BILL ANALYSIS
AB 670
Page 1
Date of Hearing: April 7, 2015
ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Mike Gatto, Chair
AB 670
(Irwin) - As Amended April 6, 2015
SUBJECT: Security assessments
SUMMARY: Requires the Department of Technology (CalTech) to
conduct security assessments of the information technology
resources of every state agency, department or office at least
once every two years. Specifically, this bill:
1) Requires the Office of Information Security (OIS) within
CalTech to conduct an independent security assessment of every
state agency, department, or office at least once every two
years.
2) Requires the assessment to be conducted in compliance with the
National Institute of Standards and Technology (NIST) Special
Publication (SP) 800-53 Controls, and to include, to the
extent practicable, all of the following components:
a) Vulnerability scanning, which includes, but is not
limited to, the following:
i. validation that information technology
(IT) systems have currently supported software,
security patches, and updates applied;
ii. validation that system security
configurations are in compliance with NIST
standards; and,
iii. validation that the network architecture
is arranged so as to separate internal, publicly
accessible, and external zones, along with a
mechanism to identify and alert on attempted
intrusions.
b) Penetration testing, when determined to be
appropriate by the Governor's Office of Emergency
Services.
c) A report on the number, severity, and nature of
identified vulnerabilities and recommendations for
remediation and risk mitigation.
3) Authorizes CalTech to require any agency out of compliance
with the assessment requirement to redirect any funds within
the agency's budget, which may be legally expended for these
purposes, to pay the costs of the assessment.
4) Deletes a pre-existing exemption from independent security
assessments for the Department of Forestry and Fire
Protection.
5) Authorizes the Governor's Office of Emergency Services to
provide the strategic direction of security assessments
performed by the Military Department's Computer Network
Defense Team (CND-T), which shall include:
a) Contracting and negotiating with state agencies,
departments, offices, or private entities to be assessed;
b) Setting an assessment calendar to be followed by the
CND-T; and,
c) Prioritizing incident response.
6) Requires CalTech to adopt standards to be included in the
State Administrative Manual that set forth the manner for the
assessed agency or entity to communicate the assessment
results to CalTech, including, but not limited to, all of the
following:
a) Aggregated, statistical information relevant to the
assessment results, including the number of identified
vulnerabilities categorized by high, medium, or low risk,
but not to include any specific and potentially
exploitable information relative to the nature of risk;
b) Prioritization of vulnerabilities;
c) Identification of relevant internal resources; and,
d) Strategy for addressing and mitigating those
vulnerabilities.
7) Restricts the communication of assessment results only to the
assessed entity, approved government employees and validated
contractors.
8) Requires assessment results and related aggregated reports to
be confidential and exempt from Freedom of Information Act
distribution and protected from disclosure by Public Records
Act requests.
9) Requires data produced by assessments to be retained by all
parties for no longer than one year, unless determined
otherwise by the Governor's Office of Emergency Services.
EXISTING LAW:
1) Establishes CalTech within the Government Operations Agency,
headed by the Director of Technology, who is also known as the
State Chief Information Officer. The department is responsible
for the approval and oversight of IT projects by, among other
things, consulting with agencies during initial project
planning to ensure that project proposals are based on
well-defined programmatic needs. (Government Code (GC)
Sections 11545 and 12803.2)
2) Establishes the Office of Information Security within the
department, under the direction of its chief, and sets forth
its duties, including, but not limited to, the authority to
conduct or require a security assessment of any state agency,
as prescribed. (GC 11549.3)
3) Requires the cost of an independent security assessment or
information security program compliance audit to be funded by
the state agency, department or office being assessed or
audited. (GC 11549.3(c-d))
FISCAL EFFECT: Unknown
COMMENTS:
1) Purpose of this bill. This bill is intended to increase the
security of California state computer networks by requiring
CalTech to conduct a security assessment of each agency,
department and office under its jurisdiction every two years.
AB 670 is author-sponsored.
2) Author's statement. According to the author, "Cybersecurity
attacks are on the rise and California state government is a
priority target because of the value and sheer size of its
networks and data. The state bears a responsibility in
actively defending the information it collects as well as the
critical networks that Californians rely on for services.
"The State Administrative Manual currently includes the
provisions contained in this bill, but there is no mechanism
of enforcement and less than one-third of state agencies,
departments, or offices have conducted or received an
assessment to date. These preventative assessments are a
vital tool in combating the increasingly sophisticated
cyber-attacks because they reveal vulnerabilities, demonstrate
the extent of potential exploitation, and provide
recommendations for remediation and risk mitigation.
"AB 670 would require state agencies, departments, and offices
to receive a network security assessment at least once every 2
years. The bill would authorize the Department of Technology
to require agencies that are not in compliance to redirect
available funding to pay the costs of the assessments. The
bill would require the Department to adopt standards for the
assessed agency to report the results. The bill would give
the Office of Emergency Services the authority to direct the
activity of the Military Department's Computer Network Defense
Team, which performs these network assessments."
3) Understanding the cyber security threat. According to the
California Military Department (CMD), California's size and
prominence make it vulnerable to cyber incidents that disrupt
business, shut down critical infrastructure, and compromise
intellectual property or national security. In 2012, 17% of
the data breaches recorded in the United States took place in
California - more than any other state; and the number of
reported breaches in California increased by 28% in 2013.
California leads the nation in high tech employment and cyber
innovation with 40% of all U.S. venture capital investment in
cyber residing here.
CMD calls cybercrime "a growth industry" causing $400 billion in
negative impacts annually on the global economy. Thirty
percent of all cyber-attacks and other malicious activity is
targeted at the government, making government networks and
systems the most frequently targeted sector.
According to CMD, the State of California is extremely
vulnerable to cyber incidents that can disrupt industry,
compromise personal information, shut down critical
infrastructure and compromise intellectual property or
national security. A targeted attack on critical
infrastructure and key resources could cause up to $1 billion
of economic impact to California each day until services are
restored.
According to the State Attorney General's 2014 Data Breach
Report, organizations should conduct risk assessments at least
annually and update privacy and security practices based on
the findings.
4) CalTech and OIS. CalTech is the central IT organization for
the State of California and is responsible for the approval
and oversight of all state IT projects. Among its various
offices and subdivisions is the Office of Information Security
(OIS), also referred to as the California Information Security
Office.
OIS is the primary state government authority for ensuring the
confidentiality, integrity, and availability of state systems
and applications, and ensuring the protection of state
information. The office represents California to federal,
state, and local government entities, higher education,
private industry, and others on security-related matters.
According to the author's office, there are a total of 384
state entities subject to the OIS (which excludes some
constitutional offices). It is not known how many attacks,
whether successful or unsuccessful, have been made against
state agency computers over the past year.
Under current law, OIS is authorized to conduct independent
security assessments of any state agency, department or
office, but is not required to do so. It is not known how
many security assessments were conducted by OIS in the past
year.
5) The role of the California National Guard in cyber security.
The CMD, which oversees the state's National Guard units,
supports state law enforcement and emergency services in the
prevention and protection of supported networks, which helps
enable the state to respond to vulnerabilities or attacks.
The California Office of Emergency Services, which is
responsible for assuring the state's readiness to respond to
and recover from all hazards, coordinates and requests the
support of the CMD to provide cyber defense, incident support
and cyber recovery operations.
The CMD temporarily maintains CND-T, a pilot project funded as
Item 8940-001-0001 of the Budget Act of 2014. CND-T's goal is
to "assist agencies by providing actionable products,
assistance, and services designed to improve overall cyber
security compliance, reduce risk, and protect the public.
These high-quality reduced cost services are easily accessible
via an Interagency Agreement. This simplifies the request and
procurement process." CND-T currently has nine full-time
staff, with the capability to add six more.
CMD can leverage other resources as well, such as the Air
National Guard's Emergency State Active Duty Component. In
the near future, CMD will also be able to draw upon a
soon-to-be created 39-member Cyber Protection Team under its
command, which has been authorized by the federal government
and will be based in San Diego and operational in 2017.
CND-T provides a wide range of consulting, training and direct
services, from pre-incident cyber security services such as
vulnerability assessments, best practice analysis, and the
development of mitigation strategies for government and
critical infrastructure providers, to cyber security incident
recovery services designed to facilitate restoration to secure
normal operations.
According to the CMD, in the first quarter of FY2015, the CND-T
performed 2,863 end-point scans identifying 39,880 risks with
an average of 13.6 vulnerabilities per system. Agencies
supported by the CND-T generally show a ten-fold reduction in
system vulnerabilities.
According to the author's office, a security assessment will
generally cost a public entity between $10,000 and $40,000 to
complete, depending on its size and sophistication. The
assessment usually takes 1-2 days, with the assessed entity
receiving a written report on findings within 2-3 weeks.
This bill would authorize OES to direct assessments conducted
by the CND-T, and authorize CalTech to "redirect" funds from
an assessed agency to pay for the costs of the assessment.
6) The NIST SP 800-53 cyber security standard. This bill
requires that the security assessments be conducted in
compliance with the NIST SP 800-53 Controls. That standard,
released as Revision 4 on April 20, 2013, and titled "Security
and Privacy Controls for Federal Information Systems and
Organizations," is the most comprehensive update to the
security controls catalog since the introduction of the
standard in 2005. The standard was developed by NIST, the
Department of Defense, the Intelligence Community (a coalition
of 17 federal agencies within the Executive Branch), and the
Committee on National Security Systems, and was motivated
principally by the increasing sophistication of cyber-attacks
and the quicker operations tempo of adversaries.
According to NIST, the standard "provides a more holistic
approach to information security and risk management by
providing organizations with the breadth and depth of security
controls necessary to fundamentally strengthen their
information systems and the environments in which those
systems operate, contributing to systems that are more
resilient in the face of cyber attacks and other threats."
Because the language of the bill references the publication
number of the NIST standard but not the revision number, OIS
should be able to continue to use the most recent version of
the standard as new revisions are published. Note also that
SP 800-53 is a catalog of controls rather than a single
checklist: assessing a system against it presupposes that the
system has been categorized and assigned a low, moderate, or
high control baseline, and NIST publishes the corresponding
assessment procedures separately as SP 800-53A. The standards
CalTech adopts under this bill would need to settle those
choices for the assessments to be comparable across agencies.
7) Exemption from open records laws. This bill provides that
assessment results are documents not available to the public
via a federal Freedom of Information Act request or
California's own Public Records Act (CPRA). The federal
Freedom of Information Act reaches only the records of federal
agencies, and a state statute cannot change its scope, so the
operative protection for state assessment records is the CPRA.
The CPRA already contains a provision which protects from
disclosure any government record that "would reveal
vulnerabilities to, or otherwise increase the potential for an
attack on, an information technology system of a public
agency."
8) Questions for the Committee. The Committee may wish to
consider whether OIS has the capacity to conduct the
assessments required by this bill. Given that California has
approximately 384 state agencies, departments and commissions
that would be subject to this mandate, the question arises as
to how many security assessments OIS could realistically
complete over the course of a year and at what cost. And
while the bill authorizes CND-T to help complete the
assessments as directed, CND-T's capacity is also unknown. As
a result, it is not yet clear whether it will be feasible for
OIS (and CND-T) to complete the security assessments required
by this bill within the given two years.
The Committee may wish to inquire of the author as to what
evidence exists that a two-year assessment cycle is feasible
given available resources. And if current resources are not
sufficient, whether or not new resources should be allocated
or the assessment cycle should be extended beyond two years.
9) Arguments in support. According to RIMS, a risk management
society, "We view this legislation as a prime example of
pro-active risk management for a risk, cyber terrorism, that
is quickly becoming a serious threat for many organizations
including state agencies. We believe it is critical that all
organizations, including state agencies, assess their cyber
security measures in order to mitigate the risk to those who
utilize their services."
10) Related legislation. AB 1172 (Chau) would continue in
existence the California Cyber Security Task Force, and
authorize the task force to convene stakeholders to act in an
advisory capacity and compile policy recommendations on cyber
security for the state until January 1, 2020. The measure
would also create a State Director of Cyber Security with
specified duties within the Governor's Office of Emergency
Services. AB 1172 is currently pending in the Assembly
Privacy and Consumer Protection Committee.
AB 739 (Irwin) would require the Attorney General to create a
registry of private entities that intend to engage in
communication of cyber security-threat information, and would
further provide that there is no civil or criminal liability
for a registered entity based upon its communication of cyber
security-threat information to another public or private
entity. AB 739 is currently pending in the Assembly Privacy
and Consumer Protection Committee.
11) Previous legislation. AB 2200 (Perez) of 2014 would have
created a thirteen member California Cyber Security Steering
Committee within the Governor's Office of Emergency Services
(OES), and would have continued the existence of the
California Cyber Security Task Force until January 1, 2020.
This bill was held at the Assembly Desk.
SB 1286 (Corbett) of 2014 would have raised from $35 million
to $65 million the amount that the Public Utilities Commission
may devote to research and development projects for the
purposes of cyber security and grid integration. This bill
was held in the Senate Rules Committee.
AB 1620 (Rodriguez) of 2014 would have established in state
government the California Emergency Management and Disaster
Preparedness Commission as a statewide executive-level
commission to assess and improve the condition of the state's
emergency preparedness, management, and disaster recovery
capabilities. This bill was vetoed by Governor Brown.
SB 90 (Budget and Fiscal Review), Chapter 183, Statutes of
2007, created the Office of Information Security and Privacy
Protection within the State and Consumer Services Agency. The
duties of the new office include, but are not limited to:
providing direction for information security and privacy to
state government agencies; conducting security assessments and
review of any state agency; providing educational information
to consumers on effective ways of protecting personal
information; and assisting in the prosecution of identity
theft and other privacy-related crimes.
REGISTERED SUPPORT / OPPOSITION:
Support
RIMS
Opposition
None received.
Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200