Amended in Senate August 15, 2016

Amended in Senate August 2, 2016

Amended in Assembly April 14, 2016

Amended in Assembly March 28, 2016

California Legislature—2015–16 Regular Session

Assembly Bill No. 1841


Introduced by Assembly Member Irwin

(Coauthor: Senator Jackson)

February 9, 2016


An act to add Article 6.4 (commencing with Section 8592.30) to Chapter 7 of Division 1 of Title 2 of the Government Code, relating to state government.

LEGISLATIVE COUNSEL’S DIGEST

AB 1841, as amended, Irwin. Cybersecurity begin insert strategy end insert incident response begin delete plan and end delete standards.

(1) The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. Existing law establishes the Department of Technology under the supervision of the Director of Technology who is also known as the State Chief Information Officer, and generally requires the Department of Technology to be responsible for the approval and oversight of information technology projects by, among other things, consulting with state agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs. begin insert Existing law establishes the Office of Information Security, within the Department of Technology, under the direction of a chief who reports to the Director of Technology. end insert

This bill would require the begin delete Office of Emergency Services, in conjunction with the Department of Technology, to transmit to the Legislature, on or before July 1, 2017, a cybersecurity incident response plan, known as the Cyber Security Annex to the State Emergency Plan, Emergency Function 18, or EF 18. The bill would further require the office, in conjunction with the Department of Technology and on or before January 1, 2018, to develop cybersecurity incident response standards for state agencies, as defined, to, among other things, prepare for cybersecurity interference with, or the compromise or incapacitation of, critical infrastructure and would require state agencies to report their compliance with these standards to the office. end delete begin insert Department of Technology, in consultation with the Office of Emergency Services and compliance with the information security program required to be established by the chief of the Office of Information Security, to update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information. end insert The bill would require begin delete the office, in conjunction with the Department of Technology, end delete begin insert each state agency to provide its updated Technology Recovery Plan and report on its compliance with these updated standards to the department, as specified, and authorize the department, in consultation with the Office of Emergency Services, end insert to provide suggestions for a state agency to improve compliance with these standards. begin insert The bill would define terms for its purposes and make legislative findings in support of its provisions. end insert The bill would prohibit public disclosure of reports and public records relating to the cybersecurity strategies of state agencies, as specified.

(2) Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.

This bill would make legislative findings to that effect.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. The Legislature finds and declares all the following:

(a) The current pervasive use of information technology in public enterprises has resulted in an abundance of public access to information and services provided by the government, but the increased interdependence of information technology systems has created a new type of risk for society. Threats to public critical infrastructure that use information technology within the state present risks to public health and safety and could severely disrupt economic activity within California.

(b) Ensuring sufficient preparations are taken to protect critical infrastructure from interference, compromise, or incapacitation is in the public interest and serves a public purpose.

(c) A comprehensive cybersecurity begin delete incident response plan, undertaken end delete begin insert strategy, related to state agency critical infrastructure information and control, developed end insert in a coordinated effort among state agencies, will help prepare for threats to critical infrastructure, thereby reducing the potential consequences from those attacks.

begin insert
(d) The Department of Technology, in its role as the lead entity that coordinates state resources in the development of information technology (IT) strategy and policy, directs state agency information security and privacy standards and procedures for the day-to-day protection of state information assets from a variety of threats, including, but not limited to, cybersecurity threats and attacks.
end insert
begin delete
(d)
end delete

begin insert (e) end insert The Office of Emergency Services, in its role as the lead executive entity that coordinates state resources for emergency preparedness, response, and damage mitigation, is begin delete a state entity appropriate to develop, implement, and manage a comprehensive cybersecurity incident response plan, undertaken in a coordinated effort among state agencies, to protect critical infrastructure. The Office of Emergency Services is already developing the necessary expertise in cybersecurity through its current work developing methods to provide emergency services during an interference with, or the compromise or incapacitation of, critical infrastructure. end delete begin insert integrating cybersecurity into the State Emergency Plan. end insert

begin insert
(f) The Department of Technology is continuing its state government oversight and compliance monitoring program, and enhancing day-to-day information security incident response coordination with the Office of Emergency Services, Department of the California Highway Patrol’s Computer Crimes Investigation Unit, and the Military Department.
end insert
begin delete
(e)
end delete

begin insert (g) end insert It is the intent of the Legislature in enacting this legislation to begin delete develop a end delete begin insert add to the ongoing work of the state’s end insert comprehensive cybersecurity begin delete incident response plan, end delete begin insert strategy, end insert undertaken in a coordinated effort among state agencies, to prepare California for threats to critical infrastructure under the unifying coordination of the Office of Emergency Services.

SEC. 2. Article 6.4 (commencing with Section 8592.30) is added to Chapter 7 of Division 1 of Title 2 of the Government Code, to read:

Article 6.4. Cybersecurity

8592.30. As used in this article, the following definitions shall apply:

(a) “Critical begin delete infrastructure” end delete begin insert infrastructure controls” end insert means begin insert networks and end insert systems begin delete and end delete begin insert controlling end insert assets so vital to the state that the incapacity or destruction of those begin delete systems end delete begin insert networks, systems, end insert or assets would have a debilitating impact on begin delete security, economic security, public health and safety, or any combination of those matters. end delete begin insert public health, safety, economic security, or any combination thereof. end insert

(b) “Critical infrastructure information” means information not customarily in the public domain pertaining to any of the following:

(1) Actual, potential, or threatened interference with, or an attack on, compromise of, or incapacitation of critical infrastructure begin insert controls end insert by either physical or computer-based attack or other similar conduct, including, but not limited to, the misuse of, or unauthorized access to, all types of communications and data transmission systems, that violates federal, state, or local begin delete law, harms economic security, or threatens public health or safety. end delete begin insert law or harms public health, safety, or economic security, or any combination thereof. end insert

(2) The ability of critical infrastructure begin insert controls end insert to resist any interference, compromise, or incapacitation, including, but not limited to, any planned or past assessment or estimate of the vulnerability of critical begin delete infrastructure, including, but not limited to, security testing, risk evaluation, risk management planning, or risk audits. end delete begin insert infrastructure. end insert

(3) Any planned or past operational problem or solution regarding critical begin delete infrastructure, end delete begin insert infrastructure controls, end insert including, but not limited to, repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to interference, compromise, or incapacitation of critical begin delete infrastructure. end delete begin insert infrastructure controls. end insert

begin insert
(c) “Department” means the Department of Technology.
end insert
begin insert
(d) “Office” means the Office of Emergency Services.
end insert
begin delete
(c)
end delete

begin insert (e) end insert “Secretary” means the secretary of each state agency as set forth in subdivision (a) of Section 12800.

begin delete
(d)
end delete

begin insert (f) end insert “State agency” or “state agencies” means the same as “state agency” as set forth in Section 11000.

begin delete
8592.35. (a) On or before July 1, 2017, the office, in conjunction with the Department of Technology, shall transmit to the Legislature a cybersecurity incident response plan, known as the Cyber Security Annex to the State Emergency Plan Emergency Function 18, or EF 18, that includes, but is not limited to, all of the following:

(1) Methods for providing emergency services.

(2) Command structure for statewide coordinated emergency services.

(3) Emergency service roles of appropriate state agencies.

(4) Identification of resources to be mobilized.

(5) Public information plans.

(6) Continuity of government services.

(b) The office shall transmit the plan to the Legislature pursuant to Section 9795.
end delete
begin delete 8592.40. end delete begin insert 8592.35. end insert begin insert (a) (1) end insert On or before begin delete January end delete begin insert July end insert 1, 2018, begin delete in conjunction with the Department of Technology, the office shall develop cybersecurity incident response standards for state agencies to prepare for cybersecurity interference with, or the compromise or incapacitation of, critical infrastructure and the development of critical infrastructure information, and to transmit critical infrastructure information to the office. In developing the standards, the office shall consider all of the following: end delete begin insert the department shall, in consultation with the office and compliance with Section 11549.3, update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information. end insert

begin insert
(2) In updating the standards in paragraph (1), the department shall consider, but not be limited to considering, all of the following:
end insert
begin delete
(a)
end delete

begin insert (A) end insert Costs to implement the standards.

begin delete
(b)
end delete

begin insert (B) end insert Security of critical infrastructure information.

begin delete
(c)
end delete

begin insert (C) end insert Centralized management of risk.

begin delete
(d)
end delete

begin insert (D) end insert Industry best practices.

begin delete
(e)
end delete

begin insert (E) end insert Continuity of operations.

begin delete
(f)
end delete

begin insert (F) end insert Protection of personal information.

begin insert
(b) Each state agency shall provide the department with a copy of its updated Technology Recovery Plan.
end insert

end insert
begin delete 8592.45. end delete begin insert 8592.40. end insert (a) Each state agency shall report on its compliance with the standards begin delete developed end delete begin insert updated end insert pursuant to Section begin delete 8592.40 end delete begin insert 8592.35 end insert to the begin delete office end delete begin insert department end insert in the manner and at the time directed by the begin delete office, end delete begin insert department, end insert but no later than begin delete January end delete begin insert July end insert 1, 2019.

(b) The begin delete office, end delete begin insert department, end insert in conjunction with the begin delete Department of Technology, shall end delete begin insert office, may end insert provide suggestions for a state agency to improve compliance with the standards developed pursuant to Section begin delete 8592.40, end delete begin insert 8592.35, end insert if any, to the head of the state agency and the secretary responsible for the state agency. For a state agency that is not under the responsibility of a secretary, the begin delete office end delete begin insert department end insert shall provide any suggestions to the head of the state agency and the Governor.

begin delete 8592.50 end delete begin insert 8592.45. end insert The begin insert information required by subdivision (b) of Section 8592.35, the end insert report required by subdivision (a) of Section begin delete 8592.45 end delete begin insert 8592.40, end insert and any public records relating to any communication made pursuant to, or in furtherance of the purposes of, subdivision (b) of Section begin delete 8592.45 end delete begin insert 8592.40 end insert are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).

SEC. 3. The Legislature finds and declares that Section 2 of this act, which adds Section begin delete 8592.50 end delete begin insert 8592.45 end insert to the Government Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:

Preventing public disclosure of the individual cybersecurity preparations begin insert and critical infrastructure information end insert of state agencies promotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure begin insert controls end insert within the state.


