BILL ANALYSIS

SENATE RULES COMMITTEE                                    AB 670
Office of Senate Floor Analyses
(916) 651-1520   Fax: (916) 327-4478

THIRD READING

Bill No:   AB 670
Author:    Irwin (D)
Amended:   6/23/15 in Senate
Vote:      21

SENATE GOVERNMENTAL ORG. COMMITTEE: 12-0, 6/29/15
AYES: Hall, Berryhill, Block, Gaines, Glazer, Hernandez, Hill, Hueso, Lara, McGuire, Runner, Vidak
NO VOTE RECORDED: Galgiani

SENATE APPROPRIATIONS COMMITTEE: 6-0, 8/27/15
AYES: Lara, Bates, Beall, Hill, Leyva, Mendoza
NO VOTE RECORDED: Nielsen

ASSEMBLY FLOOR: 79-0, 6/2/15 - See last page for vote

SUBJECT: Information technology security

SOURCE: Author

DIGEST: This bill requires the Office of Information Security (OIS), within the Department of Technology (Caltech), to conduct an independent security assessment of the information technology (IT) resources of every state agency, department or office at least once every two years.

ANALYSIS:

Existing law:

1) Establishes, within the Government Operations Agency (GOA), Caltech under the supervision of the Director of Technology, who is also known as the State Chief Information Officer. Caltech is generally responsible for the approval and oversight of IT projects by, among other things, consulting with state agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs.

AB 670 Page 2

2) Establishes, within Caltech, OIS under the supervision of the Chief of the Office of Information Security. The OIS has the authority to, including, but not limited to, conduct, or require to be conducted, an independent security assessment of any state agency, department, or office, the cost of which is to be funded by the state agency, department, or office being assessed.
3) Requires the cost of an independent security assessment or information security program compliance audit to be funded by the state agency, department or office being assessed or audited.

4) Specifies that nothing in the California Public Records Act shall be construed to require the disclosure of an information security record of a public agency if, on the facts of the particular case, disclosure of that record would reveal vulnerabilities to, or otherwise increase the potential for an attack on, an IT system of a public agency.

This bill:

1) Requires OIS, within Caltech, to conduct an independent security assessment of the IT resources of every state agency, department or office at least once every two years.

2) Specifies that the cost of the assessment shall be funded by the state agency, department, or office being assessed.

3) Requires the assessment to be conducted in compliance with the National Institute of Standards and Technology (NIST) Special Publication 800-53 Controls, and to include, to the extent practicable, all of the following components:

   a) Vulnerability scanning, that includes, but is not limited to, all of the following:

      i) Validation that IT systems have currently supported software, with all necessary security patches and updates applied.

      ii) Validation that system security configurations are in compliance with NIST standards.

      iii) Validation that the network architecture is arranged so as to separate internal, publicly accessible, and external zones, along with a mechanism to identify and alert on attempted intrusions.

   b) Penetration testing, when determined appropriate by the Office of Emergency Services (OES).

   c) A report on the number, severity, and nature of identified vulnerabilities and recommendations for remediation and risk mitigation.

4) Specifies that the Military Department may perform an independent security assessment as specified in this bill.
5) Specifies that the Military Department may mitigate the impact of a cyber-attack or assist a law enforcement investigation into cyber security upon the request of OES, a state law enforcement agency, or a state agency, department or Caltech.

6) Specifies that the Military Department may perform a cyber security assessment or respond to a cyber security incident impacting state infrastructure upon the request of OES.

7) Requires the OIS, Military Department, or entity that performs the assessment to transmit the results of that assessment only to the state agency, department, or office that was the subject of that assessment.

8) Specifies that the OIS, Military Department, or entity required to conduct an independent security assessment shall transmit an aggregate of the results of that assessment to Caltech.

9) Authorizes Caltech to require a state agency, department, or office to redirect any funds within its budget that may be legally expended for the assessment to pay the costs of becoming compliant with any recommendation made in an independent security assessment.

10) Requires Caltech to adopt standards, to be included within the State Administrative Manual, that set the requirements for the OIS, Military Department, or entity required to conduct an independent security assessment to transmit the aggregate results of that assessment to Caltech, including, but not limited to, all of the following:

   a) Aggregated, statistical information relevant to the assessment results, including, but not limited to, the number of identified vulnerabilities categorized by high, medium, and low risk. These results shall not include any specific information relative to the nature of the risk that is potentially exploitable.

   b) Prioritization of vulnerabilities.

   c) Identification of relevant internal resources.

   d) Strategy for addressing and mitigating those vulnerabilities.
11) Restricts the communication of assessment results to the assessed entity, approved government employees and validated contractors.

12) Specifies that the results of an independent security assessment, the aggregate of the results of an independent security assessment transmitted to Caltech, and any related information shall be subject to all disclosure and confidentiality provisions of the California Public Records Act.

13) Requires data produced by assessments to be retained by all parties for no longer than one year, unless determined otherwise by OES.

14) Deletes a pre-existing exemption from independent security assessments for the Department of Forestry and Fire Prevention.

15) Declares that the state has a very strong interest in protecting its IT systems from intrusion, because those systems contain confidential information and play a critical role in the performance of the duties of state government. Thus, information regarding the specific vulnerabilities of those systems must be protected to preclude use of that information to facilitate attacks on those systems.

Background

Purpose of the bill. According to the author, "cybersecurity attacks are on the rise and California state government is a priority target because of the value and sheer size of its networks and data. The state bears a responsibility in actively defending the information it collects as well as the critical networks that Californians rely on for services. The State Administrative Manual currently includes the provisions contained in this bill, but there is no mechanism of enforcement and compliance is lacking. These preventative assessments are a vital tool in combating the increasingly sophisticated cyber-attacks that threaten our economy and public safety."

Caltech/OIS. Caltech is the central IT organization for the State of California and is responsible for the approval and oversight of all state IT projects.
Among its various offices is the California Information Security Office, or OIS. OIS is the primary state government authority for ensuring the confidentiality, integrity, and availability of state systems and applications, and ensuring the protection of state information. The office represents California to federal, state, and local government entities, higher education, private industry, and others on security-related matters.

According to the author's office, there are a total of 384 state entities subject to the OIS (which excludes some constitutional offices). It is not known how many attacks, whether successful or unsuccessful, have been made against state agency computers over the past year.

Under current law, OIS is authorized to conduct independent security assessments of any state agency, department or office, but is not required to do so. Existing state policy found in the State Administrative Manual indicates that each state agency shall conduct a comprehensive IT risk assessment once every two years. It is not known how many security assessments were conducted by OIS in the past year.

Cyber Threats in California. According to the California Military Department (CMD), California's size and importance make it vulnerable to cyber incidents that disrupt business, shut down critical infrastructure, and compromise intellectual property or national security. CMD calls cybercrime "a growth industry" causing $400 billion in negative impacts annually on the global economy. Thirty percent of all cyber-attacks and other malicious activity are targeted at the government, making these networks and systems the most vulnerable target of cybercrime. According to CMD, the threat to government networks has never been higher. "Hacktivists", nation states, cyber criminals and other threat groups are attacking government networks to steal sensitive information and make a political/economic statement.
Prior/Related Legislation

AB 1172 (Chau, 2015) creates a California Cyber Security Task Force within OES to act in an advisory capacity and make policy recommendations on cyber security for the State of California. (Pending on the Senate Floor)

AB 739 (Irwin, 2015) provides legal immunity from civil or criminal liability for private entities that communicate anonymized cyber security threat information and meet specified requirements, until January 1, 2020. (Held in Assembly Judiciary Committee)

AB 2200 (Perez, 2014) would have created a 13-member California Cyber Security Steering Committee in OES and continued the existence of the California Cyber Security Task Force until January 1, 2020. (Held at the Assembly Desk)

AB 1620 (Rodriguez, 2014) would have established the California Emergency Management and Disaster Preparedness Commission as a statewide executive-level commission to assess and improve the condition of the State's emergency preparedness, management, and disaster recovery capabilities. (Vetoed by Governor Brown)

FISCAL EFFECT: Appropriation: No    Fiscal Com.: Yes    Local: No

According to the Senate Appropriations Committee, Caltech would incur costs of approximately $2 million in 2016-17, and ongoing costs of approximately $1.9 million for 12 PY of staff to conduct security assessments. Staff estimates that OIS would have additional costs in the hundreds of thousands annually for travel and other associated charges. (Technology Services Revolving Fund)

Further, there would be ongoing, potentially significant cost pressures for state entities to make necessary IT improvements to address vulnerabilities identified through security assessments. However, these improvements would decrease the likelihood that agencies would experience a future data breach, thereby avoiding related costs in future years.
(General Fund and/or Special Funds)

Finally, Caltech would incur an estimated $100,000 to $150,000 in costs to develop and adopt standards for the OIS, Military Department, or entity conducting a security assessment to follow when conducting those assessments and reporting results. These costs include necessary updates to the State Administrative Manual. (Technology Services Revolving Fund)

SUPPORT: (Verified 8/28/15)

Risk Management Society

OPPOSITION: (Verified 8/28/15)

None received

ARGUMENTS IN SUPPORT: According to the Risk Management Society, "this legislation is a prime example of proactive risk management for a risk, cyber terrorism, that is quickly becoming a serious threat for many organizations, including state agencies. We believe it is critical that all organizations, including state agencies, assess their cyber security measures in order to mitigate the risk to those who utilize their services."

ASSEMBLY FLOOR: 79-0, 6/2/15
AYES: Achadjian, Alejo, Travis Allen, Baker, Bigelow, Bloom, Bonilla, Bonta, Brough, Brown, Burke, Calderon, Campos, Chang, Chau, Chiu, Chu, Cooley, Cooper, Dababneh, Dahle, Daly, Dodd, Eggman, Frazier, Beth Gaines, Gallagher, Cristina Garcia, Eduardo Garcia, Gatto, Gipson, Gomez, Gonzalez, Gordon, Gray, Grove, Hadley, Harper, Roger Hernández, Holden, Irwin, Jones, Jones-Sawyer, Kim, Lackey, Levine, Linder, Lopez, Low, Maienschein, Mathis, Mayes, McCarty, Medina, Melendez, Mullin, Nazarian, Obernolte, O'Donnell, Olsen, Patterson, Perea, Quirk, Rendon, Ridley-Thomas, Rodriguez, Salas, Santiago, Steinorth, Mark Stone, Thurmond, Ting, Wagner, Waldron, Weber, Wilk, Williams, Wood, Atkins
NO VOTE RECORDED: Chávez

Prepared by: Felipe Lopez / G.O. / (916) 651-1530
8/31/15 10:14:03

**** END ****