BILL ANALYSIS
Bill No: AB 2200
SENATE COMMITTEE ON GOVERNMENTAL ORGANIZATION
Senator Lou Correa, Chair
2013-2014 Regular Session
Staff Analysis
AB 2200 Author: John A. Perez
As Amended: June 12, 2014
Hearing Date: June 24, 2014
Consultant: Art Terzakis
SUBJECT
California Cyber Security Commission
DESCRIPTION
AB 2200 creates, until January 1, 2019, a 12-member
"California Cyber Security Commission" (CCSC), within the
Department of Technology (DOT), as an advisory body to
discuss strategies for improving the state's cyber security
and cyber response capabilities. Specifically, this
measure:
1) Makes various legislative findings and declarations
relative to the State's growing dependence on technology
which has made it increasingly vulnerable technically,
legally, and financially to both foreign and domestic
cyber security attacks and that for the purposes of
public safety and protection of public assets, the State
has a role in coordinating and improving its overall
security and response capabilities.
2) Creates the CCSC within the DOT consisting of the
following members:
a) The Director of the Department of Technology.
b) The Chief of the Office of Information Security.
c) The Director of Emergency Services.
d) The Attorney General.
e) The Adjutant General of the Military Department.
f) The Insurance Commissioner.
g) The Secretary of Health and Human Services.
h) The Director of Transportation.
i) The Controller.
j) A representative from the private sector in the
technology or cybersecurity industry, appointed by the
Governor.
aa) A representative from the private sector in the
utility, energy, or telecommunications industry,
appointed by the Speaker of the Assembly.
bb) A representative of California's critical
infrastructure interests (e.g., air traffic control,
ports, and water systems), appointed by the Senate
Committee on Rules.
3) Stipulates that members of the CCSC will meet at least
quarterly and serve without compensation, except that
members will be entitled to receive actual and necessary
travel expenses while on official business of the CCSC.
Also, provides that representatives appointed by the
Governor, Speaker of the Assembly, or Senate Committee on
Rules shall serve a 2-year term. In addition, any
designee shall serve at the pleasure of the official who
designated them. Furthermore, provides that nine members
will constitute a quorum.
4) Authorizes the CCSC to form an advisory board comprised
of one or more representatives from the following who
will serve at the pleasure of the CCSC:
a) The U.S. Department of Homeland Security.
b) The National Institute for Standards and
Technology.
c) State and Local Government.
d) California's utility grid, both private and public.
e) Technology firms, cybersecurity firms, critical
infrastructure operators, utility providers, financial
firms, health care providers, and other private
industries.
f) California's cybersecurity law enforcement
apparatus (the Attorney General's eCrimes Unit, the
California Highway Patrol, and the five regional task
forces of the High Technology Theft Apprehension and
Prosecution Program).
g) Entities operating with the CCSC to perform its
duties, including: the State Threat Assessment Center
and fusion centers, the California National Guard's
Computer Network Defense Team and California's
public/private universities and labs.
5) Stipulates that the duties of the CCSC shall include:
a) Developing cyber prevention, defense, and response
strategies and defining a hierarchy of command within
the State.
b) Partnering with the U.S. Department of Homeland
Security to develop an appropriate information sharing
system to effectively disseminate cyber threat and
response information and data to relevant private and
public sector entities.
c) Providing recommendations for information
technology security standards.
d) Compiling and integrating the research conducted by
academic institutions, federal laboratories, and other
cybersecurity experts.
e) Expanding the state's public-private cybersecurity
partnership network both domestically and
internationally.
f) Developing and providing a training program to
produce a credentialed and qualified state
cybersecurity taskforce.
g) Developing, in conjunction with the Department of
Insurance, a strategy to acquire and incorporate cyber
insurance into the procurement and administrative
processes of state agencies to protect state assets
and information.
h) Expanding collaboration with the state's law
enforcement apparatus.
i) Proposing potential governmental reorganization
options.
j) Coordinating the pursuit of fiscal resources to
enhance the state's cybersecurity, information
technology, data privacy, cyber research, and
technology-based emergency response capabilities.
6) Requires the CCSC to issue an annual report to the
Governor and the Legislature that details the activities
of the CCSC and makes recommendations to improve the
state's cybersecurity preparedness.
7) Contains a January 1, 2019 sunset provision.
EXISTING LAW
Existing law establishes the DOT within the Government
Operations Agency, responsible for establishing and
enforcing state information technology strategic plans,
policies, standards, and enterprise architecture. The
director of the DOT is the state's Chief Information
Officer (CIO), and is responsible for enhancing the
security, reliability, and quality of information
technology networks, services, and systems.
Existing law requires each state agency to have a chief
information officer who is appointed by the head of the
state entity, and is responsible for supervising all
information technology, including information security.
Existing law establishes the Office of Information Security
(OIS) within DOT, which is responsible for ensuring the
confidentiality, integrity, and availability of state
systems and applications. The law requires the OIS to
develop an information security program and establish
policies, standards, and procedures directing state
agencies to effectively manage security and risk.
BACKGROUND
The Office of Information Security (OIS), within the DOT,
is the primary state office charged with protecting state
information and ensuring confidentiality, integrity, and
availability of state systems and applications. In short,
the OIS is responsible, along with other agencies, for
ensuring the state's cyber security. However, various
other programs and agencies have roles related to managing
the state's cyber security.
This measure would create the 12-member CCSC within the DOT
to focus on improving the state's cyber security and cyber
response capabilities. Members, consisting of various
state agency department leaders as well as representatives
from private sector industries and other interests such as
air traffic control, ports, and water systems, would share
information to enable state government to protect and
secure important information, data, intellectual property,
financial networks, and critical infrastructure.
According to the author's office, AB 2200 "would advance
the state's overall cyber security assessment,
preparedness, and response systems, promote cyber security
information sharing and the use of best practices among the
private and public sectors, and identify funding and
research opportunities." The author's office contends that
different elements of the state's cyber security are
currently fragmented and the CCSC would help the state form
a coordinated strategy.
PRIOR/RELATED LEGISLATION
SB 1286 (Corbett), 2013-14 Session. Would raise from $35
million to $65 million the amount that the Public Utilities
Commission may devote to research and development projects
for the purposes of cyber security and grid integration.
(Held in Senate Committee on Rules)
AB 1620 (Rodriguez), 2013-14 Session. Would establish in
state government the California Emergency Management and
Disaster Preparedness Commission as a statewide
executive-level commission to assess and improve the
condition of the state's emergency preparedness,
management, and disaster recovery capabilities. (Pending in
this committee)
SUPPORT: None on file as of June 20, 2014.
OPPOSE: None on file as of June 20, 2014.
FISCAL COMMITTEE: Senate Appropriations Committee