Bill Text: CA AB749 | 2023-2024 | Regular Session | Amended


Bill Title: State agencies: information security: uniform standards.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Engrossed) 2023-09-01 - In committee: Held under submission. [AB749 Detail]


Amended in Senate August 14, 2023
Amended in Senate July 03, 2023
Amended in Assembly April 25, 2023
Amended in Assembly April 13, 2023
Amended in Assembly March 14, 2023

CALIFORNIA LEGISLATURE— 2023–2024 REGULAR SESSION

Assembly Bill
No. 749


Introduced by Assembly Member Irwin

February 13, 2023


An act to add Section 11549.45 to the Government Code, relating to state government.


LEGISLATIVE COUNSEL'S DIGEST


AB 749, as amended, Irwin. State agencies: information security: uniform standards.
Existing law establishes the Office of Information Security within the Department of Technology for the purpose of ensuring the confidentiality, integrity, and availability of state systems and applications and to promote and protect privacy as part of the development and operations of state systems and applications to ensure the trust of the residents of this state. The law requires state entities, as specified, to implement the policies and procedures issued by the office. The law additionally authorizes the office, under direction of the chief, to conduct, or require to be conducted, an independent security assessment of every state agency, department, or office, as specified. State agencies must certify, by February 1 annually, to the President pro Tempore of the Senate and the Speaker of the Assembly that the agency is in compliance with all adopted policies, standards, and procedures and to include a plan of action and milestones, as specified.
This bill would require every state agency, as defined and subject to specified exceptions, to implement Zero Trust architecture for all data, hardware, software, internal systems, and essential third-party software, including for on-premises, cloud, and hybrid environments, to achieve prescribed levels of maturity based on the Cybersecurity and Infrastructure Security Agency (CISA) Maturity Model, as defined, by specified dates. In implementing Zero Trust architecture, the bill would require state agencies to prioritize the use of solutions that comply with, are authorized by, or align to federal guidelines, programs, and frameworks and, at a minimum, prioritize multifactor authentication for access to all systems and data, enterprise endpoint detection and response solutions, and robust logging practices, as specified. The bill would require the office’s chief, no later than January 1, 2025, to develop or revise uniform technology policies, standards, and procedures for use by all state agencies in Zero Trust architecture to achieve specified maturity levels on all systems in the State Administrative Manual and Statewide Information Management Manual. The bill would require the chief to update requirements for existing annual reporting activities to collect information relating to the progress state agencies are making to increase internal defenses of agency systems. The bill would authorize the chief to update existing annual reporting activities to include how a state agency is progressing with respect to specified goals. The bill would also state the Legislature’s intent that the bill’s provisions be implemented in a manner consistent with the state’s timely compliance with requirements that are conditions to receipt of federal funds. The bill would also make related legislative findings and declarations.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO

The people of the State of California do enact as follows:


SECTION 1.

The Legislature finds and declares the following:
(a) Recent cyber breaches have had wide-ranging consequences and demand a state-level response. Cyber defense requires greater speed and agility to mitigate cyber threats, limit the impact of data breaches, and better protect the state’s workforce and residents. These attacks not only significantly impact institutions financially, but they also erode public trust and confidence in government.
(b) To better defend against cyber threats, the Legislature intends for state agencies to embrace technologies and practices outlined in Executive Order 14028 on Improving the Nation’s Cybersecurity. At a minimum, this includes formalizing Zero Trust as the desired model for security. Zero Trust is a security architecture requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or retaining access to applications and data.

SEC. 2.

Section 11549.45 is added to the Government Code, to read:

11549.45.
(a) For purposes of this section, the following definitions shall apply:
(1) “Chief” means the Chief of the Office of Information Security.
(2) “Cybersecurity and Infrastructure Security Agency (CISA) Maturity Model” means the Zero Trust Maturity Model published by the Cybersecurity and Infrastructure Security Agency.
(3) “Endpoint detection and response” means a cybersecurity solution that continuously monitors end-user devices to detect and respond to cyber threats.
(4) “Multifactor authentication” means using two or more different types of identification factors to authenticate a user’s identity for the purpose of accessing systems and data.
(5) “State agency” has the same meaning as in Section 11000.
(6) “Zero Trust architecture” means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy that employs continuous monitoring, risk-based access controls, secure identity and access management practices, and system security automation techniques to address the cybersecurity risk from threats inside and outside traditional network boundaries.
(b) Every state agency shall implement Zero Trust architecture for all data, hardware, software, internal systems, and essential third-party software, including for on-premises, cloud, and hybrid environments, according to the following levels of maturity based upon the Cybersecurity and Infrastructure Security Agency (CISA) Maturity Model:
(1) Achieve “Initial” maturity by June 1, 2024.
(2) Achieve “Advanced” maturity by June 1, 2026.
(3) Achieve “Optimal” maturity by June 1, 2030.
(c) In implementing Zero Trust architecture, a state agency shall prioritize the use of solutions that comply with, are authorized by, or align to applicable federal guidelines, programs, and frameworks, including the Federal Risk and Authorization Management Program, the Continuous Diagnostics and Mitigation Program, and guidance and frameworks from the National Institute of Standards and Technology.
(d) Implementation shall, at a minimum, prioritize the following:
(1) Multifactor authentication for access to all systems and data owned, managed, maintained, or utilized by or on behalf of the state agency.
(2) Enterprise endpoint detection and response solutions to promote real-time detection of cybersecurity threats and rapid investigation and remediation capabilities.
(3) Robust logging practices to provide adequate data to support security investigations and proactive threat hunting.
(e) No later than January 1, 2025, the chief shall develop or revise uniform technology policies, standards, and procedures for use by each state agency in implementing Zero Trust architecture to achieve the “Advanced” and “Optimal” maturity levels stated in subdivision (b) in the State Administrative Manual and Statewide Information Management Manual. A state agency subject to subdivision (f) of Section 11549.3 may, but is not required to, use the policies, standards, and procedures developed by the chief.
(f) The chief shall update requirements for existing annual reporting activities, including standards for audits and independent security assessments, to collect information relating to a state agency’s progress in increasing the internal defenses of agency systems, including:
(1) A description of any steps the state agency has completed, including advancements toward achieving Zero Trust architecture maturity levels.
(2) Following an independent security assessment, an identification of activities that have not yet been completed and that would have the most immediate security impact.
(3) A schedule to implement any planned activities.
(g) The chief may update requirements for existing annual reporting activities, including standards for audits and independent security assessments, to also include information on how a state agency is progressing with respect to the following:
(1) Shifting away from trusted networks to implement security controls based on a presumption of compromise.
(2) Implementing principles of least privilege in administering information security programs.
(3) Limiting the ability of entities that cause cyberattacks to move laterally through or between a state agency’s systems.
(4) Identifying cyber threats quickly.
(5) Isolating and removing unauthorized entities from state agencies’ systems as quickly as practicable, accounting for cyber threat intelligence or law enforcement purposes.
(h) This section shall apply to the University of California only to the extent that the Regents of the University of California, by resolution, make any of these provisions applicable to the university.
(i) It is the intent of the Legislature that this section be implemented in a manner that is consistent with the state’s timely compliance with requirements that are conditions to receipt of federal funds, including, but not limited to, funding from the Infrastructure Investment and Jobs Act (Public Law 117-58).