California 2021-2022 Regular Session

California Assembly Bill AB2135

Introduced: 2/15/22
Introduced: 2/15/22
Refer: 2/24/22
Refer: 2/24/22
Report Pass: 4/7/22
Report Pass: 4/7/22
Refer: 4/18/22
Report Pass: 4/20/22
Report Pass: 4/20/22
Refer: 4/20/22
Refer: 4/20/22
Report Pass: 4/25/22
Refer: 4/26/22
Refer: 4/26/22
Report Pass: 4/27/22
Refer: 4/27/22
Refer: 4/27/22
Refer: 5/11/22
Refer: 5/11/22
Report Pass: 5/19/22
Engrossed: 5/25/22
Engrossed: 5/25/22
Refer: 5/26/22
Refer: 5/26/22
Refer: 6/1/22
Refer: 6/1/22
Report Pass: 6/15/22
Report Pass: 6/15/22
Refer: 6/15/22
Refer: 6/15/22
Report Pass: 6/22/22
Report Pass: 6/22/22
Refer: 6/22/22
Refer: 8/2/22
Refer: 8/2/22
Report Pass: 8/11/22
Report Pass: 8/11/22
Enrolled: 8/23/22
Enrolled: 8/23/22
Chaptered: 9/29/22
Chaptered: 9/29/22

Caption

Information security.

Impact

The implementation of AB 2135 will compel state agencies to conduct independent security assessments every two years to evaluate compliance with established information security protocols. These assessments can be carried out by the Military Department or qualified vendors. Agencies are required to certify compliance annually to legislative leaders, furthering accountability and transparency in the handling of sensitive state information. Notably, the bill restricts the disclosure of these assessments and related certifications, heightening the confidentiality around information vulnerabilities, which was deemed essential to preclude misuse of such data.

Summary

Assembly Bill No. 2135, introduced by Irwin, focuses on enhancing information security measures across various state agencies in California. It amends Section 11549.3 of the Government Code and outlines the establishment of an information security program overseen by the Office of Information Security within the Department of Technology. The bill mandates that all state agencies adopt and implement comprehensive policies, standards, and procedures regarding information security and privacy, conforming to federally recognized standards such as those from the National Institute of Standards and Technology (NIST). This is aimed at strengthening the integrity and confidentiality of state-operated information systems.

Sentiment

Reactions to AB 2135 were largely supportive among stakeholders who prioritize enhanced cybersecurity measures, particularly in light of rising cyber threats. Proponents argue that strengthening security protocols is crucial for protecting the state's sensitive data and ensuring public trust in government operations. However, there are concerns related to the possible implications for public access to information, given that the bill creates certain limitations on access to security assessment details. This aspect has fueled debate regarding the balance between necessary secrecy for security and the public's right to know.

Contention

A significant point of contention surrounding AB 2135 arises from its confidentiality clauses, which restrict access to security assessments. Critics argue this could hinder transparency and accountability, as vital information about the state’s cybersecurity posture would be shielded from public scrutiny. Moreover, there is apprehension that making compliance certifications confidential could undermine the oversight role of legislative bodies. This tension reflects a wider struggle between proactive security measures and the principles of open government.

Companion Bills

No companion bills found.

Similar Bills

CA AB2669

Information security.

CA AB2777

Office of Information Security: Baseline Information Security Score.

CA AB809

Information security.

CA AB1352

Independent information security assessments: Military Department: local educational agencies.

CA AB1242

Information security.

CA AB3193

Information security.

CA AB1022

Information technology: Technology Recovery Plans: inventory.

CA AB3091

Department of Technology: information security officer basic training.