Report 2021-602 Recommendation Responses

Report 2021-602: State High-Risk Update—Information Security: The California Department of Technology's Inadequate Oversight Limits the State's Ability to Ensure Information Security (Release Date: January 2022)

Recommendation for Legislative Action

To strengthen the information security practices of nonreporting entities, the Legislature should amend state law to require each nonreporting entity to adopt information security standards comparable to SAM 5300 and to provide a confidential, annual status update on its compliance with its adopted information security standards to legislative leadership, including the president pro tempore of the California State Senate, the speaker of the California State Assembly, and minority leaders in both houses. It should also require each nonreporting entity to perform or obtain an audit of its information security no less frequently than every three years.

Description of Legislative Action

AB 2135 (Chapter 773, Statutes of 2022) requires certain nonreporting entities to adopt and implement information security and privacy policies, standards, and procedures based upon standards issued by the National Institute of Standards and Technology and the Federal Information Processing Standards. The bill requires these state agencies to perform a comprehensive, independent security assessment every two years and authorizes them to contract with the Military Department, or with a qualified responsible vendor, for that purpose. Further, this bill requires certain nonreporting agencies to certify annually by February 1 to the President pro Tempore of the Senate and the Speaker of the Assembly that the agency is in compliance with all adopted policies, standards, and procedures and to include a plan of action and milestones. The certification would be required to be kept confidential and not be disclosed, except that the information and records would be allowed to be shared, maintaining a chain of custody, with the members of the Legislature and legislative employees, at the discretion of the President pro Tempore of the Senate or the Speaker of the Assembly.

California State Auditor's Assessment of Status: Legislation Enacted


Description of Legislative Action

AB 2135 (Irwin, 2022) would require certain nonreporting entities to adopt and implement information security and privacy policies, standards, and procedures based upon standards issued by the National Institute of Standards and Technology and the Federal Information Processing Standards. The bill would require these state agencies to perform a comprehensive, independent security assessment every two years and would authorize them to contract with the Military Department, or with a qualified responsible vendor, for that purpose. Further, this bill would require certain nonreporting agencies to certify, by February 1 annually, to the President pro Tempore of the Senate and the Speaker of the Assembly that the agency is in compliance with all adopted policies, standards, and procedures and to include a risk register and plan of action and milestones. The certification would be required to be kept confidential and not be disclosed, except that the information and records would be allowed to be shared, maintaining a chain of custody, with the members of the Legislature and legislative employees, at the discretion of the President pro Tempore of the Senate or the Speaker of the Assembly.

California State Auditor's Assessment of Status: Legislation Introduced


All Recommendations in 2021-602