BILL ANALYSIS
-----------------------------------------------------------------
SENATE RULES COMMITTEE                                   AB 2623
Office of Senate Floor Analyses
(916) 651-1520 Fax: (916) 327-4478
-----------------------------------------------------------------
THIRD READING
Bill No: AB 2623
Author: Gordon (D) and Irwin (D)
Amended: 8/15/16 in Senate
Vote: 21
SENATE GOVERNMENTAL ORG. COMMITTEE: 13-0, 6/28/16
AYES: Hall, Berryhill, Bates, Block, Gaines, Galgiani, Glazer,
Hernandez, Hill, Hueso, Lara, McGuire, Vidak
SENATE APPROPRIATIONS COMMITTEE: 7-0, 8/1/16
AYES: Lara, Bates, Beall, Hill, McGuire, Mendoza, Nielsen
ASSEMBLY FLOOR: 77-2, 5/31/16 - See last page for vote
SUBJECT: State information security costs: annual report
SOURCE: Author
DIGEST: This bill requires state agencies to report their
information security expenditures on an annual basis to the
California Department of Technology (CDT) beginning on January
1, 2018.
Senate Floor Amendments of 8/15/16 delay the requirement that
each state agency submit a summary of their information security
costs to CDT, from February 1, 2017, to January 1, 2018.
ANALYSIS:
Existing law:
1) Establishes CDT within the Government Operations Agency, under
the supervision of the Director of Technology.
AB 2623
Page 2
2) Requires specified state agencies and state entities to submit
annually, as instructed by CDT, a summary of their actual and
projected information technology and telecommunications costs,
including personnel, for the immediate preceding fiscal year
and current fiscal year, showing current expenses and
projected expenses for the current fiscal year, in a format
prescribed by CDT.
3) Defines a state agency, for purposes of the annual cost
report, to mean the Transportation Agency, Department of
Corrections and Rehabilitation, Department of Veterans
Affairs, Business, Consumer Services, and Housing Agency,
Natural Resources Agency, California Health and Human Services
Agency, California Environmental Protection Agency, Labor and
Workforce Development Agency, and Department of Food and
Agriculture, as well as any entity within the executive
branch that is under the direct authority of the Governor,
including but not limited to, all departments, boards,
bureaus, commissions, councils, and offices that are not
directly defined as a state agency.
4) Requires the Director of CDT to advise the Governor on the
strategic management and direction of the state's information
technology resources and provide technology direction to state
agencies and departments to ensure the integration of
statewide technologies initiatives.
5) Provides that the Office of Information Security may conduct,
or require to be conducted, an independent security assessment
of every state agency, department, or office.
This bill:
1) Requires, on or before January 1, 2018, and annually
thereafter, specified state agencies and state entities to
submit a summary of their actual and projected information
security costs, including personnel, for the immediately
preceding fiscal year and current fiscal year, showing current
expenses and projected expenses for the current fiscal year in
order to capture statewide information security expenditures,
including the expenditure of federal grant funds for
information security purposes.
2) Makes other technical and nonsubstantive changes.
Background
Purpose of the bill. According to the author, "a critical part
of our ability to organize and develop cybersecurity
capabilities is knowledge of what we are spending and where.
Without having oversight over whether state agencies are under
or over investing in cybersecurity, it makes it difficult to
prioritize spending, compare state spending with industry, and
ensure that state dollars are being used as effectively as
possible to bolster our cyber defenses. AB 2623 would include a
requirement for state agencies to report their annual spending
on cybersecurity. This knowledge will ensure that our state
leaders have a strong understanding of how agencies are responding
to this new risk and mitigating appropriately.
This bill mirrors an existing requirement for state agencies to
annually report their information technology and
telecommunications to CDT, by requiring a similar annual report
for spending on information security costs.
Current spending. On February 24, 2016, the Assembly Privacy
and Consumer Protection Committee and the Select Committee on
Cybersecurity held a joint oversight hearing on California's
cybersecurity strategies. Part of that hearing examined the
findings of a 2015 California State Auditor (Auditor) report
entitled "High Risk Update - Information Security." The Auditor
found that "many state entities have weaknesses in their
controls over information security. These weaknesses leave some
of the State's sensitive data vulnerable to unauthorized use,
disclosure, or disruption."
The Auditor explained that "CDT is responsible for ensuring
that state entities that are under the direct authority of the
governor maintain the confidentiality, integrity, and
availability of their information systems and protect the
privacy of the State's information." However, when the Chief
Information Security Officer (CISO) within CDT was asked during
the hearing to explain how much state agencies were actually
spending on cybersecurity, the CISO revealed that her office did
not know or track this information.
Prior/Related Legislation
AB 1841 (Irwin, 2016) requires CDT, on or before July 1, 2018,
in conjunction with the Office of Emergency Services (OES), to
update the Technology Recovery Plan of the State Administrative
Manual to ensure the inclusion of cybersecurity strategy incident
response standards for each state agency to secure its critical
infrastructure controls and critical infrastructure information.
(Pending on the Senate Floor)
SB 949 (Jackson, 2016) authorizes the Governor to require owners
and operators of critical infrastructure, as defined, to submit
critical infrastructure information to OES. (Never heard in
Senate Governmental Organization Committee)
AB 2595 (Linder, 2016) establishes in statute the California
Cybersecurity Integration Center within OES to develop a
cybersecurity strategy for California in coordination with the
Cybersecurity Task Force. (Held in Assembly Appropriations
Committee)
FISCAL EFFECT: Appropriation: No    Fiscal Com.: Yes    Local: No
According to the Senate Appropriations Committee, minor and
absorbable CDT costs to develop reporting criteria. In
addition, likely absorbable costs for individual state agencies
to segregate information security costs from overall information
technology expenditures and annually report to CDT.
SUPPORT: (Verified 8/15/16)
None received
OPPOSITION: (Verified 8/15/16)
None received
ASSEMBLY FLOOR: 77-2, 5/31/16
AYES: Achadjian, Alejo, Travis Allen, Arambula, Atkins, Baker,
Bigelow, Bloom, Bonilla, Bonta, Brough, Brown, Burke,
Calderon, Campos, Chang, Chau, Chávez, Chiu, Chu, Cooley,
Cooper, Dababneh, Dahle, Daly, Dodd, Eggman, Frazier, Beth
Gaines, Gallagher, Cristina Garcia, Eduardo Garcia, Gatto,
Gipson, Gomez, Gonzalez, Gordon, Gray, Grove, Hadley, Harper,
Roger Hernández, Irwin, Jones, Jones-Sawyer, Kim, Lackey,
Levine, Linder, Lopez, Low, Maienschein, Mathis, Mayes,
McCarty, Medina, Mullin, Nazarian, Obernolte, O'Donnell,
Olsen, Patterson, Quirk, Ridley-Thomas, Rodriguez, Salas,
Santiago, Steinorth, Mark Stone, Thurmond, Ting, Wagner,
Weber, Wilk, Williams, Wood, Rendon
NOES: Melendez, Waldron
NO VOTE RECORDED: Holden
Prepared by: Felipe Lopez / G.O. / (916) 651-1530
8/16/16 17:38:41