BILL ANALYSIS                                                                                                                                                                                                    

                                                                    AB 1841

                                                                    Page  1


          AB 1841 (Irwin)

          As Amended  August 15, 2016

          Majority vote

          |ASSEMBLY:  |79-0  |(May 31, 2016) |SENATE: |39-0  |(August 23, 2016) |

          Original Committee Reference:  P. & C.P.

          SUMMARY:  Requires the Department of Technology (CDT), in  
          conjunction with the Office of Emergency Services (OES), by July  
          1, 2018, to update the Technology Recovery Plan (TRP) element of  
          the State Administrative Manual to ensure the inclusion of  
          cybersecurity strategy incident response standards for each  
          state agency.

          The Senate amendments: 

          1)Delete the requirement that OES transmit to the Legislature a  
            cybersecurity incident response plan by July 1, 2017. 

          2)Delete the requirement that OES develop cybersecurity incident  
            response standards for state agencies and that state agencies  
            transmit critical infrastructure information to OES. 



          3)Require CDT, in conjunction with OES, to update the TRP  
            element of the State Administrative Manual by July 1, 2018, to  
            ensure the inclusion of cybersecurity strategy incident  
            response standards for each state agency for the purpose of  
            securing its critical infrastructure controls and critical  
            infrastructure information.

          4)Expand the required updated cybersecurity strategy incident  
            response standards to address continuity of operations and  
            protection of personal information.

          5)Require each state agency to provide CDT with an updated copy  
            of its TRP.

          6)Require each state agency to report on its compliance with the  
            updated standards by July 1, 2019, and authorize CDT, in  
            conjunction with OES, to provide suggestions for state  
            agencies to improve compliance with the standards.

          7)Declare that each state agency's updated TRP provided to CDT  
            is confidential and shall not be disclosed pursuant to any  
            state law, including the California Public Records Act. 

          8)Define the term "critical infrastructure controls," delete the  
            previously defined term "critical infrastructure," and expand  
            the definition of "critical infrastructure information" to  
            incorporate the new term "critical infrastructure controls." 

          9)Define the terms "department" and "office."

          10)Revise the legislative findings and declarations to better  
            clarify the respective roles of CDT and OES. 



          FISCAL EFFECT:  According to the Senate Appropriations  

          1)Minor and absorbable costs to CDT and OES for updating the  
            Technology Recovery Plan. (GF and Special Fund)

          2)Unknown, but likely absorbable costs to each state agency to  
            update and report on its Technology Recovery Plan. (GF)

          COMMENTS:  This bill is intended to speed the creation of  
          cybersecurity response plans for state agencies by imposing a  
          July 2018 deadline for updating the state's Technology Recovery  
          Plan (TRP), and requiring state agencies to update their own  
          plans accordingly and report on their compliance to CDT by July  
          2019.  This bill is author-sponsored.  

          The TRP is a subset of the state entity's Business Continuity  
          Plan.  The TRP is activated immediately after a disaster strikes  
          and focuses on getting critical systems back online.  Each state  
          entity is required to develop a TRP in support of the state  
          entity's Continuity Plan and the business need to protect  
          critical information assets to ensure their availability  
          following an interruption or disaster.  The TRP was last updated  
          in August 2013.

          According to the California Military Department, California's  
          size and importance make it vulnerable to cyber incidents that  
          disrupt business, shut down critical infrastructure, and  
          compromise intellectual property or national security.  

          Analysis Prepared by:  Hank Dempsey / P. & C.P. / (916) 319-2200
          FN:  

