BILL ANALYSIS
AB 1881
Page 1
Date of Hearing: April 19, 2016
ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Ed Chau, Chair
AB 1881
(Chang) - As Amended April 13, 2016
SUBJECT: Director of Technology: state baseline security
controls
SUMMARY: Requires the Director of the California Department of
Technology (Director) to develop and update mandatory baseline
security controls for state networks based on industry and
national standards, and annually measure the state's progress
towards compliance. Specifically, this bill:
1) Requires the Director to develop and tailor baseline security
controls for the state based on emerging industry standards
and baseline security controls published by the National
Institute of Standards and Technology (NIST).
2) Requires the Director to review and revise the state baseline
security controls whenever NIST updates its baseline security
controls or advancing industry standards warrant, but no less
frequently than once every year.
3) Requires state agencies to comply with the state baseline
security controls, and prohibits them from tailoring their
individual baseline security controls so that they fall below
the state baseline security controls.
4) Requires the Director to assess and measure the state's
progress toward developing, tailoring, and complying with
state baseline security controls in her or his annual
information technology performance report.
EXISTING LAW:
1) Establishes within the Government Operations Agency the
California Department of Technology (CDT), under the
supervision of the Director of Technology, also known as the
State Chief Information Officer. (Government Code Section
(GC) 11545(a))
2) Requires the Director to, among other things, advise the
Governor on the strategic management and direction of the
state's information technology resources and provide
technology direction to agency and department chief
information officers to ensure the integration of statewide
technology initiatives. (GC 11545(b))
3) Requires the Director to produce an annual information
technology performance report that assesses and measures the
state's progress toward specified goals. (GC 11545(d))
4) Establishes the Office of Information Security (OIS) within
CDT, which is responsible for ensuring the confidentiality,
integrity, and availability of state systems and applications,
and for promoting and protecting privacy as part of the development
and operations of state systems and applications to ensure the
trust of the residents of this state. (GC 11549(a))
5) Provides for the creation of a chief information security
officer (CISO) to lead OIS, who is tasked with providing
direction for information security and privacy to state
government agencies, departments, and officers. (GC
11549(a)-(c))
6) Requires the CISO to establish an information security
program, which includes the creation, updating and publishing
of policies and standards for information security in the
State Administrative Manual, information technology risk
management, tracking of security and privacy incidents, and
disaster recovery, as well as statewide coordination with
other agencies, promotion of state agency risk management
programs, and generally representing the state on matters of
information security and privacy. (GC 11549.3(a))
7) Requires state entities to implement the information security
and privacy policies, standards and procedures issued by OIS.
(GC 11549.3(b))
FISCAL EFFECT: Unknown
COMMENTS:
1) Purpose of this bill. This bill is intended to improve state
network cybersecurity by mandating that CDT apply industry
best practices and national cybersecurity standards for state
agencies and departments to follow, and requiring that CDT
address agency compliance with those standards in its annual
performance report. This bill is author-sponsored.
2) Author's statement. According to the author, "[s]tate
government is responsible for securing highly sensitive
information. From social security numbers and medical
records, to the integrity of wastewater treatment plants,
state government's information systems ensure our privacy as
well as the reliability of critical infrastructure and
resources. The size and scope of California's departments and
agencies as well as the confidential information under their
purview make state government a major target for hacking
attempts. Unfortunately, the state of California's cyber
security and risk management operations are lacking critical
components of information security programs. AB 1881 will
establish a strong underpinning for California's cyber
security system by requiring the state's Chief Information
Officer (CIO) to establish security baseline controls for all
agencies and departments under its jurisdiction. This will
help ensure California's departments and agencies are meeting
adequate security requirements to protect the integrity of
information systems."
3) NIST, Special Publication 800-53, and 'Security Control
Baselines'. The National Institute of Standards and
Technology (NIST) is the nation's measurement standards
laboratory, which exists to promote innovation and industrial
competitiveness by advancing measurement science, standards,
and technology in ways that enhance economic security and
improve our quality of life.
While this bill does not reference a specific standard, NIST's
most recent baseline security control standard is described in
its Special Publication 800-53 "Security and Privacy Controls
for Federal Information Systems and Organizations". SP 800-53
was developed and is maintained by the Joint Task Force
Transformation Initiative Interagency Working Group, as part
of an ongoing information security partnership among the U.S.
Department of Defense, the Intelligence Community, the
Committee on National Security Systems, the Department of
Homeland Security, and U.S. federal civil agencies.
That document, most recently presented as Revision 4 in
February 2014, provides the 'security control baselines' that
should be used as the starting point for the security control
selection process. The baselines are chosen based on the
security category and associated impact level of information
systems. SP 800-53 provides a listing of baseline security
controls corresponding to the low-impact, moderate-impact, and
high-impact information systems.
According to NIST, "the security controls and control
enhancements listed in the initial baselines are not a
minimum, but rather a proposed starting point from which
controls and control enhancements may be removed or added.
The security control baselines address the security needs of a
broad and diverse set of constituencies, and are developed
based on a number of general assumptions, including common
environmental, operational, and functional considerations.
The baselines also assume typical threats facing common
information systems. Articulating the underlying assumptions
is a key element in the initial risk framing step of the risk
management process..."
Because these controls are generic, they must be customized,
or "tailored" to the specific situation of a specific agency.
4) Concerns over the level of information security guidance given
to state agencies. According to the author, state agencies
are falling behind in their cybersecurity preparations, in
part because of a lack of guidance from CDT:
"In 2015, the California state auditor outlined an extensive
assessment of the Department of Technology's oversight of
the State of California's information security operations. The
results of the audit painted an alarming picture of
California's cyber security system and practices.
95% of surveyed departments and agencies stated they are not
fully in compliance with state security standards. According
to the audit, '[t]hese reporting entities noted deficiencies
in their controls over information asset and risk management,
information security program management, information security
incident management, and technology recovery.' Worse yet,
some departments certified they were in compliance with
security standards when they were not. The audit made clear
that departments are looking for guidance when it comes to
risk management procedures."
As an example of that guidance, the author points to the
security framework standard from the National Institute of
Standards and Technology (NIST) Special Publication 800-53
that is used to establish baseline controls for computer
networks. The author contends that this standard is broadly
accepted and required for state agencies, yet the more
detailed step of establishing baselines for individual
agencies has largely gone undeveloped at a state level -
leaving individual departments to the task: "Thus, the state
has left one of the most fundamental components of cyber
security incomplete, and sensitive information networks
vulnerable... California has lacked baseline controls for three
years, which has in part led to the unsettling audit showing
California's information systems are vulnerable to attack."
By codifying the development of baseline security controls,
the author intends to drive CDT to complete the work of
tailoring the NIST standards (and applicable industry
standards) for individual state agencies and thereby improve
the cybersecurity of state networks.
5) Arguments in support. According to Microsoft, "Microsoft
believes governments should have a strategy for cybersecurity,
and we strongly support states taking steps to protect their
most essential information and [information and communications
technology] systems - those needed to support state security,
the economy and public safety. By requiring baseline security
controls for the state, AB 1881 would help protect the
integrity of the state's information systems."
According to the Electronic Frontier Foundation, "In today's
world, computer security is at least as important as physical
security. State agencies run computer systems that contain
sensitive data about Californians, systems that are used to
make decisions that affect the lives of Californians every
day, and systems that are vital to the operation of state
government. Strong baseline security controls for these
computer systems are a must. Additionally, requiring all
state agencies to comply with these baseline security controls
will ensure that there are no weak links in the state
government's defenses."
6) Question for the Committee. While this bill currently
requires the state CIO to develop baseline security controls
for state networks, it may be more appropriate for that
responsibility to fall with the CISO instead.
Existing statute explicitly states that the "duties of the
Office of Information Security, under the direction of the
chief, shall be to provide direction for information security
and privacy to state government agencies, departments, and
offices..." (Government Code Section 11549(c)) The creation of
state agency baseline security controls from national and
industry cybersecurity standards mandated by this bill would
appear to fit the definition here of providing direction for
information security.
Given the CISO's statutory responsibilities and expertise in
cybersecurity, the author and Committee may wish to amend the
bill to shift the responsibilities created by this bill over
to OIS and the CISO.
7) Related legislation. AB 1841 (Irwin) would require the state
Office of Emergency Services (OES) to develop, by July 1,
2017, a statewide emergency services response plan for
cybersecurity attacks against critical infrastructure, and
further requires OES to develop a comprehensive cybersecurity
strategy by July 1, 2018, with which all state agencies must
report compliance by January 1, 2019. AB 1841 passed this
Committee on April 5, 2016, on an 11-0 vote and is currently
pending in the Assembly Governmental Organization Committee.
SB 949 (Jackson) would authorize the Governor to require owners
and operators of critical infrastructure to submit critical
infrastructure information to OES or any other designee for
the purposes of gathering, analyzing, communicating, or
disclosing critical infrastructure information. SB 949 is
pending in the Senate Governmental Organization Committee.
8) Previous legislation. AB 670 (Irwin), Chapter 518, Statutes of
2015, requires CDT to conduct, or require to be conducted, no
fewer than 35 independent security assessments of state
agencies, departments or offices annually.
REGISTERED SUPPORT / OPPOSITION:
Support
Electronic Frontier Foundation (EFF)
Microsoft Corporation
Opposition
None on file.
Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200