Budget and Policy Post
March 23, 2023

The 2023-24 Budget

Overview of Information Security Proposals



Summary. This post provides an overview of information security (IS) proposals in the Governor’s 2023-24 budget, including our assessment and recommendations across the proposals and specific to the California Cybersecurity Integration Center (Cal-CSIC). First, we provide background information on IS governance and oversight entities as well as key IS-related statutory and policy requirements. Second, we provide a comprehensive list of the IS proposals in the Governor’s 2023-24 budget and describe the major proposals in greater detail. Third, we assess how all proposals are advancing improvement of the state’s IS defenses and preparedness, and whether major proposals meet specific mandates or provide enough information to justify approval. Lastly, we provide recommendations to improve the Legislature’s oversight of statewide IS activities and use state IS resources more efficiently. We also recommend modifications to some of the major proposals, based on their individual merit and keeping in mind the state’s budget problem.

Background

In this section, we provide a brief overview of topics that are relevant to our analysis of IS proposals in the Governor’s 2023-24 budget. Topics include cyberattack and threat data available from the administration, descriptions of state entities that govern and oversee statewide IS activities, and summaries of authorities that led to some state entities requesting IS resources through the budget process.

Increase in Cyberattacks and Threats to State Entities. According to the administration, in 2020, Cal-CSIC (which we describe in more detail below) identified 126 incidents (that is, cyberattacks, data breaches, and other events that already occurred) for which Cal-CSIC provided analysis or direct response. In 2021, Cal-CSIC identified 460 incidents, more than triple the number identified in 2020. Across public and private sectors, costs associated with cyberattacks also have increased: According to the administration, an incident involving a ransomware attack (that is, malicious software that takes control of data or devices) cost victims an average of $1.85 million per incident in 2021, up from $761,000 in 2020.

Cal-CSIC Provides Statewide IS Leadership. Cal-CSIC is the lead entity for coordinating statewide IS activities; gathering and disseminating threat intelligence to state entities from the federal government, county and other local governments, and private companies; and responding to cybersecurity incidents. Cal-CSIC is a partnership between four state entities: California Office of Emergency Services (CalOES), which administers Cal-CSIC; California Department of Technology (CDT); California Highway Patrol (CHP); and California Military Department (CMD). Figure 1 provides a graphical representation of Cal-CSIC and its partners.

Figure 1 - Cal-CSIC Coordinates Statewide IS Activities

CDT Office of Information Security (OIS) Oversees Most State Entities. OIS is responsible for the creation and enforcement of IS policies, procedures, and standards that most state entities (called reporting entities) must follow. (Some “nonreporting” entities, such as constitutional offices and some independent agencies, are not required to follow IS policies, procedures, and standards set by OIS.) OIS formalizes IS policies, procedures, and standards in the State Administrative Manual and the Statewide Information Management Manual (SIMM). OIS also provides operational oversight through its Security Operations Center which, along with other reporting entities’ security operations centers and IS programs, monitors state networks.

CDT OIS Developed Cal-Secure Roadmap in Collaboration With Cal-CSIC Partners. CDT OIS, in collaboration with other Cal-CSIC partners, published the state’s first five-year IS roadmap—Cal-Secure—in October 2021. The administration’s intent for the roadmap is to prioritize for state entities their cybersecurity initiatives and technical capability investments over the next five years. The roadmap addresses each initiative and technical capability by calendar year. State entities often then request additional funding and/or positions to acquire these capabilities and lead these initiatives. We understand that there are no reporting requirements specific to Cal-Secure; rather, reporting entities report on their Cal-Secure progress as part of their routine reporting requirements, and nonreporting entities do not report on their progress.

Some Key IS-Related Statutory and Policy Requirements. Below, we provide a list of some IS-related statutes and policies that are relevant to the post:

  • Local Educational Agency (LEA) Cyberattack Reporting. Chapter 498 of 2022 (AB 2355, Salas) added Education Code Sections 35265-35267, which require (1) LEAs to report cyberattacks that impact 500 or more staff or students to Cal-CSIC, (2) Cal-CSIC to establish a database to track LEA reports of cyberattacks, and (3) Cal-CSIC to annually report on January 1 the number and types of LEA cyberattacks and associated data breaches to the Legislature. The bill did not specify requirements for Cal-CSIC, such as whether Cal-CSIC should respond to each request for assistance from LEAs reporting to it. Assembly Bill 2355 remains in effect until January 1, 2027.

  • Nonreporting Entities’ IS Compliance. Chapter 773 of 2022 (AB 2135, Irwin) amended Government Code Section 11549.3, which now requires nonreporting entities (as defined in Government Code Section 11000) to adopt IS policies, procedures, and standards that adhere to certain federal IS standards; perform an independent security assessment (ISA) every two years; and annually certify by February 1 to legislative leadership their compliance with the IS policies, procedures, and standards they adopted. (An ISA is a technical analysis of a state entity’s cybersecurity defenses.)

  • Separation of IS and Privacy Officers’ Roles and Responsibilities. CDT OIS SIMM 5305-A—the Information Security Program Management Standard—outlines IS and privacy roles, responsibilities, and specific functions within state entities. For the role of IS officer, CDT’s manual provides that IS officers must not be assigned multiple roles. One such potential additional role is that of the privacy officer. Accordingly, the intent of the policy is to separate the roles of IS officers and privacy officers.

Governor’s 2023-24 Budget

Governor’s IS Proposals Total $64.4 Million ($70.6 Million General Fund) and 125 Positions. According to CDT and the Department of Finance (DOF), 25 budget proposals in the Governor’s 2023-24 budget are IS-related. In addition, we identified another proposal that implements IS-related legislation—CalOES’ Food and Agriculture Sector and Water and Wastewater Sector Cybersecurity (SB 892) proposal—for a total of 26 budget proposals. As shown in Figure 2 below, these proposals request a total of $64.4 million ($70.6 million General Fund) and 125 positions. (The difference between the total amount requested and the General Fund requested is explained by a proposed shift in funding from fee-based special funds to the General Fund in the Department of Alcoholic Beverage Control’s “Administrative Support for Evolving Program Operations” proposal.) Some of these proposals contain non-IS-related funding and/or positions, as we are unable to separate IS-related and non-IS-related costs in each proposal.

Figure 2 - 2023-24 Governor’s Budget IS Proposals (In Millions)

Columns: Entity; Budget Change Proposal Name; 2023-24 TF; GF; OF; Positions

Office of Emergency Services; California Cybersecurity Integration Center; $28.7; $28.7; 16
Office of Emergency Services; School Cybersecurity (AB 2355); 5.4; 5.4; 17
Department of Health Care Services; Program Workload; 3.8; 1.9; $1.9; 19
Department of Managed Health Care; Office of Technology and Innovation—IS Resources; 3.5; 3.5
Department of Technology; Intrusion Detection and Prevention System; 3.0; 3.0
Department of Alcoholic Beverage Control; Administrative Support for Evolving Program Operations; 2.8; 20.5; -17.7; 16
Department of General Services; Enterprise Technology Solutions IT Workload Adjustment; 2.5; 2.5; 12
Student Aid Commission; Cybersecurity; 1.9; 1.9; 2
Department of Aging; The Master Plan for Aging, Phase III—Infrastructure and Capacity; 1.8; 1.8; 10
Department of Technology; IS (AB 2135); 1.5; 1.5; 7
State Transportation Agency; California State Transportation Agency IS and Privacy; 1.3; 1.3; 3
Department of Child Support Services; Cyber Security; 1.1; 0.4; 0.7; 6
Department of Public Health; COVID-19 Website Transition and IT Resources; 0.9; 0.9
Department of Developmental Services; IS Office Support; 0.9; 0.9; 5
Victim Compensation Board; IT Staff; 0.9; 0.9; 4
Business, Consumer Services, and Housing Agency; Business, Consumer Services, and Housing Agency—IS Resources; 0.7; 0.2; 0.6; 1
Environmental Protection Agency; IT Security Posture; 0.6; 0.6
Department of Fish and Wildlife; Creation of IS and Privacy Office; 0.6; 0.6; 2
Office of Emergency Services; Food and Agriculture Sector and Water and Wastewater Sector Cybersecurity (SB 892); 0.5; 0.5
Agricultural Labor Relations Board; IT Security and Staffing; 0.5; 0.5; 1
Mental Health Services Oversight and Accountability Commission; IT and Security Unit; 0.4; 0.4; 2
Highway Patrol; Permanent Funding for Privacy and Risk Management Program Positions; 0.4; 0.4
Department of Technology; Office of Information Security Supply Chain and Third Party Risk Validation; 0.3; 0.3
Department of Justice; IS (AB 2135); 0.2; 0.2; 1
Department of Human Resources; Department of Human Resources Privacy Officer; 0.2; 0.1; 0.1; 1
Public Employment Relations Board; IT Security and IT Contract Funding; 0.2; 0.2
Totals; $64.4; $70.6; -$6.2; 125

(a) Some of the proposals include some amount of funding and positions for non-IS activities. We are unable to remove these amounts of funding and positions, so they are reflected in the table.

(b) Some of the proposals request one-time and/or ongoing funding after 2023-24. The table focuses on the 2023-24 funding and positions requested.

(c) This proposal also includes funding and positions for the Department of Technology, Highway Patrol, and Military Department. A breakdown of the funding and positions by entity is provided later in the post.

(d) The full description for the Student Aid Commission proposal is “Initiate a comprehensive program to reform, improve and enhance the California Student Aid Commission’s (Commission) Information Technology, Cybersecurity, and Data Privacy programs through staff additions, software implementation, and the development of an information technology security assessment and roadmap for incremental cybersecurity program improvements.”

IS = information security; TF = total funds; GF = General Fund; OF = other funds; and IT = information technology.

Two Main Cal-CSIC Proposals Account for Half of Proposed Funding. CalOES’ proposed Cal-CSIC augmentations and “Cal-CSIC School Cybersecurity (AB 2355)” proposal account for half of the proposed funding—$34.1 million:

  • Cal-CSIC Augmentations. CalOES, on behalf of Cal-CSIC and its partners, requests $28.7 million General Fund and 17 new positions in 2023-24 and ongoing to address increased demand on Cal-CSIC for cybersecurity coordination, intelligence gathering and dissemination, and incident response. The proposal would make permanent 23 existing positions approved in 2020-21 for three fiscal years: 12 at CalOES, 8 at CMD, and 3 at CHP. The proposal also would add 14 new positions at CalOES and 3 new positions at CDT to expand their organizational capabilities. (For example, Cal-CSIC requests additional cybersecurity preparedness activities related to operational technology [OT] for critical infrastructure systems.) Lastly, the proposal includes significant funding ($15.4 million of the $28.7 million) for external consulting and professional services and information technology (IT).

  • School Cybersecurity (AB 2355). CalOES, on behalf of Cal-CSIC and its partners, also proposes $5.4 million General Fund and 17 positions (7 positions at CalOES, 5 positions at CDT, and 5 positions at CMD) in 2023-24 to implement AB 2355. ($3.9 million General Fund and 17 positions also are proposed from 2024-25 through 2026-27 to provide funding through the January 1, 2027 repeal date of AB 2355.) Of the $5.4 million General Fund and 17 positions proposed, the administration identifies $951,000 and three IT supervisor (ITS) II positions as necessary to meet the specific mandates of AB 2355—that is, for Cal-CSIC to plan, develop, and implement the database required to receive and report LEA cyberattack and data breach information. The remainder of the requested funding represents a preliminary estimate of the resources needed for Cal-CSIC to help LEAs respond to current, and prevent future, cyberattacks and data breaches.

Other Proposals Share Common Requests. Other smaller IS proposals share a number of common reasons for requesting additional resources. State entities requesting funding and/or positions to acquire some technical capabilities or lead some initiatives in Cal-Secure is the most common reason shared among a majority of the proposals. At least two proposals request resources to separate their IS and privacy officer roles and responsibilities pursuant to SIMM 5305-A. Two other requests propose funding for the same type of IS software:

  • California Department of Human Resources (CalHR) and Department of Fish and Wildlife (DFW) Separation of IS and Privacy Officer Roles and Responsibilities. CalHR’s “CalHR Privacy Officer” proposal and DFW’s “Creation of IS and Privacy Office” proposal both request resources to meet the requirements of SIMM 5305-A. CalHR is requesting $172,000 ($65,000 General Fund) and one position in 2023-24, and $165,000 ($63,000 General Fund) and one position in 2024-25 and ongoing, and DFW is requesting $596,000 and two positions in 2023-24, and $579,000 and two positions in 2024-25 and ongoing.

  • California Environmental Protection Agency (CalEPA) and California State Transportation Agency (CalSTA) Request Funding for Similar IS Software. CalEPA and CalSTA both request funds to procure Governance, Risk, and Compliance (GRC) software—that is, software that helps agencies manage risks and set controls and policies across their departments. The total amount that CalEPA is requesting (including GRC software) is $605,000 General Fund in 2023-24 and $555,000 General Fund in 2024-25 and ongoing, and CalSTA is requesting $1.3 million and three positions in 2023-24 and ongoing.

Assessment

All Proposals

Limited Opportunities for Legislative Oversight of Cal-Secure Implementation. Multiple state entities are requesting funding and/or positions to acquire technical capabilities and lead initiatives in Cal-Secure. However, none of these proposals requires Cal-CSIC and its partners to report to the Legislature on the status of state entities’ Cal-Secure implementation. In the absence of regular legislative reporting, the Legislature will be unable to provide effective oversight of this implementation even as state entities continue to request more resources for implementation over the next several years. Given the recent increase in the cost and number of cyberattacks and threats we cited earlier in the post, it is urgent that the Legislature increase its oversight of Cal-Secure implementation to improve state entities’ cybersecurity preparedness.

Disclosure of IS Deficiencies, Findings, and Risks in Support of Proposals Varies Widely. There is no standardized reporting of IS information to the Legislature in support of proposals in the Governor’s 2023-24 budget. Instead, there is a mix of deficiencies, findings, and risks disclosed by state entities to justify their requests. For example, Cal-Secure technical capability “coverage percentages” support the Victim Compensation Board’s IT staff proposal, while ISA findings by risk profile support the Department of Managed Health Care’s “Office of Technology and Innovation—IS Resources” proposal, and finally areas of noncompliance and weaknesses from their plan of action and milestones support the Public Employment Relations Board’s “Worker’s Compensation Information System Upgrade” proposal. Varied and inconsistent disclosures make any direct comparison of IS proposals, particularly within the context of the budget problem, more difficult. A lack of consistent and standardized reporting of IS deficiencies, findings, and risks also inhibits the ability of the Legislature to understand how IS investments lead to improved IS maturity of state entity programs.

Recruiting and Retaining Staff for New IS Positions May Be Challenging. State entities report facing difficulties in recruiting, hiring, and retaining IS staff because of the high demand for IS professionals at private sector companies that may offer higher compensation, compounded by a currently historically low unemployment rate. CalHR’s 2021 California State Employee Total Compensation Report shows average turnover and vacancy rates for entry-level IT specialist staff are comparable to rates for other state staff. However, wages for entry-level IT specialist staff were at least 20 percent lower relative to the private sector in March 2021. Total compensation, including health care and retirement benefits, appears to be more comparable between private sector companies and state government. Consequently, whether recruiting and retaining IS professionals is more challenging than for other state positions is somewhat unclear. Since March 2021, when these data were collected and published, however, the state’s unemployment rate has decreased from 8.4 percent to 4.1 percent (as of November 2022). Moreover, inflation has increased at rates notably higher than recent state salary adjustments. Therefore, state entities likely will face challenges recruiting and retaining staff for the positions they are requesting in their proposals.

Merit in Separation of IS and Privacy Officer Roles and Responsibilities… We find merit in the CalHR and DFW proposals to separate the roles and responsibilities of their IS and privacy officers pursuant to CDT OIS policy. Sufficient funding and positions for both officers and their programs likely will improve program coordination and implementation and prevent conflicts of interest that arise from officers and programs performing multiple roles.

…But Funding and Positions Needed Not Available to All State Entities. However, CalHR and DFW likely are not the only state entities that will require additional ongoing funding and positions to separate their IS and privacy officers and programs. There are a number of smaller entities handling sensitive personal data with IT budgets that might only support one IS officer who covers both IS and privacy, or no IS staff at all. How these smaller entities will separate their IS and privacy officers and programs without additional funding is unclear.

Shared IS Needs Identified, but Centralized Shared Service Contracts Not Yet Available. Both CalEPA and CalSTA requested funding to procure the same type of IS software, but there is currently no shared service contract—that is, a consolidated contract for IT services managed by CDT and offered to multiple state entities—for this software. Shared service contracts can use the state’s bargaining power to reduce service costs and, therefore, generate savings. According to CDT’s IT contract consolidation report (submitted in February pursuant to Government Code Section 11546.45[a][4]), CDT is prioritizing IS services, such as GRC software, for consolidated shared service contracts. However, the report only expects one additional shared service contract in 2023, so when shared service contracts for IS services like those requested by CalEPA and CalSTA will be procured and made available to state entities remains unclear.

Two Main Cal-CSIC Proposals

Cal-CSIC Augmentations

Merit in Augmentation of Cal-CSIC Funding and Positions… We find merit in Cal-CSIC’s request to make existing positions permanent to meet statewide demand for coordination of IS activities, incident response (such as responding to incidents like those recently involving DOF and Los Angeles Unified School District), and threat intelligence gathering and dissemination. Increased cyberattacks and threats to state entities cited by the administration also support additional positions and resources to meet increased demand for existing services and address emerging areas of cybersecurity risk such as threats to critical infrastructure OT systems.

…But New Goals and Outcomes of Augmentation Warrant Oversight. However, the goals and outcomes provided by Cal-CSIC in support of this proposal suggest legislative oversight is warranted. This is to ensure the augmentation meets the increased demand for existing services, helps address emerging areas of cybersecurity risk, and achieves initiatives and technical capabilities in Cal-Secure. Cal-CSIC did provide supporting documentation that aligns each of the requested positions in the proposal with each of the gaps in Cal-CSIC’s current capabilities based on their level of support, but currently there is no information about the plan and time line to close these gaps. Also, Cal-CSIC’s supporting documentation establishes links between Cal-Secure and positions requested in the proposal, but the goals and success measures provided would require quantification and reporting to the Legislature to be useful. For example, one of the goals is to modernize cybersecurity procurement with an accompanying success measure of eliminating the use of unsecured technology. How procurement will be modernized and the number of devices, networks, and systems that are unsecured and need to be eliminated remains unclear. Clear, measurable goals and outcomes are critical for the Legislature to monitor whether increased Cal-CSIC resources are preventing increasing numbers of cyberattacks on and threats to state entities from becoming incidents.

Budget Problem Warrants Careful Scrutiny of Proposed General Fund Spending Augmentations. In The 2023-24 Budget: Overview of the Governor’s Budget, our office identifies a budget problem in the tens of billions of dollars in 2023-24 and, in The 2023-24 Budget: Multiyear Assessment, projects a larger budget problem at May Revision by several billion dollars across 2022-23 and 2023-24. To address the budget problem, we recommended the Legislature use specific criteria to evaluate which recent augmentations to maintain versus which ones to reduce or delay. One criterion is whether a proposal sets clear goals that are in alignment with legislative priorities. While improving the state’s IS defenses and preparedness is a legislative priority, as evidenced by the Legislature’s approval of numerous IS proposals across several budgets and the establishment of Cal-CSIC in statute, the proposal lacks clear goals and outcome measurements that are connected to the requested funding and positions.

High Vacancy Rate Suggests at Least Some Proposed Positions Could Remain Vacant. According to CalOES, the current vacancy rate for Cal-CSIC positions is 23 percent, which is several percentage points higher than the average vacancy rate for state entities. While CalOES expects to recruit and hire these positions more quickly based on current economic conditions in the technology sector and the increased number of applications received for some positions, some proposed positions (if approved) likely could remain vacant given ongoing vacancy challenges. Given the budget problem, possible vacancies might warrant some delays or reductions of funding.

School Cybersecurity (AB 2355)

Proposal Exceeds Requirements of AB 2355. Cal-CSIC’s preliminary estimate of the resources needed to help LEAs goes beyond the specific requirements of AB 2355 in three key ways. First, the estimate assumes that the addition of requests from LEAs will result in a 100 percent increase in the total number of requests from all entities for assistance from Cal-CSIC and that Cal-CSIC responds to every request. Second, the estimate assumes Cal-CSIC will provide on-site incident response to any LEA, if requested. Third, the estimate assumes Cal-CSIC will establish data sharing agreements and software licensing arrangements with each LEA to integrate at least some LEA data into future automated solutions administered by Cal-CSIC. It is reasonable for Cal-CSIC to consider what additional resources might be needed to help LEAs in the event of a cyberattack or data breach, but none of these additional activities is required by AB 2355.

No Historical Data on Number of LEA Cyberattacks, Requests for Assistance, or Incidents Requiring Response. The new requirements of AB 2355 also mean Cal-CSIC’s preliminary estimate is not informed by historical data on how many cyberattacks will be reported, how many requests for assistance will be submitted, and how many incidents will require Cal-CSIC to respond. The absence of these data makes it difficult to know, for example, how the level of support requested from Cal-CSIC will differ among LEAs. Some LEAs, particularly large LEAs, might first request assistance from their cyber insurance providers and other vendors before requesting Cal-CSIC’s assistance. Other LEAs might meet the reporting requirements of AB 2355, but opt not to request any support from Cal-CSIC and instead use their internal IT staff to respond and remediate any deficiencies and vulnerabilities. Without historical data and/or information about how LEAs will respond to AB 2355, Cal-CSIC’s preliminary estimate of the resources needed to assist LEAs is a “best guess.”

Incremental Approach to Additional Funding and Positions Warranted. Given the specific requirements of AB 2355, we find the initial $951,000 and three positions necessary to plan, develop, and implement the database to be reasonable. However, any additional funding and/or positions in 2023-24 and future fiscal years, particularly within the context of the budget problem, should not be considered in the absence of LEAs’ demonstrated need for additional assistance from Cal-CSIC.

Recommendations

All Proposals

Direct Cal-CSIC and CDT to Report to the Legislature on Cal-Secure Implementation. We recommend the Legislature direct Cal-CSIC, in consultation with its partners, to report annually to the Legislature on the implementation of Cal-Secure initiatives and technical capabilities. This reporting would improve the Legislature’s oversight of Cal-Secure implementation, including state entities’ efforts using funding and/or positions approved through the budget process.

Direct CDT and DOF to Evaluate Options for Disclosure of Information in Support of IS Proposals. We also recommend the Legislature direct CDT and DOF to consider and report back on options for the standardized disclosure of information in support of state entities’ IS-related proposals. CDT and DOF could consider whether information comparable to what is shared with legislative leadership under AB 2135 (that is, compliance certifications and plans of action and milestones) also might be shared for reporting entities to avoid any asymmetry of information sharing. We recommend the Legislature require CDT and DOF to provide these options by the end of the calendar year to inform the 2024-25 budget process.

Consider Phasing in Number of Positions for Larger IS Proposals. For IS proposals that request a large number of positions in 2023-24, we recommend the Legislature consider phasing in some number of positions in acknowledgement of the longer recruitment and hiring time lines for IS staff. These delays also would help in addressing the budget problem in 2023-24, while maintaining the majority of positions to improve the state’s IS defenses and preparedness.

Direct CDT to Evaluate Options for Helping Entities Separate IS and Privacy Program Roles and Responsibilities. We also recommend the Legislature direct CDT to create a plan to separate state entity IS and privacy officers and programs, particularly for smaller entities that maintain and use sensitive personal data. CDT could consider whether centralized IS services—similar to, for example, the Department of General Services’ Centralized Fiscal Services for state entity accounting services—might be warranted to help smaller entities with this separation. We recommend the Legislature require CDT to provide this plan during next year’s budget process for legislative consideration.

Require CDT to Prioritize Cybersecurity Services for Shared Service Contracts. We also recommend the Legislature require CDT to prioritize shared service contracts for IS services as part of its IT contract consolidation efforts to reduce service costs and generate savings. To help monitor these efforts, the Legislature could consider amending current reporting requirements in statute to also require that CDT identify any shared services assessed, procured, and advertised to state entities in its annual report.

Two Main Cal-CSIC Proposals

Cal-CSIC Augmentations

Approve Funding for Existing Cal-CSIC Positions, but Direct Cal-CSIC to Prioritize New Funding and Positions. We recommend the Legislature approve funding for Cal-CSIC to make permanent 23 existing positions approved in 2020-21. We also recommend that the Legislature direct Cal-CSIC, in consultation with its partners, to prioritize new funding and positions that are requested in its augmentation proposal. The current budget problem requires that even proposals that align with legislative goals must prioritize their activities, and the absence of prioritization makes discussions on the proposal more difficult. The Legislature could direct Cal-CSIC to report back to budget subcommittees before May Revision on what funding and which positions are most critical to furthering Cal-CSIC’s mission. With this information, the Legislature could determine whether the requested augmentation might be reduced to make additional General Fund available to address the current budget problem.

Require Reporting on Goals and Outcomes for Any New Funding and Positions. We also recommend the Legislature adopt provisional budget bill language for any new funding that requires Cal-CSIC to quantify its goals and outcomes, and requires a report to the Legislature on Cal-CSIC’s progress towards these goals and outcomes. If the Cal-Secure implementation reporting recommended above is approved, the Legislature also could consider incorporating the Cal-Secure goals and success measures in this proposal into that annual report. This reporting would allow the Legislature to ensure its priorities to improve state entities’ IS defenses and preparedness are achieved by Cal-CSIC.

School Cybersecurity (AB 2355)

Approve $951,000 and Three Positions to Meet Requirements of AB 2355. We recommend the Legislature approve $951,000 and three ITS II positions from 2023-24 through 2026-27 for Cal-CSIC to plan, develop, and implement the database that will allow it to meet the specific requirements of AB 2355.

Reject All Remaining Proposed Funding and Positions That Go Beyond Meeting AB 2355 Requirements. Without a basis for assessing the LEAs’ need for additional assistance from Cal-CSIC, we recommend the Legislature reject the remainder of the funding and positions requested by Cal-CSIC to implement AB 2355: $4.4 million General Fund and 14 positions in 2023-24, and $2.95 million General Fund and 14 positions from 2024-25 through 2026-27.

Consider Approving Provisional Budget Bill Language That Allows Small Amount of Additional Funding Based on Experience With LEAs. Acknowledging the need for some level of Cal-CSIC funding to help LEAs with cyberattacks and data breaches, we recommend the Legislature consider approving provisional budget bill language that would allow Cal-CSIC to request some small amount of additional funding, subject to notification of the Joint Legislative Budget Committee, based on its actual experience with LEAs’ response to AB 2355. We also recommend the language require Cal-CSIC to provide data on the number of reported cyberattacks, requests for assistance, responses to requests for assistance, incidents that warranted response, and descriptions of the level of response before DOF can authorize expenditure of the funding. These data would complement information that is expected to be in Cal-CSIC’s first AB 2355 report on January 1, 2024, and provide the Legislature with an opportunity to assess whether additional resources are warranted.