BILL ANALYSIS
AB 2623
Page 1
Date of Hearing: May 18, 2016
ASSEMBLY COMMITTEE ON APPROPRIATIONS
Lorena Gonzalez, Chair
AB 2623 (Gordon) - As Amended April 28, 2016
Policy Committee: Privacy and Consumer Protection          Vote: 11 - 0
Urgency: No          State Mandated Local Program: No          Reimbursable: No
SUMMARY: This bill requires state agencies and entities to
annually report their information security expenditures to the
California Department of Technology (CDT). Specifically, this
bill:
1)Requires, on or before February 1, 2017, and annually
thereafter, specified state agencies and state entities to
submit a summary of their actual and projected information
security costs, including the expenditure of federal grant
funds for information security purposes.
2)Requires CDT to develop and provide instructions and a format
for state agencies and entities to report their information
security costs.
FISCAL EFFECT:
1)Ongoing costs (GF/SF/FF) to various state agencies, likely
minor, to annually submit a summary report of information
security costs, including expenditures of federal grant funds.
The affected agencies currently submit similar reports on
other topics.
2)One-time minor costs to CDT (GF) to develop the reporting
instructions and format to be used by state agencies.
COMMENTS:
1)Purpose. This bill is intended to increase state government
transparency in information security spending so that CDT can
better manage agency performance and resource allocation for
cybersecurity. Existing law requires state agencies to
annually report their information technology and
telecommunications costs to CDT. This bill requires a similar
annual report for spending on information security costs. The
standardized reporting created by this bill would give CDT a
valuable data set to better manage state agencies' spending on
cybersecurity, including the ability to make spending
comparisons between agencies and facilitate benchmarking with
other states, so that they can identify state entities that
may be over or under-resourcing cybersecurity efforts or
misspending available funds.
2)Oversight Hearing. On February 24, 2016, the Assembly
Committee on Privacy and Consumer Protection held an oversight
hearing on California's Cybersecurity Strategy. Part of that
hearing examined the findings of a 2015 California State
Auditor (Auditor) report entitled "High Risk Update -
Information Security." The Auditor found that "many state
entities have weaknesses in their controls over information
security. These weaknesses leave some of the State's
sensitive data vulnerable to unauthorized use, disclosure, or
disruption."
The Auditor explained that "CDT is responsible for ensuring
that state entities that are under the direct authority of the
governor maintain the confidentiality, integrity, and
availability of their information systems and protect the
privacy of the State's information." However, it was revealed
during the hearing that the state's Office of Information
Security within CDT does not track information on how much
state agencies were actually spending on cybersecurity.
This bill is intended to increase state government
transparency in information security spending so that CDT can
better manage agency performance and resource allocation for
cybersecurity.
3)Related legislation. This is one of five
cybersecurity-related bills before this Committee today:
a) AB 1841 (Irwin) requires the state OES in conjunction
with the CDT to develop, by July 1, 2017, a statewide
emergency services response plan for cybersecurity attacks
against critical infrastructure (EF 18), and would require
OES and CDT to develop a comprehensive cybersecurity
strategy by January 1, 2018, with which all state agencies
must report compliance by January 1, 2019.
b) AB 1881 (Chang) requires the Director of CDT to develop
and update mandatory baseline security controls for state
networks based on industry and national standards, and
annually measure the state's progress towards compliance.
c) AB 2595 (Linder) establishes the California
Cybersecurity Integration Center within the Office of
Emergency Services to develop a cybersecurity strategy for
California, and authorizes the administration of federal
homeland security grant funding by OES.
d) AB 2720 (Chau) authorizes the creation of a
Cybersecurity Vulnerability Reporting Reward Program that
would provide a monetary reward to eligible individuals who
identify and report previously unknown vulnerabilities in
state computer networks.
4)Previous Legislation. AB 670 (Irwin), Chapter 518, Statutes of
2015, required CDT to conduct, or require to be conducted, no
fewer than 35 independent security assessments of state
agencies, departments or offices annually.
Analysis Prepared by: Jennifer Swenson / APPR. / (916) 319-2081