In writing the state budget for fiscal 2020-21, the 86th Legislature will consider proposals to increase spending on cybersecurity. Appropriations for cybersecurity are not contained in a single line item but spread across state agencies and included in various strategies, projects, and programs. These appropriations pay for state agency staff, ongoing IT maintenance, payroll systems, data center services, major information resources projects, and other items. Cybersecurity costs make up about 2 percent of a state agency’s IT expenses, according to the Legislative Budget Board (LBB).
The Department of Information Resources’ (DIR) funding request for fiscal 2020-21 in all funds, including exceptional items, for cybersecurity-related projects is about $33.6 million, a 56 percent increase from fiscal 2018-19. DIR, which manages government information technology and provides guidance on cybersecurity for state entities, was appropriated $21.5 million in all funds in fiscal 2018-19 to provide security policy and related services, including assisting state entities in identifying security vulnerabilities. This included $3.4 million in new funding from general revenue, the only general revenue-related funds currently appropriated to DIR, for additional cybersecurity assessments and vulnerability testing, requirements established by the 85th Legislature in 2017.
For fiscal 2020-21, DIR has requested $12.3 million in additional general revenue funds for four new cybersecurity-related projects. The projects, listed as exceptional items in the agency’s Legislative Appropriations Request, are:
- a risk-based, multi-factor authentication tool that would require certain users to provide multiple means of identity verification at login to reduce improper or unauthorized access to state data;
- a cloud-based email filtering service through Microsoft Office 365 to help protect against malware and viruses;
- secure coding methods training for certain agency employees; and
- security benchmarking for state agencies’ public-facing websites by a security rating service.
A main source of cybersecurity-related spending in the state budget is the Data Center Services program, which was created by the 79th Legislature in 2005 to reduce overall costs by consolidating IT infrastructure, products, and services across state agencies. DIR oversees the program, and participating agencies receive services that include upgraded technology, managed servers and networks, and enhanced security and disaster recovery. The program is available to all state agencies, institutions of higher education, and local governments.
DIR is funded primarily by fees it assesses for services provided by vendors to state agencies. Appropriations to DIR provide payments to vendors for those services. As a result, appropriations for the Data Center Services program are reflected both in DIR’s budget and in those of participating state entities. Fees for the program are deposited into the Statewide Technology Account for program operation and other functions. The Data Center Services program accounts for about 65 percent of DIR’s total budget.
Appropriations to DIR for the Data Center Services program increased from the previous biennium by $29.5 million in fiscal 2018-19, and DIR has requested an increase of $54.6 million, for a total of almost $545 million, for fiscal 2020-21. DIR estimates revenue in the Statewide Technology Account will be $549.7 million in fiscal 2020-21, up $60.8 million from fiscal 2018-19. The increase in both appropriations and revenue is due to program growth, as both the number of customers and the services consumed have increased. According to DIR, agencies are using more cloud services and showing more interest in shared, managed IT services.
As required by the General Appropriations Act for the 2018-19 biennium, DIR submitted a report to the LBB outlining the priority of state agencies’ cybersecurity and modernization projects. The report provides information on 67 projects from 28 agencies totaling an estimated funding request of $482 million. Other cybersecurity-related discussions during the upcoming legislative session could include cloud computing, IT delivery services, and other methods of securing the state’s electronic information.
By MacKenzie Nunez