February 8, 2021
The California Department of Technology (CDT) is the administration’s central information technology (IT) entity with broad authority over most aspects of technology in state government. CDT traditionally funds its operations, programs, and services using a cost‑recovery model that charges both administrative fees and set rates for services to entities. The Governor’s 2021‑22 Budget proposes to pay the costs of some existing CDT programs and services from the General Fund instead, and to use General Fund for other budget proposals from the department. As a result, General Fund expenditures for CDT would increase $32.7 million year over year—from $6.8 million in 2020‑21 to $39.5 million in 2021‑22. (Total expenditures from all funds would increase from $434 million to $493 million.) This post assesses whether this proposed increase in General Fund expenditures is prudent, weighs the merits of the department’s budget proposals, and provides associated recommendations.
CDT Office of Information Security (OIS). CDT OIS is responsible for the creation and enforcement of information security (IS) policies, standards, and procedures that many state entities must follow. OIS also operates the state’s Security Operations Center (SOC), which continuously monitors and reacts to threats on the California Government Enterprise Network (CGEN), the state government’s primary enterprise network. (An enterprise network is a combination of physical and virtual IT infrastructure that connects applications, devices, systems, and users.) A number of state entities connect to CGEN, which allows SOC to identify and respond more quickly to any attacks and/or threats to these entities. OIS also provides IS program audit services, which determine whether a state entity is compliant with state IS policy and standards. Auditors request documentation from an entity to perform an initial assessment of the entity’s compliance; perform field work at the entity, such as interviews with state staff; and issue a final report to the entity with findings of non‑ or partial compliance with state IS policies, standards, and/or procedures that require corrective action. OIS bills audited entities for these services. (For more information about state IS strategy, please see our February 25, 2020 post—The 2020‑21 Budget: The Governor’s Information Security Proposals.)
Budget Requests $21 Million General Fund to Pay for Costs of SOC and IS Program Audit Services Directly. CDT requests $21 million General Fund in 2021‑22 and ongoing to pay the costs of OIS SOC and IS program audit services, reflecting a shift away from funding these activities through CDT’s cost recovery fund—the Technology Services Revolving Fund. The intent of the administration is to allow state entities with funding currently budgeted for IS program audits and SOC services to instead use those funds freed up by this proposal to remediate identified IS deficiencies.
Proposed Statutory Changes Would Allow General Fund to Pay for IS Program Audit Services. The administration also is proposing statutory changes that would repeal the requirement that state entities audited by CDT fund the cost of their audits, and instead allow General Fund to be used for this purpose.
Budget Requests $11.4 Million General Fund to Expand Existing Programs and Services and Create New Ones. CDT requests $11.4 million General Fund and 17 positions in 2021‑22 to hire additional staff and contract with vendors across five different departmental offices. Figure 1 identifies and describes each affected office, and Figure 2 specifies the amount of funding and number of positions by office, program, and/or service.
Figure 1
Descriptions of CDT Offices With Proposed Budget Augmentations

| Office | Description |
|---|---|
| Office of Enterprise Technology | Provides platforms and technology such as geographic information systems and open data, as well as services ranging from development and operations engineering to planning and product management to software engineering. |
| Office of Governmental Affairs, Office of Broadband and Digital Literacy | Supports the California Broadband Council, which identifies public and private resources and recommends policies to expand Internet access in the state. Supports and monitors the implementation of the new State Broadband Action Plan, including ongoing annual plan reviews. |
| Office of Legal Services | Supports department operations with legal research and advice, as well as review of contracts, law, and policy. |
| Office of Statewide Project Delivery | Approves IT projects through the state’s IT project planning process—the Project Approval Lifecycle—and provides independent oversight services for projects in development and implementation. Conducts IT project procurements and telecommunications acquisitions. Provides project consulting and management services for certain IT projects. |
| Office of Technology Services | Manages and operates the State Data Center to provide shared infrastructure, platforms, software, storage, and other solutions for (among others) state government entities. |

CDT = California Department of Technology and IT = information technology.
Figure 2
Five CDT Offices Request General Fund Support and Positions for Existing and New Programs/Services
General Fund (In Thousands)

| Office | Relevant Program and/or Service | Requested Funding | Requested Positions |
|---|---|---|---|
| Existing Programs and Services | | | |
| Office of Enterprise Technology | COVID‑19 Cloud Services and Software (a) | $3,000 | — |
| Office of Enterprise Technology | Data and Geospatial Services Staff | 456 | 3 |
| Office of Government Affairs | Broadband and Digital Literacy Staff | 326 | 2 |
| Office of Legal Services | Legal Services Staff | 203 | 1 |
| Subtotals | | ($3,985) | (6) |
| New Service Assessment Program | | | |
| Office of Statewide Project Delivery | Specialist Diagnostic Capabilities Consulting (a, b) | $2,500 | — |
| | Service Assessment Program Development and Testing Consulting (a) | 500 | — |
| | Service Assessment Program Staff | 352 | 2 |
| | California Project Management Office ‑ Statewide Project Delivery Services Staff | 426 | 2 |
| Subtotals | | ($3,778) | (4) |
| New Service Transformation Program | | | |
| Office of Enterprise Technology | Specialist Diagnostic Capabilities Consulting (b) | $2,500 | — |
| | Service Transformation Program Staff | 214 | 1 |
| | Technology Innovation Services ‑ Software Engineering Staff | 139 | 1 |
| | Technology Innovation Services ‑ DevOps Engineering Staff | 139 | 1 |
| | Technology Innovation Services ‑ Planning and Product Management Staff | 139 | 1 |
| Subtotals | | ($3,131) | (4) |
| New Infrastructure/Platform Transformation Program | | | |
| Office of Technology Services | Infrastructure/Platform Transformation Program Staff | $538 | 3 |
| Subtotals | | ($538) | (3) |
| Total | | $11,432 | 17 |

(a) Funding requested for external consulting and contracted specialized expertise.
(b) Table reflects even split in requested funding for specialist diagnostic capabilities, but exact split between programs unknown.
CDT = California Department of Technology and COVID‑19 = coronavirus disease 2019.
Proposal Creates Three New Programs. CDT proposes to create three new programs across three departmental offices: (1) a Service Assessment Program in the Office of Statewide Project Delivery (OSPD), (2) a Service Transformation Program in the Office of Enterprise Technology (OET), and (3) an Infrastructure/Platform Transformation Program in the Office of Technology Services (OTech).
Budget Proposals Have Merit… The intent of the administration that is reflected in the package of budget proposals is to (1) improve the statewide delivery of IS services and (2) proactively address the performance and stability issues of IT systems that hinder state entities’ ability to deliver critical services. We find that the administration’s intent, and thus the proposed new programs and services, have merit. The proposed use of General Fund for these proposals, instead of CDT’s traditional cost recovery fund, also is intended to (1) provide a more stable source of funding for services provided to most state government entities, and (2) fund more proactive and targeted service delivery by CDT to state entities instead of state entities paying CDT to provide select services or remediate specific issues. We agree with the administration’s stated rationale to use the General Fund for these proposals. A more stable funding source would allow OIS to perform audits more routinely, especially of smaller entities with more limited budgets, and not limit SOC services to those entities that can pay for them. A more proactive CDT would also be able to assess, prioritize, and remediate system issues across state government in a way that individual state entities are unable to do.
…But Significantly Increase General Fund Expenditures Year Over Year. However, if the Legislature approves these proposals, General Fund expenditures for CDT will increase $32.7 million year over year from $6.8 million in 2020‑21 to $39.5 million in 2021‑22. Given the state’s projected multiyear budget deficits and the fact that the General Fund has not traditionally been used to directly support most CDT programs and services, the proposed use of General Fund should be given an appropriate level of scrutiny by the Legislature. Accordingly, while the intent of the proposals has merit, it will be important for the Legislature to consider the likelihood of the proposals successfully meeting this intent when implemented. We understand the administration also is considering different ways of funding some of the services in these proposals, such as a Pro Rata and/or Statewide Cost Allocation Plan process for SOC services. (State Pro Rata and Statewide Cost Allocation Plan processes allow special fund and federal fund reimbursement, respectively, of the General Fund.) To avoid adding to ongoing pressure on the General Fund, alternative funding sources for these programs and services should continue to be explored by the administration and identified alternative funding sources presented to the Legislature in future proposals.
Proposed Statutory Language Does Not Require Entities to Use Previously Budgeted Audit Funding to Remediate IS Deficiencies as Intended by Administration. We understand that the intent of the statutory language proposed by the administration is to allow state entities to use funding they previously budgeted for IS program audits (and now freed up by the budget proposal) to remediate deficiencies in their IS programs. While we find the intent of the administration has merit, that intent is not reflected in the text of the proposed language. Instead, the administration anticipates using audits, independent security assessments, and meetings with IS staff to make sure previously budgeted audit funding is used as intended. Given the confidential nature of IS‑related activities, the Legislature has no means of ensuring funds are used in this manner absent revising the proposed language.
No Administrative Policy or Statutory Changes Proposed to Support New Programs. The administration has stated that it is relying on existing statutory authority for each of the new programs in the Stabilize Critical Services and IT Infrastructure proposal, and anticipates changes in state administrative policy would be made after the proposal is approved. While we raise no issues with the department’s existing statutory authority, we suggest the Legislature consider whether statutory changes are warranted to establish goals for the new programs and/or prioritize certain entities for assessments. We do, however, consider the lack of proposed administrative policy problematic in that it means the Legislature lacks key details on how the new programs would be implemented. For example, administrative policy will need to address:
The Legislature should be given the opportunity to review the finalized changes in administrative policy (which will provide more details on the new programs) as a condition of the department’s expenditure of some amount of approved funding.
Approve Security Operations Center and Audit Program Funding Conversion Proposal With Revised Statutory Language to Reflect Administration’s Intent. We recommend the Legislature approve CDT’s IS budget proposal with revised statutory language to reflect the intent of the administration for state entities to use funding previously budgeted for IS program audits to remediate deficiencies in their IS programs. We also recommend the Legislature direct CDT to report back at future budget hearings on the possibility of funding statewide SOC services in this proposal through the state’s Pro Rata and Statewide Cost Allocation Plan processes, as well as other alternative funding sources for new programs and services.
Approve Stabilize Critical Services and IT Infrastructure Proposal With Budget Bill Language to Allow Legislative Review of Changes in Administrative Policy. We recommend the Legislature approve CDT’s Stabilize Critical Services and IT Infrastructure proposal with budget bill language that conditions the expenditure of some amount of approved funding on the completion of changes in administrative policy and notification of (at a minimum) the Joint Legislative Budget Committee for legislative review. The exact amount of approved funding subject to this provision would be negotiated between the administration and the Legislature.