Alarmed that California’s agencies and departments are grappling with how to secure their information systems against potential hackers, one state lawmaker is calling upon the state chief information officer to provide that guidance.
A bill by Assemblymember Ling Ling Chang, R-Diamond Bar, would require the CIO to tailor baseline security controls for all agencies and departments under its jurisdiction. She added the requirement this month to AB 1881 after reading a 2015 state auditor report critical of the state’s cybersecurity preparedness.
At an Assembly committee hearing in February, State Auditor Elaine Howle told lawmakers that many state agencies want to protect the data they store, but they just don’t know how.
That is concerning to Chang.
“It’s unclear to departments what they need to follow,” Chang told Techwire in an interview Thursday. “They have generic language that is confusing for them.”
The technology department currently follows so-called baseline security controls published by the National Institute of Standards and Technology (NIST) for federal information systems and organizations. Each state entity is required to follow those standards in the planning, development, implementation and maintenance of their information security systems, according to the Department of Technology.
Chang’s bill would essentially codify those NIST standards into state law and also require the CIO to tailor the standards for each state agency’s requirements, a process she contends has not been carried out.
“Each agency has different needs,” Chang said.
Her bill is scheduled to be heard April 19 in the Assembly Privacy and Consumer Protection Committee. The same panel is scheduled on Tuesday to hear from Assemblymember Jacqui Irwin, D-Thousand Oaks, who has authored another cybersecurity measure.
AB 1841 would require the Office of Emergency Services to develop a statewide emergency services response plan for cybersecurity threats to critical infrastructure. OES has been working on such a plan since Gov. Jerry Brown created a task force in 2013 to address cybersecurity threats, but it has not said when the document would be finalized.
OES director Mark Ghilarducci told lawmakers at the February cybersecurity hearing that OES is working on the plan “each and every day,” incorporating evolving threats and assessments and working with the private sector, which owns and operates most of the state’s critical infrastructure.
Irwin’s bill would require that the plan be completed by July 1, 2017.
“This process is too important to be left incomplete,” Irwin said in a statement to Techwire.
“This bill would provide clear authority and an established time frame to produce an incident response plan and require state agencies to report on their compliance with that planning.”