BILL ANALYSIS
AB 1841
Page 1
CONCURRENCE IN SENATE AMENDMENTS
AB 1841 (Irwin)
As Amended August 15, 2016
Majority vote
--------------------------------------------------------------------
|ASSEMBLY: |79-0 |(May 31, 2016) |SENATE: |39-0 |(August 23, 2016) |
--------------------------------------------------------------------
Original Committee Reference: P. & C.P.
SUMMARY: Requires the Department of Technology (CDT), in
conjunction with the Office of Emergency Services (OES), by July
1, 2018, to update the Technology Recovery Plan (TRP) element of
the State Administrative Manual to ensure the inclusion of
cybersecurity strategy incident response standards for each
state agency.
The Senate amendments:
1) Delete the requirement that OES transmit to the Legislature a
cybersecurity incident response plan by July 1, 2017.
2) Delete the requirement that OES develop cybersecurity incident
response standards for state agencies and that state agencies
transmit critical infrastructure information to OES.
3) Require CDT, in conjunction with OES, to update the TRP
element of the State Administrative Manual by July 1, 2018, to
ensure the inclusion of cybersecurity strategy incident
response standards for each state agency for the purpose of
securing its critical infrastructure controls and critical
infrastructure information.
4) Expand the required updated cybersecurity strategy incident
response standards to address continuity of operations and
protection of personal information.
5) Require each state agency to provide CDT with an updated copy
of its TRP.
6) Require each state agency to report on its compliance with the
updated standards by July 1, 2019, and authorize CDT, in
conjunction with OES, to provide suggestions for state
agencies to improve compliance with the standards.
7) Declare that each state agency's updated TRP provided to CDT
is confidential and shall not be disclosed pursuant to any
state law, including the California Public Records Act.
8) Define the term "critical infrastructure controls," delete the
previously defined term "critical infrastructure," and expand
the definition of "critical infrastructure information" to
incorporate the new term "critical infrastructure controls."
9) Define the terms "department" and "office."
10) Revise the legislative findings and declarations to better
clarify the respective roles of CDT and OES.
FISCAL EFFECT: According to the Senate Appropriations
Committee:
1) Minor and absorbable costs to CDT and OES for updating the
Technology Recovery Plan. (GF and Special Fund)
2) Unknown, but likely absorbable costs to each state agency to
update and report on its Technology Recovery Plan. (GF)
COMMENTS: This bill is intended to speed the creation of
cybersecurity response plans for state agencies by imposing a
July 2018 deadline for updating the state's Technology Recovery
Plan (TRP), and requiring state agencies to update their own
plans accordingly and report on their compliance to CDT by July
2019. This bill is author-sponsored.
The TRP is a subset of the state entity's Business Continuity
Plan. The TRP is activated immediately after a disaster strikes
and focuses on getting critical systems back online. Each state
entity is required to develop a TRP in support of the state
entity's Continuity Plan and the business need to protect
critical information assets to ensure their availability
following an interruption or disaster. The TRP was last updated
in August 2013.
According to the California Military Department, California's
size and importance make it vulnerable to cyber incidents that
disrupt business, shut down critical infrastructure, and
compromise intellectual property or national security.
Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200
FN: 0004305