California: New Metrics for Cybersecurity Readiness

California will soon implement a new set of measurements to gauge the cybersecurity readiness of state agencies, using a novel system to find network or software weaknesses, assess risk and compare results. Officials believe the metrics will yield a more accurate, objective, across-the-board appraisal of how each agency is prepared to combat cyber security attacks.

On Monday, the California Department of Technology’s (CDT) Office of Information Security (OIS) released a common set of metrics to apply to each agency’s or state entity’s cyber security program. The goal is multi-fold: to help state organizations comply with security and privacy requirements, and to improve efficiencies, visibility and decision-making, the OIS said in Technology Letter 18-01.

Together the benchmarks are referred to as the California Cybersecurity Maturity Metrics. They cover factors such as policy, system categorization and governance and are intended to evaluate budget allocations and capture objective data points, the letter said. Scoring is done on a 1-4 scale, with level 4 equated to high program maturity. The categories are based on the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework that’s designed to help employers identify, recruit and develop cyber security talent.

At the conclusion of an independent audit, each agency’s/state entity’s management and IT security teams will receive its maturity scores. The metrics themselves will not be adjusted or altered for four years to “ensure year-over-year comparisons for accurate trending and analysis,” according to the letter. At the end of that cycle, the measurements will be evaluated and updated to reflect changes in technology and the cybersecurity threat landscape, state officials said.

Peter Liebert
Peter Liebert

"This is not a punishment thing. This is not a naughty list," Peter Liebert, California chief information security officer and OIS director, told StateScoop. "This is literally us doing our best to ensure we find weak areas or those that are risky and help ensure that they're empowered to get a better program and increase their maturity to decrease their overall risk."

Will other states look closely at California’s system and perhaps follow its lead? While some states have applied a system of measurements to examine the cyber security performance of private industry, Liebert said there may not be another example in state government to measure cyber security program effectiveness.

There have been a number of calls for a national cyber security program. For example, a year ago Virginia Governor Terry McAuliffe called on Congress to build a bipartisan national plan for cyber security employment that spanned states, cities, counties and the federal government. Four months later, Virginia became the first state to adopt the NICE Framework.

California has previously installed parts of the performance yardsticks but never as a whole initiative, Liebert said. Training will begin sometime this spring and the first findings report should be released in about two years.

"The effort here is to continue CDT's effort to provide additional metrics that are measurable for both internal and external use," Liebert told StateScoop. "This is a key component of how we're going to determine risk across the state."

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.