Hearings

Assembly Select Committee on Cybersecurity

November 16, 2023
  • Jacqui Irwin

    Legislator

    Everybody was very interested in this subject and we were going to have an overflowing crowd, but apparently not. No, we didn't want everybody to have to walk across, well, I didn't want to have to walk across to the swing space, but welcome to today's informational hearing on California's Cybersecurity Plan for the State and Local Cybersecurity Grant Program. I want to remind everybody that testimony and public comment must be in person.

  • Jacqui Irwin

    Legislator

    This hearing will be live streamed on the Assembly website and the recording will be posted online. I know that Committee Members were not able to join us, but some of them will be watching online and we know other stakeholders will be watching also. I would like to start by thanking the panelists that are joining us today as we examine California's work to expand our cybersecurity efforts with local governments and, importantly, leverage federal dollars in this critical area.

  • Jacqui Irwin

    Legislator

    This hearing will be an opportunity for the public to develop a deeper understanding of the recently submitted California Cybersecurity Plan, which was a requirement of the State and Local Cybersecurity Grant Program, a program created by the Federal Infrastructure Investment and Jobs Act. This planning effort envisioned collaboration between the state and local leaders to prioritize efforts within the general categories to enhance our collective cybersecurity, all while understanding our state has a wide range of cyber maturity when encompassing every county, city, special district, school district, and other forms of local government.

  • Jacqui Irwin

    Legislator

    One of the constant challenges I have faced chairing this Committee in the past nine years is rarely do cybersecurity preventative measures get the attention or investment that they deserve. When I heard about this grant program being included in the Bipartisan Infrastructure Act, I was surprised but also relieved that our partners in Congress are finally putting some investment and focus on the cybersecurity of our local governments. As a former mayor and council member, I understand how critical it is for local governments to remain available and reliable to our constituents that they serve on a day-to-day basis.

  • Jacqui Irwin

    Legislator

    In many respects, the cybersecurity of our local governments, including the special districts who provide many critical services, are more fundamental to the daily lives of Californians than the operations of some state and federal agencies. I look forward to hearing from our panelists today and learning how the Legislature can ensure the success of California's participation in this grant program. With that, I would like to call up the first panel, and I'll ask some questions after so you know who you are.

  • Jacqui Irwin

    Legislator

    Tom and Vitaliy, good morning and thank you. Our first two witnesses are Tom Osborne, the Deputy Director for Homeland Security Directorate from the Governor's Office of Emergency Services, and Vitaliy Panych, the State Chief Information Security Officer from the California Department of Technology. You may begin when you are ready. Thank you.

  • Tom Osborne

    Person

    Good morning, Chairwoman and Members of the Committee. My name is Tom Osborne. I am a Deputy Director at the Governor's Office of Emergency Services, where I oversee our Homeland Security Directorate. In California, Cal OES is identified as the state entity for Homeland Security, and the Director of Cal OES serves as the Governor's Homeland Security Advisor. Cal OES is charged with mitigating the effects of disasters and protecting the lives and properties of Californians and supporting our communities in an effort to be resilient.

  • Tom Osborne

    Person

    In an endeavor to achieve resiliency, we promote safe and prepared communities with strength to withstand or rebound from any event or emergency, including cyber attacks. One such avenue of responsibility is through the coordination of federal grants, which includes the one we are here today to discuss. A little bit of background, the California Cybersecurity Integration Center, or the Cal-CSIC, is located within Cal OES's Homeland Security Directorate.

  • Tom Osborne

    Person

    And the mission of the Cal-CSIC and associated duties include certainly reduce the likelihood and severity of cyber incidents that could damage California's economy, its critical infrastructure, or public and private sector computer networks. The Cal-CSIC serves as the central coordinating hub of state government cybersecurity activities and coordinates information sharing with local, state, and federal agencies, tribal governments, utilities and other service providers, academic institutions, and non-government organizations.

  • Tom Osborne

    Person

    The Cal-CSIC is also charged with development of a cybersecurity strategy with recommendations received from the California Task Force on Cybersecurity, strengthening California's emergency preparedness and response. A little bit of background on this grant, as referred to earlier, Cal OES administers many federal grants for the State of California, including the one we're here to talk about today. But before I get into where we are at now and our next steps, I'd like to provide a little background in particular on this federal grant.

  • Tom Osborne

    Person

    In September 2022, Department of Homeland Security, the Federal Department of Homeland Security, established the State and Local Cybersecurity Grant Program via the Infrastructure Investment and Jobs Act, as referred to a little bit earlier of 2021, also known as the Bipartisan Infrastructure Law. Further referred to in my testimony as I go forward as the Cyber Grant Program or Grant Program. Through this Bill, Congress set aside 1 billion to be awarded over a period of four years to qualifying applicants nationwide to support projects throughout the period of performance.

  • Tom Osborne

    Person

    These funds are dedicated for the purpose of reducing cybersecurity risks and threats to state, local, and territorial governments' information systems. FEMA's notice of funding opportunity, or NOFO, as it's referred to for this grant, and the grant requirements are detailed on grants.gov. The NOFO requires allocation of funds according to a cybersecurity plan developed by a Cybersecurity Planning Committee. All 56 states and territories are eligible recipients, but only one eligible entity may apply for this grant. Sub-recipients receive funding through the State Administrative Agency. Here in California, that is Cal OES.

  • Tom Osborne

    Person

    Sub-recipients are state agencies, local governments, and tribal governments. To put it in perspective, the scope of this grant to California includes 482 cities, 58 counties, approximately 3400 special districts, 1800 joint power authorities, almost 1000 school districts, 110 tribal governments, and over 140 state entities is the universe for which we're attempting to assist. All states and territories will receive funds determined by a statutory formula. Of the money received by California, 80% must be passed through directly or via in-kind services to local governments.

  • Tom Osborne

    Person

    In addition, 25% of that pass through amount must go to rural areas. Sub-award recipients may use funds in the areas of cybersecurity planning, equipment, exercises, management and administration, organization, and training. Also, as a part of this grant, there's a cost share requirement. The Cyber Grant has a predetermined percentage of cost share requirements for the recipients. For the FY 22 award, Cal OES submitted a 10% cost share waiver request to FEMA, for which it was subsequently approved.

  • Tom Osborne

    Person

    Future cost sharing requirements for FY 23 is 20%, 30% for FY 24, and 40% for FY 25. Additionally, recipients must use non-federal funds for their respective cost share requirements. So kind of what we've done as far as at OES and with our partners to move this ball forward, the Cal-CSIC has formed a subcommittee of the California Cybersecurity Task Force called the Cybersecurity Investment Planning Committee. Further in my testimony, I refer to that as the Subcommittee for the purpose of creating the plan as required by the grant.

  • Tom Osborne

    Person

    The Subcommittee is a requirement of the grant, as I just mentioned, and is vital to establish a representation of our local governments. As mentioned previously, 80% of the grant is intended to pass through to the locals, with 25% of that going to rural populations. Currently, there are over 560 members on our Subcommittee, and it has sent out regular announcements via updates, via email distribution, and has also held two informal sessions in May of 2023. On December 27th of 2022, California was successfully awarded $7,976,788 for the Cyber grant first year funding, so FY 22.

  • Tom Osborne

    Person

    With Cal OES accepting the award on January 23rd of 2023. As part of the NOFO, the Cyber Grant requires 16 elements to be included in the submitted Cybersecurity Plan. These 16 required elements form the guidelines to improve cybersecurity and must be addressed in the plan, but are not conditions for funding. Furthermore, the Cyber Grant required a capability gap survey of these 16 required elements to be completed. As such, our capability gap survey was completed in May of 2023. The analysis was completed in July of 2023, and then most recently, a preferred services survey was sent out in September of 2023.

  • Tom Osborne

    Person

    Our Chief Information Security Officer, my partner in crime, Vitaliy Panych, will also provide the results of this survey shortly. As mentioned, the survey is a grant mandate. It's a comprehensive maturity and capability gap of the 16 required elements as part of this planning process. This survey and assessment provides a greater understanding of the existing vulnerabilities and areas that need improvement across our state. Over 121 organizations completed the survey. All required sectors participated, representing all potential sub-recipient groups, county, city, special districts, tribal governments, and state government.

  • Tom Osborne

    Person

    On August 7th of 2023, FEMA announced $15,879,497 in FY 23 funding for the State of California. The required Cybersecurity Plan was completed before the September 30 deadline, September 30, 2023 due date, and was subsequently approved by DHS CISA. Last month, Cal OES applied for the FY 23 portion of the Cyber Grant by the due date of October 6, 2023, on time. With that, I'd like to transition over to Vitaliy Panych, our state's Information Security Officer, to talk a little bit more in depth about the survey, some of the requirements. Vitaliy, over to you.

  • Vitaliy Panych

    Person

    Thank you. Good morning, Madam Chair. My name is Vitaliy Panych. I am the State Chief Information Security Officer with the California Department of Technology. Thank you for the opportunity to speak before you guys today. I serve as the senior advisor for the SLCGP Planning Committee, the State Local Cybersecurity Grant Program, and a partner within the Cal-CSIC. Today, or at this point, I wanted to take a deeper dive into the organization and composition of the Grant Planning Committee.

  • Vitaliy Panych

    Person

    Its importance to represent the maximum amount of needs possible, the statutory required methodology to select the prioritized projects that fulfill the required elements within the grant, the emphasis on the prioritized projects selected as in-kind services provided by the state versus distributing entirely by direct funds. In other words, our hybrid approach where entities will get to choose an option.

  • Vitaliy Panych

    Person

    So, given the sheer scale of California, encompassing almost a total of 7000 maximum organizations between the entities previously outlined by Mr. Osborne, the state has executed on a specific approach to meet the federal eligibility requirements of the grant and also effectively address cyber risk reduction needs for our sub-grantees, as facilitated by our outreach. This grant will not only address the most urgent deficiencies for the beneficiaries, but it's a significant step towards helping many organizations establish basic fundamental cybersecurity practices.

  • Vitaliy Panych

    Person

    Our goal here is to leverage this limited amount of funding opportunity to focus on the most underfunded and constrained organizations, especially at the local levels, and leverage the state's buying power to maximize these dollars to go further than individual jurisdictions can do on their own. The required planning Committee was established in two parts. An Executive Committee was established to serve as signatories on the charter and formally approve the plan. This Executive Committee consists of the Office of Emergency Services as the State Administrative Agency, the SAA, within the OES Grants Unit, and the Cal-CSIC serving as the principal advisors.

  • Vitaliy Panych

    Person

    The State Chief Information Officer, along with the State CISO, which is myself, serving as the principal advisor, as well as the Acting Commander of the Cal-CSIC, along with representatives from the California State Association of Counties, Coalition of California Urban Area Security Initiatives, League of California Cities, California Department of Education, Local Public School District Representatives, the California Health and Human Services Agency, and finally the Rural County Representatives of California.

  • Vitaliy Panych

    Person

    Second, a Cybersecurity Task Force Subcommittee was established to develop the Cybersecurity Plan through participation in multiple working groups as well as surveys and information sessions, as mentioned previously before me. This broader group of several hundred individuals included representatives from the following: Municipal Information Systems Association of California, California County Information Services Directors Association, California Special Districts Association, Tribal Government representatives, and numerous IT cybersecurity and grants management professionals from city, county, special districts, and joint powers authorities.

  • Vitaliy Panych

    Person

    This Committee also established four working groups that focused on program objectives outlined within the plan. These working groups developed a methodology to assess two things, really the maturity and identify gaps for these future beneficiaries of this program. Then, this group mapped the maturity plus the capability scores that were assessed to the 16 categories this program is required to address over time. There are 16 required elements for the cybersecurity plan.

  • Vitaliy Panych

    Person

    These elements form guidelines to improve cybersecurity capabilities and must be addressed in the plan, but are not conditions for final funding outcomes. The program expects states to prioritize the elements based on capability gaps and that not all elements are required to be aligned to the proposed projects or projects to be funded. These elements are the subject of the capability gap survey instituted by our working groups.

  • Vitaliy Panych

    Person

    This capability gap survey was completed in May 23, the analysis was completed in July of 23, and the Prioritized Preferred Services survey was completed in September. The survey and informational meetings with the working groups evaluated maturity levels and capability gaps structured to align with these direct 16 required elements of the Cybersecurity Plan, ensuring that it provides insights directly relevant to grant recipients' cybersecurity needs.

  • Vitaliy Panych

    Person

    So, the maturity scores focus to prioritize the weaker of the scale, focusing on fundamental and foundational levels of maturity with combined gaps across and cross reference to the 16 elements and those are depicted in red in our cybersecurity plan. This identified top capability gaps to enable targeted investments in areas where they are needed the most, favoring the smaller and rural jurisdictions. So capability gaps are depicted in green within Appendix A of the Cybersecurity Grant Program. The combined results were also cross referenced to services that the Cal-CSIC and the CDT can realistically and cost effectively provide in the near term.

  • Vitaliy Panych

    Person

    As a result, the prioritized areas that the state provides as in-kind services are dark web monitoring facilitated and operationalized by the Cal-CSIC, threat intelligence subscriptions to include intelligence products subscriptions, monthly cyber threat briefings and morning reports, then security information and event management, a SIEM capability provided by the CDT for the purposes of log management. And then also we have the Security Operations Center capability which provides continuous monitoring, detection, and alerting via the state security operations as a service offering.

  • Vitaliy Panych

    Person

    So it really provides the personnel and the processes and the capability to have eyes on glass and look for activity within sub-grantees' networks and act on it. Most importantly and then lastly, virtual CISO advisory services to provide security personnel and augment security personnel really to aim at building risk management programs for the potential sub-grantees. And this particular program has been highly successful within our state agencies in order to really help the state agencies mature their cybersecurity resilience scores.

  • Vitaliy Panych

    Person

    So some of these programs were looking at potentially scaling out if they are in demand and providing that to the sub-grantees. The committees were also surveyed on which funding models would be most preferred, which are state government provided in-kind services, in lieu of cash, then direct cash, or a hybrid, in other words, an option to choose. The results of that question indicated a hybrid approach was preferred, with over 24% preferring the in-kind services route for services that the state provides, 23% preferred to receive direct cash to augment their internal efforts or a project falling within the 16 categories.

  • Vitaliy Panych

    Person

    And then lastly, 44% preferred to retain an option to select a combination of services or cash with the possibility of leveraging the state's buying power for necessary contracts. While these efforts involved many hours and many participants, they were necessary to gauge the actual needs and gaps of our represented grant beneficiaries. At this point in time, in the current fiscal year, or in fiscal year 22, statewide funding for California has been awarded and FY 23 funding is currently being allocated while we work towards final informal awards to our locals.

  • Vitaliy Panych

    Person

    The next step is really to intake sub-grantee applications, review, prioritize, and really figure out what the needs are at the local level so that we could support them with the appropriate funding model and/or the appropriate service. But before we get there, obviously our efforts will also be focused on outreach and advertising and really getting the word out that this grant opportunity is out there and we need as many applicants as we can so we could initiate our prioritization efforts.

  • Vitaliy Panych

    Person

    And throughout the year, we certainly have been conducting outreach through our partners mentioned before, as well as attending their events, their conferences, setting up exhibition booths to really market what the state does and what the state can provide so that we can ultimately benefit the greater good of the community and serve those that actually need our help. So with that, thank you for the opportunity to speak to you guys today. I look forward to answering any questions and I will turn it over back to Mr. Osborne for any final remarks.

  • Tom Osborne

    Person

    Thank you, Vitaliy. Just a couple things to wrap up. So kind of where we're at right now and where we're going. Vitaliy mentioned it, but right now that the Cybersecurity Plan has been approved, Cal OES and our Cal-CSIC Cyber Grant Project Management Team is working with various divisions within Cal OES, specifically our grants division, which are experts in the administration of federal grants, and the Department of Technology to establish our grant application process for the subrecipients according to the plan.

  • Tom Osborne

    Person

    This includes a price determination of service costs. What does that in-kind cost actually cost the State of California? And then translate that, because for this first year we only have $7.9 million. So spread across all those jurisdictions and the like. It's not a whole lot of money, appreciative of the dollars, but it's our first step. And determining our service enrollment process and forms, a request for proposal process for cash requests, refined approved criteria for our subrecipients, and various other dependencies that are required to implement the cybersecurity plan.

  • Tom Osborne

    Person

    So next steps as a subrecipient grant application is established, Cal OES will announce the application window through our partners, as Vitaliy will go far and wide in our advertisement of when this application window is open and how to apply through a website, a portal, many different areas that we are going to do. Those are all currently under works. Cal OES and CDT will perform outreach, as I mentioned, to ensure all subrecipients, including those who are not currently aware of the program, that we reach them as well.

  • Tom Osborne

    Person

    We think we did a pretty good marketing effort through the formulation of our Subcommittee and making sure we go far and wide. In conclusion, Cal OES will continue to work with our partners at the state, local, and federal levels to ensure Californians are prepared and can effectively respond to cyber attacks and threats throughout our communities. The federal Cyber Grant is a great way to assist in the fight against cyber threats, and Cal OES is taking steps to ensure all Californians can take full advantage of this program through accessibility and information. Thank you so much for the opportunity to speak to you today. We look forward to answering any questions that you may have.

  • Jacqui Irwin

    Legislator

    Well, thank you very much. So, just to be clear, these programs were, I mean, it seems like it's focusing on what existing services are already there, right?

  • Tom Osborne

    Person

    Not necessarily at the beginning of this entire process, but with the compacted time frame of actually getting money out to make an immediate impact, we certainly presented an option that here are a list of services that you could deploy readily, like right now, versus if a county or a city may want a contract for dark web monitoring as a service, by the time they would submit that application, by the time they would contractually obligate those funds and get those online, it would take them time.

  • Tom Osborne

    Person

    So one of the thoughts on this that the Committee even came up with, what can we do right now in the immediate term to help protect from cyberattacks? And so, as the survey certainly showed, that's where the hybrid model came in. It's not a one size fits all. We wanted maximum flexibility to serve potential subrecipients.

  • Jacqui Irwin

    Legislator

    Okay, I guess what I was saying is, it seems that these are very similar services to what CDT and Cal-CSIC already offer. And we know over the years that it's been very difficult to get local governments to use these services. And so maybe you can go a little bit more deeply, besides the outreach, by forming the Committee, how are you going to reach out to local governments?

  • Tom Osborne

    Person

    Yeah, I think certainly, and Vitaliy can chime in here, through the representation of our Subcommittee of all respective recipients, our baseline, we had to certainly understand what is their fundamental baseline of cybersecurity, what is their maturity, and how can we help them almost immediately. And so, through their input, through their recommendations and thought is how the five different areas came into being.

  • Tom Osborne

    Person

    And as we mapped out in the survey, those five particular areas in the NOFO, the fundamentals of notice, of funding opportunity, there are 16 required elements, right? So we mapped out each one of those services that are considered in-kind services, they map to all of those 16 required elements so those help assist that. So as far as these are services that have already been provided, not at the scope and scale that we expected as a result of this project, but those are services that are readily available that we can do now.

  • Jacqui Irwin

    Legislator

    Because you were talking about the number of local agencies in California, what did that add up to? I heard 1000 districts, two, three thousand different entities that need to be reached. And right up to this point, before you started this effort, what percent do you think you have a relationship with?

  • Tom Osborne

    Person

    That's a very good question. And I'm going to base this on our current outreach that we do with our cyber threat intelligence distribution list that we touch. And it's roughly 1800 different entities that we touch on a regular basis. So it's pretty far, pretty wide. But certainly some of the representatives of different special districts, we relied upon them to reach out to their constituents because we certainly can't touch them all through simple word of mouth or an email blast. So we certainly, I think, made a really great effort in hitting all those particular groups and committees to help spread the word and go far and wide. Do I think we've touched every single community? Probably not, but that is still our goal.

  • Jacqui Irwin

    Legislator

    And then, I'm kind of curious, $7.9 million is almost nothing. I hate to say that I think it's really important to go through this effort and leverage. I mean, use it to leverage as much as you can. Why even ask local governments if they would like cash or if there's a hybrid program? Because it would come out to a few dollars and not necessarily help them further what it is that they are trying to do. So are you settled on this hybrid model? Does cash to individual local governments make sense at all?

  • Tom Osborne

    Person

    That's on the front end as we were developing this with our Subcommittee, that is certainly something that we examined, right? You're 100% correct. If one of the models was just straight cash, submit us a request, it may hit it. You can only slice that pie so much and it's no longer pie. And then you're really not making an impact of all of those numbers that we read of all the different districts. And you could probably not even put one person in a SANS class if you wanted to spread it out equally, however, we wanted flexibility, right? We didn't want to have it as it's a one size fits all.

  • Tom Osborne

    Person

    So that's where we currently are right now. The evaluation of proposals that we'll receive have to certainly be ranked, prioritized, and thought out carefully. But I think it was quite clear in the survey when we asked that particular question, different representative communities wanted the flexibility to make the decision later.

  • Jacqui Irwin

    Legislator

    Yeah, I'm not sure how realistic that is, but I appreciate you reaching out to all these localities. So how do you plan to collect the success metrics? And I obviously have a lot of interest in the migration to .gov, which is one of the elements. You have that 90% of local governments should be using multi-factor authentication, 100% of local governments should prohibit default passwords, and 90% should be going to the .gov domain. So how do you plan on collecting those statistics? Or are you already collecting them?

  • Vitaliy Panych

    Person

    Yeah, sure, I could take that one. Obviously the hybrid approach warrants a hybrid approach in collecting the data, spanning from self assessment surveys and questionnaires. For example, if one takes some cash, we would expect some data coming back into us so that we could ultimately report to FEMA, and data such as what's your coverage? For example, if you're buying a security training and awareness tool, are you sending that training material and covering all of your users, partial users, so things like that could be quantified.

  • Vitaliy Panych

    Person

    And then mean time to resolution, mean time to detection. So for example, if one chooses to go with our security operations center with an existing in-kind service, we already have metric and data collection measures in place. So if they subscribe with a SOC service offering, or the threat intelligence service offering, or even the virtual CISO service offering, we already have metrics in those service lines that we can collect and really report on behalf of the sub-grantee to CISA and FEMA.

  • Vitaliy Panych

    Person

    So obviously that's a condition of the grant, which makes it much more appealing to go with an in-kind service versus taking the cash and putting in a bunch of work and overhead to collect data and metrics or figuring out their own process for data collection. So for in-kind services, we have data collection mechanisms and reporting, which we've already instituted for our state agencies, but with hybrid or the cash option, we will have to resort to questionnaires and data coming back to us.

  • Jacqui Irwin

    Legislator

    I do want to focus a little again, because I'm interested on the .gov portion. You have 90% of local governments on .gov. The Bill that we had ended up peeling away a lot of the special districts, and it's just counties and cities, and I think currently they're at 30% or so. You have a pretty short time frame to get everybody else on. And to me it doesn't seem like when they were opposing the Bill, they said that they didn't have the resources, so it seems a small amount of funding isn't even going to get you there with who is already subject to that law.

  • Jacqui Irwin

    Legislator

    So I would think the virtual CISO would be the best way for counties and cities, local governments that are having issues to get help. But how much are you going to be funding that? How many people is that going to be? Or is this going to be completely automated? Or have you put together some sort of step by step instruction on how to convert to .gov?

  • Vitaliy Panych

    Person

    Yeah, and there's a looser kind of macro or general level step by step request process that's already outlined on how to request a domain and how to set up your email system and how to set up a web server. So all of those basic things are already documented. The challenges will come into the scope that falls outside of that. So for example, if somebody has some custom application or some custom integration within their organization, that's when extra and additional help would need to come in and potentially supplanted by a grant program like this.

  • Vitaliy Panych

    Person

    However, the broader family of CDT, there is a group that can also help out in terms of consulting and guiding those fringe use cases, or use cases that fall outside of the normal request process. So there's already a limited amount of resources within CDT that can consult on how to migrate. But potentially, if there's a bigger project associated with moving a large and complex organization to a CA gov in terms of their email or web servers or custom applications that potentially I would anticipate take additional funding.

  • Jacqui Irwin

    Legislator

    What does it look like right now? When you say you're offering virtual CISO services, how many people is that? Or how many people will that be once you are fully operational?

  • Vitaliy Panych

    Person

    So today we operate with a team of advisors, some of whom are state staff and a majority of whom are contractors. So we tapped into a contract which really gives us reach into a bunch of security professionals. So a bunch of security professionals, depending on what the need or what the discipline is. So for example, if we come across an agency or a customer or sub-grantee that needs help in how to build an incident response plan, we'll pull in an incident response expert from that bench of security professionals to help out with that specific need.

  • Vitaliy Panych

    Person

    Or, for example, if we need an individual that's good at setting up DNS security, or domain name system security, specifically applicable to the DNS migration, we can ask to pull in an expert on DNS security. So it's really a loose personnel augmentation with a consultancy or a contractor that has far and wide reach into various disciplines of IT and specifically IT security that we have the flexibility to pull into and essentially tag somebody into a specific problem.

  • Jacqui Irwin

    Legislator

    Okay.

  • Vitaliy Panych

    Person

    The particular organization we're dealing with, they have over 1000 security professionals that we can potentially ask for help. Not all at the same time, of course.

  • Jacqui Irwin

    Legislator

    But again, going back to this, getting these 90% of local governments on board. So you think that for the .gov, you think that the step by step instructions should be sufficient for most local governments.

  • Vitaliy Panych

    Person

    Generally, for a cookie cutter organization, it'll be sufficient enough. But I honestly can't say without knowing the full scope of the problem of what's out there between the thousands of organizations out there. But a typical organization, it should be pretty straightforward to set up a domain name, point it to a web server or an email. But I don't know a lot of those fringe use cases amongst the thousands of organizations that we're dealing with yet.

  • Jacqui Irwin

    Legislator

    And we focused on counties and cities. But I think what's really at risk is a lot of these special districts, and we would have liked to have included everything. But hopefully the special districts will see the writing on the wall and start to migrate also and use these other multi-factor authentication and prohibiting default passwords. I really appreciate you coming, and I think this is an extremely difficult task, again, for California. To me, this is just not the type of resources that should be, I mean, it's not nearly enough to put toward where we need to go with cybersecurity.

  • Jacqui Irwin

    Legislator

    But while we were putting this hearing together, it was difficult to find local government associations that were familiar with the plan and willing to discuss it. And so I think that's really my biggest concern is the way I started out, is there has to be a new way to do outreach, or I shouldn't say a new way.

  • Jacqui Irwin

    Legislator

    You have to augment the outreach that you're currently doing because it's really critical that at least all those local governments that are getting the threat analysis, that we know that they're on board and we know that they're doing the right things to protect their constituents. So I hope that there's really a lot of thought put into that, that we're not leaving anybody behind.

  • Tom Osborne

    Person

    Absolutely, understood. It's not a perfect science of touching each and everyone, but also in our plan there is a listing of all the different organizations and their chairs, who they represent is listed that's on there. So it was pretty expansive in that regard. Now, how far that permeates down is to your point, that's the challenge for which we all face, and ensuring that they are reaching their constituents not just through them but also through us. That's our obligation as well.

  • Jacqui Irwin

    Legislator

    And you always can work with legislators. If you look at the Senators and the Assembly Members, every county, every city, every special district is in one of our districts. And if we had information put together to let these counties and cities know what their responsibilities are, where they can find help through the state, we can help spread that information also. But this is really something that is critical.

  • Jacqui Irwin

    Legislator

    And I think it is becoming more and more critical when we see the elections coming up and we're seeing more and more of these cyberattacks. We really need to get everybody with the program. So use us, utilize us to help you spread the information. So thank you very much for joining us today. And we are now going to call up our next panel, and this is going to be an implementation discussion by representatives of local governments. Thank you, gentlemen.

  • Tom Osborne

    Person

    Thank you.

  • Jacqui Irwin

    Legislator

    For our next panel, we have Glenn Herdrich, who serves as the Information Security Manager for the County of Sacramento. And I guess we can have everybody come up at once. And then we have Andrea Bennett and David Thurston.

  • Jacqui Irwin

    Legislator

    All right, why don't we start with Glenn?

  • Glenn Herdrich

    Person

    All right, so can you hear me? Okay. First, I want to start with good morning all and thank you for coming to see about cybersecurity. As we look in the communities, there's different languages, and that makes it hard to communicate on the same level. I just want to share that with you before I start. Thank you. So with that, I worked on--first off, I guess I'll back up a little bit. My name is Glenn. I'm a CODA, so my parents are deaf.

  • Glenn Herdrich

    Person

    I understand that there are different perspectives on the way in which we integrate and communicate, and definitely as well as that in cybersecurity and what different levels think is the best priority for moving forward. I've worked in a lot of different organizations, first starting in the military, government contractor, health care, education, automotive, local government. I've worked in a lot of different sectors around security and cybersecurity, and our problems are all the same, but they're all different.

  • Glenn Herdrich

    Person

    We have different scopes and scales in which we can apply our resources to mitigate these cyber threats, and as your organizations get larger, your problems in scope also increase, but even in those organizations that are smaller, they have those same risks that need to be applied to them. When looking at the grant 16 categories, it felt like initially we weren't necessarily aligned to all of our needs at our level.

  • Glenn Herdrich

    Person

    I think that these are worthy items to help get us started in the right direction and provide a foundation to figure out how we should be actioning these resources. As a part of these plans that the state put together, it felt like--while I was appreciative of the integration that we got from the state and the outreach--that it didn't really align yet to our needs, mainly because there was a difficulty in understanding what our needs in the first place were.

  • Glenn Herdrich

    Person

    How do you communicate with so many organizations across such a large state to bring back those appropriate details to formulate a plan? I worked on three of the four working groups, and it was a bit of an eye opener at the differences that we saw in how we put this information together among the groups and related up, and was a little worrisome thinking that this was going on across the country where we were all heading in different directions and what our goals are because of our differences.

  • Glenn Herdrich

    Person

    I think there are some great components in this plan and that the goals set up while they are lofty and while with only four of them significantly wide in scope, that would be difficult to achieve for any organization, even the state itself. Some of these great components of this plan include some services from the state.

  • Glenn Herdrich

    Person

    I think that leveraging those services from a centralized place is going to be the only way that we are successful in adequating or applying funds to make a difference throughout the state. Sacramento County leverages some of these services already: vulnerability assessments, threat intelligence assessments, and we're still looking at integrating with their security operations center because as we integrate more together, we do better together, we have a better idea of the impacts that are occurring across the county, but there's some items in here, like you mentioned earlier: the NICE Workforce Framework.

  • Glenn Herdrich

    Person

    If you took a look at the positions that are listed in that framework, they're great, they're in detail, they're specific about a bunch of different disciplines within this cybersecurity space, but if you turn to look at your states and counties, in my organization, we have 12 individuals for all of cybersecurity for the entire county. If you take a look at my hometown, Galt, they have two IT people.

  • Glenn Herdrich

    Person

    So when you try to apply these really in-depth, scoped positions to our needs, they don't align. Sacramento County barely now has one security classification. We are moving for a couple of more, but they're all in line for a single alignment of information security analysts with a chain up, and that's even inclusion of the governance, risk compliance, security operations. It makes it very difficult for us to align to the things listed in this plan.

  • Glenn Herdrich

    Person

    And as I read through the plan, it felt like it was scoped for the state and that it was a repurposing of the state's goals and initiatives, their state security manual, how they operate, and how they believe that they should be moving forward, not necessarily how we should be moving forward. I think that there are some really good components specifically around the preparedness.

  • Glenn Herdrich

    Person

    And I think that in this grant funding, if we spent year one, year two, solely focusing all of those funds towards preparedness, we would set a foundation in which we could better communicate and understand the organization's risks, and what I mean by that in preparedness is, does each of the entities have an incident response plan that's something that could be templated, worked with the different organizations, and applied evenly throughout the state?

  • Glenn Herdrich

    Person

    Do they have a communication plan, a simple call tree that's printed out in a binder on their desk that they can pull out and say, 'hey, systems are down. Who do I call? Who do I call at the state so I can get the services and the help that I need?' Exercises. There's a lot of organizations here that haven't even completed one cybersecurity exercise, and if they do, the scope of that exercise is usually limited to the technical staff.

  • Glenn Herdrich

    Person

    As we look at, you know, in the State of California, the Great Shake, earthquake awareness and preparedness, why do we not have a similar action for cybersecurity to bring up awareness in these different organizations so that their leadership can be aware of these problems and contribute funding on their own behalf to help further their cybersecurity? There's another, I guess, issue that I'd like to just mention slightly, is the services that are received from the state. We leverage them.

  • Glenn Herdrich

    Person

    They're not fast, but they do provide a quality product, and if we allocate a significant amount of funding towards these state programs, we need to make sure that there's also checks to make sure that, 'hey, we were successful in allocating those funds for how the counties and local governments were able to improve their cybersecurity,' but are there requirements for the state in which they are obligated to, to provide those services to our county?

  • Glenn Herdrich

    Person

    Because if they're not effective, or if they're not streamlining their services towards our needs, then we are not going to be successful, and then it's going to look bad on the counties because we didn't--or local government--because we didn't leverage these services that were provided and maybe it's because we couldn't because it just didn't work from a workflow perspective. Also, another item as we look for future planning is we need to find a way to help small and local businesses with their cybersecurity.

  • Glenn Herdrich

    Person

    Cybersecurity is not just a county's problem, the state problem, local government's problem. This is something that we've seen time and time again where third party vulnerabilities result in compromises of organizations. So we need to help these businesses, especially these new businesses, have an understanding of cybersecurity and how they can implement some basic best practices so that they can help protect us over time.

  • Glenn Herdrich

    Person

    There were quite a few great mentions about the NICE cybersecurity framework, and I think that is how we gain the insight and drive forward in our cybersecurity posture. The NICE cybersecurity framework has some categories that are listed in a way that are understandable from both sides of the conversation. They're gradable, they're repeatable. Counties already do these as a part of their national cybersecurity readiness for grant funding to begin with.

  • Glenn Herdrich

    Person

    How can we get this information to the state as a survey to understand truly where our deficiencies are and where our risks are so that we can do better and move forward? I do want to say I appreciate all of the work that the state has done and the working groups.

  • Glenn Herdrich

    Person

    I think that this plan will be successful over time, and I think a lot of teams did a lot of great work to put this together so that we can become qualified for this grant funding and we can start moving in the right direction. Thank you.

  • Jacqui Irwin

    Legislator

    All right. Thank you very much. That was really helpful. So you're talking about surveying how well the government services are working yearly or how would you say that should be done?

  • Glenn Herdrich

    Person

    I would say, let's see, maybe some obligations if like, hey, we submitted for a request. How long does it take for the state to initially respond to acknowledge our request? How long does it take for the services to begin? How long does it take for those services to conclude and use those as metrics to see how effective these services are being actioned and did they actually resolve the problem that started the services in the first place?

  • Jacqui Irwin

    Legislator

    All right. Thank you very much. As I said, that was really helpful, Mr. Herdrich. Next up, we have two panelists from California IT in Education, their Executive Director, Andrea Bennett, and CITE's Treasurer, David Thurston, who serves as the Assistant Superintendent for Technology Services for the San Bernardino Superintendent of Schools. Whenever you're both ready.

  • Andrea Bennett

    Person

    I was going to do that same introduction, so appreciate that. So CITE is a not for profit organization supporting the IT professionals in K-12 education in California. Our members have titles such as Chief Technology Officer, Director of IT, Network Manager, Engineer, database administrators, CALPADS administrators, as well as first responders for classrooms, technology in the classrooms. Thank you for inviting us here today to talk about the plan.

  • Andrea Bennett

    Person

    We really appreciate that the state submitted the plan and we look forward to seeing the changes that can be made as a result. Generally, we are concerned that the state plan does not adequately address the cybersecurity threats targeting our public schools, public school students, the teachers, administrators, and classified employees. Schools often maintain important personal information like Social Security numbers, health care information, and sensitive personal data that, when compromised, can hurt people.

  • Andrea Bennett

    Person

    While it is important for the California Department of Technology and Cal-CSIC to first develop internal infrastructure to support the plan, direct cybersecurity support for schools is vital to protecting California students and school employees. Our 1,100 public school agencies continue to be a target for ransomware, DDoS attacks, and other incidences. California's public schools are different from other local governments like cities and counties, in that they are almost entirely dependent upon state and federal funding in order to operate.

  • Andrea Bennett

    Person

    School boards lack the ability to raise local revenue in order to fund new or ongoing initiatives like cybersecurity, so we need your help. The Legislature has taken positive steps recently. The recent passage of AB 1023 requires Cal-CSIC to coordinate cyber threat information sharing with schools. Cal-CSIC is preparing for this role now and can expand it when more help is needed by these entities. CITE also recently sponsored legislation signed by Governor Newsom to allow the California Military Department to offer independent security audits.

  • Andrea Bennett

    Person

    However, in our experience so far, it's been somewhat difficult to obtain these services due to lack of adequate staff within the military department, so we urge the Legislature to consider improving funding for these efforts. CITE has a vibrant community that communicates regularly with each other to assist, inform, and develop best practices for the use of technology in schools. So one way that CITE can help is by getting information to schools and county offices of education.

  • Andrea Bennett

    Person

    We can reach our members easily online and through regional groups and at other events. Our relationships with ACSA, CASBO, and CSBA can also help get information to other individuals and entities. Like I mentioned, there are about 1,100 individual school districts and also 58 county offices of education in California. They range like counties, from highly urban to highly rural, and two-thirds of the schools in California are considered small, which means they have about 2,500 students or less.

  • Andrea Bennett

    Person

    This means their budgets are small and their staffs are small. They don't have staff trained in cybersecurity and often have to use consultants to perform that kind of work. Many school districts cannot pay IT personnel at a rate commensurate with Silicon Valley, and so we struggle to fully staff our IT departments. Many counties and schools have already begun to evaluate their current cybersecurity posture, but often find it difficult to develop any kind of internal structure to mitigate risks regularly. Help from the state is essential.

  • Andrea Bennett

    Person

    Since the structure of the plan has no cash awards being given to schools, it will be up to the state to develop and make available services to accomplish the objectives in the plan. Proper and effective staffing, collaboration between municipalities and schools involving the private sector are all areas of importance. CITE would like to work with those involved in bringing SLCGP to fruition. We can be the voice of K-12 schools, county offices of education, and those working with them.

  • Andrea Bennett

    Person

    We appreciate your attention to this important issue. Our association stands ready and willing to continue to work with the Legislature and Administration to protect our public school students, teachers, administrators, and classified employees. And David Thurston here is definitely a subject matter expert and he's here to help me answer any questions you may have.

  • Jacqui Irwin

    Legislator

    I just have one before we move on. You mentioned the security assessments done by the military department. You haven't been able to access them? Not at all or--

  • Andrea Bennett

    Person

    No, they've been very willing to help us. The pilot that we had set up got waylaid by attorneys.

  • Jacqui Irwin

    Legislator

    Oh. So it hasn't happened?

  • Andrea Bennett

    Person

    It hasn't happened yet.

  • Jacqui Irwin

    Legislator

    Did you have a comment?

  • David Thurston

    Person

    Took us about a year to get an assessment as well. We're just now starting up the legal tie up as well on the state side.

  • Jacqui Irwin

    Legislator

    Did we know that? Maybe we could learn later about the legal tie up there? Not right now, probably. It's not supposed to be. If it's legal, you probably don't want to do it over the microphone. All right, thank you.

  • David Thurston

    Person

    And to speak about that particular service, while that pilot would have been an excellent opportunity to explore the effects of that assessment on school districts' ability to improve their posture, it was very clear from our interactions with the California Department of Military that they did not have the capacity to scale that up past possibly 10 districts at any given time. So if you're dealing with 1,100 districts, it's going to be difficult to reach a significant number of those districts. So that's something to be concerned of.

  • David Thurston

    Person

    As the colleagues here on the table have all commented, we definitely applaud the state, especially Cal OES and the CDT, to get this grant and get this money, however limited, into the state and to affect state and local governments. It is very clear from the reading of this grant or this plan, that this plan is not really designed to assist school districts, and that's fine.

  • David Thurston

    Person

    We understand that initially. Hopefully, the plan is to develop that capacity for Cal OES, specifically Cal-CSIC, to help school districts because currently that capacity doesn't exist. Another example would be AB 2355, which requires the reporting of cybersecurity events affecting more than 500 students or 500 staff members at a local school district.

  • David Thurston

    Person

    My colleagues and I from other county offices of education reached out to Cal OES and Cal-CSIC to talk about what that reporting would look like, and for quite a bit of time, there wasn't any clear guidance regarding that reporting, and there still isn't really an established protocol for that reporting.

  • David Thurston

    Person

    Right now, it's just an email. There hasn't been a formalized form, a workflow process, so it's up to school districts, local school districts to develop that process and then outreach to Cal OES, and there has been no--unfortunately--there's been no outreach from those state partners, and I don't think that that's not for a lack of trying or not for a lack of want. I think it's a lack of capacity.

  • David Thurston

    Person

    They've suddenly had their mission expanded by a large number of agencies that they have to outreach, and some of that infrastructure doesn't exist, and CITE, as a representative of those school districts, is here to cross that bridge or help them cross that bridge and develop that infrastructure because that communication infrastructure is going to be key.

  • Jacqui Irwin

    Legislator

    Okay. Do we have anything--

  • David Thurston

    Person

    Just here to answer questions.

  • Jacqui Irwin

    Legislator

    Oh. Do you have any questions? All right. Well, this was, I think one of--it was short and sweet. I think everybody probably is happy that they're going to have an extra hour in their day, so I really appreciate--we're going to continue to focus on this issue, look a little bit more deeply into the issues that you brought up today, especially for the schools. But like I mentioned, there are a lot of local governments, and we really have to make sure that we get everybody into the fold.

  • Jacqui Irwin

    Legislator

    So these comments have been very helpful. So thank you for joining us today and we are going to call members of the public if they have any public comments. All right, no public comments. So I would like to thank everybody for joining us. Oh, you do have a public comment?

  • Marcus Detwiler

    Person

    Good morning, Madam Chair. Marcus Detwiler with the California Special Districts Association. Happy to be here today. We've recently received the plan and begun our association's review of the plan. Looking forward to working with stakeholders on its development. Thank you.

  • Marcus Detwiler

    Person

    Or rather its deployment. Thank you.

  • Jacqui Irwin

    Legislator

    All right.

  • Jacqui Irwin

    Legislator

    Okay. Thank you very much for joining us. Again, I would like to thank all the panelists that joined us today to present to the Committee of One, and I'd like to thank all the support staff too that helped make this hearing possible. And with that, this informational hearing of the Assembly Select Committee on Cybersecurity is adjourned. Thank you.
