as amended, Irwin. Cybersecurity incident response begin delete plan and end delete standards.
(1) The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. Existing law establishes the Department of Technology under the supervision of the Director of Technology who is also known as the State Chief Information Officer, and generally requires the Department of Technology to be responsible for the approval and oversight of information technology projects by, among other things, consulting with state agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs.
This bill would require the begin delete Office of Emergency Services, in conjunction with the Department of Technology, to transmit to the Legislature, on or before July 1, 2017, a cybersecurity incident response plan, known as the Cyber Security Annex to the State Emergency Plan, Emergency Function 18, or EF 18. The bill would further require the office, in conjunction with the Department of Technology and on or before January 1, 2018, to develop cybersecurity incident response standards for state agencies, as defined, to, among other things, prepare for cybersecurity interference with, or the compromise or incapacitation of, critical infrastructure and would require state agencies to report their compliance with these standards to the office. end delete The bill would require begin delete the office, in conjunction with the Department of Technology, end delete to provide suggestions for a state agency to improve compliance with these standards. The bill would prohibit public disclosure of reports and public records relating to the cybersecurity strategies of state agencies, as specified.
(2) Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.
This bill would make legislative findings to that effect.
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
The Legislature finds and declares all the
(a) The current pervasive use of information technology in public enterprises has resulted in an abundance of public access to information and services provided by the government, but the increased interdependence of information technology systems has created a new type of risk for society. Threats to public critical infrastructure that use information technology within the state present risks to public health and safety and could severely disrupt economic activity within California.
(b) Ensuring that sufficient preparations are taken to protect critical infrastructure from interference, compromise, or incapacitation is in the public interest and serves a public purpose.
(c) A comprehensive cybersecurity begin delete incident response plan, in a coordinated effort among state agencies, will help prepare for threats to critical infrastructure, thereby reducing the potential consequences from those attacks.
The Office of Emergency Services, in its role as the lead executive entity that coordinates state resources for emergency preparedness, response, and damage mitigation, is begin delete a state entity appropriate to develop, implement, and manage a comprehensive cybersecurity incident response plan, undertaken in a coordinated effort among state agencies, to protect critical infrastructure. The Office of Emergency Services is already developing the necessary expertise in cybersecurity through its current work developing methods to provide emergency services during an interference with, or the compromise or incapacitation of, critical infrastructure. end delete
It is the intent of the Legislature in enacting this legislation begin delete develop a end delete comprehensive begin delete incident response plan, end delete undertaken in a coordinated effort among state agencies, to prepare California for threats to critical infrastructure under the unifying coordination of the Office of Emergency Services.
Article 6.4 (commencing with Section 8592.30) is added to Chapter 7 of Division 1 of Title 2 of the Government Code, to read:
As used in this article, the following definitions shall
begin delete infrastructure” end delete means begin delete and end delete assets so vital to the state that the incapacity or destruction of those begin delete systems end delete or assets would have a debilitating impact on begin delete security, economic security, public health and safety, or any combination of those matters. end delete
(b) “Critical infrastructure information” means information not customarily in the public domain pertaining to any of the following:
(1) Actual, potential, or threatened interference with, or an attack on, compromise of, or incapacitation of critical infrastructure by either physical or computer-based attack or other similar conduct, including, but not limited to, the misuse of, or unauthorized access to, all types of communications and data transmission systems, that violates federal, state, or local begin delete law, harms economic security, or threatens public health or safety. end delete
(2) The ability of critical infrastructure to resist any interference, compromise, or incapacitation, including, but not limited to, any planned or past assessment or estimate of the vulnerability of critical begin delete infrastructure, including, but not limited to, security testing, risk evaluation, risk management planning, or risk audits. end delete
(3) Any planned or past operational problem or solution regarding critical begin delete infrastructure, end delete including, but not limited to, repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to interference, compromise, or incapacitation of critical begin delete infrastructure. end delete
“Secretary” means the secretary of each state agency as set forth in subdivision (a) of Section 12800.
“State agency” or “state agencies” means the same as “state agency” as set forth in Section 11000.
(a) On or before July 1, 2017, the office, in conjunction with the Department of Technology, shall transmit to the Legislature a cybersecurity incident response plan, known as the Cyber Security Annex to the State Emergency Plan Emergency Function 18, or EF 18, that includes, but is not limited to, all of
(1) Methods for providing emergency services.
(2) Command structure for statewide coordinated emergency
(3) Emergency service roles of appropriate state agencies.
(4) Identification of resources to be mobilized.
(5) Public information plans.
(6) Continuity of government services.
(b) The office shall transmit the plan to the Legislature pursuant to Section 9795.
On or before begin delete January end delete 1, 2018, begin delete in conjunction with the Department of Technology, the office shall develop cybersecurity incident response standards for state agencies to prepare for cybersecurity interference with, or the compromise or incapacitation of, critical infrastructure and the development of critical infrastructure information, and to transmit critical infrastructure information to the office. In developing the standards, the office shall consider all of the following: end delete
Costs to implement the standards.
Security of critical infrastructure information.
Centralized management of risk.
Industry best practices.
Continuity of operations.
Protection of personal information.
(a) Each state agency shall report on its compliance with the standards begin delete developed end delete pursuant to Section begin delete 8592.40 end delete to the begin delete office end delete in the manner and at the time directed by the begin delete office, end delete but no later than begin delete January end delete 1, 2019.
begin delete office, in conjunction with the Department of Technology, shall end delete provide suggestions for a state agency to improve compliance with the standards developed pursuant to Section begin delete 8592.40, end delete if any, to the head of the state agency and the secretary responsible for the state agency. For a state agency that is not under the responsibility of a secretary, begin delete office end delete shall provide any suggestions to the head of the state agency and the Governor.
The report required by subdivision (a) of Section
communication made pursuant to, or in furtherance of the purposes of, subdivision (b) of Section begin delete 8592.45 end delete are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).
The Legislature finds and declares that Section 2 of this act, which adds Section begin delete 8592.50 end delete to the Government Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting
Preventing public disclosure of the individual cybersecurity preparations of state agencies promotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure within the state.