In a compromise with the Brown administration, Assemblymember Jacqui Irwin this week amended legislation that would have required the Office of Emergency Services to complete a statewide response plan for cybersecurity threats to critical infrastructure.
Instead, the Department of Technology will be tasked with crafting incident response standards, which each agency must incorporate to secure its own critical infrastructure controls and information.
The revised AB 1841 would require the department, in consultation with OES, to include the new cybersecurity standards in the State Administrative Manual by 2018.
In a statement, Irwin, D-Thousand Oaks, described her bill as a product of the partnership with the executive branch, and one that uses the department’s existing technology recovery planning process.
“Having an incident response plan in place prior to a breach or disruption ensures that we will have increased coordination, leveraged resources, reduced recovery time and costs, and ultimately limit the amount of damage that is done,” Irwin said in a statement to Techwire.
She added that the incident response standards would build upon her bill AB 670, which the governor signed last year and which mandates independent network security assessments of at least 35 state agencies per year.
OES has been working on a comprehensive cybersecurity plan for the last five years, but it has not said when the document would be finalized. That frustrated lawmakers who felt it was time for a final product, especially after a critical state audit last year found the state’s information systems were vulnerable to hackers.
Irwin’s original bill would have required a completed response plan by July 1, 2017, and a comprehensive cybersecurity strategy in place by January 1, 2018.
Since the introduction of her bill, the Office of Emergency Services has launched the California Cybersecurity Integration Center (Cal-CSIC) in an effort to foster collaboration among the various state agencies that oversee cybersecurity. Personnel from OES, the Department of Technology, the California Highway Patrol, the state Attorney General and the California Military Department work as a team to identify potential cyberthreats.
Irwin, who on Tuesday toured Cal-CSIC, said the administration is “making cybersecurity a priority and addressing the cybersecurity threat to California.”
The Senate also amended related legislation that would require state agencies and entities to report their actual and projected information security costs. AB 2623 by Assemblymember Rich Gordon, D-Menlo Park, would require annual reports to begin January 2018. That’s a year later than the original bill.
Both bills are awaiting votes in the Senate.