State Auditor Grant Parks’ department undertook the audit at the direction of the Joint Legislative Audit Committee. It is addressed to Gov. Gavin Newsom as well as the state Senate president and the Assembly speaker, and it addresses CDT’s oversight of IT projects and the state’s safeguards against cybersecurity threats.
“In general, we determined that CDT’s weaknesses in strategic planning, information security, and project oversight limit the state’s management of IT,” Parks writes in a letter prefacing the report.
In his summary, Parks’ “results in brief” include the following key points:
- “CDT has not fulfilled important responsibilities in the areas of strategic management, IT security, and project oversight, resulting in significant consequences for the state.”
- “CDT has not ensured that the state’s IT systems are adequately protected from cyberattacks that can compromise individuals’ identities, shut down critical government functions, and cost the state millions of dollars to remedy.”
- “CDT’s inadequate oversight of IT projects has been insufficient in preventing delays and has led to tens of millions of dollars in cost overruns and systems that do not fully function as intended. Despite identifying significant problems in the IT projects it oversees, CDT has not used its available authority to ensure that those problems are resolved.”
Parks’ summary concludes: “Over the past 10 years, our multiple audits of CDT have identified the same or similar problems. Nevertheless, CDT has continued to struggle to demonstrate critical aspects of leadership, such as ensuring accountability, setting priorities, demonstrating urgency, and maintaining independence. The Legislature should make changes to ensure the effectiveness and independence of the state’s IT project oversight. We describe our recommendations in detail here and believe they are essential to address weaknesses in the state’s management of IT.”
State Chief Information Officer Liana Bailey-Crimmins, who’s also CDT director, issued the following statement to Industry Insider — California: “Over the past decade, technology has become essential for all operations and services in state government. The California Department of Technology guides over 150 state departments, each with their own CIO, to achieve successful outcomes according to the Statewide IT Strategic Plan — Vision 2023. CDT stands on its record of success — and stands behind the thousands of state IT professionals who helped California lead the nation in pandemic response. CDT appreciates the State Auditor’s comments and its ongoing efforts to provide transparency into the workings of state government operations. We will continue to implement improvements as we advise and oversee statewide information technology and security for the fourth largest economy in the world.”
‘NOT EFFECTIVELY GUIDED’
In the first of the three main sections, headlined “CDT Has Not Effectively Guided the State’s IT Needs,” the report cites three key findings:
- CDT’s strategic plan does not follow best practices by failing to include “measurable objectives, such as a description of specific tasks or timelines necessary to achieve the broad goals.” Among the specific findings in this section, the audit says, “CDT has identified a need for qualified and experienced IT staff in state service, and it included a staffing-related goal in its current strategic plan. However, CDT did not identify in the plan any specific actions or initiatives to address this need.”
- The department has not identified the high-risk, critical IT systems in need of modernization. “One agency stated that many of its systems are at least 15 to 20 years old, use unsupported technology, and pose significant security risks,” the audit says. “Another agency noted that its primary safety alarm system, which provides alerts about medical emergencies, is becoming obsolete: the equipment is aging and automating updates is difficult.”
- CDT has not reduced the risk of redundant systems. “CDT does not track and publish complete information that would enable reusability and minimize redundancy across IT proposals and projects, and it does not work with agencies to identify and pursue opportunities for sharing technology,” the report says.
REPORTING ENTITIES
The second of the three main sections, “CDT Has Not Taken Critical Steps to Assess Whether Reporting Entities Have Implemented Appropriate Safeguards to Protect Their IT Systems,” includes the following findings:
- CDT hasn’t determined the overall status of statewide information security. “Information CDT has obtained indicates that most reporting entities are not making significant progress toward improving their information security.” This section cites a June 2022 cyber attack that shut down access to CalJOBS, the online portal that the Employment Development Department requires claimants to use when seeking unemployment benefits. “In an even more recent example, the Department of Finance was the subject of a cyberattack in December 2022 in which data that may include Social Security numbers, bank account information, and user passwords were unlawfully obtained from its servers.”
- CDT could more effectively encourage agencies to use the department’s threat monitoring service, which it has offered free to departments since July 2021. “Some agencies stated that CDT’s service was unable to meet their specific needs, while only 28 percent of surveyed agencies reported using CDT’s monitoring service,” the audit says.
APPROVAL AND OVERSIGHT SYSTEM
The third section, titled “CDT’s Approval and Oversight Processes Do Not Adequately Mitigate Risks for Complex IT Projects,” finds that:
- The Project Approval Lifecycle (PAL) process that CDT uses “misses important opportunities to identify and address potential risks during project planning.” It notes that as of November, CDT remained unable to document the effectiveness of PAL.
- CDT is not adequately addressing risks associated with complex projects. The department’s “pattern of not taking adequate action when projects are struggling illustrates our concerns about its ability to make difficult decisions that are in the state’s best interests, such as by suspending or terminating high-risk projects,” the report says. It also notes that CDT is an executive branch department that reports to the governor and is overseeing IT projects of other executive branch entities, which creates “adverse pressures, direct or indirect, from the agency it is overseeing.”
The audit concludes that the Legislature “should revise state law to clarify CDT’s role, responsibilities, and priorities for strategically guiding the state’s acquisition, management and use of IT.”
It also recommends that CDT develop a policy that documents the elements of its strategic plan, which should include key goals, strategies, measurable objectives, performance measures and processes to monitor progress.
This article was originally published by Industry Insider — California, Government Technology's sister publication.