BILL ANALYSIS



                                                                    AB 1881


                                                                    Page  1





          Date of Hearing:  May 18, 2016


                        ASSEMBLY COMMITTEE ON APPROPRIATIONS


                               Lorena Gonzalez, Chair


          AB 1881 (Chang) - As Amended April 13, 2016


           ----------------------------------------------------------------- 
          |Policy       |Privacy and Consumer           |Vote:|11 - 0       |
          |Committee:   |Protection                     |     |             |
           ----------------------------------------------------------------- 


          Urgency:  No  State Mandated Local Program:  No  Reimbursable:  No


          SUMMARY:  This bill requires the Director of the California  
          Department of Technology (CDT) to develop and update mandatory  
          baseline security controls for state networks based on industry  
          and national standards, and annually measure the state's  
          progress towards compliance. Specifically, this bill:  


          1)Requires the Director to develop and tailor baseline security  
            controls for the state based on emerging industry standards  
            and baseline security controls published by the National  
            Institute of Standards and Technology (NIST). 


          2)Requires the Director to review and revise the state baseline  
            security controls whenever NIST updates its baseline security  
            controls or advancing industry standards warrant, but no less  
            frequently than once every year. 


          3)Requires state agencies to comply with the state baseline  
            security controls, and prohibits them from tailoring their  
            individual baseline security controls so that they fall below  
            the state baseline security controls.


          4)Requires the Director to assess and measure the state's  
            progress toward developing, tailoring, and complying with  
            state baseline security controls in her or his annual  
            information technology performance report. 


          FISCAL EFFECT:


          1)Unknown ongoing costs, likely in the hundreds of thousands of  
            dollars (GF) annually, to regularly review and potentially  
            revise the state baseline security controls.  Additional costs  
            to state agencies to comply with frequent revisions.


          2)Minor costs to CDT to comply with the additional reporting  
            requirements.


          COMMENTS:


          1)Purpose.  This bill is intended to improve state network  
            cybersecurity by mandating that CDT apply industry best  
            practices and national cybersecurity standards for state  
            agencies and departments to follow, and requiring that CDT  
            address agency compliance with those standards in its annual  
            performance report. 


            According to the author, "State government is responsible for  
            securing highly sensitive information.  State government's  
            information systems ensure our privacy as well as the  
            reliability of critical infrastructure and resources.  The  
            size and scope of California's departments and agencies as  
            well as the confidential information under their purview make  
            state government a major target for hacking attempts.   
            Unfortunately, the state of California's cyber security and  
            risk management operations are lacking critical components of  
            information security programs.  AB 1881 will establish a  
            strong underpinning for California's cyber security system by  
            requiring the state's Chief Information Officer (CIO) to  
            establish security baseline controls for all agencies and  
            departments under its jurisdiction.  This will help ensure  
            California's departments and agencies are meeting adequate  
            security requirements to protect the integrity of information  
            systems."


          2)State Auditor's Report.  In 2015, the California State Auditor  
            published an extensive assessment of the Department of  
            Technology's oversight of the state's information security  
            operations.  According to the author, "the results of the  
            audit painted an alarming picture of California's cyber  
            security system and practices. 95% of surveyed departments and  
            agencies stated they are not fully in compliance with state  
            security standards."


            In response, the author notes that the National Institute of  
            Standards and Technology (NIST) Special Publication 800-53  
            contains a security standard framework that is used to  
            establish baseline controls for computer networks.  The author  
            contends that this standard is broadly accepted and required  
            for state agencies, yet the more detailed step of establishing  
            baselines for individual agencies has largely gone undeveloped  
            at a state level - leaving individual departments to the task.


            By codifying the development of baseline security controls,  
            the author intends to drive CDT to complete the work of  
            tailoring the NIST standards (and applicable industry  
            standards) for individual state agencies and thereby improve  
            the cybersecurity of state networks. 


          3)Related legislation.  This is one of five  
            cybersecurity-related bills before this Committee today:


             a)   AB 1841 (Irwin) requires the state OES in conjunction  
               with the CDT to develop, by July 1, 2017, a statewide  
               emergency services response plan for cybersecurity attacks  
               against critical infrastructure (EF 18), and would require  
               OES and CDT to develop a comprehensive cybersecurity  
               strategy by January 1, 2018, with which all state agencies  
               must report compliance by January 1, 2019.  


             b)   AB 2623 (Gordon) requires state agencies and entities to  
               report their information security expenditures on an annual  
               basis to the CDT, including the expenditure of federal  
               grant funds for information security purposes.





             c)   AB 2595 (Linder) establishes the California  
               Cybersecurity Integration Center within the Office of  
               Emergency Services to develop a cybersecurity strategy for  
               California, and authorizes the administration of federal  
               homeland security grant funding by OES.



             d)   AB 2720 (Chau) authorizes the creation of a  
               Cybersecurity Vulnerability Reporting Reward Program that  
               would provide a monetary reward to eligible individuals who  
               identify and report previously unknown vulnerabilities in  
               state computer networks.
          





          Analysis Prepared by:  Jennifer Swenson / APPR. / (916) 319-2081