Report 2018-611 All Recommendation Responses

Report 2018-611: Gaps in Oversight Contribute to Weaknesses in the State's Information Security (Release Date: July 2019)

Recommendation for Legislative Action

To strengthen the information security practices of nonreporting entities, the Legislature should amend state law to require all nonreporting entities to adopt information security standards comparable to SAM 5300.

Description of Legislative Action

AB 2135 (Irwin, 2021) would require all nonreporting state agencies to adopt and implement information security and privacy policies, standards, and procedures based upon standards issued by the National Institute of Standards and Technology and the Federal Information Processing Standards, as specified. Additionally, this bill would allow nonreporting state agencies to adopt and implement information security and privacy policies, standards, and procedures following Chapter 5300 - Information Technology - Office of Information Security of the State Administrative Manual. As of September 14, 2022, this bill passed the Legislature and has been submitted to the Governor for signature.

California State Auditor's Assessment of Status: Legislation Introduced

As of September 14, 2022, this bill passed the Legislature and has been submitted to the Governor for signature.


Description of Legislative Action

AB 809 (Irwin) would require state agencies not subject to the authority of the Department of Technology to adopt and implement information security and privacy policies, standards, and procedures based upon standards issued by the National Institute of Standards and Technology and the Federal Information Processing Standards.

California State Auditor's Assessment of Status: Legislation Introduced


Description of Legislative Action

AB 2669 (Irwin) would require state agencies not subject to the authority of the Department of Technology to adopt and implement information security and privacy policies, standards, and procedures based upon standards issued by the National Institute of Standards and Technology and the Federal Information Processing Standards.

California State Auditor's Assessment of Status: Legislation Introduced


Description of Legislative Action

As of January 2020, the Legislature has not taken action to address this specific recommendation.

California State Auditor's Assessment of Status: No Action Taken


Recommendation for Legislative Action

To strengthen the information security practices of nonreporting entities, the Legislature should amend state law to require all nonreporting entities to obtain or perform comprehensive information security assessments no less frequently than every three years to determine compliance with the entirety of their adopted information security standards.

Description of Legislative Action

AB 2135 (Irwin, 2021) would require nonreporting state agencies to perform a comprehensive, independent security assessment every 2 years, which shall assess all policies, standards, and procedures adopted and would authorize them to contract with the Military Department, or with a qualified responsible vendor, for that purpose. As of September 14, 2022, this bill passed the Legislature and has been submitted to the Governor for signature.

California State Auditor's Assessment of Status: Legislation Introduced

As of September 14, 2022, this bill passed the Legislature and has been submitted to the Governor for signature.


Description of Legislative Action

AB 809 (Irwin) would require state agencies not subject to the authority of the Department of Technology to perform a comprehensive, independent security assessment every two years and would authorize them to contract with the Military Department for that purpose.

California State Auditor's Assessment of Status: Legislation Introduced


Description of Legislative Action

AB 2669 would require state agencies not subject to the authority of the Department of Technology to perform a comprehensive, independent security assessment every two years and would authorize them to contract with the Military Department for that purpose.

California State Auditor's Assessment of Status: Legislation Introduced


Description of Legislative Action

As of January 2020, the Legislature has not taken action to address this specific recommendation.

California State Auditor's Assessment of Status: No Action Taken


Recommendation for Legislative Action

To strengthen the information security practices of nonreporting entities, the Legislature should amend state law to require all nonreporting entities to confidentially submit certifications of their compliance with their adopted standards to the Assembly Privacy and Consumer Protection Committee and, if applicable, to confidentially submit corrective action plans to address any outstanding deficiencies.

Description of Legislative Action

AB 2135 (Irwin, 2021) would require nonreporting state agencies to certify to the President pro Tempore of the Senate and the Speaker of the Assembly annually by February 1 that the agency is in compliance with all adopted policies, standards, and procedures and to include a plan of action and milestones, as specified. This bill would require that the certification be kept confidential and not be disclosed, except that the information and records would be allowed to be shared, maintaining a chain of custody, with the members of the Legislature and legislative employees, at the discretion of the President pro Tempore of the Senate or the Speaker of the Assembly. As of September 14, 2022, this bill passed the Legislature and has been submitted to the Governor for signature.

California State Auditor's Assessment of Status: Legislation Introduced

As of September 14, 2022, AB 2135 (Irwin, 2021) passed the Legislature and has been submitted to the Governor for signature.


Description of Legislative Action

AB 809 (Irwin) would require state agencies not subject to the authority of the Department of Technology to certify, by February 1, annually, to the Assembly Committee on Privacy and Consumer Protection that the agency is in compliance with all adopted policies, standards, and procedures and include a corrective action plan to address any outstanding deficiencies, the estimated dates of compliance, and any additional resources it requires in order to cure each deficiency. The bill would require that the certification be kept confidential and not be disclosed, except that the information and records would be allowed to be shared with the members of the Legislature and legislative employees, at the discretion of the chairperson of the committee.

California State Auditor's Assessment of Status: Legislation Introduced


Description of Legislative Action

AB 2669 would require state agencies not subject to the authority of the Department of Technology to certify, by February 1, annually, to the Assembly Committee on Privacy and Consumer Protection that the agency is in compliance with all adopted policies, standards, and procedures and include a corrective action plan to address any outstanding deficiencies, the estimated dates of compliance, and any additional resources it requires in order to cure each deficiency.

California State Auditor's Assessment of Status: Legislation Introduced


Description of Legislative Action

As of January 2020, the Legislature has not taken action to address this specific recommendation.

California State Auditor's Assessment of Status: No Action Taken

