The Education, Business and Administration Subcommittee heard a presentation on the Department of Information Technology’s (DoIT) fiscal 2025 budget. Analyst Yashodhar Araya said the allowance increases by $50.2 million, with $50.0 million earmarked for a security program focused on cybersecurity.
Araya told the committee that key managing‑for‑results indicators show mixed performance: cybersecurity training compliance fell to 64% in fiscal 2023 after a rebound to 81% in fiscal 2022, and advanced endpoint detection‑and‑response coverage declined to 89% as DoIT rolled out a new EDR solution. "We request DoIT to brief the committee on its outreach efforts to improve the share of employees' compliance with cybersecurity awareness training," Araya said.
Araya also flagged that critical patch and vulnerability‑scan compliance remained below 50% for agencies under DoIT enterprise support, citing slow responses to end-of-support dates (for example, Windows 10). He asked DoIT to outline strategies to improve compliance with critical patches.
On major IT projects, Araya said DoIT expects to oversee 58 projects in FY25 and that the major IT project fund accounts for a large share of DoIT spending. He noted proposed 2024 departmental bills—referred to in the presentation as Senate Bill 294 and House Bill 227—would raise the threshold that defines a major IT project from $1 million to $5 million and give the DoIT secretary broader authority to designate or exempt projects. Araya said the bills would "require discovery phases prior to project commencement" and could reduce procurement delays if enacted.
Araya recommended committee actions including restricting general funds for certain large projects pending submission of required information technology project requests (ITPRs) and adopting committee narrative requiring DoIT to add value and cost indicators to its MFRs. "DLS recommends adopting committee narrative to expand its MFR goals to include value and add indicators that measure cost and value," he said.
Secretary Katie Savage, who followed the analyst’s presentation, highlighted recent hires and organizational changes intended to strengthen cybersecurity, including the recently confirmed state chief information security officer, a new Maryland Digital Service, an Office of Digital Accessibility and a senior adviser for responsible AI. "We are trying to take DoIT from being a commodity IT provider to being a true visionary and a partner to our fellow executive agencies," Savage said.
Next steps noted for the committee included DoIT briefings on outreach to increase training compliance, plans to improve EDR coverage and critical‑patch compliance, and responses to DLS requests for details on canceled and reappropriated funds comprising $12.2 million in special funds included in the FY25 allowance.
No formal votes were recorded on the presentation; DLS recommended narrative and restricted‑fund language that the subcommittee may consider for incorporation into committee reports or appropriation language.