California 2021 2021-2022 Regular Session

California Assembly Bill AB581 Amended / Bill

Filed 03/25/2021


Amended IN Assembly March 25, 2021

CALIFORNIA LEGISLATURE 2021–2022 REGULAR SESSION

Assembly Bill No. 581

Introduced by Assembly Member Irwin
February 11, 2021

 An act to add Section 11549.3.5 to the Government Code, relating to cybersecurity. 

## LEGISLATIVE COUNSEL'S DIGEST

AB 581, as amended, Irwin. Cybersecurity. 

Existing law establishes the Office of Information Security within the Department of Technology, under the direction of the Chief of the Office of Information Security, for the purpose of ensuring the confidentiality, integrity, and availability of state systems and applications and to promote and protect privacy as part of the development and operations of state systems and applications to ensure the trust of the residents of this state. The law requires an entity within the executive branch that is under the direct authority of the Governor to implement the policies and procedures issued by the office. The law additionally authorizes the office to conduct, or require to be conducted, an independent security assessment of every state agency, department, or office, as specified. The law authorizes the Military Department to perform an independent security assessment of any state agency, department, or office.

This bill would require all state agencies, as generally defined, to review and implement specified National Institute of Standards and Technology (NIST) guidelines for, among other things, reporting, coordinating, publishing, and receiving information about a security vulnerability relating to information systems and the resolution thereof, no later than July 1, 2022. The bill would require the chief to review the NIST guidelines and to create, update, and publish any appropriate standards or procedures in the State Administrative Manual and Statewide Information Management Manual to apply the NIST guidelines to certain state governmental agencies, as defined, no later than April 1, 2022. The bill would authorize a state agency to satisfy their requirement to implement NIST guidelines by adopting those standards and procedures published in the State Administrative Manual and Statewide Information Management Manual. The bill would require the office to provide assistance to any state agency that requests assistance in implementing the guidelines or the standards and procedures, and to provide operational and technical assistance to state agencies on reporting, coordinating, publishing, and receiving information about cybersecurity vulnerabilities of information ~~systems.~~ systems, until that agency withdraws their request for assistance with implementation or cybersecurity.

## Digest Key

Vote: MAJORITY  Appropriation: NO  Fiscal Committee: YES  Local Program: NO

## Bill Text

## The people of the State of California do enact as follows:

### SECTION 1.

The Legislature finds and declares all of the following:

(a) On December 4, 2020, House Resolution 1668, the Internet of Things Cybersecurity Improvement Act of 2020, became Public Law 116-207.

(b) Section 5 of H.R. 1668 requires the Director of the National Institute of Standards and Technology to publish guidelines by June 2, 2021, for both of the following:

(1) Reporting, coordinating, publishing, and receiving of information about both of the following:

(A) A security vulnerability relating to information systems owned or controlled by an agency (including Internet of Things devices owned or controlled by an agency).

(B) The resolution of that security vulnerability.

(2) For a contractor providing to an agency an information system (including an Internet of Things device) and any subcontractor thereof at any tier providing that information system to that contractor, on both of the following:

(A) Receiving information about a potential security vulnerability relating to the information system.

(B) Disseminating information about the resolution of a security vulnerability relating to the information system.

(c) Section 6 of ~~HR~~ H.R. 1668 requires all federal agencies, by December 4, 2022, to develop and oversee the implementation of policies, principles, standards, or guidelines as may be necessary to address security vulnerabilities of information systems consistent with the standards published by the National Institute of Standards and Technology.

### SEC. 2.

Section 11549.3.5 is added to the Government Code, to read:

11549.3.5. (a) (1) All state agencies, as defined in Section 11000, shall review and implement the National Institute of Standards and Technology (NIST) guidelines established pursuant to Section 5 of Public Law 116-207 no later than July 1, 2022. Any state agency may elect to satisfy this requirement by implementing the standards and procedures published pursuant to subdivision (b).

(2) Notwithstanding paragraph (1), a state entity, as defined in paragraph (2) of subdivision (e) of Section 11546.1, shall satisfy the requirement to implement the guidelines by implementing the standards and procedures published pursuant to subdivision (b).

(b) The chief shall review the NIST guidelines established pursuant to Section 5 of Public Law 116-207 and shall create, update, and publish any appropriate standards or procedures in the State Administrative Manual and State Information Management Manual to apply the NIST guidelines published pursuant to Section 5 of Public Law 116-207 to statewide governmental agencies no later than April 1, 2022. 

(c) (1) ~~The~~ Upon request by any state agency, the office shall provide assistance to any state agency that requests assistance in implementing the guidelines referred to in subdivision (a) or the standards and procedures in subdivision (b). A state agency may withdraw their request and discontinue any assistance from the office at any time.

(2) ~~The~~ Upon request by any state agency, the office and the California Cybersecurity Integration Center shall provide operational and technical assistance to state agencies on reporting, coordinating, publishing, and receiving information about cybersecurity vulnerabilities of information systems. A state agency may withdraw their request and discontinue any operational or technical assistance from the office or the center at any time.