
Audit Revisits Cybersecurity Compliance at CPUC

A new state audit of management and contracting policies at the California Public Utilities Commission (CPUC) has revealed that it likely won't achieve full compliance with the state's cybersecurity standards until the end of 2019.

The estimated completion date comes on the heels of a separate audit last year that found "pervasive weaknesses" in the security controls of CPUC technology systems, including the lack of an incident response plan; "key information security documents were nonexistent or lacked critical components," according to the state auditor.

In the audit released Sept. 22, the CPUC reported that limited staff resources were a barrier to achieving full compliance, although the commission did say that it was recently granted authorization to add staff to its security team. The state auditor initially recommended CPUC fully comply with the state's security standards by April 2016.

"When we again followed up with the CPUC to verify its compliance status, we expected, at a minimum, that it would have achieved full compliance with nearly all of the security standards," the Sept. 22 audit reports. "However, we found that the CPUC significantly overstated its progress toward addressing our recommendation. Although it submitted copies of various information security documents for our review, it was substantially out of compliance with the majority of the security standards. When we questioned the CPUC about the disconnect between its asserted level of compliance and its actual level of compliance, it explained that it did not fully understand the depth of the security standards when it provided the April 2016 status update."

The CPUC said it now understands the requirements because of the audit follow-up. CPUC also agreed with most recommendations contained in the Sept. 22 audit.

"We have made much progress in bringing our practices into conformity with state procedures, requirements, and norms in the past year. We take the audit report of our practices covering 2010-2015 very seriously and we have a plan in place to comply with the recommendations," CPUC said in a statement to Techwire.

IT staffing and resources have been a challenge for the CPUC, according to state records. Earlier this year, the commission pursued permission to add two dozen more staff to its IT team, in part to begin work on 11 new technology projects that have been conceptually approved. In that staff request, CPUC said it's in "drastic need" of a dedicated security team.

"Until the CPUC improves the controls it has implemented over its information systems, the confidentiality, integrity and availability of its information systems will continue to be at risk," the state auditor reiterated.

The CPUC is not alone in being out of compliance with the state's security standards. A 2015 state audit found that most state departments self-reported that they aren't fully compliant with the state's security standards, and new legislation (AB 670) enacted last year is requiring the state to conduct security audits on dozens of state agencies and departments each year.

Matt Williams was Managing Editor of Techwire from June 2014 through May 2017.