BILL ANALYSIS

AB 1841 Page 1

ASSEMBLY THIRD READING
AB 1841 (Irwin)
As Amended April 14, 2016
Majority vote

------------------------------------------------------------------
|Committee       |Votes|Ayes                  |Noes                |
|----------------+-----+----------------------+--------------------|
|Privacy         |11-0 |Chau, Wilk, Baker,    |                    |
|                |     |Calderon, Chang,      |                    |
|                |     |Cooper, Dababneh,     |                    |
|                |     |Gatto, Gordon, Low,   |                    |
|                |     |Olsen                 |                    |
|----------------+-----+----------------------+--------------------|
|Governmental    |21-0 |Gray, Bigelow, Alejo, |                    |
|Organization    |     |Bonta, Campos,        |                    |
|                |     |Cooley, Cooper, Daly, |                    |
|                |     |Gallagher, Cristina   |                    |
|                |     |Garcia, Eduardo       |                    |
|                |     |Garcia, Gipson,       |                    |
|                |     |Roger Hernández,      |                    |
|                |     |Jones-Sawyer, Levine, |                    |
|                |     |Linder, Maienschein,  |                    |
|                |     |Salas, Steinorth,     |                    |
|                |     |Waldron, Wilk         |                    |
|----------------+-----+----------------------+--------------------|
|Appropriations  |20-0 |Gonzalez, Bigelow,    |                    |
|                |     |Bloom, Bonilla,       |                    |
|                |     |Bonta, Calderon,      |                    |
|                |     |Chang, Daly, Eggman,  |                    |
|                |     |Gallagher, Eduardo    |                    |
|                |     |Garcia, Roger         |                    |
|                |     |Hernández, Holden,    |                    |
|                |     |Jones, Obernolte,     |                    |
|                |     |Quirk, Santiago,      |                    |
|                |     |Wagner, Weber, Wood   |                    |
------------------------------------------------------------------

SUMMARY: Requires the state Office of Emergency Services (OES), in conjunction with the California Department of Technology (CDT), to develop a cybersecurity incident response plan for cybersecurity attacks against critical infrastructure, and further requires OES to jointly develop cybersecurity incident response standards by January 1, 2018, with which all state agencies must report compliance by January 1, 2019.
Specifically, this bill:

1) Requires, on or before July 1, 2017, OES, in conjunction with CDT, to transmit to the Legislature the Cyber Security Annex to the State Emergency Plan (SEP), a cybersecurity incident response plan also known as Emergency Function 18 (or EF 18) that includes, but is not limited to, all of the following:

   a) Methods for providing emergency services;

   b) Command structure for statewide coordinated emergency services;

   c) Emergency service roles of appropriate state agencies;

   d) Identification of resources to be mobilized;

   e) Public information plans; and,

   f) Continuity of government services.

2) Requires, on or before January 1, 2018, OES, in conjunction with CDT, to develop cybersecurity incident response standards for state agencies to prepare for cybersecurity interference with, or compromise or incapacitation of, critical infrastructure and the development of critical infrastructure information, and to transmit critical infrastructure information to OES.

3) Requires the standards developed by OES to consider all of the following factors:

   a) Costs to implement the standards;

   b) Security of critical infrastructure information;

   c) Centralized management of risk; and,

   d) National private industry best practices.

4) Requires each state agency to report to OES on its compliance with the OES cybersecurity standards, no later than January 1, 2019.

5) Requires OES, in conjunction with CDT, to provide suggestions for a state agency to improve its compliance with the OES cybersecurity standards, if any, to specified public officials.

6) Declares that a cybersecurity compliance report, and any related communication records, are confidential and may not be disclosed pursuant to the California Public Records Act.

7) Defines the terms "critical infrastructure," "critical infrastructure information," "secretary," and "state agency."

8) Makes findings and declarations relative to the importance of cybersecurity of state networks.
FISCAL EFFECT: According to the Assembly Appropriations Committee:

1) Unknown costs to OES to complete EF 18. This final piece of the emergency services response plan has been pending completion since 2011, and efforts are underway to complete it. Some additional resources may be required to support necessary hardware, software, and development of a secure database.

2) Ongoing costs to OES of approximately $1 million General Fund (GF) for data base management and Information Technology (IT) Services Division and Critical Infrastructure Protection Unit functions, once the project is complete.

COMMENTS: This bill is intended to speed the creation of a statewide cybersecurity incident response plan, also known as EF 18, and related incident response standards for state agencies, by imposing statutory deadlines for the plan, standards, and compliance reporting.

This bill is author-sponsored.

Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200

FN: 0003233