BILL ANALYSIS

AB 1841

Date of Hearing: May 18, 2016

ASSEMBLY COMMITTEE ON APPROPRIATIONS
Lorena Gonzalez, Chair

AB 1841 (Irwin) - As Amended April 14, 2016

---------------------------------------------------------------------
|Policy Committee: |Privacy and Consumer Protection  |Vote: |11 - 0 |
|------------------+---------------------------------+------+-------|
|                  |Governmental Organization        |      |21 - 0 |
---------------------------------------------------------------------

Urgency: No    State Mandated Local Program: No    Reimbursable: No

SUMMARY:

This bill requires the state Office of Emergency Services (OES), in conjunction with the Department of Technology (CDT), to develop, by July 1, 2017, a statewide emergency services response plan for cybersecurity attacks against critical infrastructure (EF 18), and further requires OES and CDT to develop a comprehensive cybersecurity strategy by January 1, 2018, with which all state agencies must report compliance by January 1, 2019.

FISCAL EFFECT:

1) Unknown costs to OES to complete EF 18. This final piece of the emergency services response plan has been pending completion since 2011, and efforts are underway to complete it. Some additional resources may be required to support necessary hardware, software, and development of a secure database.

2) Ongoing costs to OES of approximately $1 million (GF) for database management and IT Services Division and Critical Infrastructure Protection Unit functions, once the project is complete.

COMMENTS:

1) Purpose. This bill is intended to speed the creation of a statewide cybersecurity response plan, otherwise known as EF 18, and a related strategy with standards for state agencies, by imposing various statutory deadlines.

According to the author, "Cybersecurity threats are on the rise and California is a priority target because of the size of our economy and the value of our networks and other assets. The state bears a responsibility in actively defending the critical networks that Californians rely on for services."

2) Background. In 2009, the California Legislature merged the powers, purposes, and responsibilities of the former OES with those of the Office of Homeland Security (OHS) into the newly-created California Emergency Management Agency (CalEMA). On July 1, 2013, Governor Edmund G. Brown Jr.'s Reorganization Plan #2 eliminated CalEMA and restored it to the Governor's Office, renaming it the California Governor's Office of Emergency Services (OES), and merging it with the Office of Public Safety Communications. Today, OES is responsible for overseeing and coordinating emergency preparedness, response, recovery and homeland security activities within the state.

3) State Emergency Plan (SEP). The SEP addresses the state's response to extraordinary emergency situations associated with natural disasters or human-caused emergencies. In accordance with the California Emergency Services Act, the plan describes the methods for carrying out emergency operations, the process for rendering mutual aid, the emergency services of governmental agencies, how resources are mobilized, how the public will be informed, and the process to ensure continuity of government during emergency or disaster. The SEP, amongst other things, establishes the California Emergency Functions (CA-EFs), which consist of 18 primary activities deemed essential to addressing the emergency management needs of communities in all phases of emergency management.

4) OES and EF 18.
OES, in its role as the state's lead agency on emergency preparedness, response, and damage mitigation, has responsibility to develop, implement, and manage a comprehensive strategy to protect the critical infrastructure systems of federal and state governments, and private entities. OES meets that responsibility in part by preparing the SEP. According to OES, only EF 18 remains incomplete, and is noted as being "in development." According to a briefing document from CDT provided by the author, CDT has completed two of five steps in the development of EF 18: identifying and engaging stakeholders, and forming a working group. The three remaining steps (clarify authorities, roles and responsibilities; develop functional annex; and develop concept of operations) are listed as "work in progress." EF 18 has been pending completion since 2011. This bill requires OES to finish EF 18 and provides deadlines for doing so.

5) Related legislation. This is one of five cybersecurity-related bills before this Committee today:

a) AB 1881 (Chang) requires the Director of CDT to develop and update mandatory baseline security controls for state networks based on industry and national standards, and annually measure the state's progress towards compliance.

b) AB 2623 (Gordon) requires state agencies and entities to report their information security expenditures on an annual basis to the CDT, including the expenditure of federal grant funds for information security purposes.

c) AB 2595 (Linder) establishes the California Cybersecurity Integration Center within the Office of Emergency Services to develop a cybersecurity strategy for California, and authorizes the administration of federal homeland security grant funding by OES.

d) AB 2720 (Chau) authorizes the creation of a Cybersecurity Vulnerability Reporting Reward Program that would provide a monetary reward to eligible individuals who identify and report previously unknown vulnerabilities in state computer networks.

Analysis Prepared by: Jennifer Swenson / APPR. / (916) 319-2081