California Cybersecurity Integration Center: artificial intelligence.

Assembly Member Irwin, joined by Senator McNerney, advances a measure that broadens the California Cybersecurity Integration Center’s governance and codifies an AI-focused playbook to coordinate cyber and AI threat information sharing. The core shift centers on expanding Cal-CSIC’s leadership and decision-making scope while introducing a California AI Cybersecurity Collaboration Playbook aimed at aligning state practice with federal guidance and enabling structured information sharing across cyber and AI communities.

Key mechanisms include a broadened Cal-CSIC composition that explicitly adds federal partners and other designations, with representation from the Office of Emergency Services, the Office of Information Security, the State Threat Assessment Center, the CHP, the Military Department, the Attorney General, health and higher education agencies, utilities and schools, plus DHS, the FBI, the Secret Service, the Coast Guard, and others as the Director of Emergency Services may designate. The center is charged with operating in coordination with the California State Threat Assessment System and the National Cybersecurity and Communications Integration Center, sharing threat information received from utilities, universities, private companies, and other sources, and providing warnings and risk assessments to public and private partners. It must develop a statewide cybersecurity strategy, establish a Cyber Incident Response Team drawn from participating agencies, and implement information-sharing practices that protect privacy and sensitive information while aiding detection, investigation, response, and resilience across sectors. The bill also requires four annual reports detailing state expenditures under the federal State and Local Cybersecurity Improvement Act, with deadlines tied to fiscal years 2021–22 through 2024–25, and directs development of the Playbook by January 1, 2027, after consulting the Office of Information Security and the Government Operations Agency and reviewing federal requirements and best practices, including the Joint Cyber Defense Collaborative framework. The Playbook would include mandatory information-sharing mechanisms for state contractors and AI service providers, with voluntary mechanisms for other entities, and would shield shared information from public disclosure under existing protections and confidentiality rules, including explicit limitations on transmission and access for state employees and approved contractors.

The policy framework situates these changes within a constitutional rationale for limiting public access to certain cybersecurity information, arguing that protecting vulnerabilities and IT system integrity serves essential public interests. In practice, the measure expands Cal-CSIC’s governance, formalizes an AI-specific information-sharing pathway, and tightens confidentiality around threat indicators and defensive measures, while tying state reporting to federal funding streams and aligning state playbook development with federal playbooks and standards. Implementers face substantial coordination across multiple agencies, potential obligations on AI vendors and contractors, and funding considerations not expressly appropriated within the measure, along with ambiguities around the scope of “AI services” and enforcement mechanisms, topics likely to be clarified through budget processes and implementing guidance.