CDT Letter Spells Out New Security Rules, Deadline

The California Department of Technology (CDT) has issued a notice, in the form of an official Technology Letter, that all state agencies and entities have just over a year to submit their updated incident reporting and response plans, Technology Recovery Plans (TRPs), and corresponding processes and procedures to comply with new security requirements. The updated plans are due to CDT by July 1, 2019.

By way of background, the letter, issued Monday, notes that AB 1841 amended the California Emergency Services Act to require the CDT and the Office of Information Security (OIS), in consultation with the Governor’s Office of Emergency Services and the Department of General Services, to enhance the cybersecurity incident response strategy for the state. The legislation also instructs those entities to help state agencies secure critical infrastructure controls and information.

Under state policy, each agency and state entity must provide updated Technology Recovery Plans to CDT and report compliance with updated standards.

"This policy also defines the terms 'Critical Infrastructure Controls' and 'Critical Infrastructure Information' to support these provisions," the letter says. "Additionally, this policy prohibits the public disclosure of reports and public records related to the cybersecurity strategies and requires agencies/state entities to protect critical infrastructure from interference, compromise, or incapacitation."

CDT has published a FAQ page, and anyone with questions about the letter should contact the OIS at (916) 445-5239 or Security@state.ca.gov.