Report 2022-114
April 20, 2023

California Department of Technology
Weaknesses in Strategic Planning, Information Security, and Project Oversight Limit the State's Management of Information Technology

April 20, 2023

The Governor of California
President pro Tempore of the Senate
Speaker of the Assembly
State Capitol
Sacramento, California 95814

Dear Governor and Legislative Leaders:

As directed by the Joint Legislative Audit Committee, my office conducted an audit of the California Department of Technology's (CDT) oversight of information technology (IT) projects and the State's safeguards against cybersecurity threats. In general, we determined that CDT's weaknesses in strategic planning, information security, and project oversight limit the State's management of IT.

CDT has broad responsibility and authority over nearly all aspects of IT in the State, including providing strategic direction, assessing IT security, and performing project oversight. However, it has not fulfilled important responsibilities in these areas, resulting in significant consequences for the State. CDT has not provided the State with sufficient strategic direction to ensure that critical IT systems are modernized and secure and that they effectively provide important services. For example, CDT has yet to identify the systems statewide that are outdated or obsolete and require modernization, leaving the State at risk of outage or failure.

Additionally, CDT has yet to determine the effectiveness of the State's information security programs and whether the State's IT systems incorporate adequate protection from cyberattacks that could compromise individuals' personal information, shut down critical government functions, and cost the State millions of dollars to remedy. Despite CDT's identifying significant problems in the IT projects it oversees, it has not used its authority to make sure those problems are resolved, which has led to delays, cost overruns, and systems that do not function as intended.

To ensure IT systems' effectiveness and security, CDT must implement a comprehensive statewide strategic plan that clearly sets priorities for addressing the State's IT needs and demonstrates urgency in preparing for and responding to cybersecurity threats. The Legislature should also act to ensure the effectiveness and independence of the State's IT project oversight.

Respectfully submitted,

California State Auditor