AB 1841, as amended, Irwin. Cybersecurity incident response plan and standards.
(1) The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. Existing law establishes the Department of Technology under the supervision of the Director of Technology, who is also known as the State Chief Information Officer, and generally requires the Department of Technology to be responsible for the approval and oversight of information technology projects by, among other things, consulting with state agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs.
This bill would require the Office of Emergency Services, in conjunction with the Department of Technology, to transmit to the Legislature, on or before July 1, 2017, a cybersecurity incident response plan, known as the Cyber Security Annex to the State Emergency Plan, Emergency Function 18, or EF 18. The bill would further require the office, in conjunction with the Department of Technology and on or before January 1, 2018, to develop cybersecurity incident response standards for state agencies, as defined, to, among other things, prepare for cybersecurity interference with, or the compromise or incapacitation of, critical infrastructure and would require state agencies to report their compliance with these standards to the office. The bill would require the office, in conjunction with the Department of Technology, to provide suggestions for a state agency to improve compliance with these standards. The bill would prohibit public disclosure of reports and public records relating to the cybersecurity strategies of state agencies, as specified.
(2) Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.
This bill would make legislative findings to that effect.
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
The Legislature finds and declares all the following:
(a) The current pervasive use of information technology in public enterprises has resulted in an abundance of public access to information and services provided by the government, but the increased interdependence of information technology systems has created a new type of risk for society. Threats to public critical infrastructure that use information technology within the state present risks to public health and safety and could severely disrupt economic activity within California.
(b) Ensuring that sufficient preparations are taken to protect critical infrastructure from interference, compromise, or incapacitation is in the public interest and serves a public purpose.
(c) A comprehensive cybersecurity incident response plan, undertaken in a coordinated effort among state agencies, will help prepare for threats to critical infrastructure, thereby reducing the potential consequences from those attacks.
(d) The Office of Emergency Services, in its role as the lead executive entity that coordinates state resources for emergency preparedness, response, and damage mitigation, is a state entity appropriate to develop, implement, and manage a comprehensive cybersecurity incident response plan, undertaken in a coordinated effort among state agencies, to protect critical infrastructure. The Office of Emergency Services is already developing the necessary expertise in cybersecurity through its current work developing methods to provide emergency services during an interference with, or the compromise or incapacitation of, critical infrastructure.
(e) It is the intent of the Legislature in enacting this legislation to develop a comprehensive cybersecurity incident response plan, undertaken in a coordinated effort among state agencies, to prepare California for threats to critical infrastructure under the unifying coordination of the Office of Emergency Services.
Article 6.4 (commencing with Section 8592.30) is added to Chapter 7 of Division 1 of Title 2 of the Government Code, to read:
As used in this article, the following definitions shall apply:
(a) “Critical infrastructure” means systems and assets so vital to the state that the incapacity or destruction of those systems or assets would have a debilitating impact on security, economic security, public health and safety, or any combination of those matters.
(b) “Critical infrastructure information” means information not customarily in the public domain pertaining to any of the following:
(1) Actual, potential, or threatened interference with, or an attack on, compromise of, or incapacitation of critical infrastructure by either physical or computer-based attack or other similar conduct, including, but not limited to, the misuse of, or unauthorized access to, all types of communications and data transmission systems, that violates federal, state, or local law, harms economic security, or threatens public health or safety.
(2) The ability of critical infrastructure to resist any interference, compromise, or incapacitation, including, but not limited to, any planned or past assessment or estimate of the vulnerability of critical infrastructure, including, but not limited to, security testing, risk evaluation, risk management planning, or risk audits.
(3) Any planned or past operational problem or solution regarding critical infrastructure, including, but not limited to, repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to interference, compromise, or incapacitation of critical infrastructure.
(c) “Secretary” means the secretary of each state agency as set forth in subdivision (a) of Section 12800.
(d) “State agency” or “state agencies” means the same as “state agency” as set forth in Section 11000.
(a) On or before July 1, 2017, the office, in conjunction with the Department of Technology, shall transmit to the Legislature a cybersecurity incident response plan, known as the Cyber Security Annex to the State Emergency Plan, Emergency Function 18, or EF 18, that includes, but is not limited to, all of the following:
(1) Methods for providing emergency services.
(2) Command structure for statewide coordinated emergency services.
(3) Emergency service roles of appropriate state agencies.
(4) Identification of resources to be mobilized.
(5) Public information plans.
(6) Continuity of government services.
(b) The office shall transmit the plan to the Legislature pursuant to Section 9795.
On or before January 1, 2018, in conjunction with the Department of Technology, the office shall develop cybersecurity incident response standards for state agencies to prepare for cybersecurity interference with, or the compromise or incapacitation of, critical infrastructure and the development of critical infrastructure information, and to transmit critical infrastructure information to the office. In developing the standards, the office shall consider all of the following:
(a) Costs to implement the standards.
(b) Security of critical infrastructure information.
(c) Centralized management of risk.
(d) National private industry best practices.
(b) The office shall post the cybersecurity strategy on the Internet Web site of the office and transmit a copy to each secretary.
(a) Each state agency shall report on its compliance with the standards developed pursuant to Section 8592.40 to the office in the manner and at the time directed by the office, but no later than January 1, 2019.
(b) The office, in conjunction with the Department of Technology, shall provide suggestions for a state agency to improve compliance with the standards developed pursuant to Section 8592.40, if any, to the head of the state agency and the secretary responsible for the state agency. For a state agency that is not under the responsibility of a secretary, the office shall provide any suggestions to the head of the state agency and the Governor.
The report required by subdivision (a) of Section 8592.45 and any public records relating to any communication made pursuant to, or in furtherance of the purposes of, subdivision (b) of Section 8592.45 are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).
The Legislature finds and declares that Section 2 of this act, which adds Section 8592.50 to the Government Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:
Preventing public disclosure of the individual cybersecurity preparations of state agencies promotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure within the state.