BILL ANALYSIS

AB 1841 Page 1

CONCURRENCE IN SENATE AMENDMENTS

AB 1841 (Irwin)
As Amended August 15, 2016
Majority vote

--------------------------------------------------------------------
|ASSEMBLY: |79-0 |(May 31, 2016) |SENATE: |39-0 |(August 23, 2016) |
--------------------------------------------------------------------

Original Committee Reference: P. & C.P.

SUMMARY: Requires the Department of Technology (CDT), in conjunction with the Office of Emergency Services (OES), by July 1, 2018, to update the Technology Recovery Plan (TRP) element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency.

The Senate amendments:

1) Delete the requirement that OES transmit to the Legislature a cybersecurity incident response plan by July 1, 2017.

2) Delete the requirement that OES develop cybersecurity incident response standards for state agencies and that state agencies transmit critical infrastructure information to OES.

3) Require CDT, in conjunction with OES, to update the TRP element of the State Administrative Manual by July 1, 2018, to ensure the inclusion of cybersecurity strategy incident response standards for each state agency for the purpose of securing its critical infrastructure controls and critical infrastructure information.

4) Expand the required updated cybersecurity strategy incident response standards to address continuity of operations and protection of personal information.

5) Require each state agency to provide CDT with an updated copy of its TRP.

6) Require each state agency to report on its compliance with the updated standards by July 1, 2019, and authorize CDT, in conjunction with OES, to provide suggestions for state agencies to improve compliance with the standards.
7) Declare that each state agency's updated TRP provided to CDT is confidential and shall not be disclosed pursuant to any state law, including the California Public Records Act.

8) Define the term "critical infrastructure controls," delete the previously defined term "critical infrastructure," and expand the definition of "critical infrastructure information" to incorporate the new term "critical infrastructure controls."

9) Define the terms "department" and "office."

10) Revise the legislative findings and declarations to better clarify the respective roles of CDT and OES.

FISCAL EFFECT: According to the Senate Appropriations Committee:

1) Minor and absorbable costs to CDT and OES for updating the Technology Recovery Plan. (GF and Special Fund)

2) Unknown, but likely absorbable costs to each state agency to update and report on its Technology Recovery Plan. (GF)

COMMENTS: This bill is intended to speed the creation of cybersecurity response plans for state agencies by imposing a July 2018 deadline for updating the state's Technology Recovery Plan (TRP), and requiring state agencies to update their own plans accordingly and report on their compliance to CDT by July 2019. This bill is author-sponsored.

The TRP is a subset of the state entity's Business Continuity Plan. The TRP is activated immediately after a disaster strikes and focuses on getting critical systems back online. Each state entity is required to develop a TRP in support of the state entity's Continuity Plan and the business need to protect critical information assets to ensure their availability following an interruption or disaster. The TRP was last updated in August 2013.

According to the California Military Department, California's size and importance make it vulnerable to cyber incidents that disrupt business, shut down critical infrastructure, and compromise intellectual property or national security.

Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200

FN: 0004305