Bill Text


AB-2225 State government: storing and recording electronic media. (2017-2018)

Date Published: 04/10/2018 09:00 PM

Amended in Assembly April 10, 2018
Amended in Assembly March 19, 2018

CALIFORNIA LEGISLATURE— 2017–2018 REGULAR SESSION

Assembly Bill No. 2225


Introduced by Assembly Member Limón

February 13, 2018


An act to amend Section 12168.7 of the Government Code, relating to state government.


LEGISLATIVE COUNSEL'S DIGEST


AB 2225, as amended, Limón. State government: storing and recording electronic media.
Existing law establishes the Department of Technology, under the supervision of the Director of Technology, to, among other things, establish and enforce state information technology strategic plans, policies, standards, and enterprise architecture.
Existing law requires the Secretary of State to approve and adopt appropriate standards established by the American National Standards Institute in order to ensure that uniform statewide standards for storing and recording permanent documents in electronic media remain current and relevant. Existing law requires those standards to include a requirement that a trusted system, as defined for purposes of these provisions and for purposes of provisions relating to the duties of county auditors, treasurers, and recorders, be utilized, and further specifies that a cloud computing storage service that complies with specified standards shall be considered a trusted system. Existing law specifies that, for purposes of those provisions, “cloud computing” is defined in a specified publication of the National Institute of Standards and Technology.
This bill would instead require the Department of Technology and the Secretary of State, in consultation with the Department of Technology, to approve and adopt appropriate uniform statewide standards for the purpose of storing and recording permanent and nonpermanent documents in electronic media, and would require “cloud computing” to be defined by the Department of Technology based on industry-recognized standards, consistent with the intent of the state law. The bill would delete those provisions that define a “trusted system” for purposes of the duties of county auditors, treasurers, and recorders. The bill would require a cloud computing storage service that complies with the standards adopted by the Secretary of State that provide administrative users with controls to prevent stored records from being overwritten, deleted, or altered to be considered a trusted system. The bill would require a trusted system using cloud computing storage service to comply with applicable standards articulated in the State Administrative Manual and the Statewide Information Management Manual. The bill would also require a state agency that contracts with a local government entity for the development, use, or maintenance of an information system, product, solution, or service to enter into a written agreement with that local government entity that, at a minimum, complies with requirements set forth in the State Administrative Manual.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 The Legislature finds and declares all of the following:
(a) Use of cloud storage for any business operation is a benefit to the state and to local public entities.
(b) There is within the Government Operations Agency the Department of Technology under the supervision of the Director of Technology, who also serves as the State Chief Information Officer. The department is generally responsible for the approval and oversight of information technology projects by, among other things, consulting with state agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs.
(c) There is within the Department of Technology the Office of Information Security, under the supervision of the Chief of the Office of Information Security. The office provides direction for information security and privacy to state government agencies.
(d) The Secretary of State is required to approve and adopt appropriate standards accredited by the American National Standards Institute.

SEC. 2.

 Section 12168.7 of the Government Code is amended to read:

12168.7.
 (a) The Legislature hereby recognizes the need to adopt uniform statewide standards for the purpose of storing and recording permanent and nonpermanent documents in electronic media.
(b) In order to ensure that uniform statewide standards remain current and relevant, the Department of Technology and the Secretary of State shall approve and adopt appropriate uniform statewide standards for the purpose of storing and recording permanent and nonpermanent documents in electronic media.
(c) The standards specified in subdivision (b) shall include a requirement that a trusted system be utilized. For this purpose and for purposes of Sections 25105, 26205, 26205.1, 26205.5, 26907, 27001, 27322.2, 34090.5, and 60203, Section 102235 of the Health and Safety Code, and Section 10851 of the Welfare and Institutions Code, “trusted system” means a combination of technologies, policies, and procedures for which there is no plausible scenario in which a document retrieved from or reproduced by the system could differ substantially from the document that is originally stored.
(d) The Secretary of State shall consult with the Department of Technology when approving and adopting appropriate uniform statewide standards, pursuant to subdivision (b), for storing permanent and nonpermanent records using a cloud computing storage service.

(e) A cloud computing storage service that complies with International Organization for Standardization ISO/IEC 27001:2013, or other applicable industry-recognized standard relating to security techniques and information security management, and standards adopted pursuant to subdivision (b) relating to techniques and information security management, and that provides administrative users with controls to prevent stored records from being overwritten, deleted, or altered, shall be considered a trusted system.

(f) A trusted system using cloud computing storage service shall also comply with applicable standards articulated in the State Administrative Manual and the Statewide Information Management Manual. This requirement applies to state agencies and does not apply to local government entities, except to local government entities that have voluntarily entered into a written agreement with a state agency subject to the State Administrative Manual, for the development, use, or maintenance of an information system, product, solution, or service.
(g) A state agency that contracts with a local government entity for the development, use, or maintenance of an information system, product, solution, or service shall enter into a written agreement with that local government entity that, at a minimum, complies with requirements set forth in the State Administrative Manual.

(h) For purposes of this section “cloud computing” shall be defined by the Department of Technology based on industry-recognized standards, consistent with the intent of this section.

(i) The Secretary of State shall ensure that microfilming, electronic data imaging, and photographic reproduction are done in compliance with the minimum standards or guidelines, or both, as recommended by the American National Standards Institute for recording of permanent and nonpermanent records or any other applicable and comparable industry standard.

(j) Nothing in this section shall prohibit a local government entity from adopting applicable standards articulated in the Secretary of State’s uniform statewide standards for Trustworthy Electronic Document or Record Preservation, the State Administrative Manual, or the Statewide Information Management Manual for purposes of utilizing a trusted system as described in subdivision (e).