The California Department of Technology (CDT) announced this week that it has created a program to test and assess state government departments’ cybersecurity defenses and then grade them periodically — the first state in the nation to devise such a matrix.
The initiative is an outgrowth of the CDT’s emphasis, as outlined in last year’s “Vision 2020” report, to measure performance through objective metrics — “apples to apples,” as Peter Liebert explains it. Liebert is the state’s chief information security officer and director of the Office of Information Security, and in an interview Thursday with Techwire, he discussed the program and its intent.
“This is not designed to name and shame,” he said. “This is designed to provide a tool (to understand) where they are and where they want to go” in terms of cybersecurity.
For months, the CDT’s Office of Information Security (OIS) and other state IT leaders have been devising ways to assess and grade each department’s cyberdefenses — the ability to resist phishing attacks, for example. Chief information officers and agency information officers helped craft the formulas used to assess cyber hygiene. Departments will be given a grade ranging from 0 on the low end to 4 on the high end.
The CDT laid out the program in a Technology Letter issued earlier this week.
“Here’s where we are: We’re baselining and starting that journey,” Liebert told Techwire.
State departments will be audited and their cyberdefenses graded on an ongoing basis “to establish a baseline for maturity,” he said, defining maturity as “where you are in the implementation of the information security program.”
“Just having a (policy) document doesn’t mean you’re actually implementing it. ... This blends policy and implementation.”
Liebert noted that different departments face different threat levels — some are bigger targets because of the nature of the data they handle.
“We’re not saying this is an end-all and be-all,” Liebert said. “Fantastic programs can be very mature, but just by the nature of (their) business ... (risk) still feeds into the equation. But this helps.”
The California Cybersecurity Maturity Metrics is the outcome of dozens of workshops involving state information security officers (ISOs) and CIOs. In all, Liebert said, representatives of about 40 entities contributed to the final product. Significant input came from the “core four” departments that oversee cybersecurity and cybercrime in California: the California Cyber Security Integration Center (Cal-CSIC), part of the state Office of Emergency Services; the California Highway Patrol, which oversees cybercrime enforcement; the California Military Department; and the CDT.
“We looked at industry best practices,” Liebert said. “We didn’t want to make this an ivory tower approach.” The final outcome is a transparent, open source policy that “draws highly” from the National Institute of Standards and Technology’s (NIST) Cyber Framework.
“We borrowed from the best in the industry and combined it,” he said.
Liebert said the state specifically did not want to purchase an off-the-shelf product.
“Private-sector programs are proprietary,” he noted. “We wanted to make sure it was tailored to California. We wanted to retain it and control what we do. It’s open source; it has to be transparent.” He said the policy and its specifics would be made available online to state employees so they fully understand the criteria and the schedule of assessments, which will occur on a rolling timetable, continually being updated as each department gathers new data.
“We only get partial data each year, so as audits are being done, they’re collecting data. As soon as the final report data is back, we update and provide the metric back. The idea is that each year, a portion is updated. ... The next year, the audit group comes out and tests and pulls new metrics. We didn’t want to just score and then walk away. ... We want to really pay attention to folks that are not progressing” in the metrics from year to year.
The reaction among state department leaders?
“There’s always going to be trepidation,” he said, adding, “We had buy-in from the get-go.”
The program will be explained in depth for state IT workers in a series of workshops this spring. Liebert said attendance is “highly encouraged, and I think we’ll have a packed house, so to speak.”
Departments’ grades will be shared internally with department leaders, but security assessments, audit findings and scores will not be made public, Liebert said.