
Cybersecurity Bills Would Emphasize National Standards for State

Two cybersecurity bills from Assemblymember Jacqui Irwin that are making their way through the Legislature could prompt state entities to more closely follow highly regarded rules from a national organization.

Two cybersecurity bills that cleared the state Assembly Committee on Privacy and Consumer Protection last week could make state entities follow National Institute of Standards and Technology rules more closely if passed.

Both pieces of legislation were on the committee’s consent agenda April 8 and passed with no discussion. Their author, Assemblymember Jacqui Irwin, D-Thousand Oaks, confirmed the vote to Techwire in discussing her work this session on cybersecurity and government IT. Among the takeaways:

  • Existing law requires executive branch entities under Gov. Gavin Newsom’s direct authority to “implement the policies and procedures” issued by his office, which is authorized to have independent security assessments done by the California Military Department (CMD) of “any state agency, department or office.” Irwin’s Assembly Bill 809 would require state agencies not already covered to “adopt and implement information security and privacy policies, standards and procedures” based upon those provided by the National Institute of Standards and Technology (NIST), and make them obtain independent security assessments from CMD every two years. The agencies — essentially, the so-called “Constitutionals,” including the Attorney General's and Secretary of State’s offices — would also have to certify their compliance with “all adopted policies standards and procedures” annually to the Privacy Committee.
    “We think it’s a really critical step to make sure that they’re able to validate or verify that their systems are safe,” Irwin said. “Hopefully, they’ll understand the importance of making sure that ... it’s verified that the Constitutionals have the same standards that the rest of the executive branch has.” AB 809 is headed to the Assembly Committee on Accountability and Administrative Review; it’s not clear when it will be heard.
  • AB 581, which Irwin also wrote, would require “all state agencies, as generally defined” to review and implement specified NIST guidelines for “among other things, reporting, coordinating, publishing and receiving information” on a security vulnerability relating to information systems and how it was resolved, no later than July 1, 2022. It would also require the chief to update and publish, based on NIST guidelines, “any appropriate standards or procedures in the State Administrative Manual and Statewide Information Management Manual to apply the NIST guidelines” to “certain government agencies” by April 1, 2022.
    “It’s using the NIST standards that are going to be published later this year. Coordinated vulnerability disclosure programs,” Irwin said.
  • The Assembly Select Committee on Cybersecurity, which Irwin was recently reappointed to chair for the seventh year, could get an update this session on how the state is “protecting our critical infrastructure like the local water utilities,” she said, pointing to the February breach of a remote access platform to a city water system. “So, having another oversight hearing to see where we are now, I think, is something a high priority for this year,” Irwin said. Other areas of interest for the committee are the $50 million in Gov. Gavin Newsom’s proposed 2021-2022 fiscal year budget for cybersecurity, including cybersecurity audits of state entities; and the prefunding of Independent Security Assessments by the California Military Department, as required in 2015 by Assembly Bill 670.
  • Irwin said her office is seeking money to fund a pilot program that would rapidly upskill or reskill displaced workers with what her office calls “highly transferable digital literacy and technical skills via short-term certificate programs.” It has made the request to the budget committee. The goal is to train them to work in IT and communications, clean technology and other industries. One potential path could be to “leverage the existing Employment Training Panel (ETP) infrastructure within the Labor and Workforce Development Agency,” Irwin’s office said, to generate competitive grants to counties that partner with community-based organizations. Irwin said the request is for $10 million, and the Digital Upskill Sacramento Program is a model for “the type of program I’d like to see tried out in other counties.”
Theo Douglas is Assistant Managing Editor of Industry Insider — California.