1 | | - | Assembly Bill No. 1022 CHAPTER 790 An act to amend Sections 8592.35, 8592.40, and 8592.45 of the Government Code, relating to technology. [ Approved by Governor October 14, 2017. Filed with Secretary of State October 14, 2017. ] LEGISLATIVE COUNSEL'S DIGESTAB 1022, Irwin. Information technology: Technology Recovery Plans: inventory.The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. Existing law establishes the Department of Technology under the supervision of the Director of Technology who is also known as the State Chief Information Officer, and generally requires the Department of Technology to be responsible for the approval and oversight of information technology projects by, among other things, consulting with state agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs. Existing law establishes the Office of Information Security, within the Department of Technology, under the direction of a chief who reports to the Director of Technology. Existing law requires the Department of Technology, in consultation with the Office of Emergency Services and in compliance with the information security program required to be established by the chief of the Office of Information Security, to update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information. 
Existing law requires each state agency to provide its updated Technology Recovery Plan and report on its compliance with these updated standards to the department, as specified, and authorizes the department, in consultation with the Office of Emergency Services, to provide suggestions for a state agency to improve compliance with these standards. Existing law prohibits public disclosure of reports and public records relating to the cybersecurity strategies of state agencies, as specified.This bill would require each state agency, as part of its Technology Recovery Plan, to provide the department with an inventory of all critical infrastructure controls, and their associated assets, in the possession of the agency. The bill would authorize a local entity that receives state funds for the purposes of storing, sharing, or transmitting data, or in support of an information technology project with a state entity, upon the request of the department, to submit a Technology Recovery Plan, as specified, to the department. The bill would authorize the department to provide suggestions with regard to the plans. 
The bill would prohibit public disclosure of these plans.Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.This bill would make legislative findings to that effect.The California Constitution requires local agencies, for the purpose of ensuring public access to the meetings of public bodies and the writings of public officials and agencies, to comply with a statutory enactment that amends or enacts laws relating to public records or open meetings and contains findings demonstrating that the enactment furthers the constitutional requirements relating to this purpose.This bill would make legislative findings to that effect.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Section 8592.35 of the Government Code is amended to read:8592.35. 
(a) (1) On or before July 1, 2018, the department shall, in consultation with the office and compliance with Section 11549.3, update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information.(2) In updating the standards in paragraph (1), the department shall consider, but not be limited to considering, all of the following:(A) Costs to implement the standards.(B) Security of critical infrastructure information.(C) Centralized management of risk.(D) Industry best practices.(E) Continuity of operations.(F) Protection of personal information.(b) Each state agency shall provide the department with a copy of its updated Technology Recovery Plan.(c) Each state agency shall, as part of its Technology Recovery Plan, provide the department with an inventory of all critical infrastructure controls, and their associated assets, in the possession of the agency.SEC. 2. Section 8592.40 of the Government Code is amended to read:8592.40. 
(a) Each state agency shall report on its compliance with the standards updated pursuant to Section 8592.35 to the department in the manner and at the time directed by the department, but no later than July 1, 2019.(b) At the request of the department, any local entity that receives state funds for the purposes of storing, sharing, or transmitting data, or in support of an information technology project with a state entity, may submit a Technology Recovery Plan, as specified by Section 8592.35, to the department.(c) The department, in conjunction with the office, may provide suggestions for a state agency or local entity that provided a Technology Recovery Plan pursuant to subdivision (b) to improve compliance with the standards developed pursuant to Section 8592.35, if any, to the head of the state agency and the secretary responsible for the state agency or the head of the local entity. For a state agency that is not under the responsibility of a secretary, the department shall provide any suggestions to the head of the state agency and the Governor.SEC. 3. Section 8592.45 of the Government Code is amended to read:8592.45. The information required by subdivisions (b) and (c) of Section 8592.35, the report required by subdivision (a) of Section 8592.40, the plan authorized by subdivision (b) of Section 8592.40, and any public records relating to any communication made pursuant to, or in furtherance of the purposes of, subdivision (c) of Section 8592.40 are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).SEC. 4. 
The Legislature finds and declares that Section 3 of this act, which amends Section 8592.45 of the Government Code, imposes a limitation on the publics right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:Preventing public disclosure of the individual and statewide critical infrastructure control inventories of state agencies promotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure controls within the state.SEC. 5. The Legislature finds and declares that Section 3 of this act, which amends Section 8592.45 of the Government Code, furthers, within the meaning of paragraph (7) of subdivision (b) of Section 3 of Article I of the California Constitution, the purposes of that constitutional section as it relates to the right of public access to the meetings of local public bodies or the writings of local public officials and local agencies. Pursuant to paragraph (7) of subdivision (b) of Section 3 of Article I of the California Constitution, the Legislature makes the following findings:This act strikes the appropriate balance between the publics right to access information about the conduct of their governmental agencies and the need to protect the cybersecurity of critical infrastructure controls within the state. |
---|
| 1 | + | Enrolled September 15, 2017 Passed IN Senate September 11, 2017 Passed IN Assembly September 13, 2017 Amended IN Senate September 06, 2017 Amended IN Assembly April 17, 2017 Amended IN Assembly March 28, 2017 CALIFORNIA LEGISLATURE 20172018 REGULAR SESSION Assembly Bill No. 1022Introduced by Assembly Member IrwinFebruary 16, 2017 An act to amend Sections 8592.35, 8592.40, and 8592.45 of the Government Code, relating to technology. LEGISLATIVE COUNSEL'S DIGESTAB 1022, Irwin. Information technology: Technology Recovery Plans: inventory.The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. Existing law establishes the Department of Technology under the supervision of the Director of Technology who is also known as the State Chief Information Officer, and generally requires the Department of Technology to be responsible for the approval and oversight of information technology projects by, among other things, consulting with state agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs. Existing law establishes the Office of Information Security, within the Department of Technology, under the direction of a chief who reports to the Director of Technology. Existing law requires the Department of Technology, in consultation with the Office of Emergency Services and in compliance with the information security program required to be established by the chief of the Office of Information Security, to update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information. 
Existing law requires each state agency to provide its updated Technology Recovery Plan and report on its compliance with these updated standards to the department, as specified, and authorizes the department, in consultation with the Office of Emergency Services, to provide suggestions for a state agency to improve compliance with these standards. Existing law prohibits public disclosure of reports and public records relating to the cybersecurity strategies of state agencies, as specified.This bill would require each state agency, as part of its Technology Recovery Plan, to provide the department with an inventory of all critical infrastructure controls, and their associated assets, in the possession of the agency. The bill would authorize a local entity that receives state funds for the purposes of storing, sharing, or transmitting data, or in support of an information technology project with a state entity, upon the request of the department, to submit a Technology Recovery Plan, as specified, to the department. The bill would authorize the department to provide suggestions with regard to the plans. 
The bill would prohibit public disclosure of these plans.Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.This bill would make legislative findings to that effect.The California Constitution requires local agencies, for the purpose of ensuring public access to the meetings of public bodies and the writings of public officials and agencies, to comply with a statutory enactment that amends or enacts laws relating to public records or open meetings and contains findings demonstrating that the enactment furthers the constitutional requirements relating to this purpose.This bill would make legislative findings to that effect.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Section 8592.35 of the Government Code is amended to read:8592.35. 
(a) (1) On or before July 1, 2018, the department shall, in consultation with the office and compliance with Section 11549.3, update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information.(2) In updating the standards in paragraph (1), the department shall consider, but not be limited to considering, all of the following:(A) Costs to implement the standards.(B) Security of critical infrastructure information.(C) Centralized management of risk.(D) Industry best practices.(E) Continuity of operations.(F) Protection of personal information.(b) Each state agency shall provide the department with a copy of its updated Technology Recovery Plan.(c) Each state agency shall, as part of its Technology Recovery Plan, provide the department with an inventory of all critical infrastructure controls, and their associated assets, in the possession of the agency.SEC. 2. Section 8592.40 of the Government Code is amended to read:8592.40. 
(a) Each state agency shall report on its compliance with the standards updated pursuant to Section 8592.35 to the department in the manner and at the time directed by the department, but no later than July 1, 2019.(b) At the request of the department, any local entity that receives state funds for the purposes of storing, sharing, or transmitting data, or in support of an information technology project with a state entity, may submit a Technology Recovery Plan, as specified by Section 8592.35, to the department.(c) The department, in conjunction with the office, may provide suggestions for a state agency or local entity that provided a Technology Recovery Plan pursuant to subdivision (b) to improve compliance with the standards developed pursuant to Section 8592.35, if any, to the head of the state agency and the secretary responsible for the state agency or the head of the local entity. For a state agency that is not under the responsibility of a secretary, the department shall provide any suggestions to the head of the state agency and the Governor.SEC. 3. Section 8592.45 of the Government Code is amended to read:8592.45. The information required by subdivisions (b) and (c) of Section 8592.35, the report required by subdivision (a) of Section 8592.40, the plan authorized by subdivision (b) of Section 8592.40, and any public records relating to any communication made pursuant to, or in furtherance of the purposes of, subdivision (c) of Section 8592.40 are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).SEC. 4. 
The Legislature finds and declares that Section 3 of this act, which amends Section 8592.45 of the Government Code, imposes a limitation on the publics right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:Preventing public disclosure of the individual and statewide critical infrastructure control inventories of state agencies promotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure controls within the state.SEC. 5. The Legislature finds and declares that Section 3 of this act, which amends Section 8592.45 of the Government Code, furthers, within the meaning of paragraph (7) of subdivision (b) of Section 3 of Article I of the California Constitution, the purposes of that constitutional section as it relates to the right of public access to the meetings of local public bodies or the writings of local public officials and local agencies. Pursuant to paragraph (7) of subdivision (b) of Section 3 of Article I of the California Constitution, the Legislature makes the following findings:This act strikes the appropriate balance between the publics right to access information about the conduct of their governmental agencies and the need to protect the cybersecurity of critical infrastructure controls within the state. |
---|
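Review bot: the removed and added cells in row 1 differ only in the header, yet the whole digest and bill text are marked as changed. The removed side carries "CHAPTER 790" and the bracketed "Approved by Governor October 14, 2017. Filed with Secretary of State October 14, 2017." line, and the added side carries the Enrolled/Passed/Amended history in its place, while the digest and SECTION 1 through SEC. 5 read the same on both sides. Splitting the header from the body before diffing would keep the unchanged statutory text out of the changed rows. In the added cell, the session reads "20172018" with no separator between the years, and "Assembly Bill No. 1022Introduced by Assembly Member IrwinFebruary 16, 2017" runs three fields together; both should be corrected at the source. "publics right" in SEC. 4 and SEC. 5 is missing its apostrophe on both sides.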
3 | | - | Assembly Bill No. 1022 CHAPTER 790 An act to amend Sections 8592.35, 8592.40, and 8592.45 of the Government Code, relating to technology. [ Approved by Governor October 14, 2017. Filed with Secretary of State October 14, 2017. ] LEGISLATIVE COUNSEL'S DIGESTAB 1022, Irwin. Information technology: Technology Recovery Plans: inventory.The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. Existing law establishes the Department of Technology under the supervision of the Director of Technology who is also known as the State Chief Information Officer, and generally requires the Department of Technology to be responsible for the approval and oversight of information technology projects by, among other things, consulting with state agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs. Existing law establishes the Office of Information Security, within the Department of Technology, under the direction of a chief who reports to the Director of Technology. Existing law requires the Department of Technology, in consultation with the Office of Emergency Services and in compliance with the information security program required to be established by the chief of the Office of Information Security, to update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information. 
Existing law requires each state agency to provide its updated Technology Recovery Plan and report on its compliance with these updated standards to the department, as specified, and authorizes the department, in consultation with the Office of Emergency Services, to provide suggestions for a state agency to improve compliance with these standards. Existing law prohibits public disclosure of reports and public records relating to the cybersecurity strategies of state agencies, as specified.This bill would require each state agency, as part of its Technology Recovery Plan, to provide the department with an inventory of all critical infrastructure controls, and their associated assets, in the possession of the agency. The bill would authorize a local entity that receives state funds for the purposes of storing, sharing, or transmitting data, or in support of an information technology project with a state entity, upon the request of the department, to submit a Technology Recovery Plan, as specified, to the department. The bill would authorize the department to provide suggestions with regard to the plans. 
The bill would prohibit public disclosure of these plans.Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.This bill would make legislative findings to that effect.The California Constitution requires local agencies, for the purpose of ensuring public access to the meetings of public bodies and the writings of public officials and agencies, to comply with a statutory enactment that amends or enacts laws relating to public records or open meetings and contains findings demonstrating that the enactment furthers the constitutional requirements relating to this purpose.This bill would make legislative findings to that effect.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO |
---|
| 3 | + | Enrolled September 15, 2017 Passed IN Senate September 11, 2017 Passed IN Assembly September 13, 2017 Amended IN Senate September 06, 2017 Amended IN Assembly April 17, 2017 Amended IN Assembly March 28, 2017 CALIFORNIA LEGISLATURE 20172018 REGULAR SESSION Assembly Bill No. 1022Introduced by Assembly Member IrwinFebruary 16, 2017 An act to amend Sections 8592.35, 8592.40, and 8592.45 of the Government Code, relating to technology. LEGISLATIVE COUNSEL'S DIGESTAB 1022, Irwin. Information technology: Technology Recovery Plans: inventory.The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. Existing law establishes the Department of Technology under the supervision of the Director of Technology who is also known as the State Chief Information Officer, and generally requires the Department of Technology to be responsible for the approval and oversight of information technology projects by, among other things, consulting with state agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs. Existing law establishes the Office of Information Security, within the Department of Technology, under the direction of a chief who reports to the Director of Technology. Existing law requires the Department of Technology, in consultation with the Office of Emergency Services and in compliance with the information security program required to be established by the chief of the Office of Information Security, to update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information. 
Existing law requires each state agency to provide its updated Technology Recovery Plan and report on its compliance with these updated standards to the department, as specified, and authorizes the department, in consultation with the Office of Emergency Services, to provide suggestions for a state agency to improve compliance with these standards. Existing law prohibits public disclosure of reports and public records relating to the cybersecurity strategies of state agencies, as specified.This bill would require each state agency, as part of its Technology Recovery Plan, to provide the department with an inventory of all critical infrastructure controls, and their associated assets, in the possession of the agency. The bill would authorize a local entity that receives state funds for the purposes of storing, sharing, or transmitting data, or in support of an information technology project with a state entity, upon the request of the department, to submit a Technology Recovery Plan, as specified, to the department. The bill would authorize the department to provide suggestions with regard to the plans. 
The bill would prohibit public disclosure of these plans.Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.This bill would make legislative findings to that effect.The California Constitution requires local agencies, for the purpose of ensuring public access to the meetings of public bodies and the writings of public officials and agencies, to comply with a statutory enactment that amends or enacts laws relating to public records or open meetings and contains findings demonstrating that the enactment furthers the constitutional requirements relating to this purpose.This bill would make legislative findings to that effect.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO |
---|
| 4 | + | |
---|
| 5 | + | Enrolled September 15, 2017 Passed IN Senate September 11, 2017 Passed IN Assembly September 13, 2017 Amended IN Senate September 06, 2017 Amended IN Assembly April 17, 2017 Amended IN Assembly March 28, 2017 |
---|
| 6 | + | |
---|
| 7 | + | Enrolled September 15, 2017 |
---|
| 8 | + | Passed IN Senate September 11, 2017 |
---|
| 9 | + | Passed IN Assembly September 13, 2017 |
---|
| 10 | + | Amended IN Senate September 06, 2017 |
---|
| 11 | + | Amended IN Assembly April 17, 2017 |
---|
| 12 | + | Amended IN Assembly March 28, 2017 |
---|
| 13 | + | |
---|
| 14 | + | CALIFORNIA LEGISLATURE 20172018 REGULAR SESSION |
---|
11 | 24 | | |
---|
12 | 25 | | LEGISLATIVE COUNSEL'S DIGEST |
---|
13 | 26 | | |
---|
14 | 27 | | ## LEGISLATIVE COUNSEL'S DIGEST |
---|
15 | 28 | | |
---|
16 | 29 | | AB 1022, Irwin. Information technology: Technology Recovery Plans: inventory. |
---|
17 | 30 | | |
---|
18 | 31 | | The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. Existing law establishes the Department of Technology under the supervision of the Director of Technology who is also known as the State Chief Information Officer, and generally requires the Department of Technology to be responsible for the approval and oversight of information technology projects by, among other things, consulting with state agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs. Existing law establishes the Office of Information Security, within the Department of Technology, under the direction of a chief who reports to the Director of Technology. Existing law requires the Department of Technology, in consultation with the Office of Emergency Services and in compliance with the information security program required to be established by the chief of the Office of Information Security, to update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information. Existing law requires each state agency to provide its updated Technology Recovery Plan and report on its compliance with these updated standards to the department, as specified, and authorizes the department, in consultation with the Office of Emergency Services, to provide suggestions for a state agency to improve compliance with these standards. 
Existing law prohibits public disclosure of reports and public records relating to the cybersecurity strategies of state agencies, as specified.This bill would require each state agency, as part of its Technology Recovery Plan, to provide the department with an inventory of all critical infrastructure controls, and their associated assets, in the possession of the agency. The bill would authorize a local entity that receives state funds for the purposes of storing, sharing, or transmitting data, or in support of an information technology project with a state entity, upon the request of the department, to submit a Technology Recovery Plan, as specified, to the department. The bill would authorize the department to provide suggestions with regard to the plans. The bill would prohibit public disclosure of these plans.Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.This bill would make legislative findings to that effect.The California Constitution requires local agencies, for the purpose of ensuring public access to the meetings of public bodies and the writings of public officials and agencies, to comply with a statutory enactment that amends or enacts laws relating to public records or open meetings and contains findings demonstrating that the enactment furthers the constitutional requirements relating to this purpose.This bill would make legislative findings to that effect. |
---|
19 | 32 | | |
---|
20 | 33 | | The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. Existing law establishes the Department of Technology under the supervision of the Director of Technology who is also known as the State Chief Information Officer, and generally requires the Department of Technology to be responsible for the approval and oversight of information technology projects by, among other things, consulting with state agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs. Existing law establishes the Office of Information Security, within the Department of Technology, under the direction of a chief who reports to the Director of Technology. Existing law requires the Department of Technology, in consultation with the Office of Emergency Services and in compliance with the information security program required to be established by the chief of the Office of Information Security, to update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information. Existing law requires each state agency to provide its updated Technology Recovery Plan and report on its compliance with these updated standards to the department, as specified, and authorizes the department, in consultation with the Office of Emergency Services, to provide suggestions for a state agency to improve compliance with these standards. Existing law prohibits public disclosure of reports and public records relating to the cybersecurity strategies of state agencies, as specified. |
---|
21 | 34 | | |
---|
22 | 35 | | This bill would require each state agency, as part of its Technology Recovery Plan, to provide the department with an inventory of all critical infrastructure controls, and their associated assets, in the possession of the agency. The bill would authorize a local entity that receives state funds for the purposes of storing, sharing, or transmitting data, or in support of an information technology project with a state entity, upon the request of the department, to submit a Technology Recovery Plan, as specified, to the department. The bill would authorize the department to provide suggestions with regard to the plans. The bill would prohibit public disclosure of these plans. |
---|
23 | 36 | | |
---|
24 | 37 | | Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest. |
---|
25 | 38 | | |
---|
26 | 39 | | This bill would make legislative findings to that effect. |
---|
27 | 40 | | |
---|
28 | 41 | | The California Constitution requires local agencies, for the purpose of ensuring public access to the meetings of public bodies and the writings of public officials and agencies, to comply with a statutory enactment that amends or enacts laws relating to public records or open meetings and contains findings demonstrating that the enactment furthers the constitutional requirements relating to this purpose. |
---|
29 | 42 | | |
---|
30 | 43 | | This bill would make legislative findings to that effect. |
---|
31 | 44 | | |
---|
32 | 45 | | ## Digest Key |
---|
33 | 46 | | |
---|
34 | 47 | | ## Bill Text |
---|
35 | 48 | | |
---|
39 | 52 | | |
---|
40 | 53 | | ## The people of the State of California do enact as follows: |
---|
41 | 54 | | |
---|
44 | 57 | | SECTION 1. Section 8592.35 of the Government Code is amended to read: |
---|
45 | 58 | | |
---|
46 | 59 | | ### SECTION 1. |
---|
47 | 60 | | |
---|
56 | 69 | | 8592.35. (a) (1) On or before July 1, 2018, the department shall, in consultation with the office and compliance with Section 11549.3, update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information. |
---|
57 | 70 | | |
---|
58 | 71 | | (2) In updating the standards in paragraph (1), the department shall consider, but not be limited to considering, all of the following: |
---|
59 | 72 | | |
---|
60 | 73 | | (A) Costs to implement the standards. |
---|
61 | 74 | | |
---|
62 | 75 | | (B) Security of critical infrastructure information. |
---|
63 | 76 | | |
---|
64 | 77 | | (C) Centralized management of risk. |
---|
65 | 78 | | |
---|
66 | 79 | | (D) Industry best practices. |
---|
67 | 80 | | |
---|
68 | 81 | | (E) Continuity of operations. |
---|
69 | 82 | | |
---|
70 | 83 | | (F) Protection of personal information. |
---|
71 | 84 | | |
---|
72 | 85 | | (b) Each state agency shall provide the department with a copy of its updated Technology Recovery Plan. |
---|
73 | 86 | | |
---|
74 | 87 | | (c) Each state agency shall, as part of its Technology Recovery Plan, provide the department with an inventory of all critical infrastructure controls, and their associated assets, in the possession of the agency. |
---|
75 | 88 | | |
---|
78 | 91 | | SEC. 2. Section 8592.40 of the Government Code is amended to read: |
---|
79 | 92 | | |
---|
80 | 93 | | ### SEC. 2. |
---|
81 | 94 | | |
---|
90 | 103 | | 8592.40. (a) Each state agency shall report on its compliance with the standards updated pursuant to Section 8592.35 to the department in the manner and at the time directed by the department, but no later than July 1, 2019. |
---|
91 | 104 | | |
---|
92 | 105 | | (b) At the request of the department, any local entity that receives state funds for the purposes of storing, sharing, or transmitting data, or in support of an information technology project with a state entity, may submit a Technology Recovery Plan, as specified by Section 8592.35, to the department. |
---|
93 | 106 | | |
---|
94 | 107 | | (c) The department, in conjunction with the office, may provide suggestions for a state agency or local entity that provided a Technology Recovery Plan pursuant to subdivision (b) to improve compliance with the standards developed pursuant to Section 8592.35, if any, to the head of the state agency and the secretary responsible for the state agency or the head of the local entity. For a state agency that is not under the responsibility of a secretary, the department shall provide any suggestions to the head of the state agency and the Governor. |
---|
95 | 108 | | |
---|
98 | 111 | | SEC. 3. Section 8592.45 of the Government Code is amended to read: |
---|
99 | 112 | | |
---|
100 | 113 | | ### SEC. 3. |
---|
101 | 114 | | |
---|
110 | 123 | | 8592.45. The information required by subdivisions (b) and (c) of Section 8592.35, the report required by subdivision (a) of Section 8592.40, the plan authorized by subdivision (b) of Section 8592.40, and any public records relating to any communication made pursuant to, or in furtherance of the purposes of, subdivision (c) of Section 8592.40 are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1). |
---|
111 | 124 | | |
---|
116 | 129 | | SEC. 4. The Legislature finds and declares that Section 3 of this act, which amends Section 8592.45 of the Government Code, imposes a limitation on the public's right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest: |
---|
117 | 130 | | |
---|
118 | 131 | | ### SEC. 4. |
---|
119 | 132 | | |
---|
120 | 133 | | Preventing public disclosure of the individual and statewide critical infrastructure control inventories of state agencies promotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure controls within the state. |
---|
121 | 134 | | |
---|
126 | 139 | | SEC. 5. The Legislature finds and declares that Section 3 of this act, which amends Section 8592.45 of the Government Code, furthers, within the meaning of paragraph (7) of subdivision (b) of Section 3 of Article I of the California Constitution, the purposes of that constitutional section as it relates to the right of public access to the meetings of local public bodies or the writings of local public officials and local agencies. Pursuant to paragraph (7) of subdivision (b) of Section 3 of Article I of the California Constitution, the Legislature makes the following findings: |
---|
127 | 140 | | |
---|
128 | 141 | | ### SEC. 5. |
---|
129 | 142 | | |
---|
130 | 143 | | This act strikes the appropriate balance between the public's right to access information about the conduct of their governmental agencies and the need to protect the cybersecurity of critical infrastructure controls within the state. |
---|