Article 6.4 - Cybersecurity

California Government Code — §§ 8592.30-8592.50

Sections (8)

Amended by Stats. 2006, Ch. 855, Sec. 3. Effective January 1, 2007.

(a) The committee shall consult with the following organizations and entities:
(1) California State Peace Officers Association.
(2) California Police Chiefs Association.
(3) California State Sheriffs’ Association.
(4) California Professional Firefighters.
(5) California Fire Chiefs Association.
(6) California State Association of Counties.
(7) League of California Cities.
(8) California State Firefighters Association.
(9) California Coalition of Law Enforcement Associations.
(10) California Correctional Peace Officers Association.
(11) CDF Firefighters.
(12) California Union of Safety Employees.
(b) Each organization or entity listed in subdivision (a) may designate a representative to work with the committee to develop agreements for interoperability or other shared use of the public safety spectrum between the state public safety departments listed in subdivision (b) of Section 8592.1 and local or federal agencies that operate a communication system on the public safety spectrum and that have capacity and technical ability for interoperability or other shared use.
(c) The committee shall develop a model memorandum of understanding that sets forth general terms for interoperability or other shared uses among jurisdictions, which may be modified as necessary for a particular agreement entered into pursuant to subdivision (b).
(d) A local agency may not be required to adopt the model memorandum of understanding developed pursuant to subdivision (c).

Amended by Stats. 2006, Ch. 903, Sec. 3. Effective January 1, 2007.

(a) The committee shall determine which state public safety departments listed in subdivision (b) of Section 8592.1 need new or upgraded communication equipment and shall establish a program for equipment purchase. In establishing this program, the committee shall recommend the purchase of public safety radio subscriber equipment that will enable state agencies to commence conforming to industry and governmental standards for interoperability as set forth in Section 8592.5. As technology continues to evolve, the committee shall recommend the purchase of nonproprietary equipment or systems that have open architecture and backward compatibility, and that are in compliance with paragraphs (1) and (2) of subdivision (a) of Section 8592.5.
(b) The committee may recommend to any other federal, state, regional, or local entity with responsibility for developing, operating, or monitoring interoperability of the public safety spectrum, the purchase of public safety radio subscriber equipment that will enable first response agencies to commence conforming to industry and governmental standards for interoperability as set forth in paragraphs (1) and (2) of subdivision (a) of Section 8592.5. As technology continues to evolve, the committee may recommend the purchase of nonproprietary equipment or systems that have open architecture and backward compatibility, and that are in compliance with paragraphs (1) and (2) of subdivision (a) of Section 8592.5.
(c) This section does not mandate that a state or local governmental agency affected by this section is required to compromise its immediate mission or ability to function and carry out its existing responsibilities.

Amended by Stats. 2013, Ch. 28, Sec. 7. (SB 71) Effective June 27, 2013. Operative July 1, 2013, by Sec. 93 of Ch. 28.

(a) Except as provided in subdivision (c), a state department that purchases public safety radio communication equipment shall ensure that the equipment purchased complies with applicable provisions of the following:
(1) The common system standards for digital public safety radio communications commonly referred to as the “Project 25 Standard,” as that standard may be amended, revised, or added to in the future jointly by the Association of Public-Safety Communications Officials, Inc., National Association of State Telecommunications Directors, and agencies of the federal government, commonly referred to as “APCO/NASTD/FED.”
(2) The operational and functional requirements delineated in the Statement of Requirements for Public Safety Wireless Communications and Interoperability developed by the SAFECOM Program under the United States Department of Homeland Security.
(b) Except as provided in subdivision (c), a local first response agency that purchases public safety radio communication equipment, in whole or in part, with state funds or federal funds administered by the state, shall ensure that the equipment purchased complies with paragraphs (1) and (2) of subdivision (a).
(c) Subdivision (a) or (b) shall not apply to either of the following:
(1) Purchases of equipment to operate with existing state or local communications systems where the latest applicable standard will not be compatible, as verified by the Office of Emergency Services.
(2) Purchases of equipment for existing statewide low-band public safety communications systems.
(d) This section may not be construed to require an affected state or local governmental agency to compromise its immediate mission or ability to function and carry out its existing responsibilities.

Added by Stats. 2016, Ch. 508, Sec. 2. (AB 1841) Effective January 1, 2017.

As used in this article, the following definitions shall apply:

(a) “Critical infrastructure controls” means networks and systems controlling assets so vital to the state that the incapacity or destruction of those networks, systems, or assets would have a debilitating impact on public health, safety, economic security, or any combination thereof.
(b) “Critical infrastructure information” means information not customarily in the public domain pertaining to any of the following:
(1) Actual, potential, or threatened interference with, or an attack on, compromise of, or incapacitation of critical infrastructure controls by either physical or computer-based attack or other similar conduct, including, but not limited to, the misuse of, or unauthorized access to, all types of communications and data transmission systems, that violates federal, state, or local law or harms public health, safety, or economic security, or any combination thereof.
(2) The ability of critical infrastructure controls to resist any interference, compromise, or incapacitation, including, but not limited to, any planned or past assessment or estimate of the vulnerability of critical infrastructure.
(3) Any planned or past operational problem or solution regarding critical infrastructure controls, including, but not limited to, repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to interference, compromise, or incapacitation of critical infrastructure controls.
(c) “Department” means the Department of Technology.
(d) “Office” means the Office of Emergency Services.
(e) “Secretary” means the secretary of each state agency as set forth in subdivision (a) of Section 12800.
(f) “State agency” or “state agencies” means the same as “state agency” as set forth in Section 11000.

Amended by Stats. 2017, Ch. 790, Sec. 1. (AB 1022) Effective January 1, 2018.

(a)(1) On or before July 1, 2018, the department shall, in consultation with the office and compliance with Section 11549.3, update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information.
(2) In updating the standards in paragraph (1), the department shall consider, but not be limited to considering, all of the following:
(A) Costs to implement the standards.
(B) Security of critical infrastructure information.
(C) Centralized management of risk.
(D) Industry best practices.
(E) Continuity of operations.
(F) Protection of personal information.
(b) Each state agency shall provide the department with a copy of its updated Technology Recovery Plan.
(c) Each state agency shall, as part of its Technology Recovery Plan, provide the department with an inventory of all critical infrastructure controls, and their associated assets, in the possession of the agency.

Amended by Stats. 2017, Ch. 790, Sec. 2. (AB 1022) Effective January 1, 2018.

(a) Each state agency shall report on its compliance with the standards updated pursuant to Section 8592.35 to the department in the manner and at the time directed by the department, but no later than July 1, 2019.
(b) At the request of the department, any local entity that receives state funds for the purposes of storing, sharing, or transmitting data, or in support of an information technology project with a state entity, may submit a Technology Recovery Plan, as specified by Section 8592.35, to the department.
(c) The department, in conjunction with the office, may provide suggestions for a state agency or local entity that provided a Technology Recovery Plan pursuant to subdivision (b) to improve compliance with the standards developed pursuant to Section 8592.35, if any, to the head of the state agency and the secretary responsible for the state agency or the head of the local entity.

For a state agency that is not under the responsibility of a secretary, the department shall provide any suggestions to the head of the state agency and the Governor.

Amended by Stats. 2021, Ch. 615, Sec. 155. (AB 474) Effective January 1, 2022. Operative January 1, 2023, pursuant to Sec. 463 of Stats. 2021, Ch. 615.

The information required by subdivisions (b) and (c) of Section 8592.35, the report required by subdivision (a) of Section 8592.40, the plan authorized by subdivision (b) of Section 8592.40, and any public records relating to any communication made pursuant to, or in furtherance of the purposes of, subdivision (c) of Section 8592.40 are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1).

Added by Stats. 2022, Ch. 820, Sec. 2. (SB 892) Effective January 1, 2023.

(a)(1) The office shall direct the California Cybersecurity Integration Center to prepare a strategic, multiyear outreach plan that focuses on ways to assist the food and agriculture sector and the water and wastewater sector in their efforts to improve cybersecurity and that includes, but is not limited to, all of the following:

(A) A description of the need for greater cybersecurity outreach and assistance to the food and agriculture sector and the water and wastewater sector.

(B) The goal of the outreach plan.

(C) Methods for coordinating with other state and federal agencies, nonprofit organizations, and associations that provide cybersecurity services or resources for the food and agricultural sector and the water and wastewater sector.

(D) An estimate of the funding needed to execute the outreach plan.

(E) Potential funding sources for the funding needed by the California Cybersecurity Integration Center for the plan.

(F) A plan to evaluate the success of the outreach plan that includes quantifiable measures of success.

(2) The office shall submit the outreach plan prepared pursuant to this subdivision to the Legislature, pursuant to Section 9795, no later than January 1, 2024. The requirement for submitting a report imposed by this paragraph is inoperative on January 1, 2028, pursuant to Section 10231.5.

(b)(1) The office shall direct the California Cybersecurity Integration Center to evaluate options for providing entities in the food and agriculture sector or the water and wastewater sector with grants or alternative forms of funding to improve cybersecurity preparedness. Upon completion of the evaluation, the office shall submit a report to the Legislature, pursuant to Section 9795, no later than January 1, 2024, that includes, but is not limited to, all of the following:

(A) A summary of the evaluation performed by the California Cybersecurity Integration Center.

(B) The specific grants and forms of funding for improved cybersecurity preparedness, including, but not limited to, the following:

(i) Current overall funding level.

(ii) Potential funding sources.

(C) Potential voluntary actions that do not require funding and assist the food and agriculture sector and the water and wastewater sector in their efforts to improve cybersecurity preparedness.

(2) The requirement for submitting a report imposed by this subdivision is inoperative on January 1, 2028, pursuant to Section 10231.5.