Report 2021-602 Recommendation 5 Responses

Report 2021-602: State High-Risk Update—Information Security: The California Department of Technology's Inadequate Oversight Limits the State's Ability to Ensure Information Security (Release Date: January 2022)

Recommendation #5 To: Technology, California Department of

Until it is able to conduct timely, objective audits of reporting entities, CDT should provide additional guidance to them by April 2022 on what constitutes a critical IT system and follow up annually to ensure that they complete the required self-assessments of those systems.

CDT meets with all entities individually annually and conducts quarterly meetings to ensure compliance and understanding of the definitions of mission-critical, state-critical, and critical infrastructure systems and their reporting requirements. Most discussions with entities begin with addressing disaster recovery compliance, leading to a business impact analysis and submitting a self-assessment that aligns with the NIST 800-53 Framework and implemented security controls within the California Compliance and Security Incident Reporting System (Cal-CSIRS). In addition to the initial training sessions that CDT held, we have dedicated staff and on-demand training modules to help entities submit critical systems within Cal-CSIRS. CDT assists in the prioritization of systems for entities and has initiated a process and policy update to review that the number of identified systems is submitted correctly and that entities are updating the status of their systems at a minimum annually as gaps are being addressed.

California State Auditor's Assessment of Status: Fully Implemented

CDT provided guidance to reporting entities about what constitutes a critical IT system and demonstrated that it follows up with entities about the requirement to complete self-assessments of those systems.


Critical System Self-Assessments in the CalCSIRS system are a continuous process that all reporting entities are required to conduct. At this point in time, there have been a total of 334 NIST-defined critical system self-assessments. There are 209 of the 334 being assessed, re-assessed or added. Thirty-one of the 334 are actively entering remediation plans from the self-assessments, and 94 of the 334 are in a state of completion. These numbers will fluctuate annually as we continue to work with state entities on their Technology Recovery Plans and ensure CalCSIRS is updated accordingly.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it does not anticipate fully implementing this recommendation until July 2024.


CDT continually reminds and provides additional guidance on what constitutes a critical IT system through its oversight, advisory services and stability programs and is regularly following up to ensure system self-assessments are completed.

Since CDT's last response, CDT has provided additional documentation and reporting that verifies what constitutes a critical IT system and is following up annually to ensure that reporting entities complete the required self-assessments of those critical IT systems.

California State Auditor's Assessment of Status: Partially Implemented

CDT did not provide sufficient evidence to demonstrate that it follows up annually with reporting entities to ensure that they complete the required self-assessments of their critical IT systems.


CDT has always been able to conduct timely, objective audits of reporting entities as per statute. Statute requires CDT to conduct high risk audits as per risk criteria set forth by CDT. Only highest risk entities receive full and formalized audits. Selection is based on current and past performance (ISA and Audit), and additional metrics. The additional metrics include scoring from other technical assessment data, the NCSR (as recommended by CSA), and CCMM scores. Again, only the highest risk rated entities receive full audits in addition to the mentioned additional metrics and will generate CCMM scores. High risk and/or CCMM scorable entities may cycle in/out of the Audit cycle based on performance improvement from the other additional metrics (deemed technical and operational). These technical and operational metrics are used as they exhibit symptomatic gaps from a potential immature information security program which the full audits measure. If an entity exhibits poor performance and/or symptomatic indicators in the operational activities, then a full audit is performed, thus upgrading an entity into the Audit cycle at that point in time. Conversely, an entity may show positive improvement and would be downgraded from the highest risk and rotate out of the Audit cycle at that time. This approach is intended to attain and measure information security status for all entities and raise the bar for all entities to mature their programs. Currently CDT has CCMM metrics for over 50 entities and has measured and risk ranked over 120 entities using the other additional metrics mentioned above.

CDT continually reminds and provides additional guidance on what constitutes a critical IT system through its oversight, advisory services and stability programs and is regularly following up to ensure system self-assessments are completed.

California State Auditor's Assessment of Status: Partially Implemented

CDT provided guidance to departments regarding what constitutes a critical IT system. However, CDT did not provide evidence showing how it ensures that the assessments are updated annually.


CDT continues to direct entity completion of the self-assessment of critical systems in Cal-CSIRS. Since its October 2022 update, CDT has conducted additional demonstration sessions with an opportunity for Q&A and individual entity one-on-one guidance sessions as requested to further support entity completion. AISOs have been provided with reports of status for the non-compliant entities within their purview and have been asked to direct their entity's compliance. Additionally, CDT is working on a non-compliance enforcement standard which will outline specific consequences for various non-compliance scenarios.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it will not fully implement this recommendation until April 2023.


CDT is adopting a three-pronged approach to ensure entity compliance - i. CDT has set a deadline of October 31, 2022, for entities to complete the self-assessment in the Cal-CSIRS; ii. CDT is partnering with the AIOs and AISOs to direct their entity's compliance; iii. CDT is relying on state entities' acknowledgement that cybersecurity is a joint responsibility.

CDT continues to direct entity completion of the self-assessment of critical systems in Cal-CSIRS. Since its July 2022 update, CDT has conducted seven walkthrough demonstration sessions* with an opportunity for Q&A to further support entity completion and over 20 individual entity one-on-one guidance sessions as requested to assist state entities with meeting the October 31 deadline.

* Schedule of Walkthrough Demonstration Sessions

Date      Time              Link to Register
8/5/22    12:00-1:00 PM     https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22548
8/9/22    4:00-5:00 PM      https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22549
8/12/22   10:00-11:00 AM    https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22550
8/16/22   3:30-4:30 PM      https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22551
8/30/22   3:00-4:00 PM      https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22552
9/13/22   4:00-5:00 PM      https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22558
9/15/22   1:00-2:00 PM      https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22559

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it has made some progress, but it has not yet fully implemented this recommendation.


CDT is adopting a three-pronged approach to ensure entity compliance - i. CDT has set a deadline of October 31, 2022, for entities to complete the self-assessment in the Cal-CSIRS; ii. CDT is partnering with the AIOs and AISOs to direct their entity's compliance; iii. CDT is relying on state entities' acknowledgement that cybersecurity is a joint responsibility.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it will not fully implement this recommendation until December 2022.


CDT has engaged with the Information Technology (IT) community and provided guidance on the definition of critical system on December 15, 2021, and March 30, 2022. CDT is engaged with the Governor's Office of Emergency Services' Critical Infrastructure Protection and Planning and Preparedness Branches to provide additional ongoing guidance on the critical system definition. CDT has made joint presentations to the IT community on December 15, 2021, and March 30, 2022. The presentation and guidance materials have been published on the OIS Agency.net (Extranet), accessible to designated AIOs, AISOs, CIOs, ISOs, Privacy Program Coordinators, Technology Recovery Coordinators and their designated back-ups and staff.

State entities are already aware of the requirement to complete the self-assessment in the Cal-CSIRS. Taking into consideration various reporting deadlines and associated workload on state entities, CDT will follow up with these entities to ensure completion of the self-assessment pursuant to the Information Security Compliance Reporting Schedule SIMM 5330-C (ca.gov).

California State Auditor's Assessment of Status: Partially Implemented

CDT provided documentation of the guidance it presented and the training video available to IT personnel regarding the definition of critical systems.



Agency responses received are posted verbatim.