BILL ANALYSIS
-----------------------------------------------------------------
SENATE RULES COMMITTEE                                   AB 670
Office of Senate Floor Analyses
(916) 651-1520   Fax: (916) 327-4478
-----------------------------------------------------------------
THIRD READING
Bill No: AB 670
Author: Irwin (D)
Amended: 9/3/15 in Senate
Vote: 21
SENATE GOVERNMENTAL ORG. COMMITTEE: 12-0, 6/29/15
AYES: Hall, Berryhill, Block, Gaines, Glazer, Hernandez, Hill,
Hueso, Lara, McGuire, Runner, Vidak
NO VOTE RECORDED: Galgiani
SENATE APPROPRIATIONS COMMITTEE: 6-0, 8/27/15
AYES: Lara, Bates, Beall, Hill, Leyva, Mendoza
NO VOTE RECORDED: Nielsen
ASSEMBLY FLOOR: 79-0, 6/2/15 - See last page for vote
SUBJECT: Information technology security
SOURCE: Author
DIGEST: Requires the Office of Information Security (OIS), in
consultation with the Office of Emergency Services (OES), to
require no fewer than 35 independent security assessments of
state entities each year and determine basic standards of
services to be performed as part of that assessment.
Senate Floor amendments of 9/3/15 simplified the components of
the independent security assessment and increased the role of
the OES. The amendments also clarified that information
collected during the process of conducting an independent
security assessment shall remain confidential.
ANALYSIS:
Existing law:
1)Establishes, within the Government Operations Agency (GOA),
the California Department of Technology (Caltech) under the
supervision of the Director of Technology, who is also known
as the State Chief Information Officer. Caltech is generally
responsible for the approval and oversight of IT projects by,
among other things, consulting with state agencies during
initial project planning to ensure that project proposals are
based on well-defined programmatic needs.
2)Establishes, within Caltech, OIS under the supervision of the
Chief of the Office of Information Security. The OIS's authority
includes, but is not limited to, conducting, or requiring to be
conducted, an independent security assessment of any state
agency, department, or office, the cost of which is to be funded
by the state agency, department, or office being assessed.
3)Requires the cost of an independent security assessment or
information security program compliance audit to be funded by
the state agency, department or office being assessed or
audited.
4)Specifies that nothing in the California Public Records Act
shall be construed to require the disclosure of an information
security record of a public agency if, on the facts of the
particular case, disclosure of that record would reveal
vulnerabilities to, or otherwise increase the potential for an
attack on, an IT system of a public agency.
5)Creates, within the office of the Governor, the OES which,
under the Director of Emergency Services, coordinates disaster
response, emergency planning, emergency preparedness, disaster
recovery, disaster mitigation, and homeland security
activities.
This bill:
1)Specifies that the OIS may conduct, or require to be
conducted, an independent security assessment of every state
agency, department, or office. The cost of the assessment
shall be funded by the state agency, department, or office
being assessed.
2)Requires the OIS, in consultation with the OES to perform all
of the following duties:
a) Annually require no fewer than 35 state entities to
perform an independent security assessment, the cost of
which shall be funded by the state agency, department, or
office being assessed.
b) Determine criteria and rank state entities based on an
information security risk index, as specified.
c) Determine the basic standards of services to be
performed as part of independent security assessments.
3)Specifies that the Military Department may perform an
independent security assessment of any state agency,
department, or office, the cost of which shall be funded by
the state agency, department, or office being assessed.
4)Requires state agencies and entities that are required to
conduct or receive an independent security assessment to
transmit the complete results of that assessment and
recommendations for mitigating system vulnerabilities if any,
to the OIS and the OES.
5)Specifies that during the process of conducting an independent
security assessment, information and records concerning the
independent security assessment are confidential and shall not
be disclosed, except that the information and records may be
transmitted to state employees and state contractors who have
been approved as necessary to receive the information and
records to perform the assessment.
6)Specifies that the results of a completed assessment and any
related information shall be subject to all disclosure and
confidentiality provisions pursuant to any state law including
the California Public Records Act.
7)Requires the OIS to notify the OES, Department of the
California Highway Patrol, and the Department of Justice
regarding any criminal or alleged criminal cyber activity
affecting any state entity or critical infrastructure of state
government.
8)Requires the OIS to report to Caltech and the OES any state
entity found to be noncompliant with information security
requirements.
9)Authorizes the OIS to conduct or require to be conducted an
audit of information security to ensure program compliance,
the cost of which is to be funded by the state agency,
department, or office being audited.
10) Requires state entities, as defined, rather than certain
information security officers, to comply with policies and
procedures issued by the OIS.
11) Limits access to information and records of an ongoing
independent security assessment and makes legislative findings
demonstrating the interest protected by that limitation and the
need for protecting that interest.
Background
Purpose of the bill. According to the author, "cybersecurity
attacks are on the rise and California state government is a
priority target because of the value and sheer size of its
networks and data. The state bears a responsibility in actively
defending the information it collects as well as the critical
networks that Californians rely on for services. The State
Administrative Manual currently includes the provisions
contained in this bill, but there is no mechanism of enforcement
and compliance is lacking. These preventative assessments are a
vital tool in combating the increasingly sophisticated
cyber-attacks that threaten our economy and public safety."
Caltech/OIS. Caltech is the central IT organization for the
State of California and is responsible for the approval and
oversight of all state IT projects. Among its various offices
is the California Information Security Office, or OIS.
OIS is the primary state government authority for ensuring the
confidentiality, integrity, and availability of state systems
and applications, and ensuring the protection of state
information. The OIS represents California to federal, state,
and local government entities, higher education, private
industry, and others on security-related matters. According to
the author's office, there are a total of 384 state entities
subject to the OIS (which excludes some constitutional offices).
It is not known how many attacks, whether successful or
unsuccessful, have been made against state agency computers over
the past year.
Under current law, OIS is authorized to conduct independent
security assessments of any state agency, department or office,
but is not required to do so. Existing state policy found in
the State Administrative Manual indicates that each state agency
shall conduct a comprehensive IT risk assessment once every two
years. It is not known how many security assessments were
conducted by OIS in the past year.
Cyber Threats in California. According to the California
Military Department (CMD), California's size and importance
makes it vulnerable to cyber incidents that disrupt business,
shutdown critical infrastructure, and compromise intellectual
property or national security.
CMD calls cybercrime "a growth industry" causing $400 billion in
negative impacts annually on the global economy. Thirty percent
of all cyber-attacks and other malicious activity are targeted
at the government, making these networks and systems the most
vulnerable target of cybercrime.
According to CMD, the threat to government networks has never
been higher. "Hacktivists", nation states, cyber criminals and
other threat groups are attacking government networks to steal
sensitive information and make a political/economic statement.
Prior/Related Legislation
AB 1172 (Chau, 2015) creates a California Cyber Security Task
Force within OES to act in an advisory capacity and make policy
recommendations on cyber security for the State of California.
(Pending on the Senate Floor)
AB 739 (Irwin, 2015) provides legal immunity for civil or
criminal liability for private entities that communicate
anonymized cyber security threat information and meet specified
requirements, until January 1, 2020. (Held in Assembly
Judiciary Committee)
AB 2200 (Perez, 2014) would have created a 13 member California
Cyber Security Steering Committee in OES and continue the
existence of the California Cyber Security Task Force until
January 1, 2020. (Held at the Assembly Desk)
AB 1620 (Rodriguez, 2014) would have established the California
Emergency Management and Disaster Preparedness Commission as a
statewide executive-level commission to assess and improve the
condition of the State's emergency preparedness, management, and
disaster recovery capabilities. (Vetoed by Governor Brown)
FISCAL EFFECT: Appropriation: No    Fiscal Com.: Yes    Local: No
According to the Senate Appropriations Committee, Caltech would
incur costs of approximately $2 million in 2016-17, and ongoing
costs of approximately $1.9 million for 12 personnel years (PY)
of staff to conduct security assessments. Staff estimates that
OIS would have additional costs in the hundreds of thousands of
dollars annually for travel and other associated charges.
(Technology Services Revolving Fund)
Further, ongoing, potentially significant cost pressures for
state entities to make necessary IT improvements to address
vulnerabilities identified through security assessments.
However, these improvements would decrease the likelihood that
agencies would experience a future data breach, thereby avoiding
related costs in future years. (General Fund and/or Special
Funds)
Finally, estimated Caltech costs in the range of $100,000 to
$150,000 to develop and adopt standards for the OIS, Military
Department, or other entity conducting a security assessment to
follow when conducting those assessments and reporting results.
These costs include necessary updates to the State Administrative
Manual. (Technology Services Revolving Fund)
SUPPORT: (Verified 9/4/15)
Risk Management Society
OPPOSITION: (Verified 9/4/15)
None received
ARGUMENTS IN SUPPORT: According to the Risk Management
Society, "this legislation is a prime example of proactive risk
management for a risk, cyber terrorism, that is quickly becoming
a serious threat for many organizations, including state
agencies. We believe it is critical that all organizations,
including state agencies, assess their cyber security measures
in order to mitigate the risk to those who utilize their
services."
ASSEMBLY FLOOR: 79-0, 6/2/15
AYES: Achadjian, Alejo, Travis Allen, Baker, Bigelow, Bloom,
Bonilla, Bonta, Brough, Brown, Burke, Calderon, Campos, Chang,
Chau, Chiu, Chu, Cooley, Cooper, Dababneh, Dahle, Daly, Dodd,
Eggman, Frazier, Beth Gaines, Gallagher, Cristina Garcia,
Eduardo Garcia, Gatto, Gipson, Gomez, Gonzalez, Gordon, Gray,
Grove, Hadley, Harper, Roger Hernández, Holden, Irwin, Jones,
Jones-Sawyer, Kim, Lackey, Levine, Linder, Lopez, Low,
Maienschein, Mathis, Mayes, McCarty, Medina, Melendez, Mullin,
Nazarian, Obernolte, O'Donnell, Olsen, Patterson, Perea,
Quirk, Rendon, Ridley-Thomas, Rodriguez, Salas, Santiago,
Steinorth, Mark Stone, Thurmond, Ting, Wagner, Waldron, Weber,
Wilk, Williams, Wood, Atkins
NO VOTE RECORDED: Chávez
Prepared by: Felipe Lopez / G.O. / (916) 651-1530
9/4/15 14:17:00
**** END ****