Bill Text: CA AB3193 | 2017-2018 | Regular Session | Amended


Bill Title: Information security.

Spectrum: Slight Partisan Bill (Democrat 2-1)

Status: (Engrossed - Dead) 2018-06-26 - In committee: Set, first hearing. Failed passage.


Amended in Assembly March 23, 2018

CALIFORNIA LEGISLATURE— 2017–2018 REGULAR SESSION

Assembly Bill No. 3193


Introduced by Assembly Member Chau

February 16, 2018


An act to amend Section [struck: 12101.2 of the Public Contract Code, relating to public contracts.] 11549.3 of the Government Code, relating to information security.


LEGISLATIVE COUNSEL'S DIGEST


AB 3193, as amended, Chau. [struck: Public information technology contracts.] Information security.
Existing law establishes the Department of Technology within the Government Operations Agency, headed by the Director of Technology, who is also known as the State Chief Information Officer. Existing law requires the chief to establish an information security program, including, among other things, the creation, updating, and publishing of information security and privacy policies, standards, and procedures in the State Administrative Manual. Existing law requires certain state entities to implement and comply with the policies and procedures issued by the office.
This bill would revise the implementation requirement described above to provide that all state agencies, as defined, must implement and comply with the policies and procedures issued by the office.

[struck: Existing law requires all contracts for the acquisition of information technology goods or services, whether by lease or purchase, to be made by or under the supervision of the Department of General Services, unless otherwise expressly provided. Under existing law, the department is required to prenegotiate the repetitively used terms and conditions in the state’s model contract with each interested vendor who bids or proposes on electronic data processing or telecommunications procurements. Under existing law, a bidder or proposer for one of these contracts is required to propose a negotiated change or standard contract language change to the contract within a specified timeframe.

This bill would make a nonsubstantive change to that provision.]

Vote: MAJORITY   Appropriation: NO   Fiscal Committee: [struck: NO] YES   Local Program: NO

The people of the State of California do enact as follows:


SECTION 1. Section 11549.3 of the Government Code is amended to read:

11549.3.
(a) The chief shall establish an information security program. The program responsibilities include, but are not limited to, all of the following:
(1) The creation, updating, and publishing of information security and privacy policies, standards, and procedures for state agencies in the State Administrative Manual.
(2) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies to effectively manage security and risk for both of the following:
(A) Information technology, which includes, but is not limited to, all electronic technology systems and services, automated information handling, system design and analysis, conversion of data, computer programming, information storage and retrieval, telecommunications, requisite system controls, simulation, electronic commerce, and all related interactions between people and machines.
(B) Information that is identified as mission critical, confidential, sensitive, or personal, as defined and published by the office.
(3) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies for the collection, tracking, and reporting of information regarding security and privacy incidents.
(4) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies in the development, maintenance, testing, and filing of each state agency’s disaster recovery plan.
(5) Coordination of the activities of state agency information security officers, for purposes of integrating statewide security initiatives and ensuring compliance with information security and privacy policies and standards.
(6) Promotion and enhancement of the state agencies’ risk management and privacy programs through education, awareness, collaboration, and consultation.
(7) Representing the state before the federal government, other state agencies, local government entities, and private industry on issues that have statewide impact on information security and privacy.
(b) All state [struck: entities defined in Section 11546.1] agencies defined in Section 11000 shall implement the policies and procedures issued by the office, including, but not limited to, performing both of the following duties:
(1) Comply with the information security and privacy policies, standards, and procedures issued pursuant to this chapter by the office.
(2) Comply with filing requirements and incident notification by providing timely information and reports as required by the office.
(c) (1) The office may conduct, or require to be conducted, an independent security assessment of every state agency, department, or office. The cost of the independent security assessment shall be funded by the state agency, department, or office being assessed.
(2) In addition to the independent security assessments authorized by paragraph (1), the office, in consultation with the Office of Emergency Services, shall perform all the following duties:
(A) Annually require no fewer than thirty-five (35) state entities to perform an independent security assessment, the cost of which shall be funded by the state agency, department, or office being assessed.
(B) Determine criteria and rank state entities based on an information security risk index that may include, but not be limited to, analysis of the relative amount of the following factors within state agencies:
(i) Personally identifiable information protected by law.
(ii) Health information protected by law.
(iii) Confidential financial data.
(iv) Self-certification of compliance and indicators of unreported noncompliance with security provisions in the following areas:
(I) Information asset management.
(II) Risk management.
(III) Information security program management.
(IV) Information security incident management.
(V) Technology recovery planning.
(C) Determine the basic standards of services to be performed as part of independent security assessments required by this subdivision.
(3) The Military Department may perform an independent security assessment of any state agency, department, or office, the cost of which shall be funded by the state agency, department, or office being assessed.
(d) State agencies and entities required to conduct or receive an independent security assessment pursuant to subdivision (c) shall transmit the complete results of that assessment and recommendations for mitigating system vulnerabilities, if any, to the office and the Office of Emergency Services.
(e) The office shall report to the Department of Technology and the Office of Emergency Services any state entity found to be noncompliant with information security program requirements.
(f) (1) Notwithstanding any other law, during the process of conducting an independent security assessment pursuant to subdivision (c), information and records concerning the independent security assessment are confidential and shall not be disclosed, except that the information and records may be transmitted to state employees and state contractors who have been approved as necessary to receive the information and records to perform that independent security assessment, subsequent remediation activity, or monitoring of remediation activity.
(2) The results of a completed independent security assessment performed pursuant to subdivision (c), and any related information shall be subject to all disclosure and confidentiality provisions pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1), including, but not limited to, Section 6254.19.
(g) The office may conduct or require to be conducted an audit of information security to ensure program compliance, the cost of which shall be funded by the state agency, department, or office being audited.
(h) The office shall notify the Office of Emergency Services, Department of the California Highway Patrol, and the Department of Justice regarding any criminal or alleged criminal cyber activity affecting any state entity or critical infrastructure of state government.

[struck in its entirety by the March 23, 2018 amendment:]
SECTION 1. Section 12101.2 of the Public Contract Code is amended to read:
12101.2.

The Department of General Services shall prenegotiate the repetitively used terms and conditions in the state’s model contract with each interested vendor who bids or proposes on electronic data processing or telecommunications procurements. The contract language shall be kept on file, as a matter of public record, and shall remain operational until either the state or the vendor provides 30 days’ notice to the other party that new negotiations are deemed appropriate.

If, for a particular procurement, the state seeks to make any further changes to either the negotiated or the standard contract language, or both, it shall identify those changes to each bidder or proposer prior to the due date for the bid or proposal. If, for a particular procurement, a bidder or proposer seeks to propose a negotiated change or standard contract language change, it shall make this identification within the timeframe identified in the solicitation document.
