
State auditor finds widespread cybersecurity gaps across Washington state and local governments

September 17, 2025 | Legislative Sessions, Washington


This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting.

The Washington State Auditor's Office presented its fiscal 2025 cybersecurity audit results to the Joint Legislative Audit and Review Committee on Oct. 5, saying audits of seven state agencies and 52 local governments found hundreds of security vulnerabilities and incomplete implementation of widely recommended safeguards. The auditor reported 227 vulnerabilities at the seven state agencies, including three rated critical and 21 rated high; penetration tests at seven local governments identified roughly 300 vulnerabilities, including nine critical and 47 high. "Protecting IT systems and data is important today as ever before," said Steven, a cybersecurity auditor at the State Auditor's Office, during the presentation.
The audit results matter because state and local IT systems underpin essential services and are attractive targets for ransomware, social engineering and nation-state activity, the auditors told the committee. The State Auditor's Office (SAO) compares agency practices to the Center for Internet Security Critical Security Controls version 8 and performs internal and external penetration testing; the office also delivers detailed, confidential technical results directly to audited entities. "There is an RCW that allows us to keep certain information confidential," Steven said, explaining why detailed vulnerabilities are shared only with relevant staff.
Across the seven state agency audits, auditors found that about one-third of assessed safeguards were fully implemented on all systems and that 61% of assessed safeguards were fully implemented on at least some systems. For the seven local cybersecurity audits, auditors found roughly one-quarter of assessed safeguards fully implemented on all systems and 51% implemented on at least some systems. Auditors said agencies reported fixes or fixes in progress for the most severe state-agency vulnerabilities. "We found a consistent drive across our auditees to address the critical vulnerabilities immediately and the high vulnerabilities rapidly as well," Steven said.
Committee members pressed auditors and WaTech staff on the practical ability to fix urgent vulnerabilities when agencies lack immediate budget authority. Representative Scott asked whether state agencies can repurpose funds to act quickly. Quinn Peralta, an IT security assistant audit manager at SAO, said the effort required depends on the vulnerability and that auditors try to identify free or low-cost mitigations and point entities to grant programs where funding is needed. Ralph Johnson, state chief information security officer at Washington Technology Solutions (WaTech), described compensating controls such as network segmentation and restricting internet connectivity to vulnerable systems as options when funding is not immediately available.
The presentations and Q&A emphasized that remediation often involves a mix of immediate configuration changes, compensating controls, and grant-funded projects. WaTech said federal and state cybersecurity grant funds have been pivotal: "Over the past 2 years, Washington state has leveraged more than $11,000,000 in federal and state cybersecurity grant funds in support of over 200 projects statewide," Johnson told the committee. Auditors and WaTech urged continued legislative support for grant programs and staffing to sustain improvements.
The SAO noted confidentiality limits on public reporting of specific entity names or vulnerability details; auditors said the detailed technical results are provided directly to audited entities and to limited partners with a need to know. The hearing closed with committee members thanking SAO and WaTech for the audits and for offering follow-up support. The SAO also outlined additional services — including targeted ransomware resiliency audits and critical-infrastructure audits — intended to help entities address urgent risks.
