Bills

AB 749: State agencies: information security: uniform standards.

  • Session Year: 2023-2024
  • House: Assembly
  • Latest Version Date: 2023-08-14

Current Status:

Failed

(2023-09-01: In committee: Held under submission.)


Version:

Existing law establishes the Office of Information Security within the Department of Technology for the purpose of ensuring the confidentiality, integrity, and availability of state systems and applications and of promoting and protecting privacy as part of the development and operation of state systems and applications, so as to ensure the trust of the residents of this state. Existing law requires state entities, as specified, to implement the policies and procedures issued by the office. Existing law additionally authorizes the office, under direction of the chief, to conduct, or require to be conducted, an independent security assessment of every state agency, department, or office, as specified. Existing law also requires each state agency to certify, by February 1 annually, to the President pro Tempore of the Senate and the Speaker of the Assembly that the agency is in compliance with all adopted policies, standards, and procedures, and to include with that certification a plan of action and milestones, as specified.

This bill would require every state agency, as defined and subject to specified exceptions, to implement Zero Trust architecture for all data, hardware, software, internal systems, and essential third-party software, including in on-premises, cloud, and hybrid environments, and to achieve prescribed levels of maturity based on the Cybersecurity and Infrastructure Security Agency (CISA) Maturity Model, as defined, by specified dates. In implementing Zero Trust architecture, the bill would require state agencies to prioritize the use of solutions that comply with, are authorized by, or align to federal guidelines, programs, and frameworks and, at a minimum, to prioritize multifactor authentication for access to all systems and data, enterprise endpoint detection and response solutions, and robust logging practices, as specified. The bill would require the office's chief, no later than January 1, 2025, to develop or revise uniform technology policies, standards, and procedures in the State Administrative Manual and the Statewide Information Management Manual for use by all state agencies in implementing Zero Trust architecture and achieving the specified maturity levels on all systems. The bill would require the chief to update the requirements for existing annual reporting activities to collect information on the progress state agencies are making in increasing the internal defenses of agency systems, and would authorize the chief to update those reporting activities to include how a state agency is progressing with respect to specified goals. The bill would also state the Legislature's intent that the bill's provisions be implemented in a manner consistent with the state's timely compliance with requirements that are conditions to the receipt of federal funds. The bill would also make related legislative findings and declarations.

Discussed in Hearing

  • Senate Standing Committee on Appropriations: Aug 21, 2023
  • Senate Standing Committee on Governmental Organization: Jul 11, 2023
  • Assembly Floor: May 30, 2023

AB 749: State agencies: information security: uniform standards. | Digital Democracy