Amended in Senate June 20, 2022

Amended in Senate June 08, 2022

Amended in Assembly January 24, 2022

Amended in Assembly March 25, 2021

CALIFORNIA LEGISLATURE 2021–2022 REGULAR SESSION

Assembly Bill No. 581

Introduced by Assembly Member Irwin

February 11, 2021

An act to add Section 11549.3.5 to the Government Code, relating to cybersecurity.

## LEGISLATIVE COUNSEL'S DIGEST

AB 581, as amended, Irwin. Cybersecurity.

Existing law establishes the Office of Information Security within the Department of Technology, under the direction of the Chief of the Office of Information Security, for the purpose of ensuring the confidentiality, integrity, and availability of state systems and applications and to promote and protect privacy as part of the development and operations of state systems and applications to ensure the trust of the residents of this state. The law requires an entity within the executive branch that is under the direct authority of the Governor to implement the policies and procedures issued by the office. The law additionally authorizes the office to conduct, or require to be conducted, an independent security assessment of every state agency, department, or office, as specified. The law authorizes the Military Department to perform an independent security assessment of any state agency, department, or office.

This bill would require all state agencies, as generally defined, to review and implement specified National Institute of Standards and Technology (NIST) guidelines for, among other things, reporting, coordinating, publishing, and receiving information about a security vulnerability relating to information systems and the resolution thereof, no later than July 1, 2023. The bill would require the chief to review the NIST guidelines and to create, update, and publish any appropriate standards or procedures in the State Administrative Manual and Statewide Information Management Manual to apply the NIST guidelines to state agencies and state entities no later than April 1, 2023. The bill would authorize a state agency, and require certain state agencies and state entities, to satisfy their requirement to implement NIST guidelines by adopting those standards and procedures published in the State Administrative Manual and Statewide Information Management Manual. The bill would require the office to provide assistance to any state agency or state entity that requests assistance in implementing the guidelines or the standards and procedures, and to provide operational and technical assistance to state agencies and state entities on reporting, coordinating, publishing, and receiving information about cybersecurity vulnerabilities of information systems, until that agency or entity withdraws their request for assistance with implementation or cybersecurity.

## Digest Key

Vote: MAJORITY | Appropriation: NO | Fiscal Committee: YES | Local Program: NO

## Bill Text

## The people of the State of California do enact as follows:

### SECTION 1.

The Legislature finds and declares all of the following:

(a) On December 4, 2020, House Resolution 1668, the Internet of Things Cybersecurity Improvement Act of 2020, became Public Law 116-207.

(b) Section 5 of Public Law 116-207 requires the Director of the National Institute of Standards and Technology (NIST) to publish guidelines by June 2, 2021, for both of the following:

(1) Reporting, coordinating, publishing, and receiving of information about both of the following:

(A) A security vulnerability relating to information systems owned or controlled by an agency (including Internet of Things devices owned or controlled by an agency).

(B) The resolution of that security vulnerability.

(2) For a contractor providing to an agency an information system (including an Internet of Things device) and any subcontractor thereof at any tier providing that information system to that contractor, on both of the following:

(A) Receiving information about a potential security vulnerability relating to the information system.

(B) Disseminating information about the resolution of a security vulnerability relating to the information system.

(c) In June 2021, NIST published Draft NIST Special Publication 800-216 Recommendations for Federal Vulnerability Disclosure Guidelines to comply with the requirements of Public Law 116-207.

(d) Section 6 of Public Law 116-207 requires all federal agencies, by December 4, 2022, to develop and oversee the implementation of policies, principles, standards, or guidelines as may be necessary to address security vulnerabilities of information systems consistent with the standards published by NIST.

### SEC. 2.

Section 11549.3.5 is added to the Government Code, to read:

11549.3.5. (a) (1) All state agencies, as defined in Section 11000, shall review and implement the National Institute of Standards and Technology (NIST) guidelines established pursuant to Section 5 of Public Law 116-207 no later than July 1, 2023. A state agency's review and implementation of the guidelines may include modifying terms and structures applicable to federal entities to appropriately apply to a state agency, including establishing procedures for receiving vulnerability information and resolving reported vulnerabilities. Any state agency may elect to satisfy this requirement by implementing the standards and procedures published pursuant to subdivision (b).

(2) Notwithstanding paragraph (1), a state agency or state entity, as defined in subdivision (e) of Section 11546.1, shall satisfy the requirement to implement the guidelines by implementing the standards and procedures published pursuant to subdivision (b).

(b) The chief shall review the NIST guidelines established pursuant to Section 5 of Public Law 116-207 and shall create, update, and publish any appropriate standards or procedures in the State Administrative Manual and State Information Management Manual to apply the NIST guidelines published pursuant to Section 5 of Public Law 116-207 to state agencies and state entities no later than April 1, 2023.

(c) (1) Upon request by any state agency or state entity, the office shall provide assistance in implementing the guidelines referred to in subdivision (a) or the standards and procedures in subdivision (b). A state agency may withdraw their request and discontinue any assistance from the office at any time.

(2) Upon request by any state agency or state entity, the office and the California Cybersecurity Integration Center shall provide operational and technical assistance on reporting, coordinating, publishing, and receiving information about cybersecurity vulnerabilities of information systems. A state agency may withdraw their request and discontinue any operational or technical assistance from the office or the center at any time.

(d) This section shall apply to the University of California only to the extent that the Regents of the University of California, by resolution, make any of its provisions applicable to the university.