TOPEKA — The first mandated cybersecurity self-assessment by dozens of state agencies affirmed problems with managing risk, handling information available to vendors, updating disaster-recovery plans and complying consistently with data management protocol, state officials said Thursday.
Security challenges in large and small agencies of Kansas’ executive branch have been identified in confidential state government reports produced during the past several years. All that analysis of vulnerability at state agencies prompted the Kansas Legislature to require self-assessments every two years to keep a spotlight on progress in remedying weaknesses.
DeAngela Burns-Wallace, secretary of the Kansas Department of Administration and since September 2019 the state’s executive chief information technology officer, said survey responses had been submitted by 42 agencies. Ten agencies, all smaller agencies without full-time IT staff, didn’t meet the mid-October deadline for filing the report.
She didn’t identify agencies that missed the deadline, but said “we need this work done” and would compel production of the reports because it is “key and critical.”
She said there was need across state agencies for more standardization of data management. State organizations struggle to identify, track and manage cybersecurity risk, she said. The survey showed many agencies had disaster continuity plans, but “are not properly developing, testing and maintaining them,” an issue heightened during the COVID-19 pandemic.
In addition, Burns-Wallace said, the survey chronicled agencies that struggle to maintain information security when engaged with third-party vendors.
“The level of IT sophistication around security is varied,” Burns-Wallace said. “Particularly some of our smaller non-Cabinet agencies that don’t have full-time IT staff. Even in our larger Cabinet agencies, the IT expertise is one thing and that security expertise is a little bit different.”
The administration secretary said the state provided access to information security officers to help non-Cabinet agencies with cybersecurity concerns. In the future, she said, monthly training for executives and technical staff would be implemented to work on security.
Rep. Kyle Hoffman, a Coldwater Republican and vice chairman of the Joint Committee on Information Technology, said it was clear state government leaders failed in the past to pay sufficient attention to cybersecurity. He said problems at the Kansas Department of Labor were a vivid example, but the survey of dozens of agencies and the initiation of three-year IT improvement plans during the administration of Gov. Laura Kelly had been a step in the right direction.
“I think we have let cybersecurity go for so long,” Hoffman said. “It just seems like we just have struggled to get any sort of a good cybersecurity system going. I really appreciate what you’re doing with this.”
Hoffman did express concern with delays and cost overruns with an IT overhaul at Fort Hays State University and with hiccups in implementation of a state data center in Overland Park. Migration to the data center is expected to be finished in December, but Burns-Wallace said that project had been stuck at less than 20% migration for more than two years.
Rep. Pam Curtis, a member of the committee and a Democrat from Kansas City, Kansas, said it was important for state agencies to embrace business efficiencies afforded by greater reliance on information technology during the pandemic.
Sen. Kevin Braun, a Kansas City, Kansas, Republican on the IT committee, said he had been in meetings in which state agencies were aware of security problems but lacked the expertise to apply a fix. The idea of integrating security work into routine IT training is an “incredible leap forward in the last two years,” he said.
Burns-Wallace said the objective wasn’t to force centralization of IT operations for state government, but to establish a baseline for agencies of different sizes and with different missions.
It’s not enough for a handful of state agencies to meet benchmark standards while others muddle along without meeting expectations, she said.
“What are the things that you need to protect that are part of the backbone?” she said.
Burns-Wallace said the self-assessment process provided agencies opportunity to be reflective and to take ownership of their cybersecurity stance.
In terms of the state agency surveys on cybersecurity, Burns-Wallace said 25 agencies reported having an organization-wide security program. Ten agencies said they didn’t have such a program and seven agencies said they were unsure.
The survey asked whether the agency assessed and documented risks to IT systems that process, store or transmit restricted-use data. The response: 14 said yes, 25 said no and three were uncertain.
On the question of whether agencies implemented standards to guarantee data and information technology resources were maintained in compliance with state and federal law, here was the response: yes, 32 agencies; no, seven; unsure, three.
On the question of whether the agency implemented cost-effective safeguards to reduce, eliminate or recover from identified threats to data and information technology resources: 35 said yes, three said no and four were uncertain.
And, another: Does the organization conduct an annual internal assessment of its security program? The answer: 21 said yes, 13 said no and eight were uncertain.
“That’s not great,” she said. “At minimum, you want to know if you have it or not. If you’re unsure, that means we have some work to do.”