the Legislature means it “will be unable to provide effective oversight of this implementation even as state entities continue to request more resources for implementation over the next several years.” The office finds a “lack of consistent and standardized reporting of IS deficiencies, findings, and risks” inhibits the Legislature’s ability to understand how investments in IS can yield “improved IS maturity of state entity programs.” It finds state departments are likely to encounter challenges hiring and retaining staff for the positions they seek. For all proposals, the LAO’s recommendations include directing CDT and Cal-CSIC to report yearly to the Legislature on implementing Cal-Secure initiatives; and directing CDT and the Department of Finance to “consider and report back on options” for standardized disclosure of information in support of IS-related proposals. It recommends lawmakers consider phasing in “some number of positions in acknowledgement of the longer recruitment and hiring timelines for IS staff.” And it recommends lawmakers direct CDT to “create a plan to separate state entity IS and privacy officers and programs” that would include smaller entities; and require CDT to “prioritize shared service contracts for IS services” as part of IT contract consolidations to cut costs and realize savings.
- Regarding the Cal-CSIC augmentations, the LAO recommends approving funding to make 23 existing positions permanent, but directing the center to “prioritize new funding and positions” that it requests. Drilling down on what’s most critical could enable lawmakers to decide if the requested augmentation could be reduced “to address the current budget problem.” It also recommends that if lawmakers approve any new funding, they require Cal-CSIC to quantify goals and outcomes and report on its progress. On AB 2355, the LAO recommends that the Legislature approve $951,000 and three IT Specialist II jobs from FY 2023-24 through FY 2026-27 to enable standing up the database but, “without a basis for assessing the LEAs’ need for additional assistance from Cal-CSIC,” reject funding and position proposals that go beyond meeting the bill’s requirements. It also recommends lawmakers consider approving provisional budget bill language that would let Cal-CSIC seek “some small amount of additional funding, subject to notification of the Joint Legislative Budget Committee, based on its actual experience with LEAs’ response to AB 2355.” This, generally, would give the Legislature a chance to “assess whether additional resources are warranted.”