BILL ANALYSIS                                                                                                                                                                                                    



                                                                    AB 1841


                                                                    Page  1





          Date of Hearing:  May 18, 2016


                        ASSEMBLY COMMITTEE ON APPROPRIATIONS


                               Lorena Gonzalez, Chair


          AB 1841 (Irwin) - As Amended April 14, 2016


           ----------------------------------------------------------------- 
          |Policy       |Privacy and Consumer           |Vote:|11 - 0       |
          |Committee:   |Protection                     |     |             |
          |-------------+-------------------------------+-----+-------------|
          |             |Governmental Organization      |     |21 - 0       |
           ----------------------------------------------------------------- 


          Urgency:  No  State Mandated Local Program:  No  Reimbursable:  No


          SUMMARY:


          This bill requires the state Office of Emergency Services (OES),  
          in conjunction with the Department of Technology (CDT), to  
          develop, by July 1, 2017, a statewide emergency services  
          response plan for cybersecurity attacks against critical
          infrastructure (EF 18), and further requires OES and CDT to
          develop a comprehensive cybersecurity strategy by January 1,  
          2018, with which all state agencies must report compliance by  
          January 1, 2019.  


          FISCAL EFFECT:


          1)Unknown costs to OES to complete EF 18.  This final piece of  
            the emergency services response plan has been pending  
            completion since 2011, and efforts are underway to complete  
            it. Some additional resources may be required to support  
            necessary hardware, software, and development of a secure  
            database.


          2)Ongoing costs to OES of approximately $1 million (GF) for
            database management and IT Services Division and Critical
            Infrastructure Protection Unit functions, once the project is
            complete.


          COMMENTS:


          1)Purpose. This bill is intended to speed the creation of a  
            statewide cybersecurity response plan, otherwise known as EF  
            18, and a related strategy with standards for state agencies,  
            by imposing various statutory deadlines. According to the  
            author, "Cybersecurity threats are on the rise and California  
            is a priority target because of the size of our economy and  
            the value of our networks and other assets.  The state bears a  
            responsibility in actively defending the critical networks  
            that Californians rely on for services."


          2)Background. In 2009, the California Legislature merged the  
            powers, purposes, and responsibilities of the former OES with
            those of the Office of Homeland Security (OHS) into the newly
            created California Emergency Management Agency (CalEMA). On
            July 1, 2013, Governor Edmund G. Brown Jr.'s Reorganization  
            Plan #2 eliminated CalEMA and restored it to the Governor's  
            Office, renaming it the California Governor's Office of  
            Emergency Services (OES), and merging it with the Office of  
            Public Safety Communications. Today, OES is responsible for  
            overseeing and coordinating emergency preparedness, response,  
            recovery and homeland security activities within the state.



          3)State Emergency Plan (SEP). The SEP addresses the state's  
            response to extraordinary emergency situations associated with  
            natural disasters or human-caused emergencies.  In accordance  
            with the California Emergency Services Act, the plan describes  
            the methods for carrying out emergency operations, the process  
            for rendering mutual aid, the emergency services of  
            governmental agencies, how resources are mobilized, how the  
            public will be informed, and the process to ensure continuity  
            of government during emergency or disaster.

            The SEP, amongst other things, establishes the California  
            Emergency Functions (CA-EFs), which consist of 18 primary  
            activities deemed essential to addressing the emergency  
            management needs of communities in all phases of emergency  
            management.

          4)OES and EF 18.  OES, in its role as the state's lead agency  
            on emergency preparedness, response, and damage mitigation,  
            has responsibility to develop, implement, and manage a  
            comprehensive strategy to protect the critical  
            infrastructure systems of federal and state governments,  
            and private entities.  OES meets that responsibility in
            part by preparing the SEP.

            According to OES, only EF 18 remains incomplete, and is  
            noted as being "in development." According to a briefing  
            document from CDT provided by the author, CDT has completed
            two of five steps in the development of EF 18: identifying
            and engaging stakeholders, and forming a working group.   
            The three remaining steps (clarify authorities, roles and
            responsibilities; develop functional annex; and develop
            concept of operations) are listed as "work in progress."
            EF 18 has been pending completion since 2011.  

            This bill requires OES to finish EF 18 and provides  
            deadlines for doing so.

          5)Related legislation.  This is one of five  
            cybersecurity-related bills before this Committee today:


             a)   AB 1881 (Chang) requires the Director of CDT to develop
               and update mandatory baseline security controls for state
               networks based on industry and national standards, and
               annually measure the state's progress towards compliance.



             b)   AB 2623 (Gordon) requires state agencies and entities to  
               report their information security expenditures on an annual  
               basis to the CDT, including the expenditure of federal  
               grant funds for information security purposes.



             c)   AB 2595 (Linder) establishes the California  
               Cybersecurity Integration Center within the Office of  
               Emergency Services to develop a cybersecurity strategy for  
               California, and authorizes the administration of federal  
               homeland security grant funding by OES.



             d)   AB 2720 (Chau) authorizes the creation of a  
               Cybersecurity Vulnerability Reporting Reward Program that  
               would provide a monetary reward to eligible individuals who
               identify and report previously unknown vulnerabilities in
               state computer networks.






          Analysis Prepared by: Jennifer Swenson / APPR. / (916) 319-2081