
Audit Recommendations Could Jumpstart Stalled Cybersecurity Bill

The co-chairs of a state Assembly committee that scrutinized a cybersecurity audit agreed that so-called "non-reporting entities," 21 of which were found to have "high-risk" deficiencies, would benefit from increased oversight.

Audit recommendations discussed during an Assembly hearing into cybersecurity could jumpstart a piece of stalled legislation and improve oversight of state-level “entities” outside California Department of Technology (CDT) supervision.

Tuesday’s hearing, called by the co-chairs of the Assembly Select Committee on Cybersecurity, followed the July 16 release of a high-risk audit by the State Auditor’s Office identifying numerous weaknesses in more than 30 state-level non-reporting entities. Entities under CDT’s oversight, or reporting entities, have increased compliance with set standards. The non-reporting entities surveyed were developed from a list of 233 state agencies, departments, boards, constitutional offices and other entities maintained by the Secretary of State’s Office. They were not identified, likely for security reasons.

Auditor Elaine M. Howle deemed 24 entities “partially compliant” with standards, but found “high-risk deficiencies” at 21 others. The audit recommended that the entities adopt information security standards similar to those in Chapter 5300 of the State Administrative Manual (SAM 5300); do “comprehensive” information security assessments at least every three years; and confidentially submit compliance certifications to the Assembly Privacy and Consumer Protection Committee, with corrective action plans if applicable. Among the takeaways:

• Assemblymember Jacqui Irwin, D-Thousand Oaks, and Assemblymember Ed Chau, D-Monterey Park, the committee co-chairs who sought the hearing, told Techwire they agreed with the recommendations, with Irwin indicating she found them “in line” with her own Assembly Bill 1242, which has been held in the state Assembly Committee on Appropriations. Chau, like Irwin a member of the California Legislative Technology and Innovation Caucus, said via email that the Legislature “may actually need to go further to address the issue adequately, so that we don’t end up with a system of simple self-certification that policy experts would necessarily have to rely upon for lack of IT expertise.”

• Greater oversight of non-reporting entities, including having them report to the Legislature, would not jeopardize their independence, Irwin and Chau said. Asked what set of standards the entities might be held to, Chau pointed out that SAM 5300 was developed for the state by cybersecurity experts, based on National Institute of Standards and Technology (NIST) guidelines, “so it strikes me that it is the most logical standard to turn to.”

• Asked by Techwire what could be next for some of the non-reporting entities, CDT Director and state CIO Amy Tong, who joined discussion at the committee hearing, said CDT, part of the “Core-4 partners in cybersecurity,” is “vigilant in protecting security among all state entities.”

“Creating a common cyber and information security profile across state government is essential to ensure we can protect critical data and information assets,” Tong said via email. Core-4 partners are the Governor’s Office of Emergency Services, California Department of the Military, California Highway Patrol and CDT.

• It’s not yet clear exactly how this would happen, and just four weeks remain until Sept. 13, the Legislature’s last day to pass bills – but Irwin said she’ll look into “if there’s any way to move” AB 1242 forward and include the audit’s recommendations. It originally focused on creating a Cabinet-level “cyber czar” position but has since had that language removed.

“We need to get them up to the point they should be so that they can be ready for the threats that are going to be coming on,” Irwin said. “The issue always with things like security, cybersecurity is, it’s preventative. Real investment is preventative, and so I think for a lot of politicians it’s not necessarily the top priority when you have so many other priorities that your constituents will more likely see,” she said, noting that conversations have already begun with constitutional offices that had concerns.

Bills that land in Appropriations are generally expected to remain there, Irwin said; but if AB 1242 moves forward, she’ll ask Chau to be a principal co-author. Chau said: “I think we all recognize after the report and Tuesday’s hearing that this is a problem needing a solution.”

Theo Douglas is Assistant Managing Editor of Industry Insider — California.