New Statewide Information Security Funding Ensures Critical Services

July 29, 2021 – When Gov. Gavin Newsom signed California’s FY 2021-22 budget, he set in motion a host of state technology initiatives that will improve the delivery of government services to California’s nearly 40 million residents. One initiative allows us, the California Department of Technology (CDT), to receive General Funding to support essential statewide information security services. The significance of this new funding model can be understood by reviewing CDT’s previous model.

The previous model, funded through the Technology Services Revolving Fund, required state agencies, departments, and other government entities to absorb the cost of mandated security services. Some entities found it difficult to pay the cost of program and oversight services, threat information sharing, protection, and centralized Security Operations Center (SOC) functions; all of which are mission-critical security services required of state entities. Due to competing priorities, some struggled to prioritize funding toward remediation efforts of identified audit gaps, while others were unable to sustain audits, assessments, security solutions, and SOC mitigations. This new funding shift adds additional capacity to fund necessary requirements that otherwise may have conflicted with security implementations and deferred security measures.

The new centralized funding model ensures SOC and Statewide Information Security Oversight benefits for all state entities and supports maturing the statewide information security infrastructure as a default and a built-in function across state government.

As of July 1, 2021, we discontinued billing for the following services:

  • Security Operations Center (SOC) – monitors and reacts to threats on the California the state’s primary enterprise network, CGEN.
  • Information Security Audit Program – evaluates compliance with state security and privacy policies.
  • California Compliance and Security Incident Reporting System (Cal-CSIRS) – the tool used for Security Incident Reporting.

This includes Information Security Program Audits, 24/7/365 SOC services, Statewide incident reporting, intelligence analysis, information sharing, and incident response provided by the California Cyber Security Integration Center.

The new model also ties into the state’s technology strategic plan—Vision 2023:

Protect California’s information assets and maximizing data access.
Develop a robust and collaborative risk reduction strategy.
Improve and invest in security capabilities to protect mission-critical systems and data.

By funding security activities in the General Fund, state entities are now able to focus and prioritize on fixing critical gaps identified through the oversight program and strengthen their security postures while benefiting from built-in security mitigations from the SOC. It is a significant step that will improve our cybersecurity maturity and preparedness, protect residents’ sensitive information, and continue the safe and secure delivery of essential services to Californians.