Today's Law As Amended



AB-2190 Office of Information Security: annual statewide information security status report. (2021-2022)





SECTION 1.

 Section 11549.4.1 is added to the Government Code, to read:

11549.4.1.
 (a) The chief shall submit an annual statewide information security status report to the Assembly Committee on Privacy and Consumer Protection and the Senate Governmental Organization Committee. The report shall include all of the following items:
(1) The maturity metric scores it has calculated for each state agency or state entity, as those terms are defined in Section 11546.1. For purposes of this subdivision, “maturity metric scores” means the scores for each of the five categories of and overall score from the Statewide Information Management Manual 5300-C, or its equivalent, for each state agency and state entity.
(2) The results of the National Cyber Security Review for each state agency and state entity, as conducted by the United States Department of Homeland Security, the Multi-State Information Sharing and Analysis Center, and as available to the chief.
(b) The chief shall submit the first report no later than January 2023. This status report shall include the Department of Technology’s plan for assisting state agencies and state entities in improving their information security.
(c) Notwithstanding any law, the status report and any information or records included with the status report shall be confidential and shall not be disclosed. However, the information and records may be shared with members of the Legislature and legislative employees, at the discretion of the chairperson of the committee.
SEC. 2.
 The Legislature finds and declares that Section 1 of this act, which adds Section 11549.4.1 to the Government Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:
The state has a very strong interest in protecting its information technology systems from intrusion because those systems contain confidential information and play a critical role in the performance of the duties of state government. In order to protect information regarding the security status or specific vulnerabilities of those systems to preclude use of that information to facilitate attacks on those systems, it is necessary that this act limit the public’s right of access to that information.