BILL ANALYSIS
AB 670
Page 1
Date of Hearing: May 20, 2015
ASSEMBLY COMMITTEE ON APPROPRIATIONS
Jimmy Gomez, Chair
AB 670 (Irwin) - As Amended April 6, 2015
-----------------------------------------------------------------
|Policy       |Privacy and Consumer           |Vote:|11 - 0       |
|Committee:   |Protection                     |     |             |
-----------------------------------------------------------------
Urgency: No    State Mandated Local Program: No    Reimbursable: No
SUMMARY:
This bill requires the Office of Information Security (OIS),
within the Department of Technology (CalTech), to conduct
security assessments of the information technology resources of
every state agency, department or office at least once every two
years. Specifically, this bill:
1)Requires the assessment to be conducted in compliance with the
National Institute of Standards and Technology (NIST) Special
Publication (SP) 800-53 Controls, and to include, to the
extent practicable, vulnerability scanning, penetration
testing, and a report on the number, severity, and nature of
identified vulnerabilities and recommendations for remediation
and risk mitigation.
2)Authorizes CalTech to require any agency out of compliance
with the assessment requirement to redirect any funds within
the agency's budget, which may be legally expended for these
purposes, to pay the costs of the assessment.
3)Authorizes the Governor's Office of Emergency Services (OES)
to conduct the strategic direction of security assessments
performed by the Military Department's Computer Network
Defense Team (CND-T).
4)Requires CalTech to adopt standards that set forth the manner
for the assessed agency or entity to communicate the
assessment results to CalTech.
5)Requires assessment results and relative aggregated reports to
be confidential and exempt from Freedom of Information Act
distribution and protected from disclosure by Public Records
Act requests.
6)Requires data produced by assessments to be retained by all
parties for no longer than one year, unless determined otherwise
by OES.
FISCAL EFFECT:
1)Major state costs of approximately $5 million (GF) for two
years, for 32 PYs for the California Military Department to
perform the CND-T assessments.
2)On-going costs to state agencies, in the range of $20,000 to
$200,000, per agency for the assessments. Costs will vary by
agency depending on their current security budgets and to what
extent this bill mandates a broader or more frequent security
assessment and redirection of funds.
COMMENTS:
1)Purpose. According to the author, "Cybersecurity attacks are
on the rise and California state government is a priority
target because of the value and sheer size of its networks and
data. The state bears a responsibility in actively defending
the information it collects as well as the critical networks
that Californians rely on for services. The State
Administrative Manual currently includes the provisions
contained in this bill, but there is no mechanism of
enforcement and less than one-third of state agencies,
departments, or offices have conducted or received an
assessment to date. These preventative assessments are a
vital tool in combating the increasingly sophisticated
cyber-attacks because they reveal vulnerabilities, demonstrate
the extent of potential exploitation, and provide
recommendations for remediation and risk mitigation."
This bill seeks to increase the security of California state
computer networks by requiring CalTech to conduct a security
assessment of each agency, department and office under its
jurisdiction every two years.
2)Background. According to the California Military Department
(CMD), California's size and prominence make it vulnerable to
cyber incidents. In 2012, 17% of the data breaches recorded
in the United States took place in California - more than any
other state; and the number of reported breaches in California
increased by 28% in 2013. California leads the nation in high
tech employment and cyber innovation, with 40% of all U.S.
venture capital investment in cyber residing here. A targeted
attack on critical infrastructure and key resources could
cause up to $1 billion of economic impact to
California each day until services are restored. According to
the State Attorney General's 2014 Data Breach Report,
organizations should conduct risk assessments at least
annually and update privacy and security practices based on
the findings.
3)CalTech and OIS. CalTech is the central IT organization for
the State and is responsible for the approval and oversight of
all state IT projects. OIS, within CalTech, is responsible for
ensuring the confidentiality, integrity, and availability of
state systems and applications, and ensuring the protection of
state information. OIS represents California to federal,
state, and local government entities, higher education,
private industry, and others on security-related matters.
According to the author's office, there are a total of 384
state entities subject to the OIS (which excludes some
constitutional offices). Under current law, OIS is authorized
to conduct independent security assessments of any state
agency, department or office, but is not required to do so.
4)National Guard. The CMD, which oversees the state's National
Guard units, supports state law enforcement and OES in the
prevention and protection of supported networks, which helps
enable the state to respond to vulnerabilities or attacks.
OES coordinates and requests the support of the CMD to provide
cyber defense, incident support and cyber recovery operations.
The CMD temporarily maintains CND-T, a pilot project funded in
the Budget Act of 2014. CND-T's goal is to "assist agencies
by providing actionable products, assistance, and services
designed to improve overall cyber security compliance, reduce
risk, and protect the public." CND-T currently has nine full
time staff, with the capability to add six more. CMD will also
draw upon a soon-to-be created 39-member Cyber Protection Team
under its command, which has been authorized by the federal
government; it will be based in San Diego and operational in
2017. According to the CMD, in the first quarter of FY2015,
the CND-T performed 2,863 end-point scans identifying 39,880
risks with an average of 13.6 vulnerabilities per system.
Agencies supported by the CND-T generally show a ten-fold
reduction in system vulnerabilities. According to the author's
office, a security assessment usually takes 1-2 days, with the
assessed entity receiving a written report on findings within
2-3 weeks.
This bill would authorize OES to direct assessments conducted
by the CND-T, and authorize CalTech to "redirect" funds from
an assessed agency to pay for the costs of the assessment.
5)Related legislation.
a) AB 1172 (Chau), pending in this Committee, continues in
existence the California Cyber Security Task Force, and
authorizes the task force to act in an advisory capacity and
compile policy recommendations on cyber security for the
state until January 1, 2020. It also creates a State Director
of Cyber Security within OES.
b) AB 739 (Irwin), pending in the Assembly Judiciary
Committee, requires the Attorney General to create a
registry of private entities that intend to engage in
communication of cyber security-threat information, and
provides that there is no civil or criminal liability for a
registered entity based upon its communication of cyber
security-threat information to another public or private
entity.
6)Previous legislation.
a) AB 2200 (Perez) of 2014 would have created a California
Cyber Security Steering Committee within OES, and would
have continued the existence of the California Cyber
Security Task Force until January 1, 2020. This bill was
held at the Assembly Desk.
b) SB 1286 (Corbett) of 2014 would have raised from $35
million to $65 million the amount that the PUC may devote
to research and development projects for the purposes of
cyber security and grid integration. This bill was held in
the Senate Rules Committee.
c) AB 1620 (Rodriguez) of 2014 would have established in
state government the California Emergency Management and
Disaster Preparedness Commission as a statewide
executive-level commission to assess and improve the
condition of the state's emergency preparedness,
management, and disaster recovery capabilities. This bill
was vetoed by Governor Brown.
d) SB 90 (Budget and Fiscal Review), Chapter 183, Statutes
of 2007, created the Office of Information Security and
Privacy Protection within the State and Consumer Services
Agency. The duties of the new office include providing
direction for information security and privacy to state
government agencies, conducting security assessments and
review of any state agency, providing educational
information to consumers on effective ways of protecting
personal information, and assisting in the prosecution of
identity theft and other privacy-related crimes.
Analysis Prepared by: Jennifer Swenson / APPR. / (916) 319-2081