Amended  IN  Senate  June 08, 2022

CALIFORNIA LEGISLATURE— 2021–2022 REGULAR SESSION

Assembly Bill
No. 2190

Introduced by Assembly Member Irwin
(Coauthor: Assembly Member Gabriel)

February 15, 2022

An act to add Section 11549.4.1 to the Government Code, relating to information technology.


LEGISLATIVE COUNSEL'S DIGEST


AB 2190, as amended, Irwin. Office of Information Security: annual statewide information security status report.
Existing law establishes the Office of Information Security in the Department of Technology for purposes of ensuring the confidentiality, integrity, and availability of state systems and applications and promoting and protecting privacy as part of the development and operations of state systems and applications, as specified. Existing law requires the office to be under the direction of a chief.
This bill would require the chief to submit an annual statewide information security status report to the Assembly Committee on Privacy and Consumer Protection, Protection and the Senate Governmental Organization Committee, as described. The bill would require the first report to be submitted no later than January 2023. The bill would require the status report and any information or records included with the status report to be confidential and prohibit the information or records from being disclosed, except as provided.
Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.
This bill would make legislative findings to that effect.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Section 11549.4.1 is added to the Government Code, to read:

11549.4.1.
 (a) The chief shall submit an annual statewide information security status report to the Assembly Committee on Privacy and Consumer Protection. Protection and the Senate Governmental Organization Committee. The report shall include all of the following items:
(1) The maturity metric scores it has calculated for each state agency or state entity, as those terms are defined in Section 11546.1. For purposes of this subdivision, “maturity metric scores” means the scores for each of the five categories of and overall score from the Statewide Information Management Manual 5300-C, or its equivalent, for each state agency and state entity.
(2) The results of the National Cyber Security Review for each state agency or and state entity, as conducted by the United States Department of Homeland Security and Security, the Multi-State Information Sharing and Analysis Center. Center, and as available to the chief.
(b) The chief shall submit the first report no later than January 2023. This status report shall include the Department of Technology’s plan for assisting state agencies and state entities in improving their information security.
(c) Notwithstanding any law, the status report and any information or records included with the status report shall be confidential and shall not be disclosed. However, the information and records may be shared with members of the Legislature and legislative employees, at the discretion of the chairperson of the committee.

SEC. 2.

 The Legislature finds and declares that Section 1 of this act, which adds Section 11549.4.1 to the Government Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:
The state has a very strong interest in protecting its information technology systems from intrusion because those systems contain confidential information and play a critical role in the performance of the duties of state government. In order to protect information regarding the security status or specific vulnerabilities of those systems to preclude use of that information to facilitate attacks on those systems, it is necessary that this act limit the public’s right of access to that information.