as amended, Irwin.
begin delete Office of Emergency Services: duties: cybersecurity. end delete
(1) The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state.
This bill would require the Office of Emergency begin delete Services end delete to transmit to the Legislature, on or before July 1, 2017, the Cyber Security Annex to the State Emergency Plan, begin delete also known as end delete Emergency Function begin delete 18 end delete or EF 18. The bill would further require the begin delete office end delete to develop begin delete a comprehensive end delete cybersecurity begin delete strategy setting end delete standards for state agencies, as defined, to, among other things, prepare for cybersecurity interference with, or the compromise or incapacitation of, critical infrastructure and would require state agencies to report begin delete its end delete compliance with these standards to the office. The bill would require the begin delete office end delete to provide suggestions for a state agency to improve compliance with these standards. The bill would prohibit public disclosure of public records relating to the cybersecurity strategies of state agencies, as specified.
(2) Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.
This bill would make legislative findings to that effect.
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
The Legislature finds and declares all the
(a) The current pervasive use of information technology in public enterprises has resulted in an abundance of public access to information and services provided by the government, but the increased interdependence of information technology systems has created a new type of risk for society. Threats to public critical infrastructure that use information technology within the state present risks to public health and safety and could severely disrupt economic activity within California.
(b) Ensuring sufficient preparations are taken to protect infrastructure from interference, compromise, or incapacitation are in the public interest and serve a public purpose.
(c) A comprehensive cybersecurity begin delete strategy, end delete undertaken in a coordinated effort begin delete between end delete state agencies, will help prepare for threats to critical infrastructure, thereby reducing the potential consequences from those attacks.
(d) The Office of Emergency Services, in its role as the lead executive entity that coordinates state resources for emergency preparedness, response, and damage mitigation, is a state entity appropriate to develop, implement, and manage a comprehensive begin delete strategy, end delete undertaken in a begin delete between end delete state agencies, to protect critical infrastructure. The Office of Emergency Services is already developing the necessary expertise in cybersecurity through its current work developing methods to provide emergency services during an interference with, or the compromise or incapacitation of, critical infrastructure.
(e) It is the intent of the Legislature in enacting this legislation to develop a comprehensive cybersecurity begin delete strategy, end delete undertaken in a coordinated effort begin delete between end delete state agencies, to prepare California for threats to critical infrastructure under the unifying coordination of the Office of
Article 6.4 (commencing with Section 8592.30) is added to Chapter 7 of Division 1 of Title 2 of the Government Code, to read:
As used in this article, the following definitions shall
(a) “Critical infrastructure” means systems and assets so vital to the state that the incapacity or destruction of those systems or assets would have a debilitating impact on security, economic security, public health and safety, or any combination of those
(b) “Critical infrastructure information” means information not customarily in the public domain pertaining to any of the following:
(1) Actual, potential, or threatened interference with, or an attack on, compromise of, or incapacitation of critical infrastructure by either physical or computer-based attack or other similar conduct, including, but not limited to, the misuse of, or unauthorized access to, all types of communications and data transmission systems, that violates federal, state, or local law, harms economic security, or threatens public health or safety.
(2) The ability of critical infrastructure to resist any interference, compromise, or incapacitation, including, but not limited to, any planned or past assessment or estimate of the vulnerability of critical infrastructure, including, but not limited to, security testing, risk evaluation, risk management planning, or risk audits.
(3) Any planned or past operational problem or solution regarding critical infrastructure, including, but not limited to, repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to interference, compromise, or incapacitation of critical
(c) “Secretary” means the secretary of each state agency as set forth in subdivision (a) of Section 12800.
(d) “State agency” or “state agencies” means the same as “state agency” as set forth in Section 11000.
(a) On or before July 1, 2017, the begin delete office end delete shall transmit to the Cyber Security Annex to the State Emergency Plan begin delete , also known as end delete Emergency Function begin delete 18 end delete or EF 18, that includes, but is not limited to, all of the following:
(1) Methods for providing emergency services.
(2) Command structure for begin delete state-wide end delete coordinated
(3) Emergency service roles of appropriate state agencies.
(4) Identification of resources to be mobilized.
(5) Public information plans.
(6) Continuity of government services.
(b) The office shall transmit the plan to the Legislature to Section 9795.
begin delete (a) end delete On or before begin delete July end delete 1, 2018, the office shall develop begin delete a cybersecurity begin delete strategy setting end delete standards for state agencies to prepare for cybersecurity interference with, or the compromise or incapacitation of, critical infrastructure and the development of critical infrastructure information, and to transmit critical infrastructure information to the office. In developing the standards, the office shall consider all of the following:
Costs to implement the standards.
begin delete (2) end delete Security of critical infrastructure information.
Centralized management of risk.
National private industry best practices.
(b) The office shall post the cybersecurity strategy on the Internet Web site of the office and transmit a copy to each
(a) Each state agency shall report on begin delete their end delete compliance with the standards developed pursuant to Section 8592.40 to the office in the manner and at the time directed by the begin delete office end delete but no later than January 1, 2019.
begin delete office end delete shall provide suggestions for a state agency to improve compliance with the standards developed pursuant to Section 8592.40, if any, to the head of the state agency and the secretary responsible for the state agency. For a state agency that is not under the responsibility of a secretary, the office shall provide any suggestions to the head of the state agency and the Governor.
The report required by subdivision (a) of Section 8592.45 and any public records relating to any communication made pursuant to, or in furtherance of the purposes of, subdivision (b) of Section 8592.45 are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).
The Legislature finds and declares that Section 2 of this act, which adds Section 8592.50 to the Government Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:
Preventing public disclosure of the individual cybersecurity preparations of state agencies promotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure within the state.