Bill Text: CA AB2777 | 2023-2024 | Regular Session | Amended


Bill Title: Office of Information Security: Baseline Information Security Score.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Engrossed) 2024-08-15 - In committee: Held under submission. [AB2777 Detail]

Download: California-2023-AB2777-Amended.html

Amended  IN  Assembly  April 25, 2024
Amended  IN  Assembly  March 19, 2024

CALIFORNIA LEGISLATURE— 2023–2024 REGULAR SESSION

Assembly Bill
No. 2777


Introduced by Assembly Member Calderon

February 15, 2024


An act to add Section 11547.65 to the Government Code, relating to state government. An act to amend Section 11549.3 of the Government Code, relating to state government.


LEGISLATIVE COUNSEL'S DIGEST


AB 2777, as amended, Calderon. Department of Technology: state agencies: California Cybersecurity Maturity Metric. Office of Information Security: Baseline Information Security Score.
Existing law establishes the Office of Information Security, within the Department of Technology, to, among other things, ensure the confidentiality, integrity, and availability of state systems and applications. Existing law requires the Chief of the Office of Information Security to establish an information security program that includes, among other things, creating, updating, and publishing information security and privacy policies, standards, and procedures for state agencies, and requires state agencies, as described, to certify to the office that the agency is in compliance with those policies, standards, and procedures. Existing law authorizes the office to, among other things, conduct or require to be conducted an independent security assessment of every state agency, department, or office, as specified.
This bill would require the office, on or before January 1, 2026, to develop a Baseline Information Security Score metric to estimate the information security status of applicable state agencies, departments, and offices, and would require the metric to utilize readily available information, including, among other things, compliance certifications submitted to the office and results of relevant independent security assessments completed as described above. The bill would also require the office, beginning January 1, 2027, and annually on or before January 1 thereafter, to calculate a Baseline Information Security Score based on the above-described metric for each applicable state agency, department, and office. The bill would make related findings and declarations.

Existing law tasks the Director of Technology, who supervises the Department of Technology and is also the State Chief Information Officer, with, among other things, providing technology direction to agency and department chief information officers to ensure compliance with information technology policies and standards and establishing performance management and improvement processes to ensure state information technology systems and services are efficient and effective. Existing law requires the Chief of the Office of Information Security to establish an information security program that includes creating, updating, and publishing information security and privacy policies, standards, and procedures for state agencies. Existing law requires all state entities, as specified, to implement the policies and procedures issued by the Office of Information Security and authorizes the office to conduct an independent security assessment of every state agency, department, or office.

This bill would require the Department of Technology to make changes to the California Cybersecurity Maturity Metric, including the Maturity Metric Score criteria, to accomplish specified goals, including to achieve a score for all state agencies every 3 years. The bill would require a Maturity Metric Score to be comprised of information from the 2 most recent independent security assessments performed by, or at the direction of, the Office of Information Security that measured the agency’s network and any other relevant and available information. The bill would define terms for these purposes, and make related findings and declarations.

Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 The Legislature finds and declares all of the following:
(a) Californians are often required to provide personally identifiable information to state agencies. Protecting that information is critical to maintaining public trust and safety.
(b) Knowledge of the security status of state agencies is critical to identifying vulnerabilities, managing cybersecurity threats, and avoiding costly disruptions to state services.
(c) Simplifying the existing process for evaluating the cybersecurity of state agencies is critical to ensuring timely reports.

SEC. 2.

 Section 11549.3 of the Government Code is amended to read:

11549.3.
 (a) The chief shall establish an information security program. The program responsibilities include, but are not limited to, all of the following:
(1) The creation, updating, and publishing of information security and privacy policies, standards, and procedures for state agencies in the State Administrative Manual.
(2) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies to effectively manage security and risk for both of the following:
(A) Information technology, which includes, but is not limited to, all electronic technology systems and services, automated information handling, system design and analysis, conversion of data, computer programming, information storage and retrieval, telecommunications, requisite system controls, simulation, electronic commerce, and all related interactions between people and machines.
(B) Information that is identified as mission critical, confidential, sensitive, or personal, as defined and published by the office.
(3) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies for the collection, tracking, and reporting of information regarding security and privacy incidents.
(4) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies in the development, maintenance, testing, and filing of each state agency’s disaster recovery plan.
(5) Coordination of the activities of state agency information security officers, for purposes of integrating statewide security initiatives and ensuring compliance with information security and privacy policies and standards.
(6) Promotion and enhancement of the state agencies’ risk management and privacy programs through education, awareness, collaboration, and consultation.
(7) Representing the state before the federal government, other state agencies, local government entities, and private industry on issues that have statewide impact on information security and privacy.
(b) All state entities defined in Section 11546.1 shall implement the policies and procedures issued by the office, including, but not limited to, performing both of the following duties:
(1) Comply with the information security and privacy policies, standards, and procedures issued pursuant to this chapter by the office.
(2) Comply with filing requirements and incident notification by providing timely information and reports as required by the office.
(c) (1) The office may conduct, or require to be conducted, an independent security assessment of every state agency, department, or office. The cost of the independent security assessment shall be funded by the state agency, department, or office being assessed.
(2) In addition to the independent security assessments authorized by paragraph (1), the office, in consultation with the Office of Emergency Services, shall perform all the following duties:
(A) Annually require no fewer than 35 state entities to perform an independent security assessment, the cost of which shall be funded by the state agency, department, or office being assessed.
(B) Determine criteria and rank state entities based on an information security risk index that may include, but not be limited to, analysis of the relative amount of the following factors within state agencies:
(i) Personally identifiable information protected by law.
(ii) Health information protected by law.
(iii) Confidential financial data.
(iv) Self-certification of compliance and indicators of unreported noncompliance with security provisions in the following areas:
(I) Information asset management.
(II) Risk management.
(III) Information security program management.
(IV) Information security incident management.
(V) Technology recovery planning.
(C) Determine the basic standards of services to be performed as part of independent security assessments required by this subdivision.
(3) The Military Department may perform an independent security assessment of any state agency, department, or office, the cost of which shall be funded by the state agency, department, or office being assessed.
(d) State agencies and entities required to conduct or receive an independent security assessment pursuant to subdivision (c) shall transmit the complete results of that assessment and recommendations for mitigating system vulnerabilities, if any, to the office and the Office of Emergency Services.
(e) (1) On or before January 1, 2026, the office shall develop a Baseline Information Security Score metric to estimate the information security status of applicable state agencies, departments, and offices. The metric shall utilize readily available information, including, but not limited to, all of the following information:
(A) Results of relevant independent security assessments completed pursuant to subdivision (c).
(B) Information that state entities annually self-report to the federal government as part of the federal Nationwide Cybersecurity Review.
(C) Custom reports provided by the federal government to state entities as part of the federal Nationwide Cybersecurity Review.
(D) Compliance certifications and other required supplementary materials submitted by state agencies pursuant to paragraph (4) of subdivision (g).
(E) Any relevant incidents reported through the California Compliance and Security Incident Reporting System.
(F) Any relevant compliance audits completed by the Department of Technology pursuant to subdivision (i).
(G) Any other relevant information that the office has in its possession or is able to quickly and easily obtain.
(2) Beginning January 1, 2027, and annually on or before January 1 thereafter, the office shall calculate a Baseline Information Security Score based on the metric described in paragraph (1) for each applicable state agency, department, and office.

(e)

(f) The office shall report to the Department of Technology and the Office of Emergency Services any state entity found to be noncompliant with information security program requirements.

(f)

(g) (1) Every state agency, as defined in Section 11000, that is not subject to subdivision (b) shall do all of the following:
(A) Adopt and implement information security and privacy policies, standards, and procedures that adhere to the following standards:
(i) The National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 5, Security and Privacy Controls for Federal Information Systems and Organizations, and its successor publications.
(ii) Federal Information Processing Standards (FIPS) 199 Standards for Security Categorization of Federal Information and Information Systems, and its successor publications.
(iii) Federal Information Processing Standards (FIPS) 200 Minimum Security Requirements for Federal Information and Information Systems, and its successor publications.
(B) Perform a comprehensive, independent security assessment every two years. The independent assessment shall assess all policies, standards, and procedures adopted pursuant to subparagraph (A) and paragraph (2), if applicable.
(2) A state agency described in paragraph (1) may adopt and implement information security and privacy policies, standards, and procedures following Chapter 5300 - Information Technology - Office of Information Security of the State Administrative Manual. A state agency described in paragraph (1) may discontinue a policy, standard, or procedure adopted pursuant to this paragraph at any time.
(3) A state agency described in paragraph (1) may contract with the Military Department, or with a qualified responsible vendor, to perform an independent security assessment of the state agency pursuant to subparagraph (B) of paragraph (1), the cost of which shall be funded by the state agency being assessed.
(4) (A) Every state agency described in paragraph (1) shall certify, on a form developed pursuant to subparagraph (C), by February 1 annually, to the office that the agency is in compliance with all policies, standards, and procedures adopted pursuant to this subdivision. The certification shall include a plan of action and milestones.
(B) Notwithstanding any other law, the certification made to the office shall be kept confidential and shall not be disclosed, except as provided in subparagraph (E). The office shall ensure the transferring, receiving, possessing, or disclosing of certifications is done in a manner that ensures the confidentiality and security of the certification, including restricting transfer and storage methods to electronic means and ensuring that certification data is encrypted in transport and at rest. The office shall only provide access to certifications to employees who have submitted to a criminal background check as a condition of employment.
(C) The office shall develop a form for certification based on the Statewide Information Management Manual (SIMM) 5330-B, making modifications as necessary to encompass the requirements on state agencies under paragraphs (1) to (4), inclusive.
(D) The office may make recommendations and offer assistance to any state agency described in paragraph (1) on completing the plan of action and milestones required under paragraph (A). However, the office shall not have the authority to require any recommendation be followed or to compel acceptance of any assistance.
(E) The office shall review the certifications and make an annual summary report available, by May 1, 2024, and by March 1 every year thereafter, to the appropriate legislative committees and the Legislative Analyst’s Office to further their oversight and budgetary responsibilities.
(5) As an alternative to complying with the requirements of paragraphs (1) to (4), inclusive, a state agency described in paragraph (1) may annually submit, by January 15, a declaration to the chief confirming that the state agency voluntarily and fully complies with subdivisions (b) and (c).
(6) This subdivision shall apply to the University of California only to the extent that the Regents of the University of California, by resolution, make any of these provisions applicable to the University.

(g)

(h) (1) Notwithstanding any other law, during the process of conducting an independent security assessment pursuant to subdivision (c) or (f), (g), information and records concerning the independent security assessment are confidential and shall not be disclosed, except that the information and records may be transmitted to state employees and state contractors who have been approved as necessary to receive the information and records to perform that independent security assessment, subsequent remediation activity, or monitoring of remediation activity.
(2) The results of a completed independent security assessment performed pursuant to subdivision (c), (f), or (j), (g), or (k), and any related information shall be subject to all disclosure and confidentiality provisions pursuant to any state law, including, but not limited to, the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1), but not limited to Section 7929.210.

(h)

(i) The office may conduct or require to be conducted an audit of information security to ensure program compliance.

(i)

(j) The office shall notify the Office of Emergency Services, Department of the California Highway Patrol, and the Department of Justice regarding any criminal or alleged criminal cyber activity affecting any state entity or critical infrastructure of state government.

(j)

(k) (1) At the request of a local educational agency, and in consultation with the California Cybersecurity Integration Center, the Military Department may perform an independent security assessment of the local educational agency, or an individual schoolsite under its jurisdiction, the cost of which shall be funded by the local educational agency.
(2) The criteria for the independent security assessment shall be established by the Military Department in coordination with the local educational agency.
(3) The Military Department shall disclose the results of an independent security assessment only to the local educational agency and the California Cybersecurity Integration Center.
(4) For purposes of this subdivision, “local educational agency” means a school district, county office of education, charter school, or state special school.

SECTION 1.

The Legislature finds and declares all of the following:

(a)Californians are often required to provide personally identifiable information to state agencies. Protecting that information is critical to maintaining public trust and safety.

(b)Knowledge of the security status of state agencies is critical to identifying vulnerabilities, managing cybersecurity threats, and avoiding costly disruptions to state services.

(c)Simplifying the existing process for evaluating the cybersecurity of state agencies is critical to ensuring timely reports.

SEC. 2.Section 11547.65 is added to the Government Code, to read:
11547.65.

(a)For purposes of this section, the following definitions apply:

(1)“California Cybersecurity Maturity Metric” means the Statewide Information Management Manual Section 5300-C, or any successor Statewide Information Management Manual section that describes a metric that objectively measures the effective implementation of cybersecurity policies, standards, and procedures by every state agency.

(2)“Maturity Metric Score” means the Statewide Information Management Manual Section 5300-C, or any successor Statewide Information Management Manual section that describes a single score a state agency received following the completion of the calculation that reflects an agency’s information security status.

(3)(A)“State agency” has the same meaning as in Section 11000.

(B)“State agency” does not include the State Compensation Insurance Fund, the Legislature, or the Legislative Data Center in the Legislative Counsel Bureau pursuant to Section 11548.

(b)The Department of Technology shall make changes to the California Cybersecurity Maturity Metric, including the Maturity Metric Score criteria, to accomplish the following goals:

(1)Improve reliability, efficiency, and timeliness of reporting Maturity Metric Scores.

(2)Achieve a Maturity Metric Score for all state agencies every three years.

(c)A Maturity Metric Score shall be comprised of information from the two most recent independent security assessments performed pursuant to subdivision (c) of Section 11549.3 that measured the agency’s network and any other relevant and available information.

feedback