California 2021-2022 Regular Session

California Assembly Bill AB953 Introduced / Bill

Filed 02/17/2021






CALIFORNIA LEGISLATURE 2021-2022 REGULAR SESSION

Assembly Bill No. 953


Introduced by Assembly Member Kiley
February 17, 2021

An act to add Section 11093.8 to the Government Code, relating to state government.

## LEGISLATIVE COUNSEL'S DIGEST

AB 953, as introduced, Kiley. Information security: state entities.

Existing law establishes the Office of Information Security within the Department of Technology for the purpose of ensuring the confidentiality, integrity, and availability of state systems and applications and to promote and protect privacy as part of the development and operations of state systems and applications to ensure the trust of the residents of this state. Existing law requires an entity within the executive branch that is under the direct authority of the Governor to comply with the information security and privacy policies, standards, and procedures issued by the office. 

This bill would require state agencies not covered by the provisions described above to adopt and implement comparable information security and privacy policies, standards, and procedures, perform a security assessment at least every 3 years to determine compliance with the entirety of the adopted information security standards, and confidentially submit certification of compliance with the adopted standards, and, if applicable, corrective action plans to address outstanding deficiencies, to the Assembly Privacy and Consumer Protection Committee.

Because the required certification would be made under penalty of perjury, the bill would expand the crime of perjury and impose a state-mandated local program.

Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.

This bill would make legislative findings to that effect.

The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.

This bill would provide that no reimbursement is required by this act for a specified reason.

## Digest Key

Vote: MAJORITY

Appropriation: NO

Fiscal Committee: YES

Local Program: YES

## Bill Text


## The people of the State of California do enact as follows:

### SECTION 1.

Section 11093.8 is added to the Government Code, to read:

11093.8. Every state agency, as defined in Section 11000, that is not included in the definition of state entities contained in subdivision (e) of Section 11546.1 shall do all of the following:

(a) Adopt and implement information security and privacy policies, standards, and procedures that are comparable to those established by the Chief of the Office of Information Security pursuant to Chapter 5.7 (commencing with Section 11549).

(b) Perform, or cause to be performed, an information security assessment at least every three years to determine compliance with the entirety of the information security standards adopted pursuant to subdivision (a).

(c) Confidentially submit certification of compliance with the standards adopted pursuant to subdivision (a), and, if applicable, corrective action plans to address outstanding deficiencies, to the Assembly Privacy and Consumer Protection Committee.

### SEC. 2.

The Legislature finds and declares that Section 1 of this act, which adds Section 11093.8 to the Government Code, imposes a limitation on the public's right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:

The state has an interest in protecting its information technology systems from intrusion, and thus information regarding the specific vulnerabilities of those systems must be protected.

### SEC. 3.

No reimbursement is required by this act pursuant to Section 6 of Article XIIIB of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIIIB of the California Constitution.