Bill Text: CA AB1881 | 2015-2016 | Regular Session | Amended


Bill Title: Director of Technology: state baseline security controls.

Spectrum: Partisan Bill (Republican 2-0)

Status: (Failed) 2016-11-30 - From committee without further action.

BILL NUMBER: AB 1881	AMENDED
	BILL TEXT

	AMENDED IN ASSEMBLY  APRIL 13, 2016
	AMENDED IN ASSEMBLY  MARCH 17, 2016

INTRODUCED BY   Assembly Member Chang
    (Coauthor: Assembly Member Lackey)

                        FEBRUARY 10, 2016

   An act to amend Section 11545 of the Government Code, relating to
state government.


	LEGISLATIVE COUNSEL'S DIGEST


   AB 1881, as amended, Chang. Director of Technology: state baseline
security controls.
   Existing law establishes within the Government Operations Agency
the Department of Technology, under the supervision of the Director
of Technology, also known as the State Chief Information Officer.
Existing law requires the director to, among other things, advise the
Governor on the strategic management and direction of the state's
information technology resources and provide technology direction to
agency and department chief information officers to ensure the
integration of statewide technology initiatives. Existing law further
requires the director to produce an annual information technology
performance report that assesses and measures the state's progress
toward specified goals.
   This bill would require the director to develop, tailor, and
subsequently review and revise baseline security controls for the
state based on emerging industry standards and baseline
security controls published by the National Institute of Standards
and Technology. The bill would require state agencies to comply with,
and prohibit state agencies from tailoring their individual baseline
security controls to fall below, the state baseline security
controls. The bill would require that the director's annual
information technology performance report also assess and measure the
state's progress toward developing, tailoring, and complying with
the state baseline security controls.
   Vote: majority. Appropriation: no. Fiscal committee: yes.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1.  Section 11545 of the Government Code is amended to
read:
   11545.  (a) (1) There is in state government the Department of
Technology within the Government Operations Agency. The Director of
Technology shall be appointed by, and serve at the pleasure of, the
Governor, subject to Senate confirmation. The Director of Technology
shall supervise the Department of Technology and report directly to
the Governor on issues relating to information technology.
   (2) Unless the context clearly requires otherwise, whenever the
term "office of the State Chief Information Officer" or "California
Technology Agency" appears in any statute, regulation, or contract,
or any other code, it shall be construed to refer to the Department
of Technology, and whenever the term "State Chief Information Officer"
or "Secretary of California Technology" appears in any statute,
regulation, or contract, or any other code, it shall be construed to
refer to the Director of Technology.
   (3) The Director of Technology shall be the State Chief
Information Officer.
   (b) The duties of the Director of Technology shall include, but
are not limited to, all of the following:
   (1) Advising the Governor on the strategic management and
direction of the state's information technology resources.
   (2) Establishing and enforcing state information technology
strategic plans, policies, standards, and enterprise architecture.
This shall include the periodic review and maintenance of the
information technology sections of the State Administrative Manual,
except for sections on information technology procurement procedures,
and information technology fiscal policy. The Director of Technology
shall consult with the Director of General Services, the Director of
Finance, and other relevant agencies concerning policies and
standards these agencies are responsible to issue as they relate to
information technology.
   (3) Minimizing overlap, redundancy, and cost in state operations
by promoting the efficient and effective use of information
technology.
   (4) Providing technology direction to agency and department chief
information officers to ensure the integration of statewide
technology initiatives, compliance with information technology
policies and standards, and the promotion of the alignment and
effective management of information technology services. Nothing in
this paragraph shall be deemed to limit the authority of a
constitutional officer, cabinet agency secretary, or department
director to establish programmatic priorities and business direction
to the respective agency or department chief information officer.
   (5) Working to improve organizational maturity and capacity in the
effective management of information technology.
   (6) Establishing performance management and improvement processes
to ensure state information technology systems and services are
efficient and effective.
   (7) Approving, suspending, terminating, and reinstating
information technology projects.
   (8) Performing enterprise information technology functions and
services, including, but not limited to, implementing Geographic
Information Systems (GIS), shared services, applications, and program
and project management activities in partnership with the owning
agency or department.
   (9) Developing and tailoring baseline security controls for the
state based on emerging industry standards and baseline
security controls published by the National Institute of Standards
and Technology (NIST). The Director of Technology shall review and
revise the state baseline security controls whenever the NIST updates
its baseline security controls  or advancing industry standards
warrant  but, in no event, less frequently than once every
 three years.   year.  State agencies shall
comply with the state baseline security controls and shall not
tailor their individual baseline security controls to fall below the
state baseline security controls.
   (c) The Director of Technology shall produce an annual information
technology strategic plan that shall guide the acquisition,
management, and use of information technology. State agencies shall
cooperate with the department in the development of this plan, as
required by the Director of Technology.
   (1) Upon establishment of the information technology strategic
plan, the Director of Technology shall take all appropriate and
necessary steps to implement the plan, subject to any modifications
and adjustments deemed necessary and reasonable.
   (2) The information technology strategic plan shall be submitted
to the Joint Legislative Budget Committee by January 15 of every
year.
   (d) The Director of Technology shall produce an annual information
technology performance report that shall assess and measure the
state's progress toward enhancing information technology human
capital management; reducing and avoiding costs and risks associated
with the acquisition, development, implementation, management, and
operation of information technology assets, infrastructure, and
systems; improving energy efficiency in the use of information
technology assets; enhancing the security, reliability, and quality
of information technology networks, services, and systems;
developing, tailoring, and complying with state baseline security
controls; and improving the information technology procurement
process. The department shall establish those policies and procedures
required to improve the performance of the state's information
technology program.
   (1) The department shall submit an information technology
performance management framework to the Joint Legislative Budget
Committee by May 15, 2009, accompanied by the most current baseline
data for each performance measure or metric contained in the
framework. The information technology performance management
framework shall include the performance measures and targets that the
department will utilize to assess the performance of, and measure
the costs and risks avoided by, the state's information technology
program. The department shall provide notice to the Joint Legislative
Budget Committee within 30 days of making changes to the framework.
This notice shall include the rationale for changes in specific
measures or metrics.
   (2) State agencies shall take all necessary steps to achieve the
targets set forth by the department and shall report their progress
to the department on a quarterly basis.
   (3) Notwithstanding Section 10231.5, the information technology
performance report shall be submitted to the Joint Legislative Budget
Committee by January 15 of every year. To enhance transparency, the
department shall post performance targets and progress toward these
targets on its public Internet Web site.
   (4) The department shall at least annually report to the Director
of Finance cost savings and avoidances achieved through improvements
to the way the state acquires, develops, implements, manages, and
operates state technology assets, infrastructure, and systems. This
report shall be submitted in a timeframe determined by the Department
of Finance and shall identify the actual savings achieved by each
office, department, and agency. Notwithstanding Section 10231.5, the
department shall also, within 30 days, submit a copy of that report
to the Joint Legislative Budget Committee, the Senate Committee on
Appropriations, the Senate Committee on Budget and Fiscal Review, the
Assembly Committee on Appropriations, and the Assembly Committee on
Budget.
   (e) If the Governor's Reorganization Plan No. 2 of 2012 becomes
effective, this section shall prevail over Section 186 of the
Governor's Reorganization Plan No. 2 of 2012, regardless of the dates
on which this section and that plan take effect, and this section
shall become operative on July 1, 2013.