State agencies: information security: Zero Trust architecture.
- Requires all California state agencies to implement Zero Trust cybersecurity architecture by 2030.
- Mandates multifactor authentication and continuous monitoring for all state systems and data access.
- Establishes a two-phase implementation with Advanced maturity required by 2026 and Optimal by 2030.
- Requires agencies to submit annual security assessment reports tracking Zero Trust implementation progress.
Assembly Member Irwin's Zero Trust architecture mandate would require California state agencies to implement comprehensive cybersecurity protocols across all data systems and third-party software by 2030. The legislation establishes a two-phase implementation timeline, with agencies required to achieve "Advanced" maturity level by June 2026 and "Optimal" maturity level by June 2030, as defined by the Cybersecurity and Infrastructure Security Agency (CISA) Maturity Model.
The bill outlines three core security requirements for state agencies: multifactor authentication for all system access, enterprise-level endpoint detection and response capabilities, and enhanced logging practices for security monitoring. Agencies must prioritize solutions that align with federal guidelines, including the Federal Risk and Authorization Management Program and National Institute of Standards and Technology frameworks. The Office of Information Security would develop uniform policies and standards for implementation while collecting annual progress reports from agencies on their Zero Trust adoption.
The legislation's scope extends to all state agencies, though the University of California system may opt in through a Regents resolution. The bill's findings cite recent cyber breaches as the impetus for adopting Zero Trust principles, which require continuous verification of all users accessing state systems, regardless of their location. Implementation timelines align with federal funding requirements, including conditions attached to Infrastructure Investment and Jobs Act allocations.
 Jacqui IrwinD Assemblymember | Bill Author |  Not Contacted | |
 Joaquin ArambulaD Assemblymember | Committee Member | Not Contacted | |
 Buffy WicksD Assemblymember | Committee Member | Not Contacted | |
 Lisa CalderonD Assemblymember | Committee Member | Not Contacted | |
 Mike FongD Assemblymember | Committee Member | Not Contacted |
| Bill Number | Title | Introduced Date | Status | Link to Bill |
|---|---|---|---|---|
AB-749 | State agencies: information security: uniform standards. | February 2023 | Failed |
Email the authors or create an email template to send to all relevant legislators.
Introduced By
Latest Voting History
| Ayes | Noes | NVR | Total | Result |
|---|---|---|---|---|
| 15 | 0 | 0 | 15 | PASS |
- Requires all California state agencies to implement Zero Trust cybersecurity architecture by 2030.
- Mandates multifactor authentication and continuous monitoring for all state systems and data access.
- Establishes a two-phase implementation with Advanced maturity required by 2026 and Optimal by 2030.
- Requires agencies to submit annual security assessment reports tracking Zero Trust implementation progress.
Email the authors or create an email template to send to all relevant legislators.
Introduced By
Assembly Member Irwin's Zero Trust architecture mandate would require California state agencies to implement comprehensive cybersecurity protocols across all data systems and third-party software by 2030. The legislation establishes a two-phase implementation timeline, with agencies required to achieve "Advanced" maturity level by June 2026 and "Optimal" maturity level by June 2030, as defined by the Cybersecurity and Infrastructure Security Agency (CISA) Maturity Model.
The bill outlines three core security requirements for state agencies: multifactor authentication for all system access, enterprise-level endpoint detection and response capabilities, and enhanced logging practices for security monitoring. Agencies must prioritize solutions that align with federal guidelines, including the Federal Risk and Authorization Management Program and National Institute of Standards and Technology frameworks. The Office of Information Security would develop uniform policies and standards for implementation while collecting annual progress reports from agencies on their Zero Trust adoption.
The legislation's scope extends to all state agencies, though the University of California system may opt in through a Regents resolution. The bill's findings cite recent cyber breaches as the impetus for adopting Zero Trust principles, which require continuous verification of all users accessing state systems, regardless of their location. Implementation timelines align with federal funding requirements, including conditions attached to Infrastructure Investment and Jobs Act allocations.
Latest Voting History
| Ayes | Noes | NVR | Total | Result |
|---|---|---|---|---|
| 15 | 0 | 0 | 15 | PASS |
Jacqui IrwinD Assemblymember | Bill Author | Not Contacted | |
Joaquin ArambulaD Assemblymember | Committee Member | Not Contacted | |
Buffy WicksD Assemblymember | Committee Member | Not Contacted | |
Lisa CalderonD Assemblymember | Committee Member | Not Contacted | |
Mike FongD Assemblymember | Committee Member | Not Contacted |
| Bill Number | Title | Introduced Date | Status | Link to Bill |
|---|---|---|---|---|
AB-749 | State agencies: information security: uniform standards. | February 2023 | Failed |