The Marin County Housing Authority on Jan. 14 authorized a managed IT services contract with ConsultAd, Inc. for a not-to-exceed value of $1,400,000 over five years and approved an enterprise security risk assessment to follow a cybersecurity incident that the California Cybersecurity Integration Center investigated.

The decision followed public concern about nearly $1,000,000 the housing authority reported as stolen and requests that the agency pursue a forensic audit. Jason Balderrama, Marin County’s chief information security officer and a cybersecurity consultant to the housing authority, told commissioners that CalSIC, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI were engaged for incident response and that CalSIC’s forensic team concluded there was no evidence of continued compromise after remediation.

“CalSIC did bring in their team of forensic specialists to analyze the incident, do remediation [and] conduct investigation. That investigation has concluded and at this time there’s no further evidence of compromise with MHA’s IT systems,” Balderrama said.

Executive Director Kimberly Carroll told the board the procurement followed the housing authority’s procurement policy and that eight firms responded to the RFP. The evaluation committee recommended ConsultAd, Inc. as the vendor best suited to provide IT management, strategic planning and cybersecurity support.

The board also authorized a one-time enterprise security risk assessment by Plante Moran. Carroll said the assessment will inventory systems and review business processes, critical data, applications and controls to produce remediation recommendations. Balderrama said he and the county will continue to support the transition and that some CalSIC recommendations already have been implemented.

Public commenters urged more transparency about the theft and stronger process controls. Anne de Vera Rosenfeld, a resident and former auditor, urged the authority to explain “who is going to be held accountable” and to provide the investigative report she had been told existed. Other residents recommended a forensic audit and staff cybersecurity awareness training.

The board voted unanimously to approve the managed IT services contract and the enterprise security risk assessment. Carroll said staff will continue to report back to the board as work proceeds and as results from the Plante Moran assessment become available.

The authority also is working to migrate agency email and web services to a .gov domain as part of cybersecurity hardening and external support through federal and state partners.