Bill Full Text
<?xml version="1.0" ?>
<ns0:MeasureDoc xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://lc.ca.gov/legalservices/schemas/caml.1#" xmlns:ns3="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.0" xsi:schemaLocation="http://lc.ca.gov/legalservices/schemas/caml.1# xca.1.xsd">
<ns0:Description>
<ns0:Id>20250AB__086999INT</ns0:Id>
<ns0:VersionNum>99</ns0:VersionNum>
<ns0:History>
<ns0:Action>
<ns0:ActionText>INTRODUCED</ns0:ActionText>
<ns0:ActionDate>2025-02-19</ns0:ActionDate>
</ns0:Action>
</ns0:History>
<ns0:LegislativeInfo>
<ns0:SessionYear>2025</ns0:SessionYear>
<ns0:SessionNum>0</ns0:SessionNum>
<ns0:MeasureType>AB</ns0:MeasureType>
<ns0:MeasureNum>869</ns0:MeasureNum>
<ns0:MeasureState>INT</ns0:MeasureState>
</ns0:LegislativeInfo>
<ns0:AuthorText authorType="LEAD_AUTHOR">Introduced by Assembly Member Irwin</ns0:AuthorText>
<ns0:Authors>
<ns0:Legislator>
<ns0:Contribution>LEAD_AUTHOR</ns0:Contribution>
<ns0:House>ASSEMBLY</ns0:House>
<ns0:Name>Irwin</ns0:Name>
</ns0:Legislator>
</ns0:Authors>
<ns0:Title> An act to add Section 11549.45 to the Government Code, relating to state government. </ns0:Title>
<ns0:RelatingClause>state government</ns0:RelatingClause>
<ns0:GeneralSubject>
<ns0:Subject>State agencies: information security: Zero Trust architecture.</ns0:Subject>
</ns0:GeneralSubject>
<ns0:DigestText>
<html:p>Existing law establishes the Office of Information Security within the Department of Technology for the purpose of ensuring the confidentiality, integrity, and availability of state systems and applications and to promote and protect privacy as part of the development and operations of state systems and applications to ensure the trust of the residents of this state. Existing law requires specified state entities to implement the policies and procedures issued by the office. Existing law additionally authorizes the office to conduct, or require to be conducted, an independent security assessment of every state agency, department, or office, as specified. Existing law requires every state agency, as specified, to certify, by February 1 annually, to the office that the agency is in compliance with all adopted policies, standards, and procedures and to include a plan of action and milestones, as specified.</html:p>
<html:p>This bill would require every state agency, as specified, and subject to specified exceptions, to implement Zero Trust architecture for all data, hardware, software, internal systems, and essential third-party software, including for on-premises, cloud, and hybrid environments, to achieve prescribed levels of maturity based on the Cybersecurity and Infrastructure Security Agency (CISA) Maturity Model, as defined, by specified dates. In implementing Zero Trust architecture, the bill would require state agencies to prioritize the use of solutions that comply with, are authorized by, or align to federal guidelines, programs, and frameworks and, at a minimum, prioritize multifactor authentication for access to all systems and data, enterprise endpoint detection and response solutions, and robust logging practices, as specified. The bill would require the office’s chief to develop or revise uniform technology policies, standards, and procedures for use by all state agencies in Zero Trust architecture to achieve specified maturity levels on all systems in the State Administrative Manual and Statewide Information Management Manual. The bill would require the chief to update requirements for existing annual reporting activities to collect information relating to the progress state agencies are making to increase internal defenses of agency systems. The bill would authorize the chief to update existing annual reporting activities to include how a state agency is progressing with respect to specified goals. The bill would also state the Legislature’s intent that the bill’s provisions be implemented in a manner consistent with the state’s timely compliance with requirements that are conditions to receipt of federal funds. The bill would also make related legislative findings and declarations.</html:p>
</ns0:DigestText>
<ns0:DigestKey>
<ns0:VoteRequired>MAJORITY</ns0:VoteRequired>
<ns0:Appropriation>NO</ns0:Appropriation>
<ns0:FiscalCommittee>YES</ns0:FiscalCommittee>
<ns0:LocalProgram>NO</ns0:LocalProgram>
</ns0:DigestKey>
<ns0:MeasureIndicators>
<ns0:ImmediateEffect>NO</ns0:ImmediateEffect>
<ns0:ImmediateEffectFlags>
<ns0:Urgency>NO</ns0:Urgency>
<ns0:TaxLevy>NO</ns0:TaxLevy>
<ns0:Election>NO</ns0:Election>
<ns0:UsualCurrentExpenses>NO</ns0:UsualCurrentExpenses>
<ns0:BudgetBill>NO</ns0:BudgetBill>
<ns0:Prop25TrailerBill>NO</ns0:Prop25TrailerBill>
</ns0:ImmediateEffectFlags>
</ns0:MeasureIndicators>
</ns0:Description>
<ns0:Bill id="bill">
<ns0:Preamble>The people of the State of California do enact as follows:</ns0:Preamble>
<ns0:BillSection id="id_107F1781-FFA3-4747-95DC-0AE7B2F63371">
<ns0:Num>SECTION 1.</ns0:Num>
<ns0:Content>
<html:p>The Legislature finds and declares the following:</html:p>
<html:p>
(a)
<html:span class="EnSpace"/>
Recent cyber breaches have had wide-ranging consequences and demand a state-level response. Cyber defense requires greater speed and agility to mitigate cyber threats, limit the impact of data breaches, and better protect the state’s workforce and residents. These attacks not only significantly impact institutions financially, but they also erode public trust and confidence in government.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
To better defend against cyber threats, the Legislature intends for state agencies to embrace technologies and practices outlined in Executive Order 14028 on Improving the Nation’s Cybersecurity. At a minimum, this includes formalizing Zero Trust as the desired model for security. Zero Trust is a security architecture requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or retaining access to applications and data.
</html:p>
</ns0:Content>
</ns0:BillSection>
<ns0:BillSection id="id_DE513880-9C22-4F10-AECA-34AC8D5EFD07">
<ns0:Num>SEC. 2.</ns0:Num>
<ns0:ActionLine action="IS_ADDED" ns3:href="urn:caml:codes:GOV:caml#xpointer(%2Fcaml%3ALawDoc%2Fcaml%3ACode%2F%2Fcaml%3ALawSection%5Bcaml%3ANum%3D'11549.45'%5D)" ns3:label="fractionType: LAW_SECTION" ns3:type="locator">
Section 11549.45 is added to the
<ns0:DocName>Government Code</ns0:DocName>
, to read:
</ns0:ActionLine>
<ns0:Fragment>
<ns0:LawSection id="id_CA9A8886-61B3-4436-ACE1-E83DBEDF913F">
<ns0:Num>11549.45.</ns0:Num>
<ns0:LawSectionVersion id="id_53E2BFED-0383-4D16-BE1A-1A89DF0F344D">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
For purposes of this section, the following definitions shall apply:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
“Chief” means the Chief of the Office of Information Security.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
“Cybersecurity and Infrastructure Security Agency (CISA) Maturity Model” means the Zero Trust Maturity Model published by the Cybersecurity and Infrastructure Security Agency.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
“Endpoint detection and response” means a cybersecurity solution that continuously monitors end-user devices to detect and respond to cyber threats.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
“Multifactor authentication” means using two or more different types of identification factors to authenticate a user’s identity for the purpose of accessing systems and data.
</html:p>
<html:p>
(5)
<html:span class="EnSpace"/>
“State agency” has the same meaning as in Section 11000.
</html:p>
<html:p>
(6)
<html:span class="EnSpace"/>
“Zero Trust architecture” means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy that employs continuous monitoring, risk-based access controls, secure identity and access management practices, and system security automation techniques to address the cybersecurity risk from threats inside and outside traditional network boundaries.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
Every state agency shall implement Zero Trust architecture for all data, hardware, software, internal systems, and essential third-party software, including for on-premises, cloud, and hybrid environments, according to the following levels of maturity based upon the Cybersecurity and Infrastructure Security Agency (CISA) Maturity Model:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Achieve “Advanced” maturity by June 1, 2026.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Achieve “Optimal” maturity by June 1, 2030.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
In implementing Zero Trust architecture, a state agency shall prioritize the use of solutions that comply with, are authorized by, or align to applicable federal guidelines, programs, and frameworks, including the Federal Risk and Authorization Management Program, the Continuous Diagnostics and Mitigation Program, and guidance and frameworks from the National Institute of Standards and Technology.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
Implementation shall, at a minimum, prioritize the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Multifactor authentication for access to all systems and data owned, managed, maintained, or utilized by or on behalf of the state agency.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Enterprise endpoint detection and response solutions to promote real-time detection of cybersecurity threats and rapid investigation and remediation capabilities.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Robust logging practices to provide adequate data to support security investigations and proactive threat hunting.
</html:p>
<html:p>
(e)
<html:span class="EnSpace"/>
The chief shall develop or revise uniform technology policies, standards, and procedures for use by each state agency in implementing Zero Trust architecture to achieve the “Advanced” and “Optimal” maturity levels stated in subdivision (b) in the State Administrative Manual and Statewide Information Management Manual. A state agency subject to subdivision (f) of Section 11549.3 may, but is not required to, use the policies, standards, and procedures developed by the chief.
</html:p>
<html:p>
(f)
<html:span class="EnSpace"/>
The chief shall update requirements for existing annual reporting activities, including standards for audits and independent security assessments, to collect information relating to a state agency’s progress in increasing the internal defenses of agency systems, including:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
A description of any steps the state agency has completed, including advancements toward achieving Zero Trust architecture maturity levels.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Following an independent security assessment, an identification of activities that have not yet been completed and that would have the most immediate security impact.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
A schedule to implement any planned activities.
</html:p>
<html:p>
(g)
<html:span class="EnSpace"/>
The chief may update requirements for existing annual reporting activities, including standards for audits and independent security assessments, to also include information on how a state agency is progressing with respect to the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Shifting away from trusted networks to implement security controls based on a presumption of compromise.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Implementing principles of least privilege in administering information security programs.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Limiting the ability of entities that cause cyberattacks to move laterally through or between a state agency’s systems.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
Identifying cyber threats quickly.
</html:p>
<html:p>
(5)
<html:span class="EnSpace"/>
Isolating and removing unauthorized entities from state agencies’ systems as quickly as practicable, accounting for cyber threat intelligence or law enforcement purposes.
</html:p>
<html:p>
(h)
<html:span class="EnSpace"/>
This section shall apply to the University of California only to the extent that the Regents of the University of California, by resolution, make any of these provisions applicable to the university.
</html:p>
<html:p>
(i)
<html:span class="EnSpace"/>
It is the intent of the Legislature that this section be implemented in a manner that is consistent with the state’s timely compliance with requirements that are conditions to receipt of federal funds, including, but not limited to, funding from the Infrastructure Investment and Jobs Act (Public Law 117-58).
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
</ns0:Fragment>
</ns0:BillSection>
</ns0:Bill>
</ns0:MeasureDoc>