AB 670, as amended, Irwin. Security assessments.
Existing law establishes the Department of Technology within the Government Operations Agency, headed by the Director of Technology who is also known as the State Chief Information Officer. The department is responsible for the approval and oversight of information technology projects by, among other things, consulting with agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs.
Existing law establishes the Office of Technology Services within the department, under the supervision of the Chief of the Office of Technology Services, and sets forth its duties, including, but not limited to, the authority to conduct or require a security [deleted: assessments] [inserted: assessment] of any state agency, as prescribed.
This bill would, instead, require the office to conduct, or require, an assessment of every state agency at least once every 2 years and would require the state agency being audited to pay the costs of the security assessment. The bill would authorize the department to require agencies that are not in compliance to redirect available funding to pay the costs of the assessments. The bill would require the department to adopt standards, to be included within the State Administrative Manual, setting forth the manner for the assessed agency to communicate the assessment results to the department.
This bill would authorize [deleted: the department and] the Governor’s Office of Emergency Services to [deleted: jointly] conduct the strategic direction of [deleted: risk] [inserted: security] assessments performed by the Military Department’s Computer Network Defense Team [inserted: , and would require those assessments to contain certain elements].
[inserted: Existing law requires that a statute that limits the public’s right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings to demonstrate the interest protected by the limitation and the need for protecting that interest.]
[inserted: This bill would limit access to security assessment results, and would make findings to demonstrate the interest protected by the limitation and the need for protecting that interest.]
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
SECTION 1. Section 11549.3 of the Government Code is amended to read:
(a) The director shall establish an information security program. The program responsibilities include, but are not limited to, all of the following:
(1) The creation, updating, and publishing of information security and privacy policies, standards, and procedures for state agencies in the State Administrative Manual.
(2) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies to effectively manage security and risk for both of the following:
(A) Information technology, which includes, but is not limited to, all electronic technology systems and services, automated information handling, system design and analysis, conversion of data, computer programming, information storage and retrieval, telecommunications, requisite system controls, simulation, electronic commerce, and all related interactions between people and machines.
(B) Information that is identified as mission critical, confidential, sensitive, or personal, as defined and published by the Office of Information Security.
(3) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies for the collection, tracking, and reporting of information regarding security and privacy incidents.
(4) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies in the development, maintenance, testing, and filing of each agency’s disaster recovery plan.
(5) Coordination of the activities of agency information security officers, for purposes of integrating statewide security initiatives and ensuring compliance with information security and privacy policies and standards.
(6) Promotion and enhancement of the state agencies’ risk management and privacy programs through education, awareness, collaboration, and consultation.
(7) Representing the state before the federal government, other state agencies, local government entities, and private industry on issues that have statewide impact on information security and privacy.
(b) An information security officer appointed pursuant to Section 11546.1 shall implement the policies and procedures issued by the Office of Information Security, including, but not limited to, performing both of the following duties:
(1) Comply with the information security and privacy policies, standards, and procedures issued pursuant to this chapter by the Office of Information Security.
(2) Comply with filing requirements and incident notification by providing timely information and reports as required by policy or directives of the office.
(c) The office shall conduct, or require to be conducted, an independent security assessment of every state agency, department, or office at least once every two years. The cost of the security assessment shall be funded by the state agency, department, or office being assessed. [inserted: The assessment results shall be made available only to the assessed entity.] The assessment shall include, [deleted: at a minimum,] [inserted: to the extent practicable,] all of the following components, which shall be conducted in compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Controls:
[deleted: (1) A legal, policy, standards, and procedure compliance review.]
[deleted: (2)] [inserted: (1)] Vulnerability [deleted: scanning.] [inserted: scanning, that includes, but is not limited to, all of the following:]
(A) Validation that IT systems have currently supported software, with all necessary security patches and updates applied.
(B) Validation that system security configurations are in compliance with NIST standards.
(C) Validation that the network architecture is arranged so as to separate internal, publicly accessible, and external zones, along with a mechanism to identify and alert on attempted intrusions.
[deleted: (3)] [inserted: (2)] Penetration [deleted: testing.] [inserted: testing, when determined appropriate by the Governor’s Office of Emergency Services.]
(3) A report on the number, severity, and nature of identified vulnerabilities and recommendations for remediation and risk mitigation.
(d) The office shall report to the Department of Technology any state agency found to be noncompliant with information security program requirements.
(e) The Department of Technology may require that any agency in noncompliance with subdivision (c) redirect any funds within the agency’s budget, that may be legally expended for these purposes, for the purposes of paying the costs of compliance with subdivision (c).
(f) The [deleted: Department of Technology and the] Governor’s Office of Emergency Services may [deleted: jointly] conduct the strategic direction of [deleted: risk] [inserted: security] assessments performed by the Military Department’s Computer Network Defense Team, as budgeted in Item 8940-001-0001 of the Budget Act of 2014. [inserted: Each assessment shall include all of the following:]
[inserted: (1) Contracting and negotiations with state agencies, departments, and offices, or private entities to be assessed.]
[inserted: (2) Setting an assessment calendar to be followed by the CND-T.]
[inserted: (3) Prioritizing of incident response.]
(g) The Department of Technology shall adopt standards, to be included within the State Administrative Manual, setting forth the manner for the assessed agency to communicate the assessment results to the department, including, but not limited to, all of the following:
[deleted: (1) Identification of vulnerabilities.]
(1) Aggregated, statistical information relevant to the assessment results, including, but not limited to, the number of identified vulnerabilities categorized by high, medium, and low risk. These results shall not include any specific information relative to the nature of the risk that is potentially exploitable.
(2) Prioritization of vulnerabilities.
(3) Identification of relevant internal resources.
(4) Strategy for addressing and mitigating those vulnerabilities.
[inserted text begins]
(h) Communication of assessment results shall be restricted to only approved government employees and validated contractors. Assessment results and related aggregated reports shall be confidential and, pursuant to Section 6254.19, shall be exempt from disclosure under the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).
(i) Data produced by assessments shall be retained by all parties for no longer than one year, unless the Governor’s Office of Emergency Services determines that retention for a longer period is necessary.
SEC. 2. The Legislature finds and declares that Section 1 of this act, which amends Section 11549.3 of the Government Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:
The state has a very strong interest in protecting its information technology systems from intrusion, because those systems play a critical role in assisting the entities of state government in carrying out their duties. Thus, information regarding the specific vulnerabilities of those systems should be protected at least until those vulnerabilities have been remediated so as to preclude use of that information to facilitate attacks on those systems.