BILL ANALYSIS
AB 670
Page 1

ASSEMBLY THIRD READING
AB 670 (Irwin)
As Amended April 6, 2015
Majority vote

|Committee       |Votes |Ayes                                                      |Noes |
|----------------|------|----------------------------------------------------------|-----|
|Privacy         |11-0  |Gatto, Wilk, Baker, Calderon, Chang, Chau, Cooper,        |     |
|                |      |Dababneh, Dahle, Gordon, Low                              |     |
|----------------|------|----------------------------------------------------------|-----|
|Appropriations  |17-0  |Gomez, Bigelow, Bonta, Calderon, Chang, Daly, Eggman,     |     |
|                |      |Gallagher, Eduardo Garcia, Gordon, Holden, Jones, Quirk,  |     |
|                |      |Rendon, Wagner, Weber, Wood                               |     |

SUMMARY: Requires the Department of Technology (CalTech) to conduct security assessments of the information technology resources of every state agency, department or office at least once every two years. Specifically, this bill:

1) Requires the Office of Information Security (OIS) within CalTech to conduct an independent security assessment of every state agency, department, or office at least once every two years.

2) Requires the assessment to be conducted in compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 controls, and to include, to the extent practicable, all of the following components:

   a) Vulnerability scanning, as specified.

   b) Penetration testing, when determined to be appropriate by the Governor's Office of Emergency Services.

   c) A report on the number, severity, and nature of identified vulnerabilities and recommendations for remediation and risk mitigation.
3) Authorizes CalTech to require any agency out of compliance with the assessment requirement to redirect any funds within the agency's budget which may be legally expended for these purposes to pay the costs of the assessment.

4) Deletes a pre-existing exemption from independent security assessments for the Department of Forestry and Fire Prevention.

5) Authorizes the Governor's Office of Emergency Services to set the strategic direction of security assessments performed by the Military Department's Computer Network Defense Team (CND-T), as specified.

6) Requires CalTech to adopt standards, to be included in the State Administrative Manual, that set forth the manner in which the assessed agency or entity communicates the assessment results to CalTech, as specified.

7) Restricts the communication of assessment results to the assessed entity, approved government employees and validated contractors only.

8) Requires assessment results and related aggregated reports to be confidential, exempt from Freedom of Information Act distribution, and protected from disclosure under Public Records Act requests.

9) Requires data produced by assessments to be retained by all parties for no longer than one year, unless determined otherwise by the Governor's Office of Emergency Services.

FISCAL EFFECT: According to the Assembly Appropriations Committee:

1) Major state costs of approximately $5 million (General Fund) over two years, for 32 personnel years for the California Military Department to perform the CND-T assessments.

2) On-going costs to state agencies in the range of $20,000 to $200,000 per agency for the assessments. Costs will vary by agency depending on its current security budget and on the extent to which this bill mandates a broader or more frequent security assessment and a redirection of funds.

COMMENTS:

Purpose of this bill.
This bill is intended to increase the security of California state computer networks by requiring CalTech to conduct a security assessment of the 384 state agencies, departments and offices under its jurisdiction every two years.

This bill is author-sponsored.

Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200

FN: 0000578