BILL ANALYSIS
AB 670
Page 1
ASSEMBLY THIRD READING
AB 670 (Irwin)
As Amended April 6, 2015
Majority vote
-------------------------------------------------------------------------
|Committee       |Votes |Ayes                                     |Noes |
|----------------+------+-----------------------------------------+-----|
|Privacy         |11-0  |Gatto, Wilk, Baker, Calderon, Chang,     |     |
|                |      |Chau, Cooper, Dababneh, Dahle, Gordon,   |     |
|                |      |Low                                      |     |
|----------------+------+-----------------------------------------+-----|
|Appropriations  |17-0  |Gomez, Bigelow, Bonta, Calderon, Chang,  |     |
|                |      |Daly, Eggman, Gallagher, Eduardo Garcia, |     |
|                |      |Gordon, Holden, Jones, Quirk, Rendon,    |     |
|                |      |Wagner, Weber, Wood                      |     |
-------------------------------------------------------------------------
SUMMARY: Requires the Department of Technology (CalTech) to
conduct security assessments of the information technology
resources of every state agency, department or office at least
once every two years. Specifically, this bill:
1) Requires the Office of Information Security (OIS) within CalTech
to conduct an independent security assessment of every state
agency, department, or office at least once every two years.
2) Requires the assessment to be conducted in compliance with the
National Institute of Standards and Technology (NIST) Special
Publication (SP) 800-53 controls, and to include, to the extent
practicable, all of the following components:
a) Vulnerability scanning, as specified.
b) Penetration testing, when determined to be appropriate by
the Governor's Office of Emergency Services.
c) A report on the number, severity, and nature of identified
vulnerabilities, with recommendations for remediation and risk
mitigation.
3) Authorizes CalTech to require any agency out of compliance with
the assessment requirement to redirect any funds within the
agency's budget that may be legally expended for these purposes
to pay the costs of the assessment.
4) Deletes a pre-existing exemption from independent security
assessments for the Department of Forestry and Fire Protection.
5) Authorizes the Governor's Office of Emergency Services to
provide strategic direction for the security assessments
performed by the Military Department's Computer Network Defense
Team (CND-T), as specified.
6) Requires CalTech to adopt standards, to be included in the State
Administrative Manual, that set forth the manner in which the
assessed agency or entity communicates the assessment results to
CalTech, as specified.
7) Restricts communication of assessment results to the assessed
entity, approved government employees, and validated contractors.
8) Requires assessment results and related aggregated reports to
be confidential, exempt from distribution under the Freedom of
Information Act, and protected from disclosure in response to
Public Records Act requests.
9) Requires data produced by assessments to be retained by all
parties for no longer than one year, unless determined otherwise
by the Governor's Office of Emergency Services.
FISCAL EFFECT: According to the Assembly Appropriations
Committee:
1) Major state costs of approximately $5 million (General Fund)
over two years, for 32 personnel years for the California Military
Department to perform the CND-T assessments.
2) Ongoing costs to state agencies in the range of $20,000 to
$200,000 per agency for the assessments. Costs will vary by
agency depending on its current security budget and on the
extent to which this bill mandates a broader or more frequent
security assessment and a redirection of funds.
COMMENTS:
Purpose of this bill. This bill is intended to increase the
security of California state computer networks by requiring
CalTech to conduct a security assessment of each of the 384 state
agencies, departments, and offices under its jurisdiction every
two years. This bill is author-sponsored.
Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200
FN: 0000578