KC Cyber Resilience Audit: Findings Sealed Under RCW 42.56.420(4), Public Gets a Letter Saying There Were Findings
What the public is allowed to know
| Item | Public? |
|---|---|
| That an audit happened | Yes |
| Period covered | Not stated |
| Agencies audited (beyond KCIT) | No |
| Specific vulnerabilities | No |
| Recommendation count | No |
| Recommendation content | No |
| County response | No |
| Whether KCIT agrees with findings | No |
| Whether any recommendations are accepted | No |
| Independent verification of any of the above | No |
The Auditor cites RCW 42.56.420(4): records related to “security or construction-related operations” of county IT infrastructure are exempt from public disclosure. The Auditor’s Office says it will follow up to ensure recommendations are implemented, but that follow-up will also be confidential.
What the public is told
- King County’s Office of Risk Management assesses it is “very likely” the county will experience a significant electronic security breach within the next five years.
- Cyberattacks on local governments elsewhere have caused “tens of millions of dollars” in damages and widespread system outages.
- The audit examined cybersecurity governance, threat assessment, risk prioritization, and incident detection and response.
- The audit found “areas of risk where King County could improve governance and processes around cybersecurity.”
The structural problem this case documents
This is not a critique of the RCW. There is a legitimate public-safety case for not publishing detailed vulnerabilities. The problem is the downstream accountability gap:
- Public cannot evaluate the severity of findings.
- Public cannot evaluate whether KCIT agreed or disagreed.
- Public cannot evaluate whether recommendations were implemented.
- Council members who do receive the confidential report cannot discuss it publicly.
- The follow-up audit will also be confidential.
The IG feasibility study (KC-2026-012) does not propose any solution to this specific gap. The Inspector General proposal (KC-2026-007) does not propose any solution either. Cyber governance is a structural blind spot in the registry by statute, not by neglect.
Comparison: Part I vs Part II
| | Part I | Part II |
|---|---|---|
| Date | Aug 4, 2020 | June 10, 2025 |
| Title | Cybersecurity Performance Audit | Cyber Resilience Performance Audit |
| Public findings | None | None |
| Public recommendations count | Not disclosed | Not disclosed |
| Public departments named | Not disclosed | KCIT named |
| County response published | No | No |
Five years between audits. The public knows the same amount about each: that they happened and that the auditor found things.
Reform watch
Reform status: none_proposed. Possible structural reforms a Council could pursue without violating RCW 42.56.420(4):
- Public summary of recommendation count and themes (not content).
- Public acceptance/rejection signal from KCIT (not the substance).
- Public timeline for implementation.
- Independent verification by a separate body (e.g., SAO) with redacted public reporting.
None of these are currently in flight.
Pairs with
- 2026-ospi-school-funding-it-system (OSPI IT failures — different pattern, public)
- KC-2026-012 (Auditor+Ombuds IG feasibility, which does not address this gap)
- KC-2026-007 (IG proposal, which does not address this gap)