Amended in Assembly April 14, 2016

Amended in Assembly March 28, 2016

California Legislature—2015–16 Regular Session

Assembly Bill No. 1841


Introduced by Assembly Member Irwin

February 9, 2016


An act to add Article 6.4 (commencing with Section 8592.30) to Chapter 7 of Division 1 of Title 2 of the Government Code, relating to begin delete emergency services. end delete begin insert state government. end insert

LEGISLATIVE COUNSEL’S DIGEST

AB 1841, as amended, Irwin. begin delete Office of Emergency Services: duties: cybersecurity. end delete begin insert Cybersecurity incident response plan and standards. end insert

(1) The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. begin insert Existing law establishes the Department of Technology under the supervision of the Director of Technology who is also known as the State Chief Information Officer, and generally requires the Department of Technology to be responsible for the approval and oversight of information technology projects by, among other things, consulting with state agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs. end insert

This bill would require the Office of Emergency begin delete Services end delete begin insert Services, in conjunction with the Department of Technology, end insert to transmit to the Legislature, on or before July 1, 2017, begin insert a cybersecurity incident response plan, known as end insert the Cyber Security Annex to the State Emergency Plan, begin delete also known as end delete Emergency Function begin delete 18 end delete begin insert 18, end insert or EF 18. The bill would further require the begin delete office end delete begin insert office, in conjunction with the Department of Technology and on or before January 1, 2018, end insert to develop begin delete a comprehensive end delete cybersecurity begin delete strategy setting end delete begin insert incident response end insert standards for state agencies, as defined, to, among other things, prepare for cybersecurity interference with, or the compromise or incapacitation of, critical infrastructure and would require state agencies to report begin delete its end delete begin insert their end insert compliance with these standards to the office. The bill would require the begin delete office end delete begin insert office, in conjunction with the Department of Technology, end insert to provide suggestions for a state agency to improve compliance with these standards. The bill would prohibit public disclosure of begin insert reports and end insert public records relating to the cybersecurity strategies of state agencies, as specified.

(2) Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.

This bill would make legislative findings to that effect.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:


SECTION 1.  

The Legislature finds and declares all the following:

(a) The current pervasive use of information technology in public enterprises has resulted in an abundance of public access to information and services provided by the government, but the increased interdependence of information technology systems has created a new type of risk for society. Threats to public critical infrastructure that use information technology within the state present risks to public health and safety and could severely disrupt economic activity within California.

(b) Ensuring that sufficient preparations are taken to protect critical infrastructure from interference, compromise, or incapacitation is in the public interest and serves a public purpose.

(c) A comprehensive cybersecurity begin delete strategy, end delete begin insert incident response plan, end insert undertaken in a coordinated effort begin delete between end delete begin insert among end insert state agencies, will help prepare for threats to critical infrastructure, thereby reducing the potential consequences from those attacks.

(d) The Office of Emergency Services, in its role as the lead executive entity that coordinates state resources for emergency preparedness, response, and damage mitigation, is a state entity appropriate to develop, implement, and manage a comprehensive cybersecurity begin delete strategy, end delete begin insert incident response plan, end insert undertaken in a coordinated effort begin delete between end delete begin insert among end insert state agencies, to protect critical infrastructure. The Office of Emergency Services is already developing the necessary expertise in cybersecurity through its current work developing methods to provide emergency services during an interference with, or the compromise or incapacitation of, critical infrastructure.

(e) It is the intent of the Legislature in enacting this legislation to develop a comprehensive cybersecurity begin delete strategy, end delete begin insert incident response plan, end insert undertaken in a coordinated effort begin delete between end delete begin insert among end insert state agencies, to prepare California for threats to critical infrastructure under the unifying coordination of the Office of Emergency Services.


SEC. 2.  

Article 6.4 (commencing with Section 8592.30) is added to Chapter 7 of Division 1 of Title 2 of the Government Code, to read:

Article 6.4.  Cybersecurity

8592.30.  

As used in this article, the following definitions shall apply:

(a) “Critical infrastructure” means systems and assets so vital to the state that the incapacity or destruction of those systems or assets would have a debilitating impact on security, economic security, public health and safety, or any combination of those matters.

(b) “Critical infrastructure information” means information not customarily in the public domain pertaining to any of the following:

(1) Actual, potential, or threatened interference with, or an attack on, compromise of, or incapacitation of critical infrastructure by either physical or computer-based attack or other similar conduct, including, but not limited to, the misuse of, or unauthorized access to, all types of communications and data transmission systems, that violates federal, state, or local law, harms economic security, or threatens public health or safety.

(2) The ability of critical infrastructure to resist any interference, compromise, or incapacitation, including, but not limited to, any planned or past assessment or estimate of the vulnerability of critical infrastructure, including, but not limited to, security testing, risk evaluation, risk management planning, or risk audits.

(3) Any planned or past operational problem or solution regarding critical infrastructure, including, but not limited to, repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to interference, compromise, or incapacitation of critical infrastructure.

(c) “Secretary” means the secretary of each state agency as set forth in subdivision (a) of Section 12800.

(d) “State agency” or “state agencies” means the same as “state agency” as set forth in Section 11000.


8592.35.  

(a) On or before July 1, 2017, the begin delete office end delete begin insert office, in conjunction with the Department of Technology, end insert shall transmit to the Legislature begin insert a cybersecurity incident response plan, known as end insert the Cyber Security Annex to the State Emergency Plan begin delete , also known as end delete Emergency Function begin delete 18 end delete begin insert 18, end insert or EF 18, that includes, but is not limited to, all of the following:

(1) Methods for providing emergency services.

(2) Command structure for begin delete state-wide end delete begin insert statewide end insert coordinated emergency services.

(3) Emergency service roles of appropriate state agencies.

(4) Identification of resources to be mobilized.

(5) Public information plans.

(6) Continuity of government services.

(b) The office shall transmit the plan to the Legislature pursuant to Section 9795.


8592.40.  

begin delete (a) end delete On or before begin delete July end delete begin insert January end insert 1, 2018, begin insert in conjunction with the Department of Technology, end insert the office shall develop begin delete a comprehensive end delete cybersecurity begin delete strategy setting end delete begin insert incident response end insert standards for state agencies to prepare for cybersecurity interference with, or the compromise or incapacitation of, critical infrastructure and the development of critical infrastructure information, and to transmit critical infrastructure information to the office. In developing the standards, the office shall consider all of the following:

begin delete (1) end delete begin insert (a) end insert Costs to implement the standards.

begin delete (2) end delete begin insert (b) end insert Security of critical infrastructure information.

begin delete (3) end delete begin insert (c) end insert Centralized management of risk.

begin delete (4) end delete begin insert (d) end insert National private industry best practices.

begin delete (b) The office shall post the cybersecurity strategy on the Internet Web site of the office and transmit a copy to each secretary. end delete

8592.45.  

(a) Each state agency shall report on begin delete their end delete begin insert its end insert compliance with the standards developed pursuant to Section 8592.40 to the office in the manner and at the time directed by the begin delete office end delete begin insert office, end insert but no later than January 1, 2019.

(b) The begin delete office end delete begin insert office, in conjunction with the Department of Technology, end insert shall provide suggestions for a state agency to improve compliance with the standards developed pursuant to Section 8592.40, if any, to the head of the state agency and the secretary responsible for the state agency. For a state agency that is not under the responsibility of a secretary, the office shall provide any suggestions to the head of the state agency and the Governor.


8592.50.  

The report required by subdivision (a) of Section 8592.45 and any public records relating to any communication made pursuant to, or in furtherance of the purposes of, subdivision (b) of Section 8592.45 are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).


SEC. 3.  

The Legislature finds and declares that Section 2 of this act, which adds Section 8592.50 to the Government Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:

Preventing public disclosure of the individual cybersecurity preparations of state agencies promotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure within the state.
