BILL ANALYSIS
SENATE RULES COMMITTEE                                     AB 670
Office of Senate Floor Analyses
(916) 651-1520 Fax: (916) 327-4478
THIRD READING
Bill No: AB 670
Author: Irwin (D)
Amended: 6/23/15 in Senate
Vote: 21
SENATE GOVERNMENTAL ORG. COMMITTEE: 12-0, 6/29/15
AYES: Hall, Berryhill, Block, Gaines, Glazer, Hernandez, Hill,
Hueso, Lara, McGuire, Runner, Vidak
NO VOTE RECORDED: Galgiani
SENATE APPROPRIATIONS COMMITTEE: 6-0, 8/27/15
AYES: Lara, Bates, Beall, Hill, Leyva, Mendoza
NO VOTE RECORDED: Nielsen
ASSEMBLY FLOOR: 79-0, 6/2/15 - See last page for vote
SUBJECT: Information technology security
SOURCE: Author
DIGEST: This bill requires the Office of Information Security
(OIS), within the Department of Technology (Caltech), to conduct
an independent security assessment of the information
technology (IT) resources of every state agency, department, or
office at least once every two years.
ANALYSIS:
Existing law:
1) Establishes, within the Government Operations Agency (GOA),
Caltech under the supervision of the Director of Technology,
AB 670
Page 2
who is also known as the State Chief Information Officer.
Caltech is generally responsible for the approval and
oversight of IT projects by, among other things, consulting
with state agencies during initial project planning to ensure
that project proposals are based on well-defined programmatic
needs.
2) Establishes, within Caltech, OIS under the supervision of the
Chief of the Office of Information Security. OIS's authority
includes, but is not limited to, conducting, or requiring to be
conducted, an independent security assessment of any state
agency, department, or office, the cost of which is to be funded
by the state agency, department, or office being assessed.
3) Requires the cost of an independent security assessment or
information security program compliance audit to be funded by
the state agency, department or office being assessed or
audited.
4) Specifies that nothing in the California Public Records Act
shall be construed to require the disclosure of an information
security record of a public agency if, on the facts of the
particular case, disclosure of that record would reveal
vulnerabilities to, or otherwise increase the potential for, an
attack on an IT system of a public agency.
This bill:
1) Requires OIS, within Caltech, to conduct an independent
security assessment of the IT resources of every state agency,
department, or office at least once every two years.
2) Specifies that the cost of the assessment shall be funded by
the state agency, department, or office being assessed.
3) Requires the assessment to be conducted in compliance with the
National Institute of Standards and Technology (NIST) Special
Publication 800-53 Controls, and to include, to the extent
practicable, all of the following components:
a) Vulnerability scanning that includes, but is not
limited to, all of the following:
i) Validation that IT systems have currently supported
software, with all necessary security patches and updates
applied.
ii) Validation that system security configurations are
in compliance with NIST standards.
iii) Validation that the network architecture is arranged
so as to separate internal, publicly accessible, and
external zones, along with a mechanism to identify and
alert on attempted intrusions.
b) Penetration testing, when determined appropriate by the
Office of Emergency Services (OES).
c) A report on the number, severity, and nature of
identified vulnerabilities and recommendations for
remediation and risk mitigation.
4) Specifies that the Military Department may perform an
independent security assessment as specified in this bill.
5) Specifies that the Military Department may mitigate the impact
of a cyber-attack or assist a law enforcement investigation
into cyber security upon the request of OES, a state law
enforcement agency, or a state agency, department or Caltech.
6) Specifies that the Military Department may perform a cyber
security assessment or respond to a cyber security incident
impacting state infrastructure upon the request of OES.
7) Requires the OIS, Military Department, or entity that performs
the assessment to transmit the results of that assessment only
to the state agency, department, or office that was the
subject of that assessment.
8) Specifies that the OIS, Military Department, or entity
required to conduct an independent security assessment shall
transmit an aggregate of the results of that assessment to
Caltech.
9) Authorizes Caltech to require a state agency, department, or
office to redirect any funds within its budget that may be
legally expended for the assessment to pay the costs of
becoming compliant with any recommendation made in an
independent security assessment.
10) Requires Caltech to adopt standards, to be included within
the State Administrative Manual, that set the requirements
for the OIS, Military Department, or entity required to
conduct an independent security assessment to transmit the
aggregate results of that assessment to Caltech, including,
but not limited to, all of the following:
a) Aggregated, statistical information relevant to the
assessment results, including, but not limited to, the
number of identified vulnerabilities categorized by high,
medium, and low risk. These results shall not include any
specific information relative to the nature of the risk
that is potentially exploitable.
b) Prioritization of vulnerabilities.
c) Identification of relevant internal resources.
d) Strategy for addressing and mitigating those
vulnerabilities.
11) Restricts the communication of assessment results to
the assessed entity, approved government employees, and
validated contractors.
12) Specifies that the results of an independent security
assessment, the aggregate of the results of an independent
security assessment transmitted to Caltech, and any related
information shall be subject to all disclosure and
confidentiality provisions of the California Public Records
Act.
13) Requires data produced by assessments to be retained by
all parties for no longer than one year, unless determined
otherwise by OES.
14) Deletes a pre-existing exemption from independent security
assessments for the Department of Forestry and Fire
Prevention.
15) Declares that the state has a very strong interest in
protecting its IT systems from intrusion, because those
systems contain confidential information and play a critical
role in the performance of the duties of state government.
Thus, information regarding the specific vulnerabilities of
those systems must be protected to preclude use of that
information to facilitate attacks on those systems.
Background
Purpose of the bill. According to the author, "cybersecurity
attacks are on the rise and California state government is a
priority target because of the value and sheer size of its
networks and data. The state bears a responsibility in actively
defending the information it collects as well as the critical
networks that Californians rely on for services. The State
Administrative Manual currently includes the provisions
contained in this bill, but there is no mechanism of enforcement
and compliance is lacking. These preventative assessments are a
vital tool in combating the increasingly sophisticated
cyber-attacks that threaten our economy and public safety."
CalTech/OIS. CalTech is the central IT organization for the
State of California and is responsible for the approval and
oversight of all state IT projects. Among its various offices
is the California Information Security Office, or OIS.
OIS is the primary state government authority for ensuring the
confidentiality, integrity, and availability of state systems
and applications, and ensuring the protection of state
information. The office represents California to federal,
state, and local government entities, higher education, private
industry, and others on security-related matters. According to
the author's office, there are a total of 384 state entities
subject to the OIS (which excludes some constitutional offices).
It is not known how many attacks, whether successful or
unsuccessful, have been made against state agency computers over
the past year.
Under current law, OIS is authorized to conduct independent
security assessments of any state agency, department or office,
but is not required to do so. Existing state policy found in
the State Administrative Manual indicates that each state agency
shall conduct a comprehensive IT risk assessment once every two
years. It is not known how many security assessments were
conducted by OIS in the past year.
Cyber Threats in California. According to the California
Military Department (CMD), California's size and importance
make it vulnerable to cyber incidents that disrupt business,
shut down critical infrastructure, and compromise intellectual
property or national security.
CMD calls cybercrime "a growth industry" causing $400 billion in
negative impacts annually on the global economy. Thirty percent
of all cyber-attacks and other malicious activity are targeted
at the government, making these networks and systems the most
vulnerable target of cybercrime.
According to CMD, the threat to government networks has never
been higher. "Hacktivists", nation states, cyber criminals and
other threat groups are attacking government networks to steal
sensitive information and make a political/economic statement.
Prior/Related Legislation
AB 1172 (Chau, 2015) creates a California Cyber Security Task
Force within OES to act in an advisory capacity and make policy
recommendations on cyber security for the State of California.
(Pending on the Senate Floor)
AB 739 (Irwin, 2015) provides legal immunity from civil or
criminal liability for private entities that communicate
anonymized cyber security threat information and meet specified
requirements, until January 1, 2020. (Held in Assembly
Judiciary Committee)
AB 2200 (Perez, 2014) would have created a 13-member California
Cyber Security Steering Committee in OES and continued the
existence of the California Cyber Security Task Force until
January 1, 2020. (Held at the Assembly Desk)
AB 1620 (Rodriguez, 2014) would have established the California
Emergency Management and Disaster Preparedness Commission as a
statewide executive-level commission to assess and improve the
condition of the State's emergency preparedness, management, and
disaster recovery capabilities. (Vetoed by Governor Brown)
FISCAL EFFECT: Appropriation: No    Fiscal Com.: Yes    Local: No
According to the Senate Appropriations Committee, CalTech would
incur costs of approximately $2 million in 2016-17, and ongoing
costs of approximately $1.9 million for 12 PY of staff to
conduct security assessments. Staff estimates that OIS would
have additional costs in the hundreds of thousands annually for
travel and other associated charges. (Technology Services
Revolving Fund)
Further, there would be ongoing, potentially significant cost
pressures for state entities to make necessary IT improvements
to address vulnerabilities identified through security
assessments.
However, these improvements would decrease the likelihood that
agencies would experience a future data breach, thereby avoiding
related costs in future years. (General Fund and/or Special
Funds)
Finally, Caltech would incur estimated costs in the range of
$100,000 to $150,000 to develop and adopt standards for the OIS,
Military Department, or entity conducting a security assessment
to follow when conducting those assessments and reporting
results. These costs include necessary updates to the State
Administrative Manual. (Technology Services Revolving Fund)
SUPPORT: (Verified 8/28/15)
Risk Management Society
OPPOSITION: (Verified 8/28/15)
None received
ARGUMENTS IN SUPPORT: According to the Risk Management
Society, "this legislation is a prime example of proactive risk
management for a risk, cyber terrorism, that is quickly becoming
a serious threat for many organizations, including state
agencies. We believe it is critical that all organizations,
including state agencies, assess their cyber security measures
in order to mitigate the risk to those who utilize their
services."
ASSEMBLY FLOOR: 79-0, 6/2/15
AYES: Achadjian, Alejo, Travis Allen, Baker, Bigelow, Bloom,
Bonilla, Bonta, Brough, Brown, Burke, Calderon, Campos, Chang,
Chau, Chiu, Chu, Cooley, Cooper, Dababneh, Dahle, Daly, Dodd,
Eggman, Frazier, Beth Gaines, Gallagher, Cristina Garcia,
Eduardo Garcia, Gatto, Gipson, Gomez, Gonzalez, Gordon, Gray,
Grove, Hadley, Harper, Roger Hernández, Holden, Irwin, Jones,
Jones-Sawyer, Kim, Lackey, Levine, Linder, Lopez, Low,
Maienschein, Mathis, Mayes, McCarty, Medina, Melendez, Mullin,
Nazarian, Obernolte, O'Donnell, Olsen, Patterson, Perea,
Quirk, Rendon, Ridley-Thomas, Rodriguez, Salas, Santiago,
Steinorth, Mark Stone, Thurmond, Ting, Wagner, Waldron, Weber,
Wilk, Williams, Wood, Atkins
NO VOTE RECORDED: Chávez
Prepared by: Felipe Lopez / G.O. / (916) 651-1530
8/31/15 10:14:03