Report 2021-602 All Recommendation Responses
Report 2021-602: State High-Risk Update—Information Security: The California Department of Technology's Inadequate Oversight Limits the State's Ability to Ensure Information Security (Release Date: January 2022)
Recommendation for Legislative Action
To strengthen the information security practices of reporting entities, the Legislature should amend state law to require that CDT confidentially submit an annual statewide information security status report, including the maturity metric scores it has calculated and the results of the nationwide review, to the appropriate legislative committees no later than December 2022. This status report should include CDT's plan for assisting reporting entities in improving their information security.
Description of Legislative Action
AB 2190 (Irwin, 2022) would have required the chief of the CDT Office of Information Security to submit an annual statewide information security status report to the Assembly Committee on Privacy and Consumer Protection and the Senate Governmental Organization Committee, with the first report required to be submitted no later than January 2023. The bill would have also required the status report and any information or records included with the status report to be confidential and to prohibit the information or records from being disclosed. This bill died in the Senate.
- Legislative Action Current As-of: October 2022
California State Auditor's Assessment of Status: Legislation Proposed But Not Enacted
Description of Legislative Action
AB 2190 (Irwin, 2022) would require the chief of the CDT Office of Information Security to submit an annual statewide information security status report to the Assembly Committee on Privacy and Consumer Protection, with the first report required to be submitted no later than January 2023. The bill would require the status report and any information or records included with the status report to be confidential and prohibit the information or records from being disclosed.
- Legislative Action Current As-of: April 2022
California State Auditor's Assessment of Status: Legislation Introduced
Recommendation for Legislative Action
To strengthen the information security practices of nonreporting entities, the Legislature should amend state law to require each nonreporting entity to adopt information security standards comparable to SAM 5300 and to provide a confidential, annual status update on its compliance with its adopted information security standards to legislative leadership, including the president pro tempore of the California State Senate, the speaker of the California State Assembly, and minority leaders in both houses. It should also require each nonreporting entity to perform or obtain an audit of its information security no less frequently than every three years.
Description of Legislative Action
AB 2135 (Chapter 773, Statutes of 2022) requires certain nonreporting entities to adopt and implement information security and privacy policies, standards, and procedures based upon standards issued by the National Institute of Standards and Technology and the Federal Information Processing Standards. The bill requires these state agencies to perform a comprehensive, independent security assessment every two years and authorizes them to contract with the Military Department, or with a qualified responsible vendor, for that purpose. Further, this bill requires certain nonreporting agencies to certify annually by February 1 to the President pro Tempore of the Senate and the Speaker of the Assembly that the agency is in compliance with all adopted policies, standards, and procedures and to include a plan of action and milestones. The certification is required to be kept confidential and not disclosed, except that the information and records may be shared, maintaining a chain of custody, with the members of the Legislature and legislative employees, at the discretion of the President pro Tempore of the Senate or the Speaker of the Assembly.
- Legislative Action Current As-of: October 2022
California State Auditor's Assessment of Status: Legislation Enacted
Description of Legislative Action
AB 2135 (Irwin, 2022) would require certain nonreporting entities to adopt and implement information security and privacy policies, standards, and procedures based upon standards issued by the National Institute of Standards and Technology and the Federal Information Processing Standards. The bill would require these state agencies to perform a comprehensive, independent security assessment every two years and would authorize them to contract with the Military Department, or with a qualified responsible vendor, for that purpose. Further, this bill would require certain nonreporting agencies to certify, by February 1 annually, to the President pro Tempore of the Senate and the Speaker of the Assembly that the agency is in compliance with all adopted policies, standards, and procedures and to include a risk register and plan of action and milestones. The certification would be required to be kept confidential and not be disclosed, except that the information and records would be allowed to be shared, maintaining a chain of custody, with the members of the Legislature and legislative employees, at the discretion of the President pro Tempore of the Senate or the Speaker of the Assembly.
- Legislative Action Current As-of: April 2022
California State Auditor's Assessment of Status: Legislation Introduced
Recommendation for Legislative Action
To strengthen the information security practices of nonreporting entities, the Legislature should amend state law to require nonreporting entities that allow employees to telework to develop telework policies and training comparable to those CDT requires.
Description of Legislative Action
As of October 26, 2022, the Legislature has not taken action to address this specific recommendation.
- Legislative Action Current As-of: October 2022
California State Auditor's Assessment of Status: No Action Taken
Description of Legislative Action
As of March 18, 2022, the Legislature has not taken action to address this specific recommendation.
- Legislative Action Current As-of: April 2022
California State Auditor's Assessment of Status: No Action Taken
Recommendation #4 To: Technology, California Department of
To ensure that it understands the statewide security status of reporting entities, CDT should increase its capacity to perform timely compliance audits of high-risk entities, which may entail hiring more staff or securing additional contracted audit support. Further, CDT should prioritize calculating maturity metric scores for the nine entities that it has audited but that do not yet have scores because it has not evaluated their privacy controls. CDT should complete these steps by the conclusion of the four-year oversight life cycle in June 2022.
The audit program team has identified 28 entities and will conduct 14 full audits and 14 check-in audits in FY 23/24, up from 22 audits. OIS is still working on how to assess those entities that have not been audited or received a military assessment. At this time, self-assessment appears to be one option; however, without proper verification this process may not be the best alternative. The automated solution UIRM is the suggested solution for auditing more entities; however, we lack the resources necessary at this time in order to move forward.
- Estimated Completion Date: July 2024
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it will not fully implement this recommendation until July 2024.
Final Reports for 48 of the 48 high-risk audits that were scheduled to be completed by the end of the 4-Year Audit Lifecycle have been delivered.
The Privacy focused Audits for the nine (9) referenced entities have been completed and the maturity metric scores issued.
- Estimated Completion Date: June 2023
California State Auditor's Assessment of Status: Partially Implemented
CDT only completed 48 of the 52 originally planned audits, and it did not complete all of those audits during the four-year cycle. Further, it has not increased its capacity to perform timely compliance audits.
Final Reports for 48 of the 48 high-risk audits that were scheduled to be completed by the end of the 4-Year Audit Lifecycle have been delivered.
The Privacy focused Audits for the nine (9) referenced entities have been completed and the maturity metric scores issued.
- Completion Date: September 2022
California State Auditor's Assessment of Status: Partially Implemented
Although CDT completed 48 high-risk audits, it did not complete all of the audits during the four-year cycle, and it only completed 48 of the 52 originally planned audits. Further, it has not increased its capacity to perform additional high-risk audits. However, as CDT states in its response, it completed the privacy-focused audits for the nine referenced entities and calculated the maturity metric scores.
- Auditee did not substantiate its claim of full implementation
- Auditee did not address all aspects of the recommendation
Final Reports for 44 of the 48 high-risk audits that were scheduled to be completed by the end of the 4-Year Audit Lifecycle have been delivered. The Final Reports for the last 4 are being reviewed and will be approved and delivered by August 5th.
The Privacy focused Audits for the nine (9) referenced entities have been completed and the maturity metric scores issued. The Audit Reports for these Privacy focused audits will be issued by August 15, 2022.
- Completion Date: August 2022
California State Auditor's Assessment of Status: Partially Implemented
CDT has not increased its capacity to perform timely compliance audits and, per its response, it will not finalize the maturity metric scores until August 2022.
- Auditee did not substantiate its claim of full implementation
- Auditee did not address all aspects of the recommendation
The California Department of Technology (CDT) is on track to complete 48 of the 52 scheduled high-risk audits for FY 2021-22 by the end of June 2022. CDT is exploring capacity options within the administration for the next fiscal year to support advisory and compliance enforcement measures of high-risk entities.
The entities referenced are high risk entities which did not have privacy controls audited after additional privacy controls were added into our audit framework. The nine (9) referenced entities are currently engaged in focused audits to have their privacy controls evaluated and maturity scores updated by June 2022.
- Estimated Completion Date: June 2022
California State Auditor's Assessment of Status: Pending
Per CDT's response, it will not implement this recommendation until June 2022.
Recommendation #5 To: Technology, California Department of
Until it is able to conduct timely, objective audits of reporting entities, CDT should provide additional guidance to them by April 2022 on what constitutes a critical IT system and follow up annually to ensure that they complete the required self-assessments of those systems.
CDT continues to direct entity completion of the self-assessment of critical systems in Cal-CSIRS. Since its October 2022 update, CDT has conducted additional demonstration sessions with an opportunity for Q&A and individual entity one-on-one guidance sessions as requested to further support entity completion. AISOs have been provided with status reports for the non-compliant entities within their purview and have been asked to direct their entities' compliance. Additionally, CDT is working on a non-compliance enforcement standard which will outline specific consequences for various non-compliance scenarios.
- Estimated Completion Date: April 2023
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it will not fully implement this recommendation until April 2023.
CDT is adopting a three-pronged approach to ensure entity compliance: i. CDT has set a deadline of October 31, 2022, for entities to complete the self-assessment in the Cal-CSIRS; ii. CDT is partnering with the AIOs and AISOs to direct their entities' compliance; iii. CDT is relying on state entities' acknowledgement that cybersecurity is a joint responsibility.
CDT continues to direct entity completion of the self-assessment of critical systems in Cal-CSIRS. Since its July 2022 update, CDT has conducted seven walkthrough demonstration sessions* with an opportunity for Q&A to further support entity completion and over 20 individual entity one-on-one guidance sessions as requested to assist state entities with meeting the October 31 deadline.
* Schedule of Walkthrough Demonstration Sessions
Date      Time              Link to Register
8/5/22    12:00-1:00 PM     https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22548
8/9/22    4:00-5:00 PM      https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22549
8/12/22   10:00-11:00 AM    https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22550
8/16/22   3:30-4:30 PM      https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22551
8/30/22   3:00-4:00 PM      https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22552
9/13/22   4:00-5:00 PM      https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22558
9/15/22   1:00-2:00 PM      https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22559
- Estimated Completion Date: November 2022
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it has made some progress, but it has not yet fully implemented this recommendation.
CDT is adopting a three-pronged approach to ensure entity compliance: i. CDT has set a deadline of October 31, 2022, for entities to complete the self-assessment in the Cal-CSIRS; ii. CDT is partnering with the AIOs and AISOs to direct their entities' compliance; iii. CDT is relying on state entities' acknowledgement that cybersecurity is a joint responsibility.
- Estimated Completion Date: December 2022
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it will not fully implement this recommendation until December 2022.
CDT has engaged with the Information Technology (IT) community and provided guidance on the definition of critical system on December 15, 2021, and March 30, 2022. CDT is engaged with the Governor's Office of Emergency Services' Critical Infrastructure Protection and Planning and Preparedness Branches to provide additional ongoing guidance on the critical system definition. CDT has made joint presentations to the IT community on December 15, 2021, and March 30, 2022. The presentation and guidance materials have been published on the OIS Agency.net (Extranet), accessible to designated AIOs, AISOs, CIOs, ISOs, Privacy Program Coordinators, Technology Recovery Coordinators and their designated back-ups and staff.
State entities are already aware of the requirement to complete the self-assessment in the Cal-CSIRS. Taking into consideration various reporting deadlines and associated workload on state entities, CDT will follow-up with these entities to ensure completion of the self-assessment pursuant to the Information Security Compliance Reporting Schedule SIMM 5330-C (ca.gov).
- Estimated Completion Date: December 2022
California State Auditor's Assessment of Status: Partially Implemented
CDT provided documentation of the guidance it presented and the training video available to IT personnel regarding the definition of critical systems.
Recommendation #6 To: Technology, California Department of
To ensure that it understands the statewide security status of reporting entities, CDT should utilize the information from the entities' self-assessments of their systems, as well as from the nationwide review, to annually help identify common areas that require improvement across multiple reporting entities.
CDT has now incorporated prior year NCSR scores into its priority risk ranking and will report entity status to the cybersecurity select committee in its confidential Legislative briefings with the Legislature going forward.
- Estimated Completion Date: March 2023
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it will not fully implement this recommendation until March 2023.
CDT is still on target to incorporate prior year NCSR scores and report entity status to the cybersecurity select committee by the required due date in December of 2022.
- Estimated Completion Date: December 2022
California State Auditor's Assessment of Status: Pending
Per CDT's response, it will not fully implement this recommendation until December 2022.
CDT is on target to incorporate prior year NCSR scores and report entity status to the cybersecurity select committee by the required due date in December of 2022.
- Estimated Completion Date: December 2022
California State Auditor's Assessment of Status: Pending
Per CDT's response, it will not fully implement this recommendation until December 2022.
The NCSR reporting information is being reviewed and will be incorporated into statewide risk scoring and ranking calculations annually. Annually the NCSR surveys are submitted by February. CDT will incorporate prior year NCSR scores and report entity status to the cybersecurity select committee by the required due date in December of 2022.
- Estimated Completion Date: December 2022
California State Auditor's Assessment of Status: Pending
Per CDT's response, it will not fully implement this recommendation until December 2022.
Recommendation #7 To: Technology, California Department of
To help ensure that reporting entities are aware of new federal information security standards that are intended to strengthen their security and privacy governance, CDT should complete the necessary updates to SAM 5300 and SIMM by June 2022.
Updates have been made and the announcement was released August 2022.
PS 023 - CDT General SIMM Maintenance | CDT (ca.gov)
- Completion Date: August 2022
California State Auditor's Assessment of Status: Fully Implemented
CDT updated the links in SAM 5300 so they refer to the current federal information security standards, and it completed the necessary updates to SIMM.
Updates have been made and the announcement will be released by July 31, 2022.
- Completion Date: August 2022
California State Auditor's Assessment of Status: Pending
Per CDT's response, it will not fully implement this recommendation until August 2022.
- Auditee did not substantiate its claim of full implementation
CDT acknowledges this recommendation and has begun the process of updating from rev 4 to rev 5, to be completed by fiscal year-end. The State-defined parameters for the NIST SP 800-53 controls (SIMM 5300-A) update (rev 4 to rev 5), the Foundational Framework (SIMM 5300-B), and the POAM (SIMM 5300-C) are to be completed by the fiscal year-end.
- Estimated Completion Date: June 2022
California State Auditor's Assessment of Status: Pending
Per CDT's response, it will not fully implement this recommendation until June 2022.
Recommendation #8 To: Technology, California Department of
To help reporting entities ensure that their teleworking employees are taking appropriate security precautions, CDT should clarify guidance by February 2022 to require all employees using personal devices for state business to implement baseline security measures.
Updates have been made and the announcement released August 2022.
PS 023 - CDT General SIMM Maintenance | CDT (ca.gov)
- Completion Date: August 2022
California State Auditor's Assessment of Status: Fully Implemented
CDT fully implemented this recommendation by updating its guidance in the Telework and Remote Access Security Standard.
Updates have been made and the announcement will be released by July 31, 2022.
- Completion Date: August 2022
California State Auditor's Assessment of Status: Pending
Per CDT's response, it will not fully implement this recommendation until August 2022.
- Auditee did not substantiate its claim of full implementation
Updated telework guidance has been provided on https://telework.govops.ca.gov and is continually updated. In addition, updates to policy language have been completed and are currently in the publishing process; these updates will be issued shortly.
- Estimated Completion Date: June 2022
California State Auditor's Assessment of Status: Pending
Per CDT's response, it expects to fully implement this recommendation by June 2022.
Agency responses received are posted verbatim.