A technician adjusts cables inside a server room in this file photo. A bipartisan pair of state senators has put a hold on a massive state IT contract amid questions about the performance of the state’s Department of Information Technology, or DoIT. (Photo by Petty Officer 1st Class Luke Pinneo/U.S. Coast Guard)
Officials at the state Department of Information Technology pushed back on a new audit that raises questions about how much progress has been made on issues found in earlier reviews.
The new report updates a 2024 review that cited more than a dozen concerns, including some redacted cybersecurity issues, at the department. While some progress had been made on those issues, auditors said the department “had not resolved some or all of the recommendations” from the earlier report.
But agency officials said they had fully implemented corrective action on four and were working on others. When auditors disagreed, Acting DoIT Secretary Melissa Leaman wrote in a response letter that “there are many factual inaccuracies in the draft report that we hope are addressed prior to OLA finalizing the report.”
It is common for auditors to share a draft copy of a report with department heads so that they can respond before an audit is released to the public.
The audit team said it stands by the accuracy of its report.
“DoIT’s response notes pervasive disagreement with our conclusions and several assertions that our comments were factually inaccurate,” Legislative Auditor Brian S. Tanen, wrote in the audit. “We reviewed DoIT’s responses and stand by the facts presented … which were factually accurate based upon documentation DoIT was able to provide during our fieldwork.”
The tug-of-war comes as lawmakers in Annapolis have taken a renewed interest in DoIT, following audits and concerns that the agency is not properly overseeing major and expensive technology projects. One top lawmaker characterized the agency’s efforts as a money pit.
The March 25 review by the Office of Legislative Audits looked at November 2024 to January 2025 and found that the department “had not resolved some or all of the recommendations in the 10 non-cybersecurity related findings” in a March 2024 report, that “concluded that DoIT’s accountability and compliance rating was unsatisfactory.”
The latest review showed many the earlier recommendations still unresolved, Tanen wrote in a letter to the legislative Joint Audit and Evaluation Committee.
DoIT claimed it had corrected concerns with ensuring major projects remained on time and on budget, evaluating outside project managers hired by contractors, and providing support documentation for costs in annual reports sent to the governor and legislature.
Auditors, in the most recent review, disagreed saying the efforts were “in progress.”
In another instance, auditors raised concerns about $25 million in cybersecurity remediation work orders. The auditor said the department had not done enough to ensure that nearly $12 million in work invoiced by the vendor related to those work orders.
The department reported to auditors that the issue had been corrected. Auditors, in their report, said corrective efforts were “in progress.”
The department also did not provide any updates on a nearly $589 million technology project called MDThink. Auditors said the recommendations from an earlier audit were not fully implemented.
The department has become a source of frustration for some lawmakers, including Sens. Katie Fry Hester (D-Howard and Montgomery) and Stephen S. Hershey Jr. (R-Upper Shore).
Both lawmakers said the agency’s “lack of clarity, authority and management and oversight really has led to poor project management, cost overruns and failures.”
One of those failures, according to Hester, was an 80% cost overrun on the MDThink project proposed by Gov. Larry Hogan (R). The senator called the resulting $588 million cost “pretty sad.”
Hester and Hershey sponsored a bill this year imposing more oversight over the agency.
The department also caught the attention of Senate Budget and Taxation Chair Sen. Guy Guzzone (D-Howard). He called the agency “a mess.” He added money for IT projects has been “going down a hole in many ways and in many projects. And it’s really a shame.”
The chair at the time vowed that the situation “has got to get handled, and it’s going to get handled.”
The General Assembly passed identical bills — House Bill 738 and Senate Bill 705 — aimed at refocusing the department on major projects and ensuring compliance with recommendations from the auditor. The bill now awaits action by Gov. Wes Moore (D).
Hester and Del. Anne Kaiser (D-Montgomery), sponsor of the House bill, are co-chairs of the Joint Committee on Cybersecurity and Information Technology.
The legislation as passed imposes new oversight and reporting requirements.
A key part of the bill expands and defines the responsibilities of the department secretary on oversight of major IT projects. The bill also prohibits contracting for IT services or products that are not consistent with its master plan.
The secretary must also meet quarterly with the chief information officer of agencies or departments with planned or ongoing IT projects.
It also sets up an expert panel to advise the legislature on IT issues and requires the Senate Budget and Taxation and House Health and Government Operations committees to convene a work group to evaluate the bill and other potential changes. The work group will also determine if other actions are needed to resolve issues raised by the auditor.