California 2015-2016 Regular Session

California Assembly Bill AB1881 Amended / Bill

Filed 03/17/2016

BILL NUMBER: AB 1881
AMENDED BILL TEXT

AMENDED IN ASSEMBLY MARCH 17, 2016
INTRODUCED BY Assembly Member Chang
FEBRUARY 10, 2016

Text marked [struck: ...] was deleted, and text marked [added: ...] was inserted, by the March 17, 2016 amendment.

[struck: An act to amend Section 11546 of the Government Code, relating to state government.]

[added: An act to amend Section 11545 of the Government Code, relating to state government.]

LEGISLATIVE COUNSEL'S DIGEST

AB 1881, as amended, Chang. [struck: Office of Information Security.] [added: Director of Technology: state baseline security controls.]

[added: Existing law establishes within the Government Operations Agency the Department of Technology, under the supervision of the Director of Technology, also known as the State Chief Information Officer. Existing law requires the director to, among other things, advise the Governor on the strategic management and direction of the state's information technology resources and provide technology direction to agency and department chief information officers to ensure the integration of statewide technology initiatives. Existing law further requires the director to produce an annual information technology performance report that assesses and measures the state's progress toward specified goals.

This bill would require the director to develop, tailor, and subsequently review and revise baseline security controls for the state based on baseline security controls published by the National Institute of Standards and Technology. The bill would require state agencies to comply with, and prohibit state agencies from tailoring their individual baseline security controls to fall below, the state baseline security controls. The bill would require that the director's annual information technology performance report also assess and measure the state's progress toward developing, tailoring, and complying with the state baseline security controls.]

[struck: Existing law creates in the Department of Technology, the Office of Information Security, under the direction of a chief, to ensure the confidentiality, integrity, and availability of state systems and applications.

This bill would make nonsubstantive changes to those provisions.]

Vote: majority. Appropriation: no. Fiscal committee: [struck: no] [added: yes]. State-mandated local program: no.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

[added text begins]

SECTION 1. Section 11545 of the Government Code is amended to read:

11545. (a) (1) There is in state government the Department of Technology within the Government Operations Agency. The Director of Technology shall be appointed by, and serve at the pleasure of, the Governor, subject to Senate confirmation. The Director of Technology shall supervise the Department of Technology and report directly to the Governor on issues relating to information technology.

(2) Unless the context clearly requires otherwise, whenever the term "office of the State Chief Information Officer" or "California Technology Agency" appears in any statute, regulation, or contract, or any other code, it shall be construed to refer to the Department of Technology, and whenever the term "State Chief Information Officer" or "Secretary of California Technology" appears in any statute, regulation, or contract, or any other code, it shall be construed to refer to the Director of Technology.

(3) The Director of Technology shall be the State Chief Information Officer.

(b) The duties of the Director of Technology shall include, but are not limited to, all of the following:

(1) Advising the Governor on the strategic management and direction of the state's information technology resources.

(2) Establishing and enforcing state information technology strategic plans, policies, standards, and enterprise architecture. This shall include the periodic review and maintenance of the information technology sections of the State Administrative Manual, except for sections on information technology procurement procedures, and information technology fiscal policy. The Director of Technology shall consult with the Director of General Services, the Director of Finance, and other relevant agencies concerning policies and standards these agencies are responsible to issue as they relate to information technology.

(3) Minimizing overlap, redundancy, and cost in state operations by promoting the efficient and effective use of information technology.

(4) Providing technology direction to agency and department chief information officers to ensure the integration of statewide technology initiatives, compliance with information technology policies and standards, and the promotion of the alignment and effective management of information technology services. Nothing in this paragraph shall be deemed to limit the authority of a constitutional officer, cabinet agency secretary, or department director to establish programmatic priorities and business direction to the respective agency or department chief information officer.

(5) Working to improve organizational maturity and capacity in the effective management of information technology.

(6) Establishing performance management and improvement processes to ensure state information technology systems and services are efficient and effective.

(7) Approving, suspending, terminating, and reinstating information technology projects.

(8) Performing enterprise information technology functions and services, including, but not limited to, implementing Geographic Information Systems (GIS), shared services, applications, and program and project management activities in partnership with the owning agency or department.

(9) Developing and tailoring baseline security controls for the state based on baseline security controls published by the National Institute of Standards and Technology (NIST). The Director of Technology shall review and revise the state baseline security controls whenever the NIST updates its baseline security controls but, in no event, less frequently than once every three years. State agencies shall comply with the state baseline security controls and shall not tailor their individual baseline security controls to fall below the state baseline security controls.

(c) The Director of Technology shall produce an annual information technology strategic plan that shall guide the acquisition, management, and use of information technology. State agencies shall cooperate with the department in the development of this plan, as required by the Director of Technology.

(1) Upon establishment of the information technology strategic plan, the Director of Technology shall take all appropriate and necessary steps to implement the plan, subject to any modifications and adjustments deemed necessary and reasonable.

(2) The information technology strategic plan shall be submitted to the Joint Legislative Budget Committee by January 15 of every year.

(d) The Director of Technology shall produce an annual information technology performance report that shall assess and measure the state's progress toward enhancing information technology human capital management; reducing and avoiding costs and risks associated with the acquisition, development, implementation, management, and operation of information technology assets, infrastructure, and systems; improving energy efficiency in the use of information technology assets; enhancing the security, reliability, and quality of information technology networks, services, and systems; developing, tailoring, and complying with state baseline security controls; and improving the information technology procurement process. The department shall establish those policies and procedures required to improve the performance of the state's information technology program.

(1) The department shall submit an information technology performance management framework to the Joint Legislative Budget Committee by May 15, 2009, accompanied by the most current baseline data for each performance measure or metric contained in the framework. The information technology performance management framework shall include the performance measures and targets that the department will utilize to assess the performance of, and measure the costs and risks avoided by, the state's information technology program. The department shall provide notice to the Joint Legislative Budget Committee within 30 days of making changes to the framework. This notice shall include the rationale for changes in specific measures or metrics.

(2) State agencies shall take all necessary steps to achieve the targets set forth by the department and shall report their progress to the department on a quarterly basis.

(3) Notwithstanding Section 10231.5, the information technology performance report shall be submitted to the Joint Legislative Budget Committee by January 15 of every year. To enhance transparency, the department shall post performance targets and progress toward these targets on its public Internet Web site.

(4) The department shall at least annually report to the Director of Finance cost savings and avoidances achieved through improvements to the way the state acquires, develops, implements, manages, and operates state technology assets, infrastructure, and systems. This report shall be submitted in a timeframe determined by the Department of Finance and shall identify the actual savings achieved by each office, department, and agency. Notwithstanding Section 10231.5, the department shall also, within 30 days, submit a copy of that report to the Joint Legislative Budget Committee, the Senate Committee on Appropriations, the Senate Committee on Budget and Fiscal Review, the Assembly Committee on Appropriations, and the Assembly Committee on Budget.

(e) If the Governor's Reorganization Plan No. 2 of 2012 becomes effective, this section shall prevail over Section 186 of the Governor's Reorganization Plan No. 2 of 2012, regardless of the dates on which this section and that plan take effect, and this section shall become operative on July 1, 2013.

[added text ends]

[struck text begins]

SECTION 1. Section 11549 of the Government Code is amended to read:

11549. (a) There is in state government, in the Department of Technology, the Office of Information Security. The purpose of the office is to ensure the confidentiality, integrity, and availability of state systems and applications, and to promote and protect privacy as part of the development and operations of state systems and applications to ensure the trust of the residents of this state.

(b) The office shall be under the direction of a chief, who shall be appointed by, and serve at the pleasure of, the Governor. The chief shall report to the Director of Technology, and shall lead the Office of Information Security in carrying out its mission.

(c) The duties of the Office of Information Security, under the direction of the chief, shall be to provide direction for information security and privacy to state government agencies, departments, and offices, pursuant to Section 11549.3.

(d) (1) Unless the context clearly requires otherwise, whenever the term "Office of Information Security and Privacy Protection" appears in any statute, regulation, or contract, it shall be deemed to refer to the Office of Information Security, and whenever the term "executive director of the Office of Information Security and Privacy Protection" appears in statute, regulation, or contract, it shall be deemed to refer to the Chief of the Office of Information Security.

(2) All employees serving in state civil service, other than temporary employees, who are engaged in the performance of functions transferred from the Office of Information Security and Privacy Protection to the Office of Information Security, are transferred to the Office of Information Security. The status, positions, and rights of those persons shall not be affected by their transfer and shall continue to be retained by them pursuant to the State Civil Service Act (Part 2 (commencing with Section 18500) of Division 5), except as to positions the duties of which are vested in a position exempt from civil service. The personnel records of all transferred employees shall be transferred to the Office of Information Security.

(3) The property of any office, agency, or department related to functions transferred to the Office of Information Security is transferred to the Office of Information Security. If any doubt arises as to where that property is transferred, the Department of General Services shall determine where the property is transferred.

(4) All unexpended balances of appropriations and other funds available for use in connection with any function or the administration of any law transferred to the Office of Information Security shall be transferred to the Office of Information Security for the use and for the purpose for which the appropriation was originally made or the funds were originally available. If there is any doubt as to where those balances and funds are transferred, the Department of Finance shall determine where the balances and funds are transferred.

[struck text ends]