State agencies: information security: Zero Trust architecture.
- Requires all California state agencies to implement Zero Trust cybersecurity architecture by 2030.
- Mandates multifactor authentication and continuous monitoring for all state systems and data access.
- Establishes a two-phase implementation with Advanced maturity required by 2026 and Optimal by 2030.
- Requires agencies to submit annual security assessment reports tracking Zero Trust implementation progress.
Assembly Member Irwin's Zero Trust architecture mandate would require California state agencies to implement comprehensive cybersecurity protocols across all data systems and third-party software by 2030. The legislation establishes a two-phase implementation timeline, with agencies required to achieve "Advanced" maturity level by June 2026 and "Optimal" maturity level by June 2030, as defined by the Cybersecurity and Infrastructure Security Agency (CISA) Maturity Model.
The bill outlines three core security requirements for state agencies: multifactor authentication for all system access, enterprise-level endpoint detection and response capabilities, and enhanced logging practices for security monitoring. Agencies must prioritize solutions that align with federal guidelines, including the Federal Risk and Authorization Management Program and National Institute of Standards and Technology frameworks. The Office of Information Security would develop uniform policies and standards for implementation while collecting annual progress reports from agencies on their Zero Trust adoption.
The legislation's scope extends to all state agencies, though the University of California system may opt in through a Regents resolution. The bill's findings cite recent cyber breaches as the impetus for adopting Zero Trust principles, which require continuous verification of all users accessing state systems, regardless of their location. Implementation timelines align with federal funding requirements, including conditions attached to Infrastructure Investment and Jobs Act allocations.
This bill was recently introduced. Email the authors to let them know what you think about it.
Introduced By
Latest Voting History
 Jacqui IrwinD Assembly Member | Bill Author |  Not Contacted | |
 Rebecca Bauer-KahanD Assembly Member | Committee Member | Not Contacted | |
 Cottie Petrie-NorrisD Assembly Member | Committee Member | Not Contacted | |
 Buffy WicksD Assembly Member | Committee Member | Not Contacted | |
 Chris WardD Assembly Member | Committee Member | Not Contacted |
| Bill Number | Title | Introduced Date | Status | Link to Bill |
|---|---|---|---|---|
AB-749 | State agencies: information security: uniform standards. | February 2023 | Failed |
- Requires all California state agencies to implement Zero Trust cybersecurity architecture by 2030.
- Mandates multifactor authentication and continuous monitoring for all state systems and data access.
- Establishes a two-phase implementation with Advanced maturity required by 2026 and Optimal by 2030.
- Requires agencies to submit annual security assessment reports tracking Zero Trust implementation progress.
This bill was recently introduced. Email the authors to let them know what you think about it.
Introduced By
Assembly Member Irwin's Zero Trust architecture mandate would require California state agencies to implement comprehensive cybersecurity protocols across all data systems and third-party software by 2030. The legislation establishes a two-phase implementation timeline, with agencies required to achieve "Advanced" maturity level by June 2026 and "Optimal" maturity level by June 2030, as defined by the Cybersecurity and Infrastructure Security Agency (CISA) Maturity Model.
The bill outlines three core security requirements for state agencies: multifactor authentication for all system access, enterprise-level endpoint detection and response capabilities, and enhanced logging practices for security monitoring. Agencies must prioritize solutions that align with federal guidelines, including the Federal Risk and Authorization Management Program and National Institute of Standards and Technology frameworks. The Office of Information Security would develop uniform policies and standards for implementation while collecting annual progress reports from agencies on their Zero Trust adoption.
The legislation's scope extends to all state agencies, though the University of California system may opt in through a Regents resolution. The bill's findings cite recent cyber breaches as the impetus for adopting Zero Trust principles, which require continuous verification of all users accessing state systems, regardless of their location. Implementation timelines align with federal funding requirements, including conditions attached to Infrastructure Investment and Jobs Act allocations.
Latest Voting History
Jacqui IrwinD Assembly Member | Bill Author | Not Contacted | |
Rebecca Bauer-KahanD Assembly Member | Committee Member | Not Contacted | |
Cottie Petrie-NorrisD Assembly Member | Committee Member | Not Contacted | |
Buffy WicksD Assembly Member | Committee Member | Not Contacted | |
Chris WardD Assembly Member | Committee Member | Not Contacted |
| Bill Number | Title | Introduced Date | Status | Link to Bill |
|---|---|---|---|---|
AB-749 | State agencies: information security: uniform standards. | February 2023 | Failed |