AB 1841, as amended, Irwin. Cybersecurity incident response plan and standards.
(1) The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. Existing law establishes the Department of Technology under the supervision of the Director of Technology who is also known as the State Chief Information Officer, and generally requires the Department of Technology to be responsible for the approval and oversight of information technology projects by, among other things, consulting with state agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs.
This bill would require the Office of Emergency Services, in conjunction with the Department of Technology, to transmit to the Legislature, on or before July 1, 2017, a cybersecurity incident response plan, known as the Cyber Security Annex to the State Emergency Plan, Emergency Function 18, or EF 18. The bill would further require the office, in conjunction with the Department of Technology and on or before January 1, 2018, to develop cybersecurity incident response standards for state agencies, as defined, to, among other things, prepare for cybersecurity interference with, or the compromise or incapacitation of, critical infrastructure and would require state agencies to report their compliance with these standards to the office. The bill would require the office, in conjunction with the Department of Technology, to provide suggestions for a state agency to improve compliance with these standards. The bill would prohibit public disclosure of reports and public records relating to the cybersecurity strategies of state agencies, as specified.
(2) Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.
This bill would make legislative findings to that effect.
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
The Legislature finds and declares all the
2following:
3(a) The current pervasive use of information technology in
4public enterprises has resulted in an abundance of public access
5to information and services provided by the government, but the
6increased interdependence of information technology systems has
7created a new type of risk for society. Threats to public critical
8infrastructure that use information technology within the state
9present risks to public health and safety and could severely disrupt
10economic activity within California.
11(b) Ensuring sufficient preparations are taken
to protect critical
12infrastructure from interference, compromise, or incapacitation
13are in the public interest and serve a public purpose.
14(c) A comprehensive cybersecurity incident response plan,
15undertaken in a coordinated effort among state agencies, will help
P3 1prepare for threats to critical infrastructure, thereby reducing the
2potential consequences from those attacks.
3(d) The Office of Emergency Services, in its role as the lead
4executive entity that coordinates state resources for emergency
5preparedness, response, and damage mitigation, is a state entity
6appropriate to develop, implement, and manage a comprehensive
7cybersecurity incident response plan, undertaken in a coordinated
8effort among state agencies, to protect critical infrastructure. The
9Office of Emergency
Services is already developing the necessary
10expertise in cybersecurity through its current work developing
11methods to provide emergency services during an interference
12with, or the compromise or incapacitation of, critical infrastructure.
13(e) It is the intent of the Legislature in enacting this legislation
14to develop a comprehensive cybersecurity incident response plan,
15undertaken in a coordinated effort among
state agencies, to prepare
16California for threats to critical infrastructure under the unifying
17coordination of the Office of Emergency Services.
Article 6.4 (commencing with Section 8592.30) is
19added to Chapter 7 of Division 1 of Title 2 of the Government
20Code, to read:
21
As used in this article, the following definitions shall
25apply:
26(a) “Critical infrastructure” means systems and assets so vital
27to the state that the incapacity or destruction of those systems or
28assets would have a debilitating impact on security, economic
29security, public health and safety, or any combination of those
30matters.
31(b) “Critical infrastructure information” means information not
32customarily in the public domain pertaining to any of the following:
33(1) Actual, potential, or threatened interference with, or an attack
34on, compromise of, or
incapacitation of critical infrastructure by
35either physical or computer-based attack or other similar conduct,
36including, but not limited to, the misuse of, or unauthorized access
37to, all types of communications and data transmission systems,
38that violates federal, state, or local law, harms economic security,
39or threatens public health or safety.
P4 1(2) The ability of critical infrastructure to resist any interference,
2compromise, or incapacitation, including, but not limited to, any
3planned or past assessment or estimate of the vulnerability of
4critical infrastructure, including, but not limited to, security testing,
5risk evaluation, risk management planning, or risk audits.
6(3) Any planned or past operational problem or solution
7
regarding critical infrastructure, including, but not limited to, repair,
8recovery, reconstruction, insurance, or continuity, to the extent it
9is related to interference, compromise, or incapacitation of critical
10infrastructure.
11(c) “Secretary” means the secretary of each state agency as set
12forth in subdivision (a) of Section 12800.
13(d) “State agency” or “state agencies” means the same as “state
14agency” as set forth in Section 11000.
(a) On or before July 1, 2017, the office, in
16conjunction with the Department of Technology, shall transmit to
17the Legislature a cybersecurity incident response plan, known as
18the Cyber Security Annex to the State Emergency Plan Emergency
19Function 18, or EF 18, that includes, but is not limited to, all of
20the following:
21(1) Methods for providing emergency services.
22(2) Command structure for statewide coordinated emergency
23services.
24(3) Emergency service roles of appropriate state agencies.
25(4) Identification of resources to be mobilized.
26(5) Public information plans.
27(6) Continuity of government services.
28(b) The office shall transmit the plan to the Legislature pursuant
29to Section 9795.
On or before January 1, 2018, in conjunction with
31the Department of Technology, the office shall develop
32cybersecurity incident response standards for state agencies to
33prepare for cybersecurity interference with, or the compromise or
34incapacitation of, critical infrastructure and the development of
35critical infrastructure information, and to transmit critical
36infrastructure information to the office. In developing the standards,
37the office shall consider all of the following:
38(a) Costs to implement the standards.
39(b) Security of critical infrastructure information.
40(c) Centralized management of risk.
P5 1(d) begin deleteNational private industry end deletebegin insertIndustryend insertbegin insert end insertbest practices.
2
(e) Continuity of operations.
3
(f) Protection of personal information.
(a) Each state agency shall report on its compliance
5with the standards developed pursuant to Section 8592.40 to the
6office in the manner and at the time directed by the office, but no
7later than January 1, 2019.
8(b) The office, in conjunction with the Department of
9Technology, shall provide suggestions for a state agency to improve
10compliance with the standards developed pursuant to Section
118592.40, if any, to the head of the state agency and the secretary
12responsible for the state agency. For a state agency that is not under
13the responsibility of a secretary, the office shall provide any
14suggestions to the head of the state agency and the
Governor.
The report required by subdivision (a) of Section
16
8592.45 and any public records relating to any communication
17made pursuant to, or in furtherance of the purposes of, subdivision
18(b) of Section 8592.45 are confidential and shall not be disclosed
19pursuant to any state law, including, but not limited to, the
20California Public Records Act (Chapter 3.5 (commencing with
21Section 6250) of Division 7 of Title 1).
The Legislature finds and declares that Section 2 of
23this act, which adds Section 8592.50 to the Government Code,
24imposes a limitation on the public’s right of access to the meetings
25of public bodies or the writings of public officials and agencies
26within the meaning of Section 3 of Article I of the California
27Constitution. Pursuant to that constitutional provision, the
28Legislature makes the following findings to demonstrate the interest
29protected by this limitation and the need for protecting that interest:
30Preventing public disclosure of the individual cybersecurity
31preparations of state agencies promotes public safety by prohibiting
32access to
those who would use that information to thwart the
33cybersecurity of critical infrastructure within the state.
O
96