AB 670, as amended, Irwin. begin delete Security assessments. end delete begin insert Information technology security. end insert
begin delete Existing end delete begin insert (1) Existing end insert law begin delete establishes end delete begin insert establishes, within the Government Operations Agency, end insert the Department of Technology begin delete within the Government Operations Agency, headed by end delete begin insert under the supervision of end insert the Director of begin delete Technology end delete begin insert Technology, end insert who is also known as the State Chief Information Officer. The department is begin insert generally end insert responsible for the approval and oversight of information technology projects by, among other things, consulting with begin insert state end insert agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs.
Existing law begin delete establishes end delete begin insert establishes, within the department, end insert the Office of begin delete Technology Services within the department, end delete begin insert Information Security end insert under the supervision of the Chief of the Office of begin delete Technology Services, and end delete begin insert Information Security. Existing law end insert sets forth begin delete its duties, end delete begin insert the authority of the office, end insert including, but not limited to, the authority to begin delete conduct end delete begin insert conduct, end insert or require begin delete a end delete begin insert to be conducted, an independent end insert security assessment of any state agency, begin delete as prescribed. end delete begin insert department, or office the cost of which is to be funded by the state agency, department, or office being assessed. end insert
This bill would, instead, begin insert impose a duty on the office to end insert require begin delete the office end delete begin insert it end insert to conduct, or begin delete require, an end delete begin insert require to be conducted, an independent security end insert assessment of every state begin delete agency end delete begin insert agency, department, or office end insert at least once every 2 years and would begin delete require end delete begin insert maintain the requirement that end insert the state begin delete agency end delete begin insert agency, department, or office end insert being begin delete audited to pay end delete begin insert assessed fund end insert the costs of the begin insert independent end insert security assessment. begin delete The end delete begin insert This end insert bill would begin insert require an independent security assessment to include specific components, to the extent possible, and end insert authorize the department to require begin delete agencies that are end delete begin insert a state agency, department, or office end insert not in compliance begin insert with any recommendation made in the independent security assessment end insert to redirect begin insert its end insert available begin delete funding end delete begin insert and authorized funds end insert to pay the costs of begin delete the assessments. The bill would require the department to adopt standards, to be included within the State Administrative Manual, setting forth the manner for the assessed agency to communicate the assessment results to the department. end delete begin insert complying with the recommendation. end insert
begin delete This bill would authorize the Governor’s Office of Emergency Services to conduct the strategic direction of security assessments performed by the Military Department’s Computer Network Defense Team, and would require those assessments to contain certain elements. end delete
begin insert This bill would require the results of an independent security assessment to be available only to the state agency, department, or office that was assessed. This bill would restrict the transmission or communication of the results of an independent security assessment and any related information to state government employees and state contractors who have been approved as necessary to receive this information in order to perform the assessment. The bill would require the department to adopt standards, to be included within the State Administrative Manual, setting forth the manner for the aggregate of the results of an independent security assessment to be transmitted to the department. end insert
begin insert This bill would deem the results of an independent security assessment, the aggregate of the results of an independent security assessment transmitted to the department, and any related information as confidential and prohibit their disclosure pursuant to any state law, including, but not limited to, the California Public Records Act. This bill would require data produced during the creation of an independent security assessment to be destroyed within 1 year of its date of creation, unless the Office of Emergency Services determines that retention for a longer period of time is necessary for state security. end insert
begin insert This bill would also authorize the Military Department to perform an independent security assessment as described above. This bill would authorize the Military Department to mitigate the impact of a cyber attack or assist a law enforcement investigation into cyber security upon the request of the Office of Emergency Services, a state law enforcement agency, or a state agency, department, or office. This bill would further authorize the Military Department to perform a cyber security assessment or respond to a cyber security incident impacting state infrastructure upon the request of the Office of Emergency Services. end insert
begin delete Existing end delete begin insert (2) Existing end insert law requires that a statute that limits the public’s right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings to demonstrate the interest protected by the limitation and the need for protecting that interest.
This bill would limit access to begin insert the results of an independent end insert security assessment begin delete results, end delete begin insert and related records end insert and would make findings to demonstrate the interest protected by the limitation and the need for protecting that interest.
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
SECTION 1. Section 11549.3 of the Government Code is amended to read:
(a) The director shall establish an information security program. begin insert The office shall report to the Department of Technology any state agency found to be noncompliant with information security program requirements. end insert The program responsibilities include, but are not limited to, all of the following:
(1) The creation, updating, and publishing of information security and privacy policies, standards, and procedures for state agencies in the State Administrative Manual.
(2) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies to effectively manage security and risk for both of the following:
(A) Information technology, which includes, but is not limited to, all electronic technology systems and services, automated information handling, system design and analysis, conversion of data, computer programming, information storage and retrieval, telecommunications, requisite system controls, simulation, electronic commerce, and all related interactions between people and machines.
(B) Information that is identified as mission critical, confidential, sensitive, or personal, as defined and published by the Office of Information Security.
(3) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies for the collection, tracking, and reporting of information regarding security and privacy incidents.
(4) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies in the development, maintenance, testing, and filing of each agency’s disaster recovery plan.
(5) Coordination of the activities of agency information security officers, for purposes of integrating statewide security initiatives and ensuring compliance with information security and privacy policies and standards.
(6) Promotion and enhancement of the state agencies’ risk management and privacy programs through education, awareness, collaboration, and consultation.
(7) Representing the state before the federal government, other state agencies, local government entities, and private industry on issues that have statewide impact on information security and privacy.
(b) An information security officer appointed pursuant to Section 11546.1 shall implement the policies and procedures issued by the Office of Information Security, including, but not limited to, performing both of the following duties:
(1) Comply with the information security and privacy policies, standards, and procedures issued pursuant to this chapter by the Office of Information Security.
(2) Comply with filing requirements and incident notification by providing timely information and reports as required by policy or directives of the office.
(c) begin insert (1) end insert The office shall conduct, or require to be conducted, an independent security assessment of every state agency, department, or office at least once every two years. The cost of the begin insert independent end insert security assessment shall be funded by the state agency, department, or office being assessed. begin delete The assessment results shall be made available only to the assessed entity. end delete The begin insert independent security end insert assessment shall include, to the extent practicable, all of the following begin delete components, which end delete begin insert components and end insert shall be conducted in compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Controls:
begin delete (1) end delete begin insert (A) end insert Vulnerability scanning, that includes, but is not limited to, all of the following:
begin delete (A) end delete begin insert (i) end insert Validation that IT systems have currently supported software, with all necessary security patches and updates applied.
begin delete (B) end delete begin insert (ii) end insert Validation that system security configurations are in compliance with NIST standards.
begin delete (C) end delete begin insert (iii) end insert Validation that the network architecture is arranged so as to separate internal, publicly accessible, and external zones, along with a mechanism to identify and alert on attempted intrusions.
begin delete (2) end delete begin insert (B) end insert Penetration testing, when determined appropriate by the begin delete Governor’s end delete Office of Emergency Services.
begin delete (3) end delete begin insert (C) end insert A report on the number, severity, and nature of identified vulnerabilities and recommendations for remediation and risk mitigation.
(2) (A) The Military Department may perform an independent security assessment required by paragraph (1).
(B) The Military Department may mitigate the impact of a cyber attack or assist a law enforcement investigation into cyber security upon the request of the Office of Emergency Services, a state law enforcement agency, or a state agency, department, or office.
(C) The Military Department may perform a cyber security assessment or respond to a cyber security incident impacting state infrastructure upon the request of the Office of Emergency Services.
begin delete (d) The office shall report to the Department of Technology any state agency found to be noncompliant with information security program requirements. end delete
begin delete (e) end delete begin insert (d) end insert The Department of Technology may require begin delete that any agency in noncompliance with subdivision (c) end delete begin insert a state agency, department, or office to end insert redirect any funds within begin delete the agency’s budget, end delete begin insert its budget end insert that may be legally expended for these purposes, begin delete for the purposes of paying end delete begin insert to pay end insert the costs of begin delete compliance end delete begin insert becoming compliant end insert with begin delete subdivision (c). end delete begin insert any recommendation made in an independent security assessment. end insert
begin delete (f) The Governor’s Office of Emergency Services may conduct the strategic direction of security assessments performed by the Military Department’s Computer Network Defense Team, as budgeted in Item 8940-001-0001 of the Budget Act of 2014. Each assessment shall include all of the following:
(1) Contracting and negotiations with state agencies, departments, and offices, or private entities to be assessed.
(2) Setting an assessment calendar to be followed by the CND-T.
(3) Prioritizing of incident response. end delete
(e) (1) The office, Military Department, or entity required to conduct an independent security assessment pursuant to subdivision (c) shall transmit the results of that assessment only to the state agency, department, or office that was the subject of that assessment.
(2) The office, Military Department, or entity required to conduct an independent security assessment pursuant to subdivision (c) shall transmit an aggregate of the results of that assessment to the Department of Technology.
begin delete (g) end delete begin insert (3) end insert The Department of Technology shall adopt standards, to be included within the State Administrative Manual, setting forth the begin delete manner end delete begin insert requirements end insert for the begin delete assessed agency to communicate the end delete begin insert office, Military Department, or entity required to conduct an independent security assessment pursuant to subdivision (c) to transmit, pursuant to paragraph (2), the aggregate of the results of that end insert assessment begin delete results end delete to the begin delete department, end delete begin insert Department of Technology, end insert including, but not limited to, all of the following:
begin delete (1) end delete begin insert (A) end insert Aggregated, statistical information relevant to the assessment results, including, but not limited to, the number of identified vulnerabilities categorized by high, medium, and low risk. These results shall not include any specific information relative to the nature of the risk that is potentially exploitable.
begin delete (2) end delete begin insert (B) end insert Prioritization of vulnerabilities.
begin delete (3) end delete begin insert (C) end insert Identification of relevant internal resources.
begin delete (4) end delete begin insert (D) end insert Strategy for addressing and mitigating those vulnerabilities.
begin delete (h) Communication of assessment results shall be restricted to only approved government employees and validated contractors. Assessment results and related aggregated reports shall be confidential and, pursuant to Section 6254.19, shall be exempt from disclosure under the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).
(i) Data produced by assessments shall be retained by all parties for no longer than one year, unless the Governor’s Office of Emergency Services determines that retention for a longer period is necessary. end delete
(f) (1) Transmission or communication of the results of an independent security assessment performed pursuant to subdivision (c) and any related information shall be restricted to state government employees and state contractors who have been approved as necessary to receive this information in order to perform that assessment by the office, Military Department, or entity required to conduct the independent security assessment.
(2) The results of an independent security assessment performed pursuant to subdivision (c), the aggregate of the results of an independent security assessment transmitted to the Department of Technology pursuant to subdivision (e), and any related information are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).
(3) Data produced during the creation of an independent security assessment performed pursuant to subdivision (c) shall be destroyed within one year of its date of creation, unless the Office of Emergency Services determines that retention for a longer period of time is necessary for state security.
SEC. 2. The Legislature finds and declares that Section 1 of this act, which amends Section 11549.3 of the Government Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:
The state has a very strong interest in protecting its information technology systems from intrusion, because those systems begin insert contain confidential information and end insert play a critical role in begin delete assisting the entities end delete begin insert the performance of the duties end insert of state begin delete government in carrying out their duties. end delete begin insert government. end insert Thus, information regarding the specific vulnerabilities of those systems begin delete should be end delete begin insert must be end insert protected begin delete at least until those vulnerabilities have been remediated so as end delete to preclude use of that information to facilitate attacks on those systems.