AB-1022 Information technology: Technology Recovery Plans: inventory. (2017-2018)

Date Published: 04/17/2017 09:00 PM

Amended in Assembly April 17, 2017
Amended in Assembly March 28, 2017

CALIFORNIA LEGISLATURE— 2017–2018 REGULAR SESSION

Assembly Bill No. 1022


Introduced by Assembly Member Irwin

February 16, 2017


An act to amend Sections 8592.35, 8592.40, and 8592.45 of the Government Code, relating to technology.


LEGISLATIVE COUNSEL'S DIGEST


AB 1022, as amended, Irwin. Information technology: Technology Recovery Plans: inventory.
The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. Existing law establishes the Department of Technology under the supervision of the Director of Technology who is also known as the State Chief Information Officer, and generally requires the Department of Technology to be responsible for the approval and oversight of information technology projects by, among other things, consulting with state agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs. Existing law establishes the Office of Information Security, within the Department of Technology, under the direction of a chief who reports to the Director of Technology. Existing law requires the Department of Technology, in consultation with the Office of Emergency Services and in compliance with the information security program required to be established by the chief of the Office of Information Security, to update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information. Existing law requires each state agency to provide its updated Technology Recovery Plan and report on its compliance with these updated standards to the department, as specified, and authorizes the department, in consultation with the Office of Emergency Services, to provide suggestions for a state agency to improve compliance with these standards. Existing law prohibits public disclosure of reports and public records relating to the cybersecurity strategies of state agencies, as specified.
This bill would require each state agency, as part of its Technology Recovery Plan, to provide the department with an inventory of all critical infrastructure controls, and their associated assets, in the possession of the agency. The bill would also authorize any other state or local entity that is not defined as a state agency to voluntarily submit an inventory of all critical infrastructure controls, and their associated assets, in the possession of the entity, to the department. The bill would prohibit public disclosure of these inventories.
Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.
This bill would make legislative findings to that effect.
The California Constitution requires local agencies, for the purpose of ensuring public access to the meetings of public bodies and the writings of public officials and agencies, to comply with a statutory enactment that amends or enacts laws relating to public records or open meetings and contains findings demonstrating that the enactment furthers the constitutional requirements relating to this purpose.
This bill would make legislative findings to that effect.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Section 8592.35 of the Government Code is amended to read:

8592.35.
 (a) (1) On or before July 1, 2018, the department shall, in consultation with the office and compliance with Section 11549.3, update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information.
(2) In updating the standards in paragraph (1), the department shall consider, but not be limited to considering, all of the following:
(A) Costs to implement the standards.
(B) Security of critical infrastructure information.
(C) Centralized management of risk.
(D) Industry best practices.
(E) Continuity of operations.
(F) Protection of personal information.
(b) Each state agency shall provide the department with a copy of its updated Technology Recovery Plan.
(c) Each state agency shall, as part of its Technology Recovery Plan, provide the department with an inventory of all critical infrastructure controls, and their associated assets, in the possession of the agency.

SEC. 2.

 Section 8592.40 of the Government Code is amended to read:

8592.40.
 (a) Each state agency shall report on its compliance with the standards updated pursuant to Section 8592.35 to the department in the manner and at the time directed by the department, but no later than July 1, 2019.
(b) Any state or local entity that is not required to comply with subdivision (c) of Section 8592.35 may voluntarily submit an inventory of all critical infrastructure controls, and their associated assets, in the possession of the entity, to the department.
(c) The department, in conjunction with the office, may provide suggestions for a state agency to improve compliance with the standards developed pursuant to Section 8592.35, if any, to the head of the state agency and the secretary responsible for the state agency. For a state agency that is not under the responsibility of a secretary, the department shall provide any suggestions to the head of the state agency and the Governor.

SEC. 3.

 Section 8592.45 of the Government Code is amended to read:

8592.45.
 The information required by subdivisions (b) and (c) of Section 8592.35, the report required by subdivision (a) of Section 8592.40, the inventory submission authorized by subdivision (b) of Section 8592.40, and any public records relating to any communication made pursuant to, or in furtherance of the purposes of, subdivision (c) of Section 8592.40 are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).

SEC. 4.

 The Legislature finds and declares that Section 3 of this act, which amends Section 8592.45 of the Government Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:
Preventing public disclosure of the individual and statewide critical infrastructure control inventories of state agencies promotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure controls within the state.

SEC. 5.

 The Legislature finds and declares that Section 3 of this act, which amends Section 8592.45 of the Government Code, furthers, within the meaning of paragraph (7) of subdivision (b) of Section 3 of Article I of the California Constitution, the purposes of that constitutional section as it relates to the right of public access to the meetings of local public bodies or the writings of local public officials and local agencies. Pursuant to paragraph (7) of subdivision (b) of Section 3 of Article I of the California Constitution, the Legislature makes the following findings:
This act strikes the appropriate balance between the public’s right to access information about the conduct of their governmental agencies and the need to protect the cybersecurity of critical infrastructure controls within the state.