11549.45.
(a) For purposes of this section, the following definitions shall apply:(1) “Chief” means the Chief of the Office of Information Security.
(2) “Cybersecurity and Infrastructure Security Agency (CISA) Maturity Model” means the Zero Trust Maturity Model published by the Cybersecurity and Infrastructure Security Agency.
(3) “Endpoint detection and response” means a cybersecurity solution that continuously monitors end-user devices to detect and respond to cyber threats.
(4) “Multifactor authentication” means using two or more different types of identification factors to authenticate a user’s identity for the purpose of accessing systems and data.
(5) “State agency” has the same meaning as in Section 11000.
(6) “Zero Trust architecture” means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy that employs continuous monitoring, risk-based access controls, secure identity and access management practices, and system security automation techniques to address the cybersecurity risk from threats inside and outside traditional network boundaries.
(b) Every state agency shall implement Zero Trust architecture for all data, hardware, software, internal systems, and essential third-party software, including for on-premises, cloud, and hybrid environments, according to the following levels of maturity based upon the Cybersecurity and Infrastructure Security Agency (CISA) Maturity Model:
(1) Achieve “Initial” maturity by June 1, 2024.
(2) Achieve “Advanced” maturity by June 1, 2026.
(3) Achieve “Optimal” maturity by June 1, 2030.
(c) In implementing Zero Trust architecture, a state agency shall prioritize the use of solutions that comply with, are authorized by, or align to applicable federal guidelines, programs, and frameworks, including the Federal Risk and Authorization Management Program, the Continuous Diagnostics and Mitigation Program, and guidance and frameworks from the National Institute of Standards and Technology.
(d) Implementation shall, at a minimum, prioritize the following:
(1) Multifactor authentication for access to all systems and data owned, managed, maintained, or utilized by or on behalf of the state agency.
(2) Enterprise endpoint detection and response solutions to promote real-time detection of cybersecurity threats and rapid investigation and remediation capabilities.
(3) Robust logging practices to provide adequate data to support security investigations and proactive threat hunting.
(e) No later than January 1, 2025, the chief shall develop or revise uniform technology policies, standards, and procedures for use by each state agency in implementing Zero Trust architecture to achieve the “Advanced” and “Optimal” maturity levels stated in subdivision (b) in the State Administrative Manual and Statewide Information Management Manual. A state agency subject to subdivision (f) of Section 11549.3 may, but is not required to, use the policies, standards, and procedures developed by the chief.
(f) The chief shall update requirements for existing annual reporting activities, including standards for audits and independent security assessments, to collect information relating to a state agency’s progress in increasing the internal defenses of agency systems, including:
(1) A description of any steps the state agency has completed, including advancements toward achieving Zero Trust architecture maturity levels.
(2) Following an independent security assessment, an identification of activities that have not yet been completed and that would have the most immediate security impact.
(3) A schedule to implement any planned activities.
(g) The chief may update requirements for existing annual reporting activities, including standards for audits and independent security assessments, to also include information on how a state agency is progressing with respect to the following:
(1) Shifting away from trusted networks to implement security controls based on a presumption of compromise.
(2) Implementing principles of least privilege in administering information security programs.
(3) Limiting the ability of entities that cause cyberattacks to move laterally through or between a state agency’s systems.
(4) Identifying cyber threats quickly.
(5) Isolating and removing unauthorized entities from state agencies’ systems as quickly as practicable, accounting for cyber threat intelligence or law enforcement purposes.
(h) This section shall apply to the University of California only to the extent that the Regents of the University of California, by resolution, make any of these provisions applicable to the university.
(i) It is the intent of the Legislature that this section be implemented in a manner that is consistent with the state’s timely compliance with requirements that are conditions to receipt of federal funds, including, but not limited to, funding from the Infrastructure Investment and Jobs Act (Public Law 117-58).