BILL ANALYSIS
AB 2623
Page 1
ASSEMBLY THIRD READING
AB 2623 (Gordon and Irwin)
As Amended April 28, 2016
Majority vote
--------------------------------------------------------------------
|Committee       |Votes|Ayes                                  |Noes|
|----------------+-----+--------------------------------------+----|
|Privacy         |11-0 |Chau, Wilk, Baker, Calderon, Chang,   |    |
|                |     |Cooper, Dababneh, Gatto, Gordon, Low, |    |
|                |     |Olsen                                 |    |
|----------------+-----+--------------------------------------+----|
|Appropriations  |20-0 |Gonzalez, Bigelow, Bloom, Bonilla,    |    |
|                |     |Bonta, Calderon, Chang, Daly, Eggman, |    |
|                |     |Gallagher, Eduardo Garcia, Roger      |    |
|                |     |Hernández, Holden, Jones, Obernolte,  |    |
|                |     |Quirk, Santiago, Wagner, Weber, Wood  |    |
--------------------------------------------------------------------
SUMMARY: Requires state agencies and entities to report their
information security expenditures on an annual basis to the
California Department of Technology (CDT). Specifically, this
bill:
1) Requires, on or before February 1, 2017, and annually
thereafter, specified state agencies and entities to submit a
summary of their actual and projected information security
costs, including personnel, for the immediately preceding
fiscal year and current fiscal year, showing current expenses
and projected expenses for the current fiscal year in order to
capture statewide information security expenditures, including
the expenditure of federal grant funds for information
security purposes.
2) Requires CDT to develop and provide instructions and a format
for state agencies and entities to report their information
security costs.
3) Makes other technical and nonsubstantive amendments.
FISCAL EFFECT: According to the Assembly Appropriations
Committee:
1) Ongoing costs (General Fund/SF/FF) to various state agencies,
likely minor, to annually submit a summary report of
information security costs, including expenditures of federal
grant funds. The affected agencies currently submit similar
reports on other topics.
2) One-time minor costs to CDT (General Fund) to develop the
reporting instructions and format to be used by state
agencies.
COMMENTS:
1) Purpose of this bill. This bill is intended to increase state
government transparency in information security spending so
that CDT, the Governor's Office and the Legislature can better
manage agency performance and resource allocation for
cybersecurity. This bill is author-sponsored.
2) Questions regarding state oversight of cybersecurity. On
February 24, 2016, the Assembly Privacy and Consumer
Protection Committee and the Select Committee on Cybersecurity
held a joint oversight hearing on California's Cybersecurity
Strategy. Part of that hearing examined the findings of a
2015 California State Auditor (Auditor) report entitled "High
Risk Update - Information Security" (Report 2015-611). The
Auditor found that "many state entities have weaknesses in
their controls over information security. These weaknesses
leave some of the State's sensitive data vulnerable to
unauthorized use, disclosure, or disruption."
The Auditor explained that "[CDT] is responsible for ensuring
that state entities that are under the direct authority of the
governor maintain the confidentiality, integrity, and
availability of their information systems and protect the
privacy of the State's information." However, when the Chief
Information Security Officer (CISO) within CDT was asked
during the hearing to explain how much state agencies were
actually spending on cybersecurity, the CISO revealed that her
office did not know or track this information.
This information is important to effective oversight and
management of cybersecurity, as well as benchmarking against
other agencies and states. A July 2015 article in Government
Technology magazine entitled "4 Critical Challenges to State
and Local Government Cybersecurity Efforts (Industry
Perspective)," notes that cybersecurity has become the number
one strategic information technology priority for state and
local government agencies. The article also noted that: "The
typical state or local government agency spends less than 5%
of its IT [information technology] budget on cybersecurity,
compared to over 10% in the typical commercial enterprise."
3) Questions regarding the use of homeland security funds.
Tracking state spending on cybersecurity is complicated by the
fact that some of the expended funds come to the state in the
form of federal grants. According to the government
information Web site Allgov.com, "California has been the
recipient of at least $1.9 billion worth of major
anti-terrorism grants from Washington, D.C. since the
September 11, 2001, attacks, and a succession of reports by
the federal government indicate the money hasn't always been
spent wisely. While a U.S. [United States] Department of
Homeland Security report released in February 2011 found the
state generally 'did an efficient and effective job of
administering the program requirements, distributing grant
funds, and ensuring that all of the available funds were
used,' its inspector general also listed a series of costly
missteps." This bill would require federal funds used for
information security purposes to be included in the annual
report to CDT.
4) This bill in practice. This bill would mirror an existing
requirement for state agencies to annually report their
information technology and telecommunications costs to CDT, by
requiring a similar annual report for spending on information
security costs. CDT would be responsible for developing
instructions and a format for those reports, and would have
the flexibility to determine the accounting methodology used
to collect the data.
Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200
FN: 0003234