AB 1841, as amended, Irwin. Office of Emergency Services: duties: cybersecurity.
(1) The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state.
This bill would require the Office of Emergency Services to begin delete develop and end delete transmit to the begin delete Legislature a state-wide emergency services response plan for cybersecurity attacks on critical infrastructure systems, as defined. end delete begin insert Legislature, on or before July 1, 2017, the Cyber Security Annex to the State Emergency Plan, also known as Emergency Function 18 or EF 18. end insert
The bill would further require the office to develop a comprehensive cybersecurity strategy setting standards for state agencies, as defined, begin delete and private entities to end delete begin insert to, among other things, end insert prepare for cybersecurity begin delete attacks on end delete begin insert interference with, or the compromise or incapacitation of, end insert critical infrastructure begin delete systems. The bill end delete begin insert and end insert would require state begin delete agencies, and authorize private entities, end delete begin insert agencies end insert to report its begin delete cybersecurity strategy end delete begin insert compliance with these standards end insert to the office. The bill would require the office to provide suggestions for begin delete improvement to the cybersecurity strategy of a state agency, and authorize the office to do the same for a private entity, but only for purposes of protecting public health and safety. end delete begin insert a state agency to improve compliance with these standards. end insert The bill would prohibit public disclosure of begin delete the office’s state-wide emergency services response plan and end delete begin insert public records relating to end insert the begin delete individual end delete cybersecurity strategies of state begin delete agencies and private entities. end delete begin insert agencies, as specified. end insert
(2) Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.
This bill would make legislative findings to that effect.
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
SECTION 1. The Legislature finds and declares all the following:
(a) The current pervasive use of information technology in public begin delete and private end delete enterprises has resulted in an abundance of public access to information and services provided by the begin delete government and businesses, end delete begin insert government, end insert but the increased interdependence begin delete on end delete begin insert of end insert information technology systems has created a new type of risk for society. begin delete Cybersecurity threats end delete begin insert Threats end insert to public begin delete and private end delete critical infrastructure begin delete systems end delete that use information technology within the state present risks to public health and safety and could severely disrupt begin delete private end delete economic activity within California.
(b) Ensuring sufficient preparations are taken to protect begin delete these end delete critical infrastructure begin delete systems end delete from begin delete attacks to cybersecurity end delete begin insert interference, compromise, or incapacitation end insert are in the public interest and serve a public purpose.
(c) A comprehensive cybersecurity strategy, undertaken in a coordinated effort between begin delete federal and state governments and private entities, end delete begin insert state agencies, end insert will help prepare for begin delete cyberattacks on these end delete critical begin delete infrastructure systems, end delete begin insert infrastructure, end insert thereby reducing the potential consequences from those attacks.
(d) The Office of Emergency Services, in its role as the lead executive entity that coordinates state resources for emergency preparedness, response, and damage mitigation, is begin delete the proper end delete begin insert a end insert state entity begin insert appropriate end insert to develop, implement, and manage a comprehensive cybersecurity strategy, undertaken in a coordinated effort between begin delete federal and state governments and private entities, end delete begin insert state agencies, end insert to protect begin delete these end delete critical begin delete infrastructure systems from attacks to cybersecurity. end delete begin insert infrastructure. end insert The Office of Emergency Services is already developing the necessary expertise in cybersecurity through its current work developing methods to provide emergency services during begin delete a cyberattack. end delete begin insert an interference with, or the compromise or incapacitation of, critical infrastructure. end insert
(e) It is the intent of the Legislature in enacting this legislation to develop a comprehensive cybersecurity strategy, undertaken in a coordinated effort between begin delete federal and state governments and private entities, end delete begin insert state agencies, end insert to prepare California for begin delete cyberattacks on end delete begin insert threats to end insert critical infrastructure begin delete systems end delete under the unifying coordination of the Office of Emergency Services.
SEC. 2. Article 6.4 (commencing with Section 8592.30) is added to Chapter 7 of Division 1 of Title 2 of the Government Code, to read:

8592.30. begin delete (a) For purposes of this article, “critical infrastructure systems” shall mean a public or private information technology system that services any of the following sectors:
(1) Communications.
(2) Emergency services.
(3) Energy.
(4) Financial Services.
(5) Food and Agriculture.
(6) Healthcare and public health.
(7) Transportation systems.
(8) Water and wastewater systems.
(b) end delete begin insert As used in this article, the following definitions shall apply:
(a) “Critical infrastructure” means systems and assets so vital to the state that the incapacity or destruction of those systems or assets would have a debilitating impact on security, economic security, public health and safety, or any combination of those matters.
(b) “Critical infrastructure information” means information not customarily in the public domain pertaining to any of the following:
(1) Actual, potential, or threatened interference with, or an attack on, compromise of, or incapacitation of critical infrastructure by either physical or computer-based attack or other similar conduct, including, but not limited to, the misuse of, or unauthorized access to, all types of communications and data transmission systems, that violates federal, state, or local law, harms economic security, or threatens public health or safety.
(2) The ability of critical infrastructure to resist any interference, compromise, or incapacitation, including, but not limited to, any planned or past assessment or estimate of the vulnerability of critical infrastructure, including, but not limited to, security testing, risk evaluation, risk management planning, or risk audits.
(3) Any planned or past operational problem or solution regarding critical infrastructure, including, but not limited to, repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to interference, compromise, or incapacitation of critical infrastructure.
(c) end insert “Secretary” begin delete shall mean end delete begin insert means end insert the secretary of each state agency as set forth in subdivision (a) of Section 12800.
begin delete (c) end delete begin insert (d) end insert “State agency” or “state agencies” begin delete shall have end delete begin insert means end insert the same begin delete meaning end delete as “state agency” as set forth in Section 11000.
8592.35. (a) On or before July 1, 2017, the office shall transmit to the Legislature begin delete a state-wide emergency services response plan for cybersecurity attacks on critical infrastructure systems end delete begin insert the Cyber Security Annex to the State Emergency Plan, also known as Emergency Function 18 or EF 18, end insert that includes, but is not limited to, all of the following:
(1) Methods for providing emergency services.
(2) Command structure for state-wide coordinated emergency services.
(3) Emergency service roles of appropriate state agencies.
(4) Identification of resources to be mobilized.
(5) Public information plans.
(6) Continuity of government services.
(b) begin delete Notwithstanding Section 9795, the end delete begin insert The end insert office shall transmit the plan to the Legislature begin delete by providing a printed copy to the Secretary of the Senate and the Chief Clerk of the Assembly. end delete begin insert pursuant to Section 9795. end insert
8592.40. (a) On or before July 1, 2018, the office shall develop a comprehensive cybersecurity strategy setting standards for state agencies begin delete and private entities end delete to prepare for cybersecurity begin delete attacks on end delete begin insert interference with, or the compromise or incapacitation of, end insert critical infrastructure begin delete systems. end delete begin insert and the development of critical infrastructure information, and to transmit critical infrastructure information to the office. end insert In developing the standards, the office shall consider all of the following:
(1) Costs to implement the standards.
begin delete (2) Regional business impacts. end delete
begin insert (2) Security of critical infrastructure information.
(3) Centralized management of risk. end insert
begin delete (3) National end delete begin insert (4) National end insert private industry best practices.
(b) The office shall post the cybersecurity strategy on the Internet Web site of the office and transmit a copy to each secretary.
8592.45. (a) Each state agency shall begin delete transmit a cybersecurity strategy that meets the standards set forth in end delete begin insert report on their compliance with the standards developed pursuant to end insert Section 8592.40 to the office in the manner and at the time directed by the begin delete office. end delete begin insert office but no later than January 1, 2019. end insert
(b) The office shall provide suggestions for begin delete improvement to the cybersecurity strategy of a state agency, if any, end delete begin insert a state agency to improve compliance with the standards developed pursuant to Section 8592.40, if any, end insert to the head of the state agency and the secretary responsible for the state agency. For a state agency that is not under the responsibility of a secretary, the office shall provide begin insert any end insert suggestions begin delete for improvement to a cybersecurity strategy, if any, end delete to the head of the state agency and the Governor.
begin delete 8592.50. (a) A private entity may transmit a cybersecurity strategy that meets the standards set forth in Section 8592.40 to the office.
(b) The office shall review and provide suggestions for improvement, if any, to the cybersecurity strategy of a private entity for the purposes of protecting public health and safety, and shall not review or make suggestions to the cybersecurity strategy of a private entity solely for the private benefit of the private entity. end delete
begin delete 8592.55. end delete begin insert 8592.50. end insert begin delete (a) end delete The begin delete plan required by Section 8592.35, a state agency cybersecurity strategy end delete begin insert report end insert required by begin insert subdivision (a) of end insert Section begin delete 8592.45, or a private entity cybersecurity strategy authorized by Section 8592.50 are end delete begin insert 8592.45 and any public records relating to any communication made pursuant to, or in furtherance of the purposes of, subdivision (b) of Section 8592.45 are end insert confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).
begin delete (b) The report to the Legislature required by Section 8592.35 shall not be subject to production pursuant to the Legislative Open Records Act (Article 3.5 (commencing with Section 9070) of Chapter 1.5 of Part 1 of Division 2). end delete
SEC. 3. The Legislature finds and declares that Section 2 of this act, which adds Section begin delete 8592.55 end delete begin insert 8592.50 end insert to the Government Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:
Preventing public disclosure of the begin delete Office of Emergency Services’ state-wide emergency services response plan for cybersecurity attacks on critical infrastructure systems and the end delete individual cybersecurity begin delete strategies end delete begin insert preparations end insert of state agencies begin delete and private entities end delete promotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure begin delete systems end delete within the state.