With Budget Change Proposal, State Board Would Enhance Cybersecurity

The California Victim Compensation Board is seeking about $1.6 million and eight staff positions over the next two fiscal years to help in meeting capabilities set out in Cal-Secure, the state’s multiyear cybersecurity road map.

The California Victim Compensation Board (CalVCB), a three-person state board that assists victims of violent crimes, in part with reimbursement for crime-related expenses, is looking to do more in the area of cybersecurity.

In a budget change proposal (BCP) following the January release of Gov. Gavin Newsom’s proposed 2023-2024 Fiscal Year budget, CalVCB seeks $877,000 from the Restitution Fund and four positions in FY 2023-24; and $789,000 and four positions in FY 2024-25 and ongoing to “implement and maintain increased cybersecurity capabilities.” Among the takeaways:

  • CalVCB, like other state entities, is working to meet the 29 required capabilities in Newsom’s multiyear cybersecurity maturity road map, Cal-Secure, which the California Department of Technology (CDT) and its Office of Information Security released in October 2021. The board has absorbed the workload of nine of those capabilities. But, it said in the BCP, “current IT security staffing levels at CalVCB are not adequate to implement and support the cybersecurity requirements of Cal-Secure.” The board now has 1.2 information security staff positions through which to maintain the information security program as required under State Administrative Manual (SAM) Section 5300. The BCP, it said, will empower the board to “reduce data security risks while executing departmental statutory functions.”
  • Specifically, CalVCB wants to hire four IT security staff this year — one IT Specialist I position and three IT Specialist II positions — to put in place and keep up the 20 capabilities it can’t handle with current staffing. Capabilities not fully in place include an anti-phishing program, at 50 percent implementation; multifactor authentication, at 20 percent; asset management at 30 percent; and continuous vulnerability management at 90 percent. The IT Specialist I would be a security and privacy analyst with duties including “developing new and updating existing policies and procedures to incorporate changes” associated with Cal-Secure; taking over areas including incident response triaging from the Information Security Section Chief; and analyzing and identifying security policy needs. The IT Specialist II positions would include one infrastructure security lead and two technical security and privacy engineers. The former’s duties would include enhancing infrastructure security for the board’s Compensation and Restitution System and the underlying infrastructure with new security solutions and the expansion of existing ones. The latter's duties would include handling Cal-Secure capabilities such as security continuous monitoring and software supply chain management, as well as cloud security monitoring, data loss prevention and insider threat detection.
  • Accountability, should the BCP be approved, will be measured by “annual assessment” submitted to CDT, and by “Independent Security Assessments” done by the California Military Department every other year. Progress will also be reported to CDT and follow Statewide Information Management Manual (SIMM) Section 5305. Among feasible alternatives, approving the funding but adding just six additional positions would enable action on Cal-Secure and improve cybersecurity and information privacy but still bring increased costs and ongoing expenditures to the Restitution Fund. Approving less funding and fewer positions — $674,000 from the Restitution Fund for three IT Specialist IIs in FY 2023-24 and $608,000 ongoing, with a limited-term IT Specialist I and $181,000 in the second year — would bring somewhat similar positive results but still have added costs and would also delay implementation of Cal-Secure capabilities. A third reduced alternative — $674,000 from the Restitution Fund for three IT Specialist IIs in 2023-24 and $608,000 ongoing — would require less funding but also see fewer results, including the delay in implementation of some capabilities, lower cybersecurity maturity and audit scores for the board, and “higher risks associated with supply chain and asset management” due, generally, to the lack of resources to execute needed remedies. CalVCB’s recommendation is to approve the BCP as requested.
Theo Douglas is Assistant Managing Editor of Industry Insider — California.