BILL ANALYSIS

          |SENATE RULES COMMITTEE            |                       AB 2623|
          |Office of Senate Floor Analyses   |                              |
          |(916) 651-1520                    |                              |
          |Fax: (916) 327-4478               |                              |

                                   THIRD READING 

          Bill No:  AB 2623
          Author:   Gordon (D) and Irwin (D)
          Amended:  8/15/16 in Senate
          Vote:     21 

           SENATE GOVERNMENTAL ORG. COMMITTEE:  13-0, 6/28/16
           AYES:  Hall, Berryhill, Bates, Block, Gaines, Galgiani, Glazer,  
            Hernandez, Hill, Hueso, Lara, McGuire, Vidak

           AYES:  Lara, Bates, Beall, Hill, McGuire, Mendoza, Nielsen

           ASSEMBLY FLOOR:  77-2, 5/31/16 - See last page for vote

           SUBJECT:   State information security costs:  annual report

          SOURCE:    Author
          DIGEST:    This bill requires state agencies to report their  
          information security expenditures on an annual basis to the  
          California Department of Technology (CDT) beginning on January  
          1, 2018.

          Senate Floor Amendments of 8/15/16 delay the requirement that  
          each state agency submit a summary of their information security  
          costs to CDT, from February 1, 2017, to January 1, 2018.

          Existing law:
          1)Establishes CDT within the Government Operations Agency, under  
            the supervision of the Director of Technology.


          2)Requires specified state agencies and state entities to submit  
            annually, as instructed by CDT, a summary of their actual and  
            projected information technology and telecommunications costs,  
            including personnel, for the immediately preceding fiscal year  
            and current fiscal year, showing current expenses and  
            projected expenses for the current fiscal year, in a format  
            prescribed by CDT. 

          3)Defines a state agency, for purposes of the annual cost  
            report, to mean the Transportation Agency, Department of  
            Corrections and Rehabilitation, Department of Veterans  
            Affairs, Business, Consumer Services, and Housing Agency,  
            Natural Resources Agency, California Health and Human Services  
            Agency, California Environmental Protection Agency, Labor and  
            Workforce Development Agency, and Department of Food and  
            Agriculture,  as well as any entity within the executive  
            branch that is under the direct authority of the Governor,  
            including but not limited to, all departments, boards,  
            bureaus, commissions, councils, and offices that are not  
            directly defined as a state agency.

          4)Requires the Director of CDT to advise the Governor on the  
            strategic management and direction of the state's information  
            technology resources and provide technology direction to state  
            agencies and departments to ensure the integration of  
            statewide technologies initiatives. 

          5)Provides that the Office of Information Security may conduct,  
            or require to be conducted, an independent security assessment  
            of every state agency, department, or office. 

          This bill:

          1)Requires, on or before January 1, 2018, and annually  
            thereafter, specified state agencies and state entities to  
            submit a summary of their actual and projected information  
            security costs, including personnel, for the immediately  
            preceding fiscal year and current fiscal year, showing current  
            expenses and projected expenses for the current fiscal year in  
            order to capture statewide information security expenditures,  
            including the expenditure of federal grant funds for  
            information security purposes. 


          2)Makes other technical and nonsubstantive changes.


          Purpose of the bill.  According to the author, "a critical part  
          of our ability to organize and develop cybersecurity  
          capabilities is knowledge of what we are spending and where.   
          Without having oversight over whether state agencies are under  
          or over investing in cybersecurity, it makes it difficult to  
          prioritize spending, compare state spending with industry, and  
          ensure that state dollars are being used as effectively as  
          possible to bolster our cyber defenses.  AB 2623 would include a  
          requirement for state agencies to report their annual spending  
          on cybersecurity.  This knowledge will ensure that our state  
          leaders have a strong understanding of how agencies are responding  
          to this new risk and mitigating appropriately."

          This bill mirrors an existing requirement for state agencies to  
          annually report their information technology and  
          telecommunications costs to CDT, by requiring a similar annual  
          report on information security costs.

          Current spending.  On February 24, 2016, the Assembly Privacy  
          and Consumer Protection Committee and the Select Committee on  
          Cybersecurity held a joint oversight hearing on California's  
          cybersecurity strategies.  Part of that hearing examined the  
          findings of a 2015 California State Auditor (Auditor) report  
          entitled "High Risk Update - Information Security."  The Auditor  
          found that "many state entities have weaknesses in their  
          controls over information security.  These weaknesses leave some  
          of the State's sensitive data vulnerable to unauthorized use,  
          disclosure, or disruption."

          The Auditor explained that "CDT is responsible for ensuring  
          that state entities that are under the direct authority of the  
          governor maintain the confidentiality, integrity, and  
          availability of their information systems and protect the  
          privacy of the State's information."  However, when the Chief  
          Information Security Officer (CISO) within CDT was asked during  
          the hearing to explain how much state agencies were actually  
          spending on cybersecurity, the CISO revealed that her office did  
          not know or track this information.  

          Prior/Related Legislation
          AB 1841 (Irwin, 2016) requires CDT, on or before July 1, 2018,  
          in conjunction with the Office of Emergency Services, to update  
          the Technology Recovery Plan of the State Administrative Manual  
          to ensure the inclusion of cybersecurity strategy incident  
          response standards for each state agency to secure its critical  
          infrastructure controls and critical infrastructure  
          information.  (Pending on the Senate Floor)

          SB 949 (Jackson, 2016) authorizes the Governor to require owners  
          and operators of critical infrastructure, as defined, to submit  
          critical infrastructure information to OES.  (Never heard in  
          Senate Governmental Organization Committee)

          AB 2595 (Linder, 2016) establishes in statute the California  
          Cybersecurity Integration Center within OES to develop a  
          cybersecurity strategy for California in coordination with the  
          Cybersecurity Task Force.  (Held in Assembly Appropriations  

          FISCAL EFFECT:   Appropriation:  No   Fiscal Com.:  Yes   Local:  No

          According to the Senate Appropriations Committee, minor and  
          absorbable CDT costs to develop reporting criteria.  In  
          addition, likely absorbable costs for individual state agencies  
          to segregate information security costs from overall information  
          technology expenditures and annually report to CDT. 

          SUPPORT:   (Verified 8/15/16)

          None received


          OPPOSITION:   (Verified 8/15/16)

          None received

          ASSEMBLY FLOOR:  77-2, 5/31/16
          AYES:  Achadjian, Alejo, Travis Allen, Arambula, Atkins, Baker,  
            Bigelow, Bloom, Bonilla, Bonta, Brough, Brown, Burke,  
            Calderon, Campos, Chang, Chau, Chávez, Chiu, Chu, Cooley,  
            Cooper, Dababneh, Dahle, Daly, Dodd, Eggman, Frazier, Beth  
            Gaines, Gallagher, Cristina Garcia, Eduardo Garcia, Gatto,  
            Gipson, Gomez, Gonzalez, Gordon, Gray, Grove, Hadley, Harper,  
            Roger Hernández, Irwin, Jones, Jones-Sawyer, Kim, Lackey,  
            Levine, Linder, Lopez, Low, Maienschein, Mathis, Mayes,  
            McCarty, Medina, Mullin, Nazarian, Obernolte, O'Donnell,  
            Olsen, Patterson, Quirk, Ridley-Thomas, Rodriguez, Salas,  
            Santiago, Steinorth, Mark Stone, Thurmond, Ting, Wagner,  
            Weber, Wilk, Williams, Wood, Rendon
          NOES:  Melendez, Waldron
          NO VOTE RECORDED:  Holden

          Prepared by: Felipe Lopez / G.O. / (916) 651-1530
          8/16/16 17:38:41

                                   ****  END  ****