
California Office of Information Security

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: California Office of Information Security
Formed: 2013
Jurisdiction: State of California
Headquarters: Sacramento, California
Parent agency: California Department of Technology

The California Office of Information Security is the centralized information security arm within the California Department of Technology responsible for setting statewide cybersecurity direction, managing risk, and coordinating incident response. It interacts with federal counterparts such as the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency, and the Federal Bureau of Investigation while advising California institutions including the University of California, the California State University system, and local agencies in cities like Los Angeles, San Francisco, and San Diego. The office’s activities touch on statutory frameworks such as the California Consumer Privacy Act and the California Public Records Act and on national standards like the NIST Cybersecurity Framework and FIPS 199.

History

The office traces its origins to statewide modernization efforts following high-profile incidents and initiatives involving actors such as Governor Jerry Brown, Governor Gavin Newsom, and the California State Legislature. Early influences included federal reports by the Department of Homeland Security and recommendations from task forces aligned with the National Institute of Standards and Technology and the Council of Governors. Milestones involved coordination with the California Office of Emergency Services during major events like the 2018 Camp Fire and policy shifts prompted by legislation such as the California Consumer Privacy Act and amendments to the State Administrative Manual.

Mission and Responsibilities

The office’s mission emphasizes risk reduction, threat detection, and resilience for executive branch entities including the California Department of Motor Vehicles, the California Franchise Tax Board, and the Employment Development Department (EDD). Responsibilities include issuing statewide standards tied to NIST SP 800-53, overseeing vulnerability management in conjunction with the Multi-State Information Sharing and Analysis Center and the Information Sharing and Analysis Organization ecosystem, and advising the California Legislature on budgetary priorities for cybersecurity. The office also supports elections security linked to the California Secretary of State and critical infrastructure coordination with agencies such as the California Energy Commission and the California Department of Water Resources.

Organizational Structure

Organizationally, the office sits within the California Department of Technology, reports to the state Chief Information Officer, and interacts with the California State Auditor and the California Department of Finance on resource allocation. Units within the office map to functions familiar to peers like the United States Computer Emergency Readiness Team and include teams for incident response, risk management, governance, and outreach. These teams coordinate with entities such as the Governor’s Office and statewide chief information security officers in agencies including the California Highway Patrol and the California Department of Corrections and Rehabilitation.

Programs and Initiatives

Key programs involve statewide security assessments, continuous diagnostics and mitigation efforts modeled on Continuous Diagnostics and Mitigation (CDM) concepts, and secure configuration baselines informed by Center for Internet Security benchmarks. Initiatives have included workforce development partnerships with institutions like the University of California, Berkeley, Stanford University, and community colleges across the state; grant and funding coordination tied to federal programs such as those run by the Department of Homeland Security; and training collaborations with SANS Institute and ISACA. The office also sponsors tabletop exercises and participates in multistate exercises coordinated with the National Governors Association and the Multi-State Information Sharing and Analysis Center.

Policy and Compliance

The office issues policy guidance aligning with the California Information Practices Act, the California Consumer Privacy Act, and federal obligations such as the Federal Information Security Modernization Act of 2014. Compliance activities include statewide audits coordinated with the California State Auditor and controls mapping to NIST SP 800-53 and ISO/IEC 27001. The office works with legal entities including the California Attorney General and the Judicial Council of California on statutory interpretation, and it contributes to procurement standards affecting vendors such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform used by state agencies.

Partnerships and Collaboration

The office collaborates with federal partners including the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation, regional consortia like the Multi-State Information Sharing and Analysis Center, academic partners such as the Massachusetts Institute of Technology and the California Institute of Technology, private-sector firms including Cisco Systems and Symantec (now NortonLifeLock), and non-profits like the Center for Internet Security. It also engages with election stakeholders including the National Association of Secretaries of State and nonprofit organizations such as the Brennan Center for Justice on resilience and integrity matters.

Incidents and Oversight

The office has been involved in responses to major incidents affecting state systems, coordinating with federal investigative agencies such as the Federal Bureau of Investigation and recovery partners including vendors like CrowdStrike and FireEye (Mandiant). Oversight mechanisms include audits from the California State Auditor, legislative hearings before the California State Senate and California State Assembly, and reporting obligations to the Governor of California. High-profile incidents in state history that informed the office’s posture involved breaches and outages influencing policy dialogues with stakeholders including the California Employment Development Department and the Department of Motor Vehicles.
