Bill Text: CA AB2748 | 2017-2018 | Regular Session | Amended
NOTE: There are more recent revisions of this legislation.
Bill Title: Election infrastructure: independent security assessments.
Spectrum: Partisan Bill (Democrat 2-0)
Status: (Engrossed - Dead) 2018-08-20 - Ordered to inactive file at the request of Senator Stern.
Amended in Assembly April 30, 2018
Amended in Assembly March 23, 2018
CALIFORNIA LEGISLATURE—2017–2018 REGULAR SESSION
Assembly Bill No. 2748
Introduced by Assembly Member Chau (Coauthor: Assembly Member Berman)
February 16, 2018
An act to add and repeal Section 11549.45 of the Government Code, relating to election infrastructure.
LEGISLATIVE COUNSEL'S DIGEST
AB 2748, as amended, Chau.
Election infrastructure: independent security assessments.
Existing federal law charges various federal agencies with responsibilities related to the security of critical infrastructure, including election infrastructure. By Executive Order, the Governor directed the Office of Emergency Services to establish and lead the California Cybersecurity Integration Center, with its primary mission to reduce the likelihood and severity of cyber incidents that could damage California’s economy, its critical infrastructure, or public and private sector computer networks in the state. Existing state law authorizes the Chief of the Office of Information Security in the Department of Technology to conduct, or require to be conducted, an independent security assessment of every state agency, department, or office, as specified. Existing state law also requires the Secretary of State and county elections official to perform specified tasks related to the security of voting systems, ballots, and other election materials.
This bill would require the Office of Information Security in the Department of Technology, the Office of Emergency Services, and the California Military Department to establish a pilot program to conduct, or require to be conducted, an independent security assessment of election infrastructure in counties that voluntarily choose to participate in the pilot program, as specified. The bill would require the Office of Information Security in the Department of Technology, the Office of Emergency Services, and the California Military Department to transmit the complete results of each independent security assessment and recommendations for mitigating system vulnerabilities, if any, to the elections official of the county in which the assessment was conducted and the Secretary of State. The bill would require these agencies to also prepare and submit a joint report to the Legislature regarding any assessments conducted.
The bill would repeal these provisions on January 1, 2023.
Digest Key
Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO
Bill Text
The people of the State of California do enact as follows:
SECTION 1.
The Legislature finds and declares all of the following:
(a) Information technology networks and critical infrastructure are threatened by increasingly sophisticated cyberattacks. These cyberattacks present a major cybersecurity risk and increase the state’s vulnerability to economic disruption, critical infrastructure damage, potential disruption to our election systems, and violations of individuals’ rights.
(b) The federal Critical Infrastructures Protection Act of 2001 defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
(c) Presidential Policy Directive 21, released on February 12, 2013, states the policy of the United States to strengthen the security and resilience of its critical infrastructure against both physical and cyber threats. The directive identifies 16 critical infrastructure sectors, including the Government Facilities Sector for which the Department of Homeland Security and General Services Administration have responsibilities.
(d) This state recognizes the 16 critical infrastructure sectors identified by the federal government.
(e) On January 6, 2017, the Department of Homeland Security designated election systems as critical infrastructure and created the Election Infrastructure Subsector within the existing Government Facilities Sector to enable the Department of Homeland Security to prioritize its cybersecurity assistance to state and local elections officials. The department clarified that its reference to “election infrastructure” means “storage facilities, polling places, and centralized vote tabulations locations used to support the election process, and information and communications technology to include voter registration databases, voting machines, and other systems to manage the election process and report and display results on behalf of state and local governments.”
(f) In 2015, in Executive Order B-34-15, the Governor directed the Office of Emergency Services to establish and lead the California Cybersecurity Integration Center (Cal-CSIC), with the primary mission to reduce the likelihood and severity of cyber incidents that could damage this state’s economy, its critical infrastructure, or the public and private sector computer networks in this state. Cal-CSIC is required to serve as the central organizing hub of the state government’s cybersecurity activities and coordinate information sharing with local, state, and federal agencies, tribal governments, utilities, and other service providers, academic institutions, and nongovernmental organizations.
(g) Protecting our election infrastructure from cybersecurity threats is of vital importance to this state and to our national interests.
(h) It is the intent of the Legislature to leverage the state’s cybersecurity resources to assist county elections officials in their assessments of election infrastructure in order to be best prepared for future cybersecurity threats. It is also the intent of the Legislature to recognize election infrastructure as critical infrastructure and an important subsector within the existing Government Facilities Sector identified by the federal government and this state.
SEC. 2.
Section 11549.45 is added to the Government Code, to read:
11549.45.
(a) The office, the Office of Emergency Services, and the California Military Department shall establish a pilot program to conduct, or require to be conducted, an independent security assessment of election infrastructure in counties that voluntarily choose to participate in the pilot program. The office, the Office of Emergency Services, and the California Military Department shall consult with county elections officials to identify and select counties to participate in the pilot program. The independent security assessments for the first group of participating counties shall be completed no later than January 1, 2020. After completion of those assessments, the office, the Office of Emergency Services, and the California Military Department may conduct additional independent security assessments of election infrastructure in other counties.
(b) The office, the Office of Emergency Services, and the California Military Department, in coordination with the county elections officials in the participating counties, shall do all of the following:
(1) Determine criteria and rank counties based on an information security risk index that may include analysis of the relative amount of the following factors within counties:
(A) Personally identifiable information protected by law.
(B) Voter registration information.
(C) Information on voted ballots.
(D) Self-certification of compliance and indicators of unreported noncompliance with security provisions in the following areas:
(i) Information asset management.
(ii) Risk management.
(iii) Information security program management.
(iv) Information security incident management.
(v) Technology recovery planning.
(E) Other information identified by the office, the Office of Emergency Services, and the California Military Department, in coordination with the county elections officials, that may present a security risk.
(2) Determine the basic standards of services to be performed as part of independent security assessments required by this subdivision.
(c) The office, the Office of Emergency Services, and the California Military Department shall transmit the complete results of each independent security assessment and recommendations for mitigating system vulnerabilities, if any, to the elections official of the county in which the assessment was conducted and the Secretary of State.
(d) (1) Notwithstanding any other law, during the process of conducting an independent security assessment pursuant to this section, information and records concerning the independent security assessment are confidential and shall not be disclosed, except that the information and records may be transmitted to state employees, state contractors, county employees, and county contractors who have been approved as necessary to receive the information and records to perform that independent security assessment, subsequent remediation activity, or monitoring of remediation activity.
(2) The results of a completed independent security assessment performed pursuant to this section, and any related information, shall be subject to all disclosure and confidentiality provisions pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1), including, but not limited to, Section 6254.19.
(e) The office, the Office of Emergency Services, and the California Military Department shall notify the Department of the California Highway Patrol and the Department of Justice regarding any criminal or alleged criminal cyber activity affecting any state entity or critical infrastructure of state government, and shall notify the district attorney of the county regarding any criminal or alleged criminal cyber activity affecting any county entity or critical infrastructure of the county government.
(f) (1) If one or more independent security assessments are conducted pursuant to this section, the office, the Office of Emergency Services, and the California Military Department shall prepare and submit, pursuant to Section 9795 and by January 1, 2022, a joint report to the Legislature regarding the assessments conducted.
(2) The office, the Office of Emergency Services, and the California Military Department shall develop the report in consultation with the counties in which the assessments were performed.
(3) The report shall include, but not be limited to, all of the following:
(A) An identification of the counties in which assessments were performed.
(B) Information about the costs of the assessments.
(C) A summary of relevant performance metrics, including county satisfaction with the performance of the assessments and a summary of the results of completed assessments, subject to all confidentiality provided for in state law, including, but not limited to, Section 6254.19.
(D) Any legislative recommendations.
(g) For purposes of this section, the following terms have the following meanings:
(1) “Election infrastructure” means storage facilities, polling places, and centralized vote tabulation locations used to support the election process, and information and communications technology to include voter registration databases, vote tabulating devices, and other systems to manage the election process and report and display results.
(2) “Program” means the pilot program established pursuant to this section.
(h) This section shall remain in effect only until January 1, 2023, and as of that date is repealed, unless a later enacted statute, that is enacted before January 1, 2023, deletes or extends that date.