BILL ANALYSIS




           ----------------------------------------------------------------- 
          |SENATE RULES COMMITTEE            |                       AB 2623|
          |Office of Senate Floor Analyses   |                              |
          |(916) 651-1520    Fax: (916)      |                              |
          |327-4478                          |                              |
           ----------------------------------------------------------------- 


                                   THIRD READING 


          Bill No:  AB 2623
          Author:   Gordon (D) and Irwin (D)
          Amended:  4/28/16 in Assembly
          Vote:     21 

           SENATE GOVERNMENTAL ORG. COMMITTEE:  13-0, 6/28/16
           AYES:  Hall, Berryhill, Bates, Block, Gaines, Galgiani, Glazer,  
            Hernandez, Hill, Hueso, Lara, McGuire, Vidak

           SENATE APPROPRIATIONS COMMITTEE:  7-0, 8/1/16
           AYES:  Lara, Bates, Beall, Hill, McGuire, Mendoza, Nielsen

           ASSEMBLY FLOOR:  77-2, 5/31/16 - See last page for vote

           SUBJECT:   State information security costs:  annual report


          SOURCE:    Author
          
          DIGEST:    This bill requires state agencies to report their  
          information security expenditures on an annual basis to the  
          California Department of Technology (CDT).

          ANALYSIS:
          
          Existing law:
          
          1)Establishes CDT within the Government Operations Agency, under  
            the supervision of the Director of Technology.

          2)Requires specified state agencies and state entities to submit  
            annually, as instructed by CDT, a summary of their actual and  
            projected information technology and telecommunications costs,  
            including personnel, for the immediate preceding fiscal year  
            and current fiscal year, showing current expenses and  
            projected expenses for the current fiscal year, in a format  
            prescribed by CDT. 

          3)Defines a state agency, for purposes of the annual cost  
            report, to mean the Transportation Agency, Department of  
            Corrections and Rehabilitation, Department of Veterans  
            Affairs, Business, Consumer Services, and Housing Agency,  
            Natural Resources Agency, California Health and Human Services  
            Agency, California Environmental Protection Agency, Labor and  
            Workforce Development Agency, and Department of Food and  
            Agriculture, as well as any entity within the executive  
            branch that is under the direct authority of the Governor,  
            including but not limited to, all departments, boards,  
            bureaus, commissions, councils, and offices that are not  
            directly defined as a state agency.

          4)Requires the Director of CDT to advise the Governor on the  
            strategic management and direction of the state's information  
            technology resources and provide technology direction to state  
            agencies and departments to ensure the integration of  
            statewide technology initiatives. 

          5)Provides that the Office of Information Security may conduct,  
            or require to be conducted, an independent security assessment  
            of every state agency, department, or office. 

          This bill:

          1)Requires, on or before February 1, 2017, and annually  
            thereafter, specified state agencies and state entities to  
            submit a summary of their actual and projected information  
            security costs, including personnel, for the immediately  
            preceding fiscal year and current fiscal year, showing current  
            expenses and projected expenses for the current fiscal year,  
            in a format prescribed by CDT, in order to capture statewide  
            information security expenditures, including the expenditure  
            of federal grant funds for information security purposes. 

          2)Makes other technical and nonsubstantive amendments.

          Background

          Purpose of the bill.  According to the author, "a critical part  
          of our ability to organize and develop cybersecurity  
          capabilities is knowledge of what we are spending and where.   
          Without having oversight over whether state agencies are under  
          or over investing in cybersecurity, it makes it difficult to  
          prioritize spending, compare state spending with industry, and  
          ensure that state dollars are being used as effectively as  
          possible to bolster our cyber defenses.  AB 2623 would include a  
          requirement for state agencies to report their annual spending  
          on cybersecurity.  This knowledge will ensure that our state  
          leaders have a strong understanding of how agencies are responding  
          to this new risk and mitigating appropriately."

          This bill mirrors an existing requirement for state agencies to  
          annually report their information technology and  
          telecommunications costs to CDT by requiring a similar annual  
          report on information security costs.

          Current spending.  On February 24, 2016, the Assembly Privacy  
          and Consumer Protection Committee and the Select Committee on  
          Cybersecurity held a joint oversight hearing on California's  
          cybersecurity strategies.  Part of that hearing examined the  
          findings of a 2015 California State Auditor (Auditor) report  
          entitled "High Risk Update - Information Security."  The Auditor  
          found that "many state entities have weaknesses in their  
          controls over information security.  These weaknesses leave some  
          of the State's sensitive data vulnerable to unauthorized use,  
          disclosure, or disruption."


          The Auditor explained that "CDT is responsible for ensuring  
          that state entities that are under the direct authority of the  
          governor maintain the confidentiality, integrity, and  
          availability of their information systems and protect the  
          privacy of the State's information."  However, when the Chief  
          Information Security Officer (CISO) within CDT was asked during  
          the hearing to explain how much state agencies were actually  
          spending on cybersecurity, the CISO revealed that her office did  
          not know or track this information.  

          Prior/Related Legislation

          AB 1841 (Irwin, 2016) requires the Office of Emergency Services  
          in conjunction with CDT to transmit to the Legislature, by July  
          1, 2017, a statewide emergency services response plan for  
          cybersecurity, and further requires OES and CDT to develop a  
          comprehensive cybersecurity strategy against critical  
          infrastructure by January 1, 2018.  (Pending on the Senate  
          Floor)

          SB 949 (Jackson, 2016) authorizes the Governor to require owners  
          and operators of critical infrastructure, as defined, to submit  
          critical infrastructure information to OES.  (Never heard in  
          Senate Governmental Organization Committee)

          AB 2595 (Linder, 2016) establishes in statute the California  
          Cybersecurity Integration Center within OES to develop a  
          cybersecurity strategy for California in coordination with the  
          Cybersecurity Task Force.  (Held in Assembly Appropriations  
          Committee) 

          AB 670 (Irwin, Chapter 518, Statutes of 2015) required CDT to  
          conduct, or require to be conducted, no fewer than 35  
          independent security assessments of state agencies, departments,  
          or offices annually.  


          FISCAL EFFECT:   Appropriation: No   Fiscal Com.: Yes   Local: No


          According to the Senate Appropriations Committee, minor and  
          absorbable CDT costs to develop reporting criteria.  In  
          addition, likely absorbable costs for individual state agencies  
          to segregate information security costs from overall information  
          technology expenditures and annually report to CDT. 


          SUPPORT:   (Verified 8/2/16)


          None received


          OPPOSITION:   (Verified 8/2/16)


          None received

          ASSEMBLY FLOOR:  77-2, 5/31/16
          AYES:  Achadjian, Alejo, Travis Allen, Arambula, Atkins, Baker,  
            Bigelow, Bloom, Bonilla, Bonta, Brough, Brown, Burke,  
            Calderon, Campos, Chang, Chau, Chávez, Chiu, Chu, Cooley,  
            Cooper, Dababneh, Dahle, Daly, Dodd, Eggman, Frazier, Beth  
            Gaines, Gallagher, Cristina Garcia, Eduardo Garcia, Gatto,  
            Gipson, Gomez, Gonzalez, Gordon, Gray, Grove, Hadley, Harper,  
            Roger Hernández, Irwin, Jones, Jones-Sawyer, Kim, Lackey,  
            Levine, Linder, Lopez, Low, Maienschein, Mathis, Mayes,  
            McCarty, Medina, Mullin, Nazarian, Obernolte, O'Donnell,  
            Olsen, Patterson, Quirk, Ridley-Thomas, Rodriguez, Salas,  
            Santiago, Steinorth, Mark Stone, Thurmond, Ting, Wagner,  
            Weber, Wilk, Williams, Wood, Rendon
          NOES:  Melendez, Waldron
          NO VOTE RECORDED:  Holden

          Prepared by: Felipe Lopez / G.O. / (916) 651-1530
          8/3/16 18:31:59


                                   ****  END  ****