Bill Summary – FastDemocracy

Existing law establishes the Office of Information Security within the Department of Technology, under the direction of the Chief of the Office of Information Security, for the purpose of ensuring the confidentiality, integrity, and availability of state systems and applications and to promote and protect privacy as part of the development and operations of state systems and applications to ensure the trust of the residents of this state. The law requires an entity within the executive branch that is under the direct authority of the Governor to implement the policies and procedures issued by the office. The law additionally authorizes the office to conduct, or require to be conducted, an independent security assessment of every state agency, department, or office, as specified. The law authorizes the Military Department to perform an independent security assessment of any state agency, department, or office.
This bill would require all state agencies, as generally defined, to review and implement specified National Institute of Standards and Technology (NIST) guidelines for, among other things, reporting, coordinating, publishing, and receiving information about a security vulnerability relating to information systems and the resolution thereof, no later than July 1, 2023. The bill would require the chief to review the NIST guidelines and to create, update, and publish any appropriate standards or procedures in the State Administrative Manual and Statewide Information Management Manual to apply the NIST guidelines to state agencies and state entities no later than April 1, 2023. The bill would authorize a state agency, and require certain state agencies and state entities, to satisfy their requirement to implement NIST guidelines by adopting those standards and procedures published in the State Administrative Manual and Statewide Information Management Manual. The bill would require the office to provide assistance to any state agency or state entity that requests assistance in implementing the guidelines or the standards and procedures, and to provide operational and technical assistance to state agencies and state entities on reporting, coordinating, publishing, and receiving information about cybersecurity vulnerabilities of information systems, until that agency or entity withdraws their request for assistance with implementation or cybersecurity.