California 2025-2026 Regular Session

California Assembly Bill AB869 Latest Draft

Bill / Introduced Version Filed 02/19/2025

CALIFORNIA LEGISLATURE 2025-2026 REGULAR SESSION

Assembly Bill No. 869

Introduced by Assembly Member Irwin
February 19, 2025

An act to add Section 11549.45 to the Government Code, relating to state government.

## LEGISLATIVE COUNSEL'S DIGEST

AB 869, as introduced, Irwin. State agencies: information security: Zero Trust architecture.

Existing law establishes the Office of Information Security within the Department of Technology for the purpose of ensuring the confidentiality, integrity, and availability of state systems and applications and to promote and protect privacy as part of the development and operations of state systems and applications to ensure the trust of the residents of this state. Existing law requires specified state entities to implement the policies and procedures issued by the office. Existing law additionally authorizes the office to conduct, or require to be conducted, an independent security assessment of every state agency, department, or office, as specified. Existing law requires every state agency, as specified, to certify, by February 1 annually, to the office that the agency is in compliance with all adopted policies, standards, and procedures and to include a plan of action and milestones, as specified.

This bill would require every state agency, as specified, and subject to specified exceptions, to implement Zero Trust architecture for all data, hardware, software, internal systems, and essential third-party software, including for on-premises, cloud, and hybrid environments, to achieve prescribed levels of maturity based on the Cybersecurity and Infrastructure Security Agency (CISA) Maturity Model, as defined, by specified dates. In implementing Zero Trust architecture, the bill would require state agencies to prioritize the use of solutions that comply with, are authorized by, or align to federal guidelines, programs, and frameworks and, at a minimum, prioritize multifactor authentication for access to all systems and data, enterprise endpoint detection and response solutions, and robust logging practices, as specified. The bill would require the office's chief to develop or revise uniform technology policies, standards, and procedures for use by all state agencies in Zero Trust architecture to achieve specified maturity levels on all systems in the State Administrative Manual and Statewide Information Management Manual. The bill would require the chief to update requirements for existing annual reporting activities to collect information relating to the progress state agencies are making to increase internal defenses of agency systems. The bill would authorize the chief to update existing annual reporting activities to include how a state agency is progressing with respect to specified goals. The bill would also state the Legislature's intent that the bill's provisions be implemented in a manner consistent with the state's timely compliance with requirements that are conditions to receipt of federal funds. The bill would also make related legislative findings and declarations.

## Digest Key

Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO

## Bill Text

## The people of the State of California do enact as follows:

### SECTION 1.

The Legislature finds and declares the following:

(a) Recent cyber breaches have had wide-ranging consequences and demand a state-level response. Cyber defense requires greater speed and agility to mitigate cyber threats, limit the impact of data breaches, and better protect the state's workforce and residents. These attacks not only significantly impact institutions financially, but they also erode public trust and confidence in government.

(b) To better defend against cyber threats, the Legislature intends for state agencies to embrace technologies and practices outlined in Executive Order 14028 on Improving the Nation's Cybersecurity. At a minimum, this includes formalizing Zero Trust as the desired model for security. Zero Trust is a security architecture requiring all users, whether in or outside the organization's network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or retaining access to applications and data.

SEC. 2. Section 11549.45 is added to the Government Code, to read:11549.45. (a) For purposes of this section, the following definitions shall apply:(1) Chief means the Chief of the Office of Information Security.(2) Cybersecurity and Infrastructure Security Agency (CISA) Maturity Model means the Zero Trust Maturity Model published by the Cybersecurity and Infrastructure Security Agency.(3) Endpoint detection and response means a cybersecurity solution that continuously monitors end-user devices to detect and respond to cyber threats.(4) Multifactor authentication means using two or more different types of identification factors to authenticate a users identity for the purpose of accessing systems and data.(5) State agency has the same meaning as in Section 11000.(6) Zero Trust architecture means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy that employs continuous monitoring, risk-based access controls, secure identity and access management practices, and system security automation techniques to address the cybersecurity risk from threats inside and outside traditional network boundaries.(b) Every state agency shall implement Zero Trust architecture for all data, hardware, software, internal systems, and essential third-party software, including for on-premises, cloud, and hybrid environments, according to the following levels of maturity based upon the Cybersecurity and Infrastructure Security Agency (CISA) Maturity Model:(1) Achieve Advanced maturity by June 1, 2026.(2) Achieve Optimal maturity by June 1, 2030.(c) In implementing Zero Trust architecture, a state agency shall prioritize the use of solutions that comply with, are authorized by, or align to applicable federal guidelines, programs, and frameworks, including the Federal Risk and Authorization Management Program, the Continuous Diagnostics and Mitigation Program, and guidance and frameworks from the National Institute of Standards 
and Technology.(d) Implementation shall, at a minimum, prioritize the following:(1) Multifactor authentication for access to all systems and data owned, managed, maintained, or utilized by or on behalf of the state agency.(2) Enterprise endpoint detection and response solutions to promote real-time detection of cybersecurity threats and rapid investigation and remediation capabilities.(3) Robust logging practices to provide adequate data to support security investigations and proactive threat hunting.(e) The chief shall develop or revise uniform technology policies, standards, and procedures for use by each state agency in implementing Zero Trust architecture to achieve the Advanced and Optimal maturity levels stated in subdivision (b) in the State Administrative Manual and Statewide Information Management Manual. A state agency subject to subdivision (f) of Section 11549.3 may, but is not required to, use the policies, standards, and procedures developed by the chief.(f) The chief shall update requirements for existing annual reporting activities, including standards for audits and independent security assessments, to collect information relating to a state agencys progress in increasing the internal defenses of agency systems, including:(1) A description of any steps the state agency has completed, including advancements toward achieving Zero Trust architecture maturity levels.(2) Following an independent security assessment, an identification of activities that have not yet been completed and that would have the most immediate security impact.(3) A schedule to implement any planned activities.(g) The chief may update requirements for existing annual reporting activities, including standards for audits and independent security assessments, to also include information on how a state agency is progressing with respect to the following:(1) Shifting away from trusted networks to implement security controls based on a presumption of compromise.(2) Implementing 
principles of least privilege in administering information security programs.(3) Limiting the ability of entities that cause cyberattacks to move laterally through or between a state agencys systems.(4) Identifying cyber threats quickly.(5) Isolating and removing unauthorized entities from state agencies systems as quickly as practicable, accounting for cyber threat intelligence or law enforcement purposes.(h) This section shall apply to the University of California only to the extent that the Regents of the University of California, by resolution, make any of these provisions applicable to the university.(i) It is the intent of the Legislature that this section be implemented in a manner that is consistent with the states timely compliance with requirements that are conditions to receipt of federal funds, including, but not limited to, funding from the Infrastructure Investment and Jobs Act (Public Law 117-58).

SEC. 2. Section 11549.45 is added to the Government Code, to read:


11549.45. (a) For purposes of this section, the following definitions shall apply:

(1) "Chief" means the Chief of the Office of Information Security.

(2) "Cybersecurity and Infrastructure Security Agency (CISA) Maturity Model" means the Zero Trust Maturity Model published by the Cybersecurity and Infrastructure Security Agency.

(3) "Endpoint detection and response" means a cybersecurity solution that continuously monitors end-user devices to detect and respond to cyber threats.

(4) "Multifactor authentication" means using two or more different types of identification factors to authenticate a user's identity for the purpose of accessing systems and data.

(5) "State agency" has the same meaning as in Section 11000.

(6) "Zero Trust architecture" means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy that employs continuous monitoring, risk-based access controls, secure identity and access management practices, and system security automation techniques to address the cybersecurity risk from threats inside and outside traditional network boundaries.

(b) Every state agency shall implement Zero Trust architecture for all data, hardware, software, internal systems, and essential third-party software, including for on-premises, cloud, and hybrid environments, according to the following levels of maturity based upon the Cybersecurity and Infrastructure Security Agency (CISA) Maturity Model:

(1) Achieve Advanced maturity by June 1, 2026.

(2) Achieve Optimal maturity by June 1, 2030.

(c) In implementing Zero Trust architecture, a state agency shall prioritize the use of solutions that comply with, are authorized by, or align to applicable federal guidelines, programs, and frameworks, including the Federal Risk and Authorization Management Program, the Continuous Diagnostics and Mitigation Program, and guidance and frameworks from the National Institute of Standards and Technology.

(d) Implementation shall, at a minimum, prioritize the following:

(1) Multifactor authentication for access to all systems and data owned, managed, maintained, or utilized by or on behalf of the state agency.

(2) Enterprise endpoint detection and response solutions to promote real-time detection of cybersecurity threats and rapid investigation and remediation capabilities.

(3) Robust logging practices to provide adequate data to support security investigations and proactive threat hunting.

(e) The chief shall develop or revise uniform technology policies, standards, and procedures for use by each state agency in implementing Zero Trust architecture to achieve the Advanced and Optimal maturity levels stated in subdivision (b) in the State Administrative Manual and Statewide Information Management Manual. A state agency subject to subdivision (f) of Section 11549.3 may, but is not required to, use the policies, standards, and procedures developed by the chief.

(f) The chief shall update requirements for existing annual reporting activities, including standards for audits and independent security assessments, to collect information relating to a state agency's progress in increasing the internal defenses of agency systems, including:

(1) A description of any steps the state agency has completed, including advancements toward achieving Zero Trust architecture maturity levels.

(2) Following an independent security assessment, an identification of activities that have not yet been completed and that would have the most immediate security impact.

(3) A schedule to implement any planned activities.

(g) The chief may update requirements for existing annual reporting activities, including standards for audits and independent security assessments, to also include information on how a state agency is progressing with respect to the following:

(1) Shifting away from trusted networks to implement security controls based on a presumption of compromise.

(2) Implementing principles of least privilege in administering information security programs.

(3) Limiting the ability of entities that cause cyberattacks to move laterally through or between a state agency's systems.

(4) Identifying cyber threats quickly.

(5) Isolating and removing unauthorized entities from state agencies' systems as quickly as practicable, accounting for cyber threat intelligence or law enforcement purposes.

(h) This section shall apply to the University of California only to the extent that the Regents of the University of California, by resolution, make any of these provisions applicable to the university.

(i) It is the intent of the Legislature that this section be implemented in a manner that is consistent with the state's timely compliance with requirements that are conditions to receipt of federal funds, including, but not limited to, funding from the Infrastructure Investment and Jobs Act (Public Law 117-58).