LAO Contact

Brian Metzker

Budget and Policy Post
February 8, 2021

The 2021-22 Budget

California Department of Technology


Budget Overview

The California Department of Technology (CDT) is the administration’s central information technology (IT) entity with broad authority over most aspects of technology in state government. CDT traditionally funds its operations, programs, and services using a cost‑recovery model that charges both administrative fees and set rates for services to entities. The Governor’s 2021‑22 Budget proposes to pay the costs of some existing CDT programs and services from the General Fund instead, and to use General Fund for other budget proposals from the department. As a result, General Fund expenditures for CDT would increase $32.7 million year over year—from $6.8 million in 2020‑21 to $39.5 million in 2021‑22. (Total expenditures from all funds would increase from $434 million to $493 million.) This post assesses whether this proposed increase in General Fund expenditures is prudent, weighs the merits of the department’s budget proposals, and provides associated recommendations.

Budget Proposals

Security Operations Center and Audit Program Funding Conversion

CDT Office of Information Security (OIS). CDT OIS is responsible for the creation and enforcement of information security (IS) policies, standards, and procedures that many state entities must follow. OIS also operates the state’s Security Operations Center (SOC), which continuously monitors and reacts to threats on the California Government Enterprise Network (CGEN), the state government’s primary enterprise network. (An enterprise network is a combination of physical and virtual IT infrastructure that connects applications, devices, systems, and users.) A number of state entities connect to CGEN, which allows SOC to identify and respond more quickly to any attacks and/or threats to these entities. OIS also provides IS program audit services, which determine whether a state entity is compliant with state IS policy and standards. Auditors request documentation from an entity to perform an initial assessment of the entity’s compliance; perform field work at the entity, such as interviews with state staff; and issue a final report to the entity with findings of non‑ or partial compliance with state IS policies, standards, and/or procedures that require corrective action. OIS bills audited entities for these services. (For more information about state IS strategy, please see our February 25, 2020 post—The 2020‑21 Budget: The Governor’s Information Security Proposals.)

Budget Requests $21 Million General Fund to Pay for Costs of SOC and IS Program Audit Services Directly. CDT requests $21 million General Fund in 2021‑22 and ongoing to pay the costs of OIS SOC and IS program audit services, reflecting a shift away from funding these activities through CDT’s cost recovery fund—the Technology Services Revolving Fund. The intent of the administration is to allow state entities with funding currently budgeted for IS program audits and SOC services to instead use those funds freed up by this proposal to remediate identified IS deficiencies.

Proposed Statutory Changes Would Allow General Fund to Pay for IS Program Audit Services. The administration also is proposing statutory changes that would repeal the requirement that state entities audited by CDT fund the cost of their audits, and instead allow General Fund to be used for this purpose.

Stabilize Critical Services and IT Infrastructure

Budget Requests $11.4 Million General Fund to Expand Existing Programs and Services and Create New Ones. CDT requests $11.4 million General Fund and 17 positions in 2021‑22 to hire additional staff and contract with vendors across five different departmental offices. Figure 1 identifies and describes each affected office, and Figure 2 specifies the amount of funding and number of positions by office, program, and/or service.

Figure 1

Descriptions of CDT Offices With Proposed Budget Augmentations

| Office | Description |
|---|---|
| Office of Enterprise Technology | Provides platforms and technology such as geographic information systems and open data, as well as services ranging from development and operations engineering to planning and product management to software engineering. |
| Office of Governmental Affairs, Office of Broadband and Digital Literacy | Supports the California Broadband Council, which identifies public and private resources and recommends policies to expand Internet access in the state. Supports and monitors the implementation of the new State Broadband Action Plan, including ongoing annual plan reviews. |
| Office of Legal Services | Supports department operations with legal research and advice, as well as review of contracts, law, and policy. |
| Office of Statewide Project Delivery | Approves IT projects through the state’s IT project planning process—the Project Approval Lifecycle—and provides independent oversight services for projects in development and implementation. Conducts IT project procurements and telecommunications acquisitions. Provides project consulting and management services for certain IT projects. |
| Office of Technology Services | Manages and operates the State Data Center to provide shared infrastructure, platforms, software, storage, and other solutions for (among others) state government entities. |

CDT = California Department of Technology and IT = information technology.

Figure 2

Five CDT Offices Request General Fund Support and Positions for Existing and New Programs/Services

General Fund (In Thousands)

| Office | Relevant Program and/or Service | Requested Funding | Requested Positions |
|---|---|---|---|
| Existing Programs and Services | | | |
| Office of Enterprise Technology | COVID‑19 Cloud Services and Software (a) | $3,000 | |
| Office of Enterprise Technology | Data and Geospatial Services Staff | 456 | 3 |
| Office of Government Affairs | Broadband and Digital Literacy Staff | 326 | 2 |
| Office of Legal Services | Legal Services Staff | 203 | 1 |
| Subtotals | | ($3,985) | (6) |
| New Service Assessment Program | | | |
| Office of Statewide Project Delivery | Specialist Diagnostic Capabilities Consulting (a, b) | $2,500 | |
| | Service Assessment Program Development and Testing Consulting (a) | 500 | |
| | Service Assessment Program Staff | 352 | 2 |
| | California Project Management Office ‑ Statewide Project Delivery Services Staff | 426 | 2 |
| Subtotals | | ($3,778) | (4) |
| New Service Transformation Program | | | |
| Office of Enterprise Technology | Specialist Diagnostic Capabilities Consulting (b) | $2,500 | |
| | Service Transformation Program Staff | 214 | 1 |
| | Technology Innovation Services ‑ Software Engineering Staff | 139 | 1 |
| | Technology Innovation Services ‑ DevOps Engineering Staff | 139 | 1 |
| | Technology Innovation Services ‑ Planning and Product Management Staff | 139 | 1 |
| Subtotals | | ($3,131) | (4) |
| New Infrastructure/Platform Transformation Program | | | |
| Office of Technology Services | Infrastructure/Platform Transformation Program Staff | $538 | 3 |
| Subtotals | | ($538) | (3) |
| Total | | $11,432 | 17 |

(a) Funding requested for external consulting and contracted specialized expertise.

(b) Table reflects even split in requested funding for specialist diagnostic capabilities, but exact split between programs unknown.

CDT = California Department of Technology and COVID‑19 = coronavirus disease 2019.

Proposal Creates Three New Programs. CDT proposes to create three new programs across three departmental offices: (1) a Service Assessment Program in the Office of Statewide Project Delivery (OSPD), (2) a Service Transformation Program in the Office of Enterprise Technology (OET), and (3) an Infrastructure/Platform Transformation Program in the Office of Technology Services (OTech).

  • Service Assessment Program. The administration’s intent for OSPD’s new Service Assessment Program is to help state entities evaluate the critical services they deliver using IT systems, and identify opportunities for system improvement to prevent failure or substandard performance. Tentatively, OSPD would form and manage assessment teams with staff from OET and/or OTech, the Office of Digital Innovation (in the Government Operations Agency), and the assessed entity. Teams would look at evaluated services within the context of entity‑specific and state IT operations and policy, measure how IT systems perform when delivering these services, and work with entities to prioritize their IT expenditures in the short and long terms.
  • Service Transformation Program. The administration’s intent for OET’s new Service Transformation Program is to build on the initial service assessments performed by OSPD with additional “deep dive” assessments. The deep dive assessments would identify (at a minimum) application, data, and web issues affecting an assessed entity’s delivery of critical services. OET development and operations engineering, planning and product management, and software engineering staff would focus on short‑term service stabilization and the remediation of urgent issues. In the immediate term, requested OET staff would support the applications deployed for coronavirus disease 2019 and wildfire emergency response. ($3 million of the $11.4 million requested is to fund operational expenses for these applications, some amount of which might be eligible for federal reimbursement.) In the long term, the scope of the program is expected to include service transformation initiatives, such as a single digital identifier for applicants across state programs and services.
  • Infrastructure/Platform Transformation Program. The administration’s intent for OTech’s new Infrastructure/Platform Transformation Program also is to build on OSPD’s initial service assessments, but to focus its deep dive assessments on the identification of (at a minimum) an entity’s legacy system infrastructure and platform issues. Similar to OET’s Service Transformation Program, OTech’s program would focus new CDT staff on short‑term infrastructure and platform stabilization and the remediation of immediate issues.

Assessment

Budget Proposals Have Merit… The intent of the administration that is reflected in the package of budget proposals is to (1) improve the statewide delivery of IS services and (2) proactively address the performance and stability issues of IT systems that hinder state entities’ ability to deliver critical services. We find that the administration’s intent, and thus the proposed new programs and services, have merit. The proposed use of General Fund for these proposals, instead of CDT’s traditional cost recovery fund, also is intended to (1) provide a more stable source of funding for services provided to most state government entities, and (2) fund more proactive and targeted service delivery by CDT to state entities instead of state entities paying CDT to provide select services or remediate specific issues. We agree with the administration’s stated rationale to use the General Fund for these proposals. A more stable funding source would allow OIS to perform audits more routinely, especially of smaller entities with more limited budgets, and not limit SOC services to those entities that can pay for them. A more proactive CDT would also be able to assess, prioritize, and remediate system issues across state government in a way that individual state entities are unable to do.

…But Significantly Increase General Fund Expenditures Year Over Year. However, if the Legislature approves these proposals, General Fund expenditures for CDT will increase $32.7 million year over year from $6.8 million in 2020‑21 to $39.5 million in 2021‑22. Given the state’s projected multiyear budget deficits and the fact that the General Fund has not traditionally been used to directly support most CDT programs and services, the proposed use of General Fund should be given an appropriate level of scrutiny by the Legislature. Accordingly, while the intent of the proposals has merit, it will be important for the Legislature to consider the likelihood of the proposals successfully meeting this intent when implemented. We understand the administration also is considering different ways of funding some of the services in these proposals, such as a Pro Rata and/or Statewide Cost Allocation Plan process for SOC services. (State Pro Rata and Statewide Cost Allocation Plan processes allow special fund and federal fund reimbursement, respectively, of the General Fund.) To avoid adding to ongoing pressure on the General Fund, alternative funding sources for these programs and services should continue to be explored by the administration and identified alternative funding sources presented to the Legislature in future proposals.

Proposed Statutory Language Does Not Require Entities to Use Previously Budgeted Audit Funding to Remediate IS Deficiencies as Intended by Administration. We understand that the intent of the statutory language proposed by the administration is to allow state entities to use funding they previously budgeted for IS program audits (and now freed up by the budget proposal) to remediate deficiencies in their IS programs. While we find the intent of the administration has merit, that intent is not reflected in the text of the proposed language. Instead, the administration anticipates using audits, independent security assessments, and meetings with IS staff to make sure previously budgeted audit funding is used as intended. Given the confidential nature of IS‑related activities, the Legislature has no means of ensuring funds are used in this manner absent revising the proposed language.

No Administrative Policy or Statutory Changes Proposed to Support New Programs. The administration has stated that it is relying on existing statutory authority for each of the new programs in the Stabilize Critical Services and IT Infrastructure proposal, and anticipates changes in state administrative policy would be made after the proposal is approved. While we raise no issues with the department’s existing statutory authority, we suggest the Legislature consider whether statutory changes are warranted to establish goals for the new programs and/or prioritize certain entities for assessments. We do, however, consider the lack of proposed administrative policy problematic in that it means the Legislature lacks key details on how the new programs would be implemented. For example, administrative policy will need to address:

  • How the administration will select entities for an initial service assessment.
  • The length and scope of both initial and deep dive service assessments.
  • The transition from short‑term stabilization and issue remediation efforts to long‑term planning and future IT projects.
  • Reporting mechanisms to inform the Legislature (and other stakeholders) about assessments and their outcomes.

The Legislature should be given the opportunity to review the finalized changes in administrative policy (which will provide more details on the new programs) as a condition of the department’s expenditure of some amount of approved funding.

Recommendations

Approve Security Operations Center and Audit Program Funding Conversion Proposal With Revised Statutory Language to Reflect Administration’s Intent. We recommend the Legislature approve CDT’s IS budget proposal with revised statutory language to reflect the intent of the administration for state entities to use funding previously budgeted for IS program audits to remediate deficiencies in their IS programs. We also recommend the Legislature direct CDT to report back at future budget hearings on the possibility of funding statewide SOC services in this proposal through the state’s Pro Rata and Statewide Cost Allocation Plan processes, as well as other alternative funding sources for new programs and services.

Approve Stabilize Critical Services and IT Infrastructure Proposal With Budget Bill Language to Allow Legislative Review of Changes in Administrative Policy. We recommend the Legislature approve CDT’s Stabilize Critical Services and IT Infrastructure proposal with budget bill language that conditions the expenditure of some amount of approved funding on the completion of changes in administrative policy and notification of (at a minimum) the Joint Legislative Budget Committee for legislative review. The exact amount of approved funding subject to this provision would be negotiated between the administration and the Legislature.