Existing law establishes the Office of Information Security, within the Department of Technology, to, among other things, ensure the confidentiality, integrity, and availability of state systems and applications. Existing law requires the Chief of the Office of Information Security to establish an information security program that includes, among other things, creating, updating, and publishing information security and privacy policies, standards, and procedures for state agencies, and requires state agencies, as described, to certify to the office that the agency is in compliance with those policies, standards, and procedures. Existing law authorizes the office to, among other things, conduct or require to be conducted an independent security assessment of every state agency, department, or office, as specified.
This bill would require the office, on or before January 1, 2026, to develop a Baseline Information Security Score metric to estimate the information security status of applicable state agencies, departments, and offices, and would require the metric to utilize readily available information, including, among other things, compliance certifications submitted to the office and results of relevant independent security assessments completed as described above. The bill would also require the office, beginning January 1, 2027, and annually on or before January 1 thereafter, to calculate a Baseline Information Security Score based on the above-described metric for each applicable state agency, department, and office. The bill would make related findings and declarations.

Statutes affected:
AB2777: 33428 EDC
02/15/24 - Introduced: 33428 EDC
03/19/24 - Amended Assembly: 33428 EDC
04/25/24 - Amended Assembly: 11549.3 GOV