California 2017 2017-2018 Regular Session

California Assembly Bill AB22 Amended / Bill

Filed 07/03/2017



Amended IN  Senate  July 03, 2017
Amended IN  Senate  June 05, 2017
Amended IN  Assembly  April 17, 2017

CALIFORNIA LEGISLATURE 2017–2018 REGULAR SESSION

Assembly Bill No. 22


Introduced by Assembly Member Bonta
December 05, 2016

 An act to amend Section 12168.7 of the Government Code, relating to state government.


## LEGISLATIVE COUNSEL'S DIGEST

AB 22, as amended, Bonta. Secretary of State: storing and recording electronic media.


Existing law requires the Secretary of State to approve and adopt uniform statewide standards for the purpose of storing and recording permanent and nonpermanent documents in electronic media, as specified, and requires those standards to include a requirement that a trusted system, as defined, be utilized.

This bill would provide that a ~~commercial cloud-based archival storage service that provides integrated controls that prevent stored archive records from being overwritten, deleted, or altered until the required retention period for the record has expired is considered a trusted system and would require a commercial cloud-based archival storage service to be certified by the Federal Risk and Authorization Management Program and to meet federal cloud security requirements related to the records being stored, as specified.~~ cloud computing storage service that provides administrative users with tools or controls to prevent stored records from being overwritten, deleted, or altered until the required retention period for the record has expired shall be considered a trusted system and would require a cloud computing storage service to comply with standards published by the International Organization for Standardization, or other applicable industry recognized successor standard relating to security techniques and information security management systems.

## Digest Key

Vote: MAJORITY  Appropriation: NO  Fiscal Committee: NO  Local Program: NO

## Bill Text


## The people of the State of California do enact as follows:


### SECTION 1.

Section 12168.7 of the Government Code is amended to read:

12168.7. (a) The California Legislature hereby recognizes the need to adopt uniform statewide standards for the purpose of storing and recording permanent and nonpermanent documents in electronic media.

(b) In order to ensure that uniform statewide standards remain current and relevant, the Secretary of State shall approve and adopt appropriate standards established by the American National Standards Institute or the Association for Information and Image Management.

(c) The standards specified in subdivision (b) shall include a requirement that a trusted system be utilized. For this purpose and for purposes of Sections 25105, 26205, 26205.1, 26205.5, 26907, 27001, 27322.2, 34090.5, and 60203, Section 102235 of the Health and Safety Code, and Section 10851 of the Welfare and Institutions Code, trusted system means a combination of techniques, technologies, policies, and procedures for which there is no plausible scenario in which a document retrieved from or reproduced by the system could differ substantially from the document that is originally stored.

~~(d) A commercial cloud-based archival storage service that provides integrated controls that prevent stored archive records from being overwritten, deleted, or altered until the required retention period for the record has expired shall be considered a trusted system. A commercial cloud-based archival storage service shall be certified by the Federal Risk and Authorization Management Program and shall meet existing federal cloud security requirements related to the records, video recordings, or other media being stored, including, but not limited to, the Federal Bureau of Investigation's Federal Criminal Justice Information Services standards and federal Health Insurance Portability and Accountability Act (Public Law 104-191) standards, as necessary.~~

(d) A cloud computing storage service that provides administrative users with tools or controls to prevent stored records from being overwritten, deleted, or altered until the required retention period for the record has expired shall be considered a trusted system. A cloud computing storage service shall comply with the International Organization for Standardization ISO/IEC 27001:2013, or other applicable industry recognized successor standard relating to security techniques and information security management systems.

(e) For purposes of this section cloud computing is defined by the National Institute of Standards and Technology Special Publication 800-145 or a successor publication, and includes the service and deployment models referenced therein.

~~(e)~~ (f) In order to develop statewide standards as expeditiously as possible, and until the time that statewide standards are adopted pursuant to subdivision (b), state officials shall ensure that microfilming, electronic data imaging, and photographic reproduction are done in compliance with the minimum standards or guidelines, or both, as recommended by the American National Standards Institute or the Association for Information and Image Management for recording of permanent records or nonpermanent records.