Report 2021-602 All Recommendation Responses
Report 2021-602: State High-Risk Update—Information Security: The California Department of Technology's Inadequate Oversight Limits the State's Ability to Ensure Information Security (Release Date: January 2022)
Recommendation for Legislative Action
To strengthen the information security practices of reporting entities, the Legislature should amend state law to require that CDT confidentially submit an annual statewide information security status report, including the maturity metric scores it has calculated and the results of the nationwide review, to the appropriate legislative committees no later than December 2022. This status report should include CDT's plan for assisting reporting entities in improving their information security.
Description of Legislative Action
As of February 6, 2023, the Legislature has not taken additional action to address this specific recommendation.
AB 2190 (Irwin, 2022) would have required the chief of the CDT Office of Information Security to submit an annual statewide information security status report to the Assembly Committee on Privacy and Consumer Protection and the Senate Governmental Organization Committee, with the first report required to be submitted no later than January 2023. The bill would have also required the status report and any information or records included with the status report to be confidential and prohibited the information or records from being disclosed. This bill died in the Senate.
- Legislative Action Current As-of: March 2023
California State Auditor's Assessment of Status: Legislation Proposed But Not Enacted
Description of Legislative Action
AB 2190 (Irwin, 2022) would have required the chief of the CDT Office of Information Security to submit an annual statewide information security status report to the Assembly Committee on Privacy and Consumer Protection and the Senate Governmental Organization Committee, with the first report required to be submitted no later than January 2023. The bill would have also required the status report and any information or records included with the status report to be confidential and to prohibit the information or records from being disclosed. This bill died in the Senate.
- Legislative Action Current As-of: October 2022
California State Auditor's Assessment of Status: Legislation Proposed But Not Enacted
Description of Legislative Action
AB 2190 (Irwin, 2022) would require the chief of the CDT Office of Information Security to submit an annual statewide information security status report to the Assembly Committee on Privacy and Consumer Protection, with the first report required to be submitted no later than January 2023. The bill would require the status report and any information or records included with the status report to be confidential and prohibit the information or records from being disclosed.
- Legislative Action Current As-of: April 2022
California State Auditor's Assessment of Status: Legislation Introduced
Recommendation for Legislative Action
To strengthen the information security practices of nonreporting entities, the Legislature should amend state law to require each nonreporting entity to adopt information security standards comparable to SAM 5300 and to provide a confidential, annual status update on its compliance with its adopted information security standards to legislative leadership, including the president pro tempore of the California State Senate, the speaker of the California State Assembly, and minority leaders in both houses. It should also require each nonreporting entity to perform or obtain an audit of its information security no less frequently than every three years.
Description of Legislative Action
AB 2135 (Chapter 773, Statutes of 2022) requires certain nonreporting entities to adopt and implement information security and privacy policies, standards, and procedures based upon standards issued by the National Institute of Standards and Technology and the Federal Information Processing Standards. The bill requires these state agencies to perform a comprehensive, independent security assessment every two years and authorizes them to contract with the Military Department, or with a qualified responsible vendor, for that purpose. Further, this bill requires certain nonreporting agencies to certify annually by February 1 to the President pro Tempore of the Senate and the Speaker of the Assembly that the agency is in compliance with all adopted policies, standards, and procedures and to include a plan of action and milestones. The certification would be required to be kept confidential and not be disclosed, except that the information and records would be allowed to be shared, maintaining a chain of custody, with the members of the Legislature and legislative employees, at the discretion of the President pro Tempore of the Senate or the Speaker of the Assembly.
- Legislative Action Current As-of: October 2022
California State Auditor's Assessment of Status: Legislation Enacted
Description of Legislative Action
AB 2135 (Irwin, 2022) would require certain nonreporting entities to adopt and implement information security and privacy policies, standards, and procedures based upon standards issued by the National Institute of Standards and Technology and the Federal Information Processing Standards. The bill would require these state agencies to perform a comprehensive, independent security assessment every two years and would authorize them to contract with the Military Department, or with a qualified responsible vendor, for that purpose. Further, this bill would require certain nonreporting agencies to certify, by February 1 annually, to the President pro Tempore of the Senate and the Speaker of the Assembly that the agency is in compliance with all adopted policies, standards, and procedures and to include a risk register and plan of action and milestones. The certification would be required to be kept confidential and not be disclosed, except that the information and records would be allowed to be shared, maintaining a chain of custody, with the members of the Legislature and legislative employees, at the discretion of the President pro Tempore of the Senate or the Speaker of the Assembly.
- Legislative Action Current As-of: April 2022
California State Auditor's Assessment of Status: Legislation Introduced
Recommendation for Legislative Action
To strengthen the information security practices of nonreporting entities, the Legislature should amend state law to require nonreporting entities that allow employees to telework to develop telework policies and training comparable to those CDT requires.
Description of Legislative Action
As of February 6, 2023, the Legislature has not taken action to address this specific recommendation.
- Legislative Action Current As-of: March 2023
California State Auditor's Assessment of Status: No Action Taken
Description of Legislative Action
As of October 26, 2022, the Legislature has not taken action to address this specific recommendation.
- Legislative Action Current As-of: October 2022
California State Auditor's Assessment of Status: No Action Taken
Description of Legislative Action
As of March 18, 2022, the Legislature has not taken action to address this specific recommendation.
- Legislative Action Current As-of: April 2022
California State Auditor's Assessment of Status: No Action Taken
Recommendation #4 To: Technology, California Department of
To ensure that it understands the statewide security status of reporting entities, CDT should increase its capacity to perform timely compliance audits of high-risk entities, which may entail hiring more staff or securing additional contracted audit support. Further, CDT should prioritize calculating maturity metric scores for the nine entities that it has audited but that do not yet have scores because it has not evaluated their privacy controls. CDT should complete these steps by the conclusion of the four-year oversight life cycle in June 2022.
CDT has increased its capacity to perform timely compliance audits of high-risk entities by hiring 3 additional lead auditors, with the hiring of the final auditor occurring in May 2024. Additionally, CDT has evaluated the privacy scores for the 9 entities in question, and by June 2022, successfully calculated maturity metric scores for these entities.
- Completion Date: May 2024
California State Auditor's Assessment of Status: Fully Implemented
CDT has increased its capacity to perform timely compliance audits and calculated maturity metric scores for the nine entities.
To meet the increased audit workload for FY 24/25 and complete the audits left in the Executive Branch, 3 Lead Auditors were hired. Audit engagement letters were sent to 10 Constitutional and Independent entities; however, to date none of these entities has been interested in receiving an audit by CDT, so the risk of not knowing whether they are compliant is still not being addressed at this time. New auditors are being trained and will be expected to share the full workload by July '24. The number of full audits scheduled: 20; check-in audits: 13. The Governance team has developed several enforcement strategies to get entities to close and/or remediate audit findings; at this time the proposal is still being reviewed and discussed. Strategy: The audit team, working with the Governance and Advisory Services team, is updating the following: SAM, SIMM, etc., to reflect the two key emerging security threats from cloud computing and AI environment(s) and how they may impact the risk in state agencies.
The audit program and audit articles request will also be updated to reflect the updated Cybersecurity Framework (2.0) and is scheduled to be a 14-month work effort, with the expected start date in June 2024 (subject to identifying a project manager and funding). The Governance team is also formalizing an Enforcement and Risk Management Program policy to ensure that entities are prioritizing and remediating risks identified as audit findings. Currently, the enforcement policy is in its final draft after external community feedback. The enforcement policy is being routed to leadership with the aim to publish in summer of '24. The Risk Management Program policy is still in development.
- Estimated Completion Date: July 2025
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it does not anticipate fully implementing this recommendation until July 2025.
The nine entities mentioned in this report have received their final maturity metric scores, which included their privacy controls. In addition, the audit team received funding approval to hire 3 additional lead auditors; the additional resources will allow CDT to complete the balance of audits of the Executive Branch by the end of FY 24/25. There were 21 entities left to audit, and that involves a full audit for each remaining entity, which will satisfy the 107 total entities needed to be audited in the Executive Branch. The detailed audit schedule for FY 24/25 has been developed, and the audit engagement letters will be sent out in January 2024 notifying the entities of the upcoming audits beginning in July 2024. In addition, the audit program team will perform check-in audits (8-10) during the FY 24/25 period. The total number of audits that will be completed by the end of FY 24/25 will be 31 audits in full, including the balance of entities in the Executive Branch. Lastly, the final security maturity scores will be given to each of these entities but will not be finalized until they receive an ISA from the California Military Department.
- Completion Date: January 2024
California State Auditor's Assessment of Status: Partially Implemented
While CDT successfully demonstrated that it calculated maturity metric scores for the nine entities, it is still working to hire additional auditors to increase its capacity to perform timely compliance audits.
- Auditee did not substantiate its claim of full implementation
- Auditee did not address all aspects of the recommendation
CDT is hopeful and planning for a Unified Integrated Risk Management (UIRM) system to be implemented in the future. If successfully implemented, the UIRM will help automate many processes of the Audit program as well as remediation assistance activities delivered by the Advisory Services program. In addition, OIS has secured 3 additional auditor positions which will increase audit capacity by up to 50%. These positions are in active recruitment at the time of this response.
- Estimated Completion Date: December 2024
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it does not anticipate fully implementing this recommendation until December 2024.
Prior response provided on April 25, 2023 - The audit program team has identified 28 entities and will conduct 14 full audits and 14 check-in audits in FY 23/24, up from 22 audits. OIS is still working on how to assess those entities that have not been audited or received a military assessment. At this time, self-assessment appears to be one option; however, without proper verification this process may not be the best alternative. The automated solution UIRM is the suggested solution for auditing more entities; however, we lack the resources necessary at this time in order to move forward.
CDT is also working on hiring two more auditors which would result in an additional 8 entities being audited in each fiscal year.
- Estimated Completion Date: TBD
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it has not fully implemented this recommendation.
The audit program team has identified 28 entities and will conduct 14 full audits and 14 check-in audits in FY 23/24, up from 22 audits. OIS is still working on how to assess those entities that have not been audited or received a military assessment. At this time, self-assessment appears to be one option; however, without proper verification this process may not be the best alternative. The automated solution UIRM is the suggested solution for auditing more entities; however, we lack the resources necessary at this time in order to move forward.
- Estimated Completion Date: July 2024
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it will not fully implement this recommendation until July 2024.
Final Reports for 48 of the 48 high-risk audits that were scheduled to be completed by the end of the 4-Year Audit Lifecycle have been delivered.
The Privacy focused Audits for the nine (9) referenced entities have been completed and the maturity metric scores issued.
- Estimated Completion Date: June 2023
California State Auditor's Assessment of Status: Partially Implemented
CDT only completed 48 of the 52 originally planned audits, and it did not complete all of those audits during the four-year cycle. Further, it has not increased its capacity to perform timely compliance audits.
Final Reports for 48 of the 48 high-risk audits that were scheduled to be completed by the end of the 4-Year Audit Lifecycle have been delivered.
The Privacy focused Audits for the nine (9) referenced entities have been completed and the maturity metric scores issued.
- Completion Date: September 2022
California State Auditor's Assessment of Status: Partially Implemented
Although CDT completed 48 high-risk audits, it did not complete all of the audits during the four-year cycle, and it only completed 48 of the 52 originally planned audits. Further, it has not increased its capacity to perform additional high-risk audits. However, as CDT states in its response, it completed the privacy-focused audits for the nine referenced entities and calculated the maturity metric scores.
- Auditee did not substantiate its claim of full implementation
- Auditee did not address all aspects of the recommendation
Final Reports for 44 of the 48 high-risk audits that were scheduled to be completed by the end of the 4-Year Audit Lifecycle have been delivered. The Final Reports for the last 4 are being reviewed and will be approved and delivered by August 5th.
The Privacy focused Audits for the nine (9) referenced entities have been completed and the maturity metric scores issued. The Audit Reports for these Privacy focused audits will be issued by August 15, 2022.
- Completion Date: August 2022
California State Auditor's Assessment of Status: Partially Implemented
CDT has not increased its capacity to perform timely compliance audits and, per its response, it will not finalize the maturity metric scores until August 2022.
- Auditee did not substantiate its claim of full implementation
- Auditee did not address all aspects of the recommendation
The California Department of Technology (CDT) is on track to complete 48 of the 52 scheduled high-risk audits for FY 2021-22 by the end of June 2022. CDT is exploring capacity options within the administration for the next fiscal year to support advisory and compliance enforcement measures of high-risk entities.
The entities referenced are high risk entities which did not have privacy controls audited after additional privacy controls were added into our audit framework. The nine (9) referenced entities are currently engaged in focused audits to have their privacy controls evaluated and maturity scores updated by June 2022.
- Estimated Completion Date: June 2022
California State Auditor's Assessment of Status: Pending
Per CDT's response, it will not implement this recommendation until June 2022.
Recommendation #5 To: Technology, California Department of
Until it is able to conduct timely, objective audits of reporting entities, CDT should provide additional guidance to them by April 2022 on what constitutes a critical IT system and follow up annually to ensure that they complete the required self-assessments of those systems.
CDT meets with all entities individually annually and conducts quarterly meetings to ensure compliance and understanding of the definitions of mission-critical, state-critical, and critical infrastructure systems and their reporting requirements. Most discussions with entities begin with addressing disaster recovery compliance, leading to a business impact analysis and submitting a self-assessment that aligns with the NIST 800-53 Framework and implemented security controls within the California Compliance and Security Incident Reporting System (Cal-CSIRS). In addition to the initial training sessions that CDT held, we have dedicated staff and on-demand training modules to help entities submit critical systems within Cal-CSIRS. CDT assists in the prioritization of systems for entities and has initiated a process and policy update to review that the identified systems are submitted correctly and that entities are updating the status of their systems at a minimum annually as gaps are being addressed.
- Completion Date: January 2024
California State Auditor's Assessment of Status: Fully Implemented
CDT provided guidance to reporting entities about what constitutes a critical IT system and demonstrated that it follows up with entities about the requirement to complete self-assessments of those systems.
Critical system self-assessment in the Cal-CSIRS system is a continuous process that all reporting entities are required to conduct. At this point in time, there have been a total of 334 NIST-defined critical system self-assessments. Of the 334, 209 are being assessed, re-assessed, or added; 31 are actively entering remediation plans from the self-assessments; and 94 are in a state of completion. These numbers will fluctuate annually as we continue to work with state entities on their Technology Recovery Plans and ensure Cal-CSIRS is updated accordingly.
- Estimated Completion Date: July 2024
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it does not anticipate fully implementing this recommendation until July 2024.
CDT continually reminds and provides additional guidance on what constitutes a critical IT system through its oversight, advisory services and stability programs and is regularly following up to ensure system self-assessments are completed.
Since its last response, CDT has provided additional documentation and reporting that verifies what constitutes a critical IT system, and it is following up annually to ensure that reporting entities complete the required self-assessments of those critical IT systems.
- Completion Date: July 2023
California State Auditor's Assessment of Status: Partially Implemented
CDT did not provide sufficient evidence to demonstrate that it follows up annually with reporting entities to ensure that they complete the required self-assessments of their critical IT systems.
- Auditee did not substantiate its claim of full implementation
CDT has always been able to conduct timely, objective audits of reporting entities as per statute. Statute requires CDT to conduct high-risk audits as per risk criteria set forth by CDT. Only the highest-risk entities receive full and formalized audits. Selection is based on current and past performance (ISA and Audit) and additional metrics. The additional metrics include scoring from other technical assessment data, the NCSR (as recommended by CSA), and CCMM scores. Again, only the highest-risk-rated entities receive full audits in addition to the mentioned additional metrics and will generate CCMM scores. High-risk and/or CCMM-scorable entities may cycle in/out of the Audit cycle based on performance improvement from the other additional metrics (deemed technical and operational). These technical and operational metrics are used as they exhibit symptomatic gaps from a potentially immature information security program, which the full audits measure. If an entity exhibits poor performance and/or symptomatic indicators in the operational activities, then a full audit is performed, thus upgrading an entity into the Audit cycle at that point in time. Conversely, an entity may show positive improvement and would be downgraded from the highest risk and rotate out of the Audit cycle at that time. This approach is intended to attain and measure information security status for all entities and raise the bar for all entities to mature their programs. Currently CDT has CCMM metrics for over 50 entities and has measured and risk-ranked over 120 entities using the other additional metrics mentioned above.
CDT continually reminds and provides additional guidance on what constitutes a critical IT system through its oversight, advisory services and stability programs and is regularly following up to ensure system self-assessments are completed.
- Completion Date: January 2023
California State Auditor's Assessment of Status: Partially Implemented
CDT provided guidance to departments regarding what constitutes a critical IT system. However, CDT did not provide evidence showing how it ensures that the assessments are updated annually.
- Auditee did not substantiate its claim of full implementation
- Auditee did not address all aspects of the recommendation
CDT continues to direct entity completion of the self-assessment of critical systems in Cal-CSIRS. Since its October 2022 update, CDT has conducted additional demonstration sessions with an opportunity for Q&A and individual entity one-on-one guidance sessions as requested to further support entity completion. AISOs have been provided with reports of status for the non-compliant entities within their purview and have been asked to direct their entity's compliance. Additionally, CDT is working on a non-compliance enforcement standard which will outline specific consequences for various non-compliance scenarios.
- Estimated Completion Date: April 2023
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it will not fully implement this recommendation until April 2023.
CDT is adopting a three-pronged approach to ensure entity compliance - i. CDT has set a deadline of October 31, 2022, for entities to complete the self-assessment in the Cal-CSIRS; ii. CDT is partnering with the AIOs and AISOs to direct their entity's compliance; iii. CDT is relying on state entities' acknowledgement that cybersecurity is a joint responsibility.
CDT continues to direct entity completion of the self-assessment of critical systems in Cal-CSIRS. Since its July 2022 update, CDT has conducted seven walkthrough demonstration sessions* with an opportunity for Q&A to further support entity completion and over 20 individual entity one-on-one guidance sessions as requested to assist state entities with meeting the October 31 deadline.
Schedule of Walkthrough Demonstration Sessions
Date Time Link to Register
8/5/22 12:00-1:00 PM https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22548
8/9/22 4:00-5:00 PM https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22549
8/12/22 10:00-11:00 AM https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22550
8/16/22 3:30-4:30 PM https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22551
8/30/22 3:00-4:00 PM https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22552
9/13/22 4:00-5:00 PM https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22558
9/15/22 1:00-2:00 PM https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22559
- Estimated Completion Date: November 2022
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it has made some progress, but it has not yet fully implemented this recommendation.
CDT is adopting a three-pronged approach to ensure entity compliance - i. CDT has set a deadline of October 31, 2022, for entities to complete the self-assessment in the Cal-CSIRS; ii. CDT is partnering with the AIOs and AISOs to direct their entity's compliance; iii. CDT is relying on state entities' acknowledgement that cybersecurity is a joint responsibility.
- Estimated Completion Date: December 2022
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it will not fully implement this recommendation until December 2022.
CDT has engaged with the Information Technology (IT) community and provided guidance on the definition of critical system on December 15, 2021, and March 30, 2022. CDT is engaged with the Governor's Office of Emergency Services' Critical Infrastructure Protection and Planning and Preparedness Branches to provide additional ongoing guidance on the critical system definition. CDT has made joint presentations to the IT community on December 15, 2021, and March 30, 2022. The presentation and guidance materials have been published on the OIS Agency.net (Extranet), accessible to designated AIOs, AISOs, CIOs, ISOs, Privacy Program Coordinators, Technology Recovery Coordinators and their designated back-ups and staff.
State entities are already aware of the requirement to complete the self-assessment in the Cal-CSIRS. Taking into consideration various reporting deadlines and associated workload on state entities, CDT will follow-up with these entities to ensure completion of the self-assessment pursuant to the Information Security Compliance Reporting Schedule SIMM 5330-C (ca.gov).
- Estimated Completion Date: December 2022
California State Auditor's Assessment of Status: Partially Implemented
CDT provided documentation of the guidance it presented and the training video available to IT personnel regarding the definition of critical systems.
Recommendation #6 To: Technology, California Department of
To ensure that it understands the statewide security status of reporting entities, CDT should utilize the information from the entities' self-assessments of their systems, as well as from the nationwide review, to annually help identify common areas that require improvement across multiple reporting entities.
Data from the national review (the annual NCSR survey) is utilized in deriving a risk ranking for each Entity. Additionally, the last NCSR survey, which was just completed in February 2024, was analyzed to identify patterns. The following areas are being analyzed:
- Agency average at the control and sub-control level to assess each Agency's status.
- Entity scores for each sub-control, to identify which Entities have outliers and which controls consistently score low.
The Office of Information Security (OIS) did an assessment of all self-certified system security plans (SSPs), and OIS wanted to increase the reporting goals of the self-assessments. OIS has partnered with the Critical Services and Modernization team at CDT to develop a streamlined procedure that will help gather and inventory more critical systems throughout the State more effectively, in a phased and systematic approach, to gather data more intuitively. OIS has communicated and will continually communicate reporting requirements to entities to ensure it gathers and identifies common areas of improvement.
- Estimated Completion Date: December 2024
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it does not anticipate fully implementing this recommendation until December 2024.
CDT utilizes the national NCSR self-assessment survey scores in its Risk Rankings model. Also, the NCSR survey summary results are shared with the various teams in OIS to provide insight on the Entity and Agency and identify areas for improvement.
Right now, it is an ad hoc process in which the data is sparsely used, and only in certain circumstances, to check the accuracy of the reported critical systems of an entity and ensure that they match its Technology Recovery Plan. We are finally out of the phase where we were working to understand what data we can compile from the Cal-CSIRS self-assessment and how we can best utilize it to provide meaningful insight and guidance.
Our long-term goal, which we hope to have established by Fall, is to use the data to:
- Log the results in the Risk Profile.
- Compare how many assessments are done vs how many are in the TRP coversheet for assets listed.
- Write narratives around TRP assets and missing Risk Assessments (RAs).
- Map out gaps from those RAs for the entire state based on the data that we have; although it is minimal, it will show what controls people do not have in place for critical TRP systems.
CDT is emphasizing that the initial intake of critical systems in Cal-CSIRS started in the winter of 2022, and with the change of SRG management and the hiring of the whole Risk Team in the Fall of 2023, it is only recently that this initiative has been started.
- Estimated Completion Date: January 2025
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it does not anticipate fully implementing this recommendation until January 2025.
CDT utilizes data science and has derived a Bayesian model that uses conditional security factors to formulate a priority risk ranking and cyber resiliency of state entities across California. The priority risk ranking compares state averages that are based on technical security controls that are identified through security assessments and vulnerability scanning of systems. To help limit the weight of outliers and biases, CDT utilizes the Nationwide Cybersecurity Review (NCSR) as a confidence interval in its model, which additionally allows CDT to identify and determine potential common areas of strengths and weaknesses. By enforcing annual review and updates of the NCSR program, CDT is able to ensure entities are reviewing and gaining a better understanding of their systems and how they can continuously improve their cyber maturity with the assistance of CDT.
- Completion Date: January 2024
California State Auditor's Assessment of Status: Partially Implemented
Although CDT demonstrated that it is utilizing information from the nationwide review to help identify common areas that require improvement across multiple reporting entities, CDT did not provide evidence that it has also used information from reporting entities' self-assessments of their critical IT systems.
- Auditee did not substantiate its claim of full implementation
- Auditee did not address all aspects of the recommendation
The NCSR reporting information and scoring is now actively reviewed and incorporated into the statewide risk scoring and rankings annually. OIS currently has 119 risk scores for both reporting and non-reporting entities. This year's NCSR survey opens on October 1st and closes on February 28th, 2024. Risk Ratings will be updated with this year's NCSR data as soon as it is available. In addition to working with entities through our Advisory Services efforts, we are working closely with our Critical Services Team and leveraging modernization funds to close gaps and reduce risk across the entities they work with.
- Estimated Completion Date: June 2024
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it does not anticipate fully implementing this recommendation until June 2024.
CDT, in the prior response, noted that the NCSR and additional self-reported activities such as self-assessments have been incorporated into information security program measurement of state entities. CDT has provided additional information and supporting documentation that shows the NCSR is being completed and reveals low ratings across all agencies.
- Completion Date: July 2023
California State Auditor's Assessment of Status: Partially Implemented
CDT did not provide evidence that it has used information from reporting entities' self-assessments of their systems to help identify common areas that require improvement across multiple reporting entities.
- Auditee did not substantiate its claim of full implementation
- Auditee did not address all aspects of the recommendation
The NCSR and additional self-reported activities such as self-assessments have been incorporated into information security program measurement of state entities.
- Completion Date: January 2023
California State Auditor's Assessment of Status: Partially Implemented
Although CDT incorporated information from the nationwide review into its risk analysis process beginning in April 2023, it did not provide evidence that it has used this information to help identify common areas that require improvement across multiple reporting entities.
- Auditee did not substantiate its claim of full implementation
- Auditee did not address all aspects of the recommendation
CDT has now incorporated prior year NCSR scores into its priority risk ranking and will report entity status to the cybersecurity select committee in its confidential Legislative briefings with the Legislature going forward.
- Estimated Completion Date: March 2023
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it will not fully implement this recommendation until March 2023.
CDT is still on target to incorporate prior year NCSR scores and report entity status to the cybersecurity select committee by the required due date in December of 2022.
- Estimated Completion Date: December 2022
California State Auditor's Assessment of Status: Pending
Per CDT's response, it will not fully implement this recommendation until December 2022.
CDT is on target to incorporate prior year NCSR scores and report entity status to the cybersecurity select committee by the required due date in December of 2022.
- Estimated Completion Date: December 2022
California State Auditor's Assessment of Status: Pending
Per CDT's response, it will not fully implement this recommendation until December 2022.
The NCSR reporting information is being reviewed and will be incorporated into statewide risk scoring and ranking calculations annually. Annually the NCSR surveys are submitted by February. CDT will incorporate prior year NCSR scores and report entity status to the cybersecurity select committee by the required due date in December of 2022.
- Estimated Completion Date: December 2022
California State Auditor's Assessment of Status: Pending
Per CDT's response, it will not fully implement this recommendation until December 2022.
Recommendation #7 To: Technology, California Department of
To help ensure that reporting entities are aware of new federal information security standards that are intended to strengthen their security and privacy governance, CDT should complete the necessary updates to SAM 5300 and SIMM by June 2022.
Updates have been made and the announcement was released August 2022.
PS 023 - CDT General SIMM Maintenance | CDT (ca.gov)
- Completion Date: August 2022
California State Auditor's Assessment of Status: Fully Implemented
CDT updated the links in SAM 5300 so they refer to the current federal information security standards, and it completed the necessary updates to SIMM.
Updates have been made and the announcement will be released by July 31, 2022.
- Completion Date: August 2022
California State Auditor's Assessment of Status: Pending
Per CDT's response, it will not fully implement this recommendation until August 2022.
- Auditee did not substantiate its claim of full implementation
CDT acknowledges this recommendation and has begun the process of updating from rev 4 to 5, to be completed by fiscal year-end. The State defined parameters for the NIST SP 800-53 controls (SIMM 5300-A) update (rev 4 to rev 5), Foundational Framework (SIMM 5300-B), and POAM (5300-C) to be completed by the fiscal year-end.
- Estimated Completion Date: June 2022
California State Auditor's Assessment of Status: Pending
Per CDT's response, it will not fully implement this recommendation until June 2022.
Recommendation #8 To: Technology, California Department of
To help reporting entities ensure that their teleworking employees are taking appropriate security precautions, CDT should clarify guidance by February 2022 to require all employees using personal devices for state business to implement baseline security measures.
Updates have been made and the announcement released August 2022.
PS 023 - CDT General SIMM Maintenance | CDT (ca.gov)
- Completion Date: August 2022
California State Auditor's Assessment of Status: Fully Implemented
CDT fully implemented this recommendation by updating its guidance in the Telework and Remote Access Security Standard.
Updates have been made and the announcement will be released by July 31, 2022.
- Completion Date: August 2022
California State Auditor's Assessment of Status: Pending
Per CDT's response, it will not fully implement this recommendation until August 2022.
- Auditee did not substantiate its claim of full implementation
Updated telework guidance has been provided on https://telework.govops.ca.gov and is continually updated. In addition, updates to policy language have been completed and are currently in the publishing process; these updates will be issued shortly.
- Estimated Completion Date: June 2022
California State Auditor's Assessment of Status: Pending
Per CDT's response, it expects to fully implement this recommendation by June 2022.
Agency responses received are posted verbatim.