Bill Text: CA AB2748 | 2017-2018 | Regular Session | Amended

California Assembly Bill 2748 (Prior Session Legislation)

NOTE: There are more recent revisions of this legislation. Read Latest Draft

Bill Title: Election infrastructure: independent security assessments.

Spectrum: Partisan Bill (Democrat 2-0)

Status: (Engrossed - Dead) 2018-08-20 - Ordered to inactive file at the request of Senator Stern. [AB2748 Detail]

Download: California-2017-AB2748-Amended.html

Amended IN Assembly March 23, 2018

CALIFORNIA LEGISLATURE— 2017–2018 REGULAR SESSION

Assembly Bill

No. 2748

Introduced by Assembly Member Chau

February 16, 2018

An act to ~~amend Section 8592.35~~ add and repeal Section 11549.45 of the Government Code, relating to ~~technology.~~ election infrastructure.

LEGISLATIVE COUNSEL'S DIGEST

AB 2748, as amended, Chau. ~~Information technology.~~Election infrastructure: independent security assessments.

Existing federal law charges various federal agencies with responsibilities related to the security of critical infrastructure, including election infrastructure. By Executive Order, the Governor directed the Office of Emergency Services to establish and lead the California Cybersecurity Integration Center, with its primary mission to reduce the likelihood and severity of cyber incidents that could damage California’s economy, its critical infrastructure, or public and private sector computer networks in the state. Existing state law authorizes the Chief of the Office of Information Security in the Department of Technology to conduct, or require to be conducted, an independent security assessment of every state agency, department, or office, as specified. Existing state law also requires the Secretary of State and county elections official to perform specified tasks related to the security of voting systems, ballots and other election materials.
This bill would require the Office of Information Security in the Department of Technology, the Office of Emergency Services, and the California Military Department to establish a pilot program to conduct, or require to be conducted, an independent security assessment of election infrastructure in participating counties, as specified. The bill would require the Office of Information Security in the Department of Technology, the Office of Emergency Services, and the California Military Department to transmit the complete results of each independent security assessment and recommendations for mitigating system vulnerabilities, if any, to the applicable county elections officials and the Secretary of State.
The bill would repeal these provisions on January 1, 2023.
Existing law requires the Department of Technology, on or before July 1, 2018, to update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency, as specified.
~~This bill would make a nonsubstantive change to that provision.~~

Vote: MAJORITY Appropriation: NO Fiscal Committee: NOYES Local Program: NO

The people of the State of California do enact as follows:

SECTION 1.

The Legislature finds and declares all of the following:

(a) Information technology networks and critical infrastructure are threatened by increasingly sophisticated cyber attacks. These cyber attacks present a major cybersecurity risk and increase the state’s vulnerability to economic disruption, critical infrastructure damage, potential disruption to our election systems, and violations of individuals’ rights.
(b) The federal Critical Infrastructures Protection Act of 2001 defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
(c) Presidential Policy Directive 21, released on February 12, 2013, states the policy of the United States to strengthen the security and resilience of its critical infrastructure against both physical and cyber threats. The directive identifies 16 critical infrastructure sectors, including the Government Facilities Sector for which the Department of Homeland Security and General Services Administration have responsibilities.
(d) This state recognizes the 16 critical infrastructure sections identified by the federal government.
(e) On January 6, 2017, the Department of Homeland Security designated election systems as critical infrastructure and created the Election Infrastructure Subsector within the existing Government Facilities Sector to enable the Department of Homeland Security to prioritize its cybersecurity assistance to state and local elections officials. The department clarified that its reference to “election infrastructure” means “storage facilities, polling places, and centralized vote tabulations locations used to support the election process, and information and communications technology to include voter registration databases, voting machines, and other systems to manage the election process and report and display results on behalf of state and local governments.”
(f) In 2015, in Executive Order B-34-15, the Governor directed the Office of Emergency Services to establish and lead the California Cybersecurity Integration Center (Cal-CSIC), with the primary mission to reduce the likelihood and severity of cyber incidents that could damage this state’s economy, its critical infrastructure, or the public and private sector computer networks in this state. Cal-CSIC is required to serve as the central organizing hub of the state government’s cybersecurity activities and coordinate information sharing with local, state, and federal agencies, tribal governments, utilities, and other service providers, academic institutions, and non-governmental organizations.
(g) Protecting our election infrastructure from cybersecurity threats is of vital importance to this state and to our national interests.
(h) It is the intent of the Legislature to leverage the state’s cybersecurity resources to assist county elections officials in their assessments of election infrastructure in order to be best prepared for future cybersecurity threats. It is also the intent of the Legislature to recognize election infrastructure as critical infrastructure and an important subsector within the existing Government Facilities Sector identified by the federal government and this state.

SEC. 2.

Section 11549.45 is added to the Government Code, to read:

11549.45.
(a) The office, the Office of Emergency Services, and the California Military Department shall establish a pilot program to conduct, or require to be conducted, an independent security assessment of election infrastructure in participating counties. The office, the Office of Emergency Services, and the California Military Department shall consult with county elections officials to identify and select counties to participate in the pilot program. The independent security assessments for the first group of participating counties shall be completed no later than January 1, 2020. After completion of those assessments, the office, the Office of Emergency Services, and the California Military Department may conduct additional independent security assessments of election infrastructure in other counties.
(b) The office, the Office of Emergency Services, and the California Military Department, in coordination with the county elections officials in the participating counties, shall do all of the following:
(1) Determine criteria and rank counties based on an information security risk index that may include analysis of the relative amount of the following factors within counties:
(A) Personally identifiable information protected by law.
(B) Voter registration information.
(C) Information on voted ballots.
(D) Self-certification of compliance and indicators of unreported noncompliance with security provisions in the following areas:
(i) Information asset management.
(ii) Risk management.
(iii) Information security program management.
(iv) Information security incident management.
(v) Technology recovery planning.
(E) Other information identified by the office, the Office of Emergency Services, and the California Military Department, in coordination with the county elections officials, that may present a security risk.
(2) Determine the basic standards of services to be performed as part of independent security assessments required by this subdivision.
(c) The office, the Office of Emergency Services, and the California Military Department shall transmit the complete results of each independent security assessment and recommendations for mitigating system vulnerabilities, if any, to the applicable county elections officials and the Secretary of State.
(d) (1) Notwithstanding any other law, during the process of conducting an independent security assessment pursuant to this section, information and records concerning the independent security assessment are confidential and shall not be disclosed, except that the information and records may be transmitted to state employees and state contractors who have been approved as necessary to receive the information and records to perform that independent security assessment, subsequent remediation activity, or monitoring of remediation activity.
(2) The results of a completed independent security assessment performed pursuant to this section, and any related information, shall be subject to all disclosure and confidentiality provisions pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1), including, but not limited to, Section 6254.19.
(e) The office, the Office of Emergency Services, and the California Military Department shall notify the Department of the California Highway Patrol and the Department of Justice regarding any criminal or alleged criminal cyber activity affecting any state entity or critical infrastructure of state government.
(f) For purposes of this section, the following terms of the following meanings:
(1) “Election infrastructure” means storage facilities, polling places, and centralized vote tabulations locations used to support the election process, and information and communications technology to include voter registration databases, vote tabulating devices, and other systems to manage the election process and report and display results.
(2) “Program” means the pilot program established pursuant to this section.
(g) This section shall remain in effect only until January 1, 2023, and as of that date is repealed, unless a later enacted statute, that is enacted before January 1, 2023, deletes or extends that date.

SECTION 1.Section 8592.35 of the Government Code is amended to read:
8592.35.
(a)(1)On or before July 1, 2018, the department shall, in consultation with the office and compliance with Section 11549.3, update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information.
~~(2)In updating the standards in paragraph (1), the department shall consider, but not be limited to considering, each of the following:~~
~~(A)Costs to implement the standards.~~
~~(B)Security of critical infrastructure information.~~
~~(C)Centralized management of risk.~~
~~(D)Industry best practices.~~
~~(E)Continuity of operations.~~
~~(F)Protection of personal information.~~
~~(b)Each state agency shall provide the department with a copy of its updated Technology Recovery Plan.~~
(c)Each state agency shall, as part of its Technology Recovery Plan, provide the department with an inventory of all critical infrastructure controls, and their associated assets, in the possession of the agency.