
AB-1242 Information security.(2019-2020)



Current Version: 04/30/19 - Amended Assembly



Amended in Assembly April 30, 2019
Amended in Assembly April 12, 2019

CALIFORNIA LEGISLATURE — 2019–2020 REGULAR SESSION

Assembly Bill
No. 1242


Introduced by Assembly Member Irwin
(Coauthors: Assembly Members Gipson and Low)

February 21, 2019


An act to amend Sections 8586.5, 11546.2, 11549.3, and 11549.4 of, and to add Chapter 1.5 (commencing with Section 12095) to Part 2 of Division 3 of Title 2 of, the Government Code, relating to security. An act to amend Sections 11546.2 and 11549.3 of the Government Code, relating to security.


LEGISLATIVE COUNSEL'S DIGEST


AB 1242, as amended, Irwin. Office of Cybersecurity. Information security.
(1) Existing law establishes the Department of Technology within the Government Operations Agency. Existing law requires each state agency and certain designated state entities, on or before February 1 of each year, to submit to the Department of Technology a summary of their actual and projected information technology and telecommunications costs and a summary of their actual and projected information security costs, as specified.
This bill would, instead, require each state agency to comply with those provisions and would define state agency for these purposes to mean every state office, officer, department, division, bureau, board, and commission, except for the California State University.
(2) Existing law establishes the Office of Information Security within the Department of Technology, headed by the Chief of the Office of Information Security. Existing law requires the chief to establish an information security program and requires that program to include specified responsibilities, including coordinating the activities of state agency information security officers for purposes of integrating statewide security initiatives and ensuring compliance with information security and privacy policies and standards. Existing law requires specified state entities to implement and comply with the policies and procedures issued by the office.
This bill would require each state agency to comply with the policies and procedures issued by the Office of Information Security, and would define state agency for these purposes to mean every state office, officer, department, division, bureau, board, and commission, except for the California State University.

(1) The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. Existing law requires the Office of Emergency Services to establish and lead the California Cybersecurity Integration Center with the primary mission to reduce the likelihood and severity of cyber incidents that could damage California’s economy, its critical infrastructure, or public and private sector computer networks in the state.

This bill would create, in the office of the Governor, the Office of Cybersecurity under the direction of the Director of the Office of Cybersecurity. The bill would make the office responsible for, among other things, advising the Governor on issues of information security, privacy, and cybersecurity and would transfer the duty of establishing and leading the California Cybersecurity Integration Center to the Office of Cybersecurity from the Office of Emergency Services.

(2) Existing law establishes the Department of Technology within the Government Operations Agency. Existing law requires each state agency and certain designated state entities, on or before February 1 of each year, to submit to the Department of Technology a summary of their actual and projected information technology and telecommunications costs and a summary of their actual and projected information security costs, as specified.

This bill would, instead, require every state agency to comply with those provisions and would define state agency for these purposes to mean every state office, officer, department, division, bureau, board, and commission, except for the California State University.

(3) Existing law requires the Office of Information Security to consult with the Director of Technology, the Office of Emergency Services, the Director of General Services, the Director of Finance, and any other relevant agencies concerning policies, standards, and procedures related to information security and privacy.

This bill would, instead, require the office to consult with those entities concerning, among other things, the cybersecurity of the state.

(4) Existing law establishes the Office of Information Security within the Department of Technology, headed by the Chief of the Office of Information Security. Existing law requires the chief to establish an information security program and requires that program to include specified responsibilities, including coordinating the activities of state agency information security officers for purposes of integrating statewide security initiatives and ensuring compliance with information security and privacy policies and standards. Existing law authorizes the office to conduct an independent security assessment of each state agency, department, or office and to conduct an audit of information security to ensure program compliance, subject to certain standards and procedures, including reporting requirements. Existing law requires each state agency to implement and comply with the policies and procedures issued by the office.

This bill would require the Office of Information Security to consult with the Office of Cybersecurity when establishing the information security program and would require the program, in coordination with the Office of Cybersecurity, to be responsible for the creation and operation of select centralized security services. The bill would also transfer specified duties related to the assessment and audit described above from the Office of Information Security to the Office of Cybersecurity. The bill would further require each state agency to comply with the policies and procedures issued by the Office of Information Security, and would define state agency for these purposes to mean every state office, officer, department, division, bureau, board, and commission, except for the California State University.

This bill would make conforming changes.

Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Section 11546.2 of the Government Code is amended to read:

11546.2.
 (a) On or before February 1 of every year, each state agency and state entity subject to Section 11546.1, agency, as defined in Section 11000, shall submit, as instructed by the Department of Technology, a summary of its actual and projected information technology and telecommunications costs, including, but not limited to, personnel, for the immediately preceding fiscal year and current fiscal year, showing current expenses and projected expenses for the current fiscal year, in a format prescribed by the Department of Technology in order to capture statewide information technology expenditures.
(b) On or before February 1 of every year, each state agency and state entity subject to Section 11546.1 agency, as defined in Section 11000, shall submit, as instructed and in a format prescribed by the Department of Technology, a summary of its actual and projected information security costs, including, but not limited to, personnel, for the immediately preceding fiscal year and current fiscal year, showing current expenses and projected expenses for the current fiscal year, in order to capture statewide information security expenditures, including the expenditure of federal grant funds for information security purposes.

SEC. 2.

 Section 11549.3 of the Government Code is amended to read:

11549.3.
 (a) The chief shall establish an information security program. The program responsibilities include, but are not limited to, all of the following:
(1) The creation, updating, and publishing of information security and privacy policies, standards, and procedures for state agencies in the State Administrative Manual.
(2) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies to effectively manage security and risk for both of the following:
(A) Information technology, which includes, but is not limited to, all electronic technology systems and services, automated information handling, system design and analysis, conversion of data, computer programming, information storage and retrieval, telecommunications, requisite system controls, simulation, electronic commerce, and all related interactions between people and machines.
(B) Information that is identified as mission critical, confidential, sensitive, or personal, as defined and published by the office.
(3) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies for the collection, tracking, and reporting of information regarding security and privacy incidents.
(4) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies in the development, maintenance, testing, and filing of each state agency’s disaster recovery plan.
(5) Coordination of the activities of state agency information security officers, for purposes of integrating statewide security initiatives and ensuring compliance with information security and privacy policies and standards.
(6) Promotion and enhancement of the state agencies’ risk management and privacy programs through education, awareness, collaboration, and consultation.
(7) Representing the state before the federal government, other state agencies, local government entities, and private industry on issues that have statewide impact on information security and privacy.
(b) All state entities defined in Section 11546.1 Each state agency, as defined in Section 11000, shall implement the policies and procedures issued by the office, including, but not limited to, performing both of the following duties:
(1) Comply with the information security and privacy policies, standards, and procedures issued pursuant to this chapter by the office.
(2) Comply with filing requirements and incident notification by providing timely information and reports as required by the office.
(c) (1) The office may conduct, or require to be conducted, an independent security assessment of every state agency, department, or office. The cost of the independent security assessment shall be funded by the state agency, department, or office being assessed.
(2) In addition to the independent security assessments authorized by paragraph (1), the office, in consultation with the Office of Emergency Services, shall perform all the following duties:
(A) Annually require no fewer than thirty-five (35) state entities to perform an independent security assessment, the cost of which shall be funded by the state agency, department, or office being assessed.
(B) Determine criteria and rank state entities based on an information security risk index that may include, but not be limited to, analysis of the relative amount of the following factors within state agencies:
(i) Personally identifiable information protected by law.
(ii) Health information protected by law.
(iii) Confidential financial data.
(iv) Self-certification of compliance and indicators of unreported noncompliance with security provisions in the following areas:
(I) Information asset management.
(II) Risk management.
(III) Information security program management.
(IV) Information security incident management.
(V) Technology recovery planning.
(C) Determine the basic standards of services to be performed as part of independent security assessments required by this subdivision.
(3) The Military Department may perform an independent security assessment of any state agency, department, or office, the cost of which shall be funded by the state agency, department, or office being assessed.
(d) State agencies and entities required to conduct or receive an independent security assessment pursuant to subdivision (c) shall transmit the complete results of that assessment and recommendations for mitigating system vulnerabilities, if any, to the office and the Office of Emergency Services.
(e) The office shall report to the Department of Technology and the Office of Emergency Services any state entity found to be noncompliant with information security program requirements.
(f) (1) Notwithstanding any other law, during the process of conducting an independent security assessment pursuant to subdivision (c), information and records concerning the independent security assessment are confidential and shall not be disclosed, except that the information and records may be transmitted to state employees and state contractors who have been approved as necessary to receive the information and records to perform that independent security assessment, subsequent remediation activity, or monitoring of remediation activity.
(2) The results of a completed independent security assessment performed pursuant to subdivision (c), and any related information shall be subject to all disclosure and confidentiality provisions pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1), including, but not limited to, Section 6254.19.
(g) The office may conduct or require to be conducted an audit of information security to ensure program compliance, the cost of which shall be funded by the state agency, department, or office being audited.
(h) The office shall notify the Office of Emergency Services, Department of the California Highway Patrol, and the Department of Justice regarding any criminal or alleged criminal cyber activity affecting any state entity or critical infrastructure of state government.

SECTION 1. Section 8586.5 of the Government Code is amended to read:
8586.5.

(a) The Office of Cybersecurity shall establish and lead the California Cybersecurity Integration Center. The California Cybersecurity Integration Center’s primary mission is to reduce the likelihood and severity of cyber incidents that could damage California’s economy, its critical infrastructure, or public and private sector computer networks in our state. The California Cybersecurity Integration Center shall serve as the central organizing hub of state government’s cybersecurity activities and coordinate information sharing with local, state, and federal agencies, tribal governments, utilities and other service providers, academic institutions, and nongovernmental organizations. The California Cybersecurity Integration Center shall be comprised of representatives from the following organizations:

(1) The Office of Cybersecurity.

(2) The Office of Emergency Services.

(3) The Office of Information Security.

(4) The State Threat Assessment Center.

(5) The Department of the California Highway Patrol.

(6) The Military Department.

(7) The Office of the Attorney General.

(8) The California Health and Human Services Agency.

(9) The California Utilities Emergency Association.

(10) The California State University.

(11) The University of California.

(12) The California Community Colleges.

(13) The United States Department of Homeland Security.

(14) The United States Federal Bureau of Investigation.

(15) The United States Secret Service.

(16) The United States Coast Guard.

(17) Other members as designated by the Office of Cybersecurity.

(b) The California Cybersecurity Integration Center shall operate in close coordination with the California State Threat Assessment System and the United States Department of Homeland Security — National Cybersecurity and Communications Integration Center, and the Office of Emergency Services, including sharing cyber threat information that is received from utilities, academic institutions, private companies, and other appropriate sources. The California Cybersecurity Integration Center shall provide warnings of cyber attacks to government agencies and nongovernmental partners, coordinate information sharing among these entities, assess risks to critical infrastructure and information technology networks, prioritize cyber threats and support public and private sector partners in protecting their vulnerable infrastructure and information technology networks, enable cross-sector coordination and sharing of recommended best practices and security measures, and support cybersecurity assessments, audits, and accountability programs that are required by state law to protect the information technology networks of California’s agencies and departments.

(c) The California Cybersecurity Integration Center shall develop a statewide cybersecurity strategy, informed by recommendations from the California Task Force on Cybersecurity and in accordance with state and federal requirements, standards, and best practices. The cybersecurity strategy shall be developed to improve how cyber threats are identified, understood, and shared in order to reduce threats to California government, businesses, and consumers. The strategy shall also strengthen cyber emergency preparedness and response, standardize implementation of data protection measures, enhance digital forensics and cyber investigative capabilities, deepen expertise among California’s workforce of cybersecurity professionals, and expand cybersecurity awareness and public education.

(d) The California Cybersecurity Integration Center shall establish a Cyber Incident Response Team to serve as California’s primary unit to lead cyber threat detection, reporting, and response in coordination with public and private entities across the state. This team shall also assist law enforcement agencies with primary jurisdiction for cyber-related criminal investigations and agencies responsible for advancing information security within state government. This team shall be comprised of personnel from agencies, departments, and organizations represented in the California Cybersecurity Integration Center.

(e) Information sharing by the California Cybersecurity Integration Center shall be conducted in a manner that protects the privacy and civil liberties of individuals, safeguards sensitive information, preserves business confidentiality, and enables public officials to detect, investigate, respond to, and prevent cyber attacks that threaten public health and safety, economic stability, and national security.

SEC. 2. Section 11546.2 of the Government Code is amended to read:
11546.2.

(a) On or before February 1 of every year, each state agency, as defined in Section 11000, shall submit, as instructed by the Department of Technology, a summary of its actual and projected information technology and telecommunications costs, including, but not limited to, personnel, for the immediately preceding fiscal year and current fiscal year, showing current expenses and projected expenses for the current fiscal year, in a format prescribed by the Department of Technology in order to capture statewide information technology expenditures.

(b) On or before February 1 of every year, each state agency, as defined in Section 11000, shall submit, as instructed and in a format prescribed by the Department of Technology and the Office of Cybersecurity, a summary of its actual and projected information security costs, including, but not limited to, personnel, for the immediately preceding fiscal year and current fiscal year, showing current expenses and projected expenses for the current fiscal year, in order to capture statewide information security expenditures, including the expenditure of federal grant funds for information security purposes.

SEC. 3. Section 11549.3 of the Government Code is amended to read:
11549.3.

(a) The chief shall establish an information security program in consultation with the Director of the Office of Cybersecurity. The program responsibilities include, but are not limited to, all of the following:

(1) The creation, updating, and publishing of information security and privacy policies, standards, and procedures for state agencies in the State Administrative Manual.

(2) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies to effectively manage security and risk for both of the following:

(A) Information technology, which includes, but is not limited to, all electronic technology systems and services, automated information handling, system design and analysis, conversion of data, computer programming, information storage and retrieval, telecommunications, requisite system controls, simulation, electronic commerce, and all related interactions between people and machines.

(B) Information that is identified as mission critical, confidential, sensitive, or personal, as defined and published by the office.

(3) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies for the collection, tracking, and reporting of information regarding security and privacy incidents.

(4) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies in the development, maintenance, testing, and filing of each state agency’s disaster recovery plan.

(5) Coordination of the activities of state agency information security officers for purposes of integrating statewide security initiatives and ensuring compliance with information security and privacy policies and standards.

(6) Promotion and enhancement of the state agencies’ risk management and privacy programs through education, awareness, collaboration, and consultation.

(7) Representing the state, in consultation with the Office of Cybersecurity, before the federal government, other state agencies, local government entities, and private industry on issues that have statewide impact on information security and privacy.

(8) In coordination with the Office of Cybersecurity, the creation and operation of select centralized security services, including, but not limited to, the California Department of Technology Security Operations Center.

(b) Each state agency, as defined in Section 11000, shall implement the policies and procedures issued by the office, including, but not limited to, performing both of the following duties:

(1) Comply with the information security and privacy policies, standards, and procedures issued pursuant to this chapter by the office.

(2) Comply with filing requirements and incident notification by providing timely information and reports as required by the office.

(c) The Office of Information Security, in consultation with the Office of Cybersecurity, shall perform all the following duties:

(1) Annually require no fewer than 35 state entities to perform an independent security assessment, the cost of which shall be funded by the state agency, department, or office being assessed.

(2) Determine criteria and rank state entities based on an information security risk index that may include, but not be limited to, analysis of the relative amount of the following factors within state agencies:

(A) Personally identifiable information protected by law.

(B) Health information protected by law.

(C) Confidential financial data.

(D) Self-certification of compliance and indicators of unreported noncompliance with security provisions in the following areas:

(i) Information asset management.

(ii) Risk management.

(iii) Information security program management.

(iv) Information security incident management.

(v) Technology recovery planning.

(3) Determine the basic standards of services to be performed as part of independent security assessments required by this subdivision.

(4) The Military Department may perform an independent security assessment of any state agency, department, or office, the cost of which shall be funded by the state agency, department, or office being assessed.

(d) State agencies and entities required to conduct or receive an independent security assessment pursuant to paragraph (7) of subdivision (c) of Section 12095 shall transmit the complete results of that assessment and recommendations for mitigating system vulnerabilities, if any, to the Office of Information Security and the Office of Cybersecurity.

(e) (1) Notwithstanding any other law, during the process of conducting an independent security assessment pursuant to paragraph (6) of subdivision (c) of Section 12095 or an information security audit pursuant to subdivision (f) of Section 12095, information and records concerning the independent security assessment are confidential and shall not be disclosed, except that the information and records may be transmitted to state employees and state contractors who have been approved as necessary to receive the information and records to perform that independent security assessment, subsequent remediation activity, or monitoring of remediation activity.

(2) The results of a completed independent security assessment performed pursuant to paragraph (7) of subdivision (c) of Section 12095 and any related information shall be subject to all disclosure and confidentiality provisions pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1), including, but not limited to, Section 6254.19.

SEC. 4. Section 11549.4 of the Government Code is amended to read:
11549.4.

The office shall consult with the Director of Technology, the Office of Emergency Services, the Director of General Services, the Director of Finance, and any other relevant agencies concerning policies, standards, and procedures related to information security, privacy, and the cybersecurity of the state.

SEC. 5. Chapter 1.5 (commencing with Section 12095) is added to Part 2 of Division 3 of Title 2 of the Government Code, to read:
1.5. Office of Cybersecurity
12095.

(a) There is in state government, in the office of the Governor, the Office of Cybersecurity. The purpose of the Office of Cybersecurity is to advise the Governor on information security, privacy, and the cybersecurity posture of the state and to lead and coordinate the state’s day to day response to cybersecurity incidents, as well as statewide information security, privacy, and cybersecurity initiatives.

(b) The Governor shall appoint the Director of the Office of Cybersecurity who shall serve at the pleasure of the Governor. The director shall lead the Office of Cybersecurity in carrying out its powers and duties. The director shall have all rights and powers of a head of a department, as provided by Chapter 2 (commencing with Section 11150) of Part 1.

(c) The Office of Cybersecurity under the direction of the director shall perform all of the following duties:

(1) The director shall be chief advisor to the Governor on matters pertaining to information security, privacy, and cybersecurity.

(2) (A) The director shall be the lead coordinator for nonemergency response to any breach or attempted breach of the confidentiality, integrity, or availability of state systems and applications. The Office of Cybersecurity shall coordinate among other state and local agencies the emergency response, monitoring, mitigation, and long-term management of a cybersecurity breach or attempted breach.

(B) The Office of Emergency Services and the State Operations Center shall lead the response to an emergency proclaimed by the Governor related to a cybersecurity event and designate an incident commander and response team pursuant to state policy and law.

(3) The director shall operate and maintain the California Cybersecurity Integration Center pursuant to Section 8586.5.

(4) The director shall lead private sector and education partnership efforts to build out a workforce pathway of cybersecurity expertise.

(5) The director shall be responsible for oversight of the Office of Information Security in providing strategic direction for information security and privacy to state government agencies, departments, and offices, pursuant to Section 11549.3.

(6) The Office of Cybersecurity may conduct, or require to be conducted, an independent security assessment of every state agency, department, or office. The cost of the independent security assessment shall be funded by the state agency, department, or office being assessed.

(7) The director shall coordinate with state, local, tribal, and territorial governments and stakeholders for the purpose of collaborating on state cybersecurity initiatives.

(8) The director shall act as the state’s Chief Information Security Officer representative in the Senior Advisory Council and Urban Area Working Group in accordance with Federal Emergency Management Agency guidance.

(d) The director shall represent the state before the federal government, other state agencies, local government entities, and private industry on issues that have statewide impact on cybersecurity.

(e) The Office of Cybersecurity shall report to the Governor, the Director of Finance, and the appropriate committees of the Legislature any state entity found to be noncompliant with information security program requirements or failing to adequately address security risks.

(f) The Office of Cybersecurity may conduct or require to be conducted an audit of information security to ensure program compliance, the cost of which shall be funded by the state agency, department, or office being audited.

(g) The Office of Cybersecurity shall notify the Office of Emergency Services, the Department of the California Highway Patrol, the Office of Information Security, and the Department of Justice regarding any criminal or alleged criminal cyber activity affecting any state entity or critical infrastructure of state government.

(h) Any property of any office, agency, or department that relates to functions transferred to the Office of Cybersecurity by the act adding this section is hereby transferred to the Office of Cybersecurity. If any doubt arises as to whether that property is required to be transferred, the Department of General Services shall determine whether any property is required to be transferred pursuant to this subdivision.

(i) Any unencumbered balance of any appropriation and any other funds that was available for use in connection with any function, or the administration of any law, transferred to the Office of Cybersecurity by the act adding this section shall be transferred to the Office of Cybersecurity for the use and for the purpose for which the appropriation was originally made or the funds were originally available. If there is any doubt as to whether any funds are required to be transferred, the Department of Finance shall determine whether the transfer is required pursuant to this subdivision.