Report 2021-602 All Recommendation Responses

Report 2021-602: State High-Risk Update—Information Security: The California Department of Technology's Inadequate Oversight Limits the State's Ability to Ensure Information Security (Release Date: January 2022)

Recommendation for Legislative Action

To strengthen the information security practices of reporting entities, the Legislature should amend state law to require that CDT confidentially submit an annual statewide information security status report, including the maturity metric scores it has calculated and the results of the nationwide review, to the appropriate legislative committees no later than December 2022. This status report should include CDT's plan for assisting reporting entities in improving their information security.

Description of Legislative Action

As of February 6, 2023, the Legislature has not taken additional action to address this specific recommendation.

AB 2190 (Irwin, 2022) would have required the chief of the CDT Office of Information Security to submit an annual statewide information security status report to the Assembly Committee on Privacy and Consumer Protection and the Senate Governmental Organization Committee, with the first report required to be submitted no later than January 2023. The bill would have also required the status report and any information or records included with the status report to be confidential and prohibited the information or records from being disclosed. This bill died in the Senate.

California State Auditor's Assessment of Status: Legislation Proposed But Not Enacted


Description of Legislative Action

AB 2190 (Irwin, 2022) would have required the chief of the CDT Office of Information Security to submit an annual statewide information security status report to the Assembly Committee on Privacy and Consumer Protection and the Senate Governmental Organization Committee, with the first report required to be submitted no later than January 2023. The bill would have also required the status report and any information or records included with the status report to be confidential and to prohibit the information or records from being disclosed. This bill died in the Senate.

California State Auditor's Assessment of Status: Legislation Proposed But Not Enacted


Description of Legislative Action

AB 2190 (Irwin, 2022) would require the chief of the CDT Office of Information Security to submit an annual statewide information security status report to the Assembly Committee on Privacy and Consumer Protection, with the first report required to be submitted no later than January 2023. The bill would require the status report and any information or records included with the status report to be confidential and prohibit the information or records from being disclosed.

California State Auditor's Assessment of Status: Legislation Introduced


Recommendation for Legislative Action

To strengthen the information security practices of nonreporting entities, the Legislature should amend state law to require each nonreporting entity to adopt information security standards comparable to SAM 5300 and to provide a confidential, annual status update on its compliance with its adopted information security standards to legislative leadership, including the president pro tempore of the California State Senate, the speaker of the California State Assembly, and minority leaders in both houses. It should also require each nonreporting entity to perform or obtain an audit of its information security no less frequently than every three years.

Description of Legislative Action

AB 2135 (Chapter 773, Statutes of 2022) requires certain nonreporting entities to adopt and implement information security and privacy policies, standards, and procedures based upon standards issued by the National Institute of Standards and Technology and the Federal Information Processing Standards. The bill requires these state agencies to perform a comprehensive, independent security assessment every two years and authorizes them to contract with the Military Department, or with a qualified responsible vendor, for that purpose. Further, this bill requires certain nonreporting agencies to certify annually by February 1 to the President pro Tempore of the Senate and the Speaker of the Assembly that the agency is in compliance with all adopted policies, standards, and procedures and to include a plan of action and milestones. The certification would be required to be kept confidential and not be disclosed, except that the information and records would be allowed to be shared, maintaining a chain of custody, with the members of the Legislature and legislative employees, at the discretion of the President pro Tempore of the Senate or the Speaker of the Assembly.

California State Auditor's Assessment of Status: Legislation Enacted


Description of Legislative Action

AB 2135 (Irwin, 2022) would require certain nonreporting entities to adopt and implement information security and privacy policies, standards, and procedures based upon standards issued by the National Institute of Standards and Technology and the Federal Information Processing Standards. The bill would require these state agencies to perform a comprehensive, independent security assessment every two years and would authorize them to contract with the Military Department, or with a qualified responsible vendor, for that purpose. Further, this bill would require certain nonreporting agencies to certify, by February 1 annually, to the President pro Tempore of the Senate and the Speaker of the Assembly that the agency is in compliance with all adopted policies, standards, and procedures and to include a risk register and plan of action and milestones. The certification would be required to be kept confidential and not be disclosed, except that the information and records would be allowed to be shared, maintaining a chain of custody, with the members of the Legislature and legislative employees, at the discretion of the President pro Tempore of the Senate or the Speaker of the Assembly.

California State Auditor's Assessment of Status: Legislation Introduced


Recommendation for Legislative Action

To strengthen the information security practices of nonreporting entities, the Legislature should amend state law to require nonreporting entities that allow employees to telework to develop telework policies and training comparable to those CDT requires.

Description of Legislative Action

As of February 6, 2023, the Legislature has not taken action to address this specific recommendation.

California State Auditor's Assessment of Status: No Action Taken


Description of Legislative Action

As of October 26, 2022, the Legislature has not taken action to address this specific recommendation.

California State Auditor's Assessment of Status: No Action Taken


Description of Legislative Action

As of March 18, 2022, the Legislature has not taken action to address this specific recommendation.

California State Auditor's Assessment of Status: No Action Taken


Recommendation #4 To: Technology, California Department of

To ensure that it understands the statewide security status of reporting entities, CDT should increase its capacity to perform timely compliance audits of high-risk entities, which may entail hiring more staff or securing additional contracted audit support. Further, CDT should prioritize calculating maturity metric scores for the nine entities that it has audited but that do not yet have scores because it has not evaluated their privacy controls. CDT should complete these steps by the conclusion of the four-year oversight life cycle in June 2022.

The nine entities mentioned in this report have received their final maturity metric scores, which included their privacy controls. In addition, the audit team received funding approval to hire 3 additional lead auditors; the additional resources will allow CDT to complete the balance of audits of the Executive Branch by the end of FY 24/25. There were 21 entities left to audit, and that involves a full audit for each remaining entity, which will satisfy the 107 total entities needed to be audited in the Executive Branch. The detailed audit schedule for FY 24/25 has been developed, and the audit engagement letters will be sent out in January 2024 notifying the entities of the upcoming audits beginning in July 2024. In addition, the audit program team will perform check-in audits (8-10) during the FY 24/25 period. The total number of audits that will be completed by the end of FY 24/25 will be 31 audits in full, including the balance of entities in the Executive Branch. Lastly, the final security maturity scores will be given to each of these entities but will not be finalized until they receive an ISA from the California Military Department.

California State Auditor's Assessment of Status: Partially Implemented

While CDT successfully demonstrated that it calculated maturity metric scores for the nine entities, it is still working to hire additional auditors to increase its capacity to perform timely compliance audits.


CDT is hopeful and planning for a Unified Integrated Risk Management (UIRM) system to be implemented in the future. If successfully implemented, the UIRM will help automate many processes of the Audit program as well as remediation assistance activities delivered by the Advisory Services program. In addition, OIS has secured 3 additional auditor positions, which will increase audit capacity by up to 50%. These positions are in active recruitment at the time of this response.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it does not anticipate fully implementing this recommendation until December 2024.


Prior response provided on April 25, 2023 - Audit program team has identified 28 entities and will conduct 14 full audits and 14 check-in audits in FY 23/24, up from 22 audits. OIS is still working on how to assess those entities that have not been audited or received a military assessment. At this time, self-assessment appears to be one option; however, without proper verification this process may not be the best alternative. The automated solution UIRM is the suggested solution for auditing more entities; however, we lack the resources necessary at this time in order to move forward.

CDT is also working on hiring two more auditors which would result in an additional 8 entities being audited in each fiscal year.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it has not fully implemented this recommendation.


Audit program team has identified 28 entities and will conduct 14 full audits and 14 check-in audits in FY 23/24, up from 22 audits. OIS is still working on how to assess those entities that have not been audited or received a military assessment. At this time, self-assessment appears to be one option; however, without proper verification this process may not be the best alternative. The automated solution UIRM is the suggested solution for auditing more entities; however, we lack the resources necessary at this time in order to move forward.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it will not fully implement this recommendation until July 2024.


Final Reports for 48 of the 48 high-risk audits that were scheduled to be completed by the end of the 4-Year Audit Lifecycle have been delivered.

The Privacy focused Audits for the nine (9) referenced entities have been completed and the maturity metric scores issued.

California State Auditor's Assessment of Status: Partially Implemented

CDT only completed 48 of the 52 originally planned audits, and it did not complete all of those audits during the four-year cycle. Further, it has not increased its capacity to perform timely compliance audits.


Final Reports for 48 of the 48 high-risk audits that were scheduled to be completed by the end of the 4-Year Audit Lifecycle have been delivered.

The Privacy focused Audits for the nine (9) referenced entities have been completed and the maturity metric scores issued.

California State Auditor's Assessment of Status: Partially Implemented

Although CDT completed 48 high-risk audits, it did not complete all of the audits during the four-year cycle, and it only completed 48 of the 52 originally planned audits. Further, it has not increased its capacity to perform additional high-risk audits. However, as CDT states in its response, it completed the privacy-focused audits for the nine referenced entities and calculated the maturity metric scores.


Final Reports for 44 of the 48 high-risk audits that were scheduled to be completed by the end of the 4-Year Audit Lifecycle have been delivered. The Final Reports for the last 4 are being reviewed and will be approved and delivered by August 5th.

The Privacy focused Audits for the nine (9) referenced entities have been completed and the maturity metric scores issued. The Audit Reports for these Privacy focused audits will be issued by August 15, 2022.

California State Auditor's Assessment of Status: Partially Implemented

CDT has not increased its capacity to perform timely compliance audits and, per its response, it will not finalize the maturity metric scores until August 2022.


The California Department of Technology (CDT) is on track to complete 48 of the 52 scheduled high-risk audits for FY 2021-22 by the end of June 2022. CDT is exploring capacity options within the administration for the next fiscal year to support advisory and compliance enforcement measures of high-risk entities.

The entities referenced are high risk entities which did not have privacy controls audited after additional privacy controls were added into our audit framework. The nine (9) referenced entities are currently engaged in focused audits to have their privacy controls evaluated and maturity scores updated by June 2022.

California State Auditor's Assessment of Status: Pending

Per CDT's response, it will not implement this recommendation until June 2022.


Recommendation #5 To: Technology, California Department of

Until it is able to conduct timely, objective audits of reporting entities, CDT should provide additional guidance to them by April 2022 on what constitutes a critical IT system and follow up annually to ensure that they complete the required self-assessments of those systems.

CDT meets with all entities individually annually and conducts quarterly meetings to ensure compliance and understanding of the definitions of mission-critical, state-critical, and critical infrastructure systems and their reporting requirements. Most discussions with entities begin with addressing disaster recovery compliance, leading to a business impact analysis and submitting a self-assessment that aligns with the NIST 800-53 Framework and implemented security controls within the California Compliance and Security Incident Reporting System (Cal-CSIRS). In addition to the initial training sessions that CDT held, we have dedicated staff and on-demand training modules to help entities submit critical systems within Cal-CSIRS. CDT assists in the prioritization of systems for entities and has initiated a process and policy update to review that the number of identified systems is submitted correctly and that entities are updating the status of their systems at a minimum annually as gaps are being addressed.

California State Auditor's Assessment of Status: Fully Implemented

CDT provided guidance to reporting entities about what constitutes a critical IT system and demonstrated that it follows up with entities about the requirement to complete self-assessments of those systems.


Critical System Self-Assessments in the CalCSIRS system are a continuous process that all reporting entities are required to conduct. At this point in time, there have been a total of 334 NIST-defined critical system self-assessments. There are 209 of the 334 being assessed, re-assessed, or added. Thirty-one of the 334 are actively entering remediation plans from the self-assessments, and 94 of the 334 are in a state of completion. These numbers will fluctuate annually as we continue to work with state entities on their Technology Recovery Plans and ensure CalCSIRS is updated accordingly.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it does not anticipate fully implementing this recommendation until July 2024.


CDT continually reminds and provides additional guidance on what constitutes a critical IT system through its oversight, advisory services and stability programs and is regularly following up to ensure system self-assessments are completed.

Since CDT's last response, CDT has provided additional documentation and reporting that verifies what constitutes a critical IT system and is following up annually to ensure that reporting entities complete the required self-assessments of those critical IT systems.

California State Auditor's Assessment of Status: Partially Implemented

CDT did not provide sufficient evidence to demonstrate that it follows up annually with reporting entities to ensure that they complete the required self-assessments of their critical IT systems.


CDT has always been able to conduct timely, objective audits of reporting entities as per statute. Statute requires CDT to conduct high-risk audits as per risk criteria set forth by CDT. Only the highest-risk entities receive full and formalized audits. Selection is based on current and past performance (ISA and Audit) and additional metrics. The additional metrics include scoring from other technical assessment data, the NCSR (as recommended by CSA), and CCMM scores. Again, only the highest risk-rated entities receive full audits in addition to the mentioned additional metrics and will generate CCMM scores. High-risk and/or CCMM-scorable entities may cycle in/out of the Audit cycle based on performance improvement from the other additional metrics (deemed technical and operational). These technical and operational metrics are used as they exhibit symptomatic gaps from a potentially immature information security program, which the full audits measure. If an entity exhibits poor performance and/or symptomatic indicators in the operational activities, then a full audit is performed, thus upgrading an entity into the Audit cycle at that point in time. Conversely, an entity may show positive improvement and would be downgraded from the highest risk and rotate out of the Audit cycle at that time. This approach is intended to attain and measure information security status for all entities and raise the bar for all entities to mature their programs. Currently CDT has CCMM metrics for over 50 entities and has measured and risk-ranked over 120 entities using the other additional metrics mentioned above.

CDT continually reminds and provides additional guidance on what constitutes a critical IT system through its oversight, advisory services and stability programs and is regularly following up to ensure system self-assessments are completed.

California State Auditor's Assessment of Status: Partially Implemented

CDT provided guidance to departments regarding what constitutes a critical IT system. However, CDT did not provide evidence showing how it ensures that the assessments are updated annually.


CDT continues to direct entity completion of the self-assessment of critical systems in Cal-CSIRS. Since its October 2022 update, CDT has conducted additional demonstration sessions with an opportunity for Q&A and individual entity one-on-one guidance sessions as requested to further support entity completion. AISOs have been provided with reports of status for the non-compliant entities within their purview and have been asked to direct their entity's compliance. Additionally, CDT is working on a non-compliance enforcement standard which will outline specific consequences for various non-compliance scenarios.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it will not fully implement this recommendation until April 2023.


CDT is adopting a three-pronged approach to ensure entity compliance: (i) CDT has set a deadline of October 31, 2022, for entities to complete the self-assessment in the Cal-CSIRS; (ii) CDT is partnering with the AIOs and AISOs to direct their entity's compliance; (iii) CDT is relying on state entities' acknowledgement that cybersecurity is a joint responsibility.

CDT continues to direct entity completion of the self-assessment of critical systems in Cal-CSIRS. Since its July 2022 update, CDT has conducted seven walkthrough demonstration sessions* with an opportunity for Q&A to further support entity completion and over 20 individual entity one-on-one guidance sessions as requested to assist state entities with meeting the October 31 deadline.

*Schedule of Walkthrough Demonstration Sessions

Date | Time | Link to Register

8/5/22 | 12:00-1:00 PM | https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22548

8/9/22 | 4:00-5:00 PM | https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22549

8/12/22 | 10:00-11:00 AM | https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22550

8/16/22 | 3:30-4:30 PM | https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22551

8/30/22 | 3:00-4:00 PM | https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22552

9/13/22 | 4:00-5:00 PM | https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22558

9/15/22 | 1:00-2:00 PM | https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22559

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it has made some progress, but it has not yet fully implemented this recommendation.


CDT is adopting a three-pronged approach to ensure entity compliance: (i) CDT has set a deadline of October 31, 2022, for entities to complete the self-assessment in the Cal-CSIRS; (ii) CDT is partnering with the AIOs and AISOs to direct their entity's compliance; (iii) CDT is relying on state entities' acknowledgement that cybersecurity is a joint responsibility.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it will not fully implement this recommendation until December 2022.


CDT has engaged with the Information Technology (IT) community and provided guidance on the definition of critical system on December 15, 2021, and March 30, 2022. CDT is engaged with the Governor's Office of Emergency Services' Critical Infrastructure Protection and Planning and Preparedness Branches to provide additional ongoing guidance on the critical system definition. CDT has made joint presentations to the IT community on December 15, 2021, and March 30, 2022. The presentation and guidance materials have been published on the OIS Agency.net (Extranet), accessible to designated AIOs, AISOs, CIOs, ISOs, Privacy Program Coordinators, Technology Recovery Coordinators, and their designated back-ups and staff.

State entities are already aware of the requirement to complete the self-assessment in the Cal-CSIRS. Taking into consideration various reporting deadlines and associated workload on state entities, CDT will follow up with these entities to ensure completion of the self-assessment pursuant to the Information Security Compliance Reporting Schedule SIMM 5330-C (ca.gov).

California State Auditor's Assessment of Status: Partially Implemented

CDT provided documentation of the guidance it presented and the training video available to IT personnel regarding the definition of critical systems.


Recommendation #6 To: Technology, California Department of

To ensure that it understands the statewide security status of reporting entities, CDT should utilize the information from the entities' self-assessments of their systems, as well as from the nationwide review, to annually help identify common areas that require improvement across multiple reporting entities.

CDT utilizes data science and has derived a Bayesian model that uses conditional security factors to formulate a priority risk ranking and cyber resiliency of state entities across California. The priority risk ranking compares state averages that are based on technical security controls that are identified through security assessments and vulnerability scanning of systems. To help limit the weight of outliers and biases, CDT utilizes the Nationwide Cybersecurity Review (NCSR) as a confidence interval in its model, which additionally allows CDT to identify and determine potential common areas of strengths and weaknesses. By enforcing annual review and updates of the NCSR program, CDT is able to ensure entities are reviewing and gaining a better understanding of their systems and how they can continuously improve their cyber maturity with the assistance of CDT.

California State Auditor's Assessment of Status: Partially Implemented

Although CDT demonstrated that it is utilizing information from the nationwide review to help identify common areas that require improvement across multiple reporting entities, CDT did not provide evidence that it has also used information from reporting entities' self-assessments of their critical IT systems.


The NCSR reporting information and scoring is now actively reviewed and incorporated into the statewide risk scoring and rankings annually. OIS currently has 119 risk scores for both reporting and non-reporting entities. This year's NCSR survey opens on October 1st and closes on February 28th, 2024. Risk Ratings will be updated with this year's NCSR data as soon as it is available. In addition to working with entities through our Advisory Services efforts, we are working closely with our Critical Services Team and leveraging modernization funds to close gaps and reduce risk across the entities they work with.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it does not anticipate fully implementing this recommendation until June 2024.


In the prior response, CDT noted that the NCSR and additional self-reported activities such as self-assessments have been incorporated into information security program measurement of state entities. CDT has provided additional information and supporting documentation that shows the NCSR is being completed and reveals low ratings across all agencies.

California State Auditor's Assessment of Status: Partially Implemented

CDT did not provide evidence that it has used information from reporting entities' self-assessments of their systems to help identify common areas that require improvement across multiple reporting entities.


The NCSR and additional self-reported activities such as self-assessments have been incorporated into information security program measurement of state entities.

California State Auditor's Assessment of Status: Partially Implemented

Although CDT incorporated information from the nationwide review into its risk analysis process beginning in April 2023, it did not provide evidence that it has used this information to help identify common areas that require improvement across multiple reporting entities.


CDT has now incorporated prior year NCSR scores into its priority risk ranking and will report entity status to the cybersecurity select committee in its confidential Legislative briefings with the Legislature going forward.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it will not fully implement this recommendation until March 2023.


CDT is still on target to incorporate prior year NCSR scores and report entity status to the cybersecurity select committee by the required due date in December of 2022.

California State Auditor's Assessment of Status: Pending

Per CDT's response, it will not fully implement this recommendation until December 2022.


CDT is on target to incorporate prior year NCSR scores and report entity status to the cybersecurity select committee by the required due date in December of 2022.

California State Auditor's Assessment of Status: Pending

Per CDT's response, it will not fully implement this recommendation until December 2022.


The NCSR reporting information is being reviewed and will be incorporated into statewide risk scoring and ranking calculations annually. Annually the NCSR surveys are submitted by February. CDT will incorporate prior year NCSR scores and report entity status to the cybersecurity select committee by the required due date in December of 2022.

California State Auditor's Assessment of Status: Pending

Per CDT's response, it will not fully implement this recommendation until December 2022.


Recommendation #7 To: Technology, California Department of

To help ensure that reporting entities are aware of new federal information security standards that are intended to strengthen their security and privacy governance, CDT should complete the necessary updates to SAM 5300 and SIMM by June 2022.

Updates have been made and the announcement was released August 2022.

PS 023 - CDT General SIMM Maintenance | CDT (ca.gov)

California State Auditor's Assessment of Status: Fully Implemented

CDT updated the links in SAM 5300 so they refer to the current federal information security standards, and it completed the necessary updates to SIMM.


Updates have been made and the announcement will be released by July 31, 2022.

California State Auditor's Assessment of Status: Pending

Per CDT's response, it will not fully implement this recommendation until August 2022.


CDT acknowledges this recommendation and has begun the process of updating from rev 4 to rev 5, to be completed by fiscal year-end. The State-defined parameters for the NIST SP 800-53 controls (SIMM 5300-A) update (rev 4 to rev 5), the Foundational Framework (SIMM 5300-B), and the POAM (SIMM 5300-C) are to be completed by the fiscal year-end.

California State Auditor's Assessment of Status: Pending

Per CDT's response, it will not fully implement this recommendation until June 2022.


Recommendation #8 To: Technology, California Department of

To help reporting entities ensure that their teleworking employees are taking appropriate security precautions, CDT should clarify guidance by February 2022 to require all employees using personal devices for state business to implement baseline security measures.

Updates have been made and the announcement released August 2022.

PS 023 - CDT General SIMM Maintenance | CDT (ca.gov)

California State Auditor's Assessment of Status: Fully Implemented

CDT fully implemented this recommendation by updating its guidance in the Telework and Remote Access Security Standard.


Updates have been made and the announcement will be released by July 31, 2022.

California State Auditor's Assessment of Status: Pending

Per CDT's response, it will not fully implement this recommendation until August 2022.


Updated telework guidance has been provided on https://telework.govops.ca.gov and is continually updated. In addition, updates to policy language have been completed and are currently in the publishing process; these updates will be issued shortly.

California State Auditor's Assessment of Status: Pending

Per CDT's response, it expects to fully implement this recommendation by June 2022.


All Recommendations in 2021-602

Agency responses received are posted verbatim.