Bill Text: CA AB740 | 2023-2024 | Regular Session | Amended

California Assembly Bill 740

Bill Title: Department of General Services: drone cybersecurity.

Spectrum: Partisan Bill (Democrat 2-0)

Status: (Failed) 2024-02-01 - Filed with the Chief Clerk pursuant to Joint Rule 56. [AB740 Detail]

Download: California-2023-AB740-Amended.html

Amended IN Assembly March 09, 2023

CALIFORNIA LEGISLATURE— 2023–2024 REGULAR SESSION

Assembly Bill

No. 740

Introduced by Assembly ~~Member~~ Members Gabriel and Petrie-Norris

February 13, 2023

An act to add Article 9 (commencing with Section 14718) to Chapter 2 of Part 5.5 of Division 3 of Title 2 of the Government Code, relating to information security.

LEGISLATIVE COUNSEL'S DIGEST

AB 740, as amended, Gabriel. Department of General Services: drone cybersecurity.

Existing law requires the Department of General Services to perform a variety of duties in connection with the acquisition of goods and services by state agencies, and requires the department to issue rules and regulations in administering its duties.

This bill would require the department, in consultation with the Chief of the Office of Information Security, to adopt rules and regulations, ~~no later than~~ by January 1, 2025, to ensure that each unmanned aircraft and unmanned aircraft system used by a government entity, as defined, in part, to include local governmental entities, for any purpose ~~meet~~ meets appropriate safeguards to ensure the confidentiality, integrity, and availability of any data collected, transmitted, or stored by that unmanned ~~aircraft. By~~ aircraft or unmanned aircraft system, as specified; and to specify requirements for a comprehensive plan to be adopted by a government entity to discontinue the use of noncompliant aircraft and systems, as specified.

This bill would, beginning on the date the department adopts the rules and regulations, authorize a government entity to use unmanned aircraft or unmanned aircraft systems it did not previously use only if that aircraft or system complies with those rules and regulations. The bill would, by July 1, 2025, require a government entity that uses a noncompliant aircraft or system to submit to the department a comprehensive plan for discontinuing its use, as specified.

By January 1, 2026, the bill ~~would~~ would, with certain exceptions, require any government entity to ~~discontinue~~ cease the use of unmanned aircraft or unmanned aircraft systems not in compliance with these regulations. The bill would require the regulations to apply to unmanned aircraft operated under contract between a government entity and a third party, as provided. By requiring these regulations to apply to local governmental agencies, this bill would establish a state-mandated local program.

The bill would include findings that changes proposed by this bill address a matter of statewide concern rather than a municipal affair and, therefore, apply to all cities, including charter cities.

The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.

This bill would provide that, if the Commission on State Mandates determines that the bill contains costs mandated by the state, reimbursement for those costs shall be made pursuant to the statutory provisions noted above.

Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: YES

The people of the State of California do enact as follows:

SECTION 1.

Article 9 (commencing with Section 14718) is added to Chapter 2 of Part 5.5 of Division 3 of Title 2 of the Government Code, to read:

Article 9. Drone Cybersecurity

14718.

(a) As used in this section, the following terms apply:

(1) “Government entity” includes ~~state agencies, the California State University, cities, counties, cities and counties, and political subdivisions thereof.~~ all of the following:

(A) Each state agency as that term is defined in subdivision (a) of Section 8557.
(B) The California State University.
(C) Each political subdivision, as that term is defined in subdivision (b) of Section 8557.

(2) “Unmanned aircraft” ~~shall have~~ has the same ~~meanings~~ meaning as ~~under~~ defined in Section 853.5.

(3) “Unmanned aircraft system” has the same meaning as defined in Section 853.5.

(b) ~~No later than~~ By January 1, 2025, the department, in consultation with the Chief of the Office of Information Security, shall adopt rules and regulations ~~to ensure~~ that do all of the following:

(1) Ensure that each unmanned aircraft and unmanned aircraft system used by a government entity for any purpose ~~meet~~ meets appropriate safeguards to ensure the confidentiality, integrity, and availability of any data collected, transmitted, or stored by that unmanned ~~aircraft. The department may consult state and federal agencies and departments and any relevant federal guidance in developing these rules and regulations.~~ aircraft or unmanned aircraft system. These safeguards shall, at a minimum, do all of the following:

(A) Prohibit the use of unmanned aircraft or unmanned aircraft systems that are manufactured by an entity identified pursuant to any of the following:
(i) Section 889 of the National Defense Authorization Act for Fiscal Year 2019.
(ii) The United States Department of Defense pursuant to Section 1260H of the National Defense Authorization Act for Fiscal Year 2021.
(iii) Section 817 of the National Defense Authorization Act for Fiscal Year 2023.
(B) Prohibit use of unmanned aircraft or unmanned aircraft systems that are manufactured by an entity included on the Entity List as designated by the United States Secretary of Commerce.
(C) Prohibit use of unmanned aircraft or unmanned aircraft systems that are manufactured by a subsidiary of an entity identified pursuant to subparagraph (A) or (B).
(D) Prohibit any government entity from selling, renting, leasing, or engaging in any other commercial transaction pursuant to which the government entity receives monetary or other valuable consideration for the data.
(E) Require collection, transmission, storage, processing, and use of the data to be conducted in a manner that is reasonably necessary and proportionate to the lawful purposes for which the data is collected, transmitted, stored, processed, or used.
(2) Specify requirements for a comprehensive plan to be adopted by a government entity to discontinue the use of unmanned aircraft and unmanned aircraft systems that are not in compliance with the rules and regulations adopted under paragraph (1). The requirements for the plan shall, at a minimum, include ensuring the confidentiality, integrity, and availability of data collected, transmitted, or stored by unmanned aircraft or unmanned aircraft systems, the use of which is discontinued under this section.
(c) The department may consult with state and federal agencies and departments and any relevant federal guidance in developing the rules and regulations under subdivision (b).
~~(c)~~

(d) Beginning on the date the department adopts the rules and regulations ~~under~~ pursuant to paragraph (1) of subdivision (b), a government entity ~~shall only~~ may use an unmanned aircraft ~~that~~ or unmanned aircraft system it did not previously use only if that unmanned aircraft or unmanned aircraft system complies with all of the requirements set by those rules and regulations.

(d)(1)By July 1, 2025, a government entity that uses unmanned aircraft not in compliance with the rules and regulations shall submit to the department a comprehensive plan for discontinuing the use of the noncompliant unmanned aircraft.
(2)The department shall adopt rules and regulations identifying the requirements of the comprehensive plan required under this subdivision, which shall include ensuring the confidentiality, integrity, and availability of any data collected, transmitted, or stored by unmanned aircraft, the use of which is discontinued under this section.
(e) (1) By July 1, 2025, a government entity that uses an unmanned aircraft or unmanned aircraft system not in compliance with the rules and regulations adopted pursuant to paragraph (1) of subdivision (b) shall submit to the department a comprehensive plan that complies with the rules and regulations adopted pursuant to paragraph (2) of subdivision (b) for discontinuing the use of the noncompliant unmanned aircraft or unmanned aircraft system.
~~(3)~~

(2) By January 1, 2026, each government entity shall ~~discontinue~~ cease the use of any unmanned aircraft or unmanned aircraft system that does not comply with the rules and regulations adopted under subdivision (b). ~~Upon~~

(3) Upon approval by the department, each government entity that submitted a comprehensive plan under paragraph (1) shall execute that plan.

~~(e)~~

(f) (1) The requirements of this section shall apply to unmanned aircraft and unmanned aircraft systems purchased or otherwise acquired by a government entity, as well as to unmanned aircraft and unmanned aircraft systems used by a government entity pursuant to a contractual arrangement or other agreement with a third party, regardless of whether the unmanned aircraft or unmanned aircraft systems is operated by the government entity or by the third party.

(2) This subdivision shall only apply to contracts entered into, amended, or renewed on or after the effective date of this section.

(g) Notwithstanding any other requirements of this section, use of unmanned aircraft or unmanned aircraft systems that would otherwise be prohibited under this section is permitted in either of the following circumstances:
(1) If, on application by a government entity, the department finds both of the following:
(A) The proposed use is necessary or essential for the government entity.
(B) No nonprohibited unmanned aircraft or unmanned aircraft system can fulfill the proposed use.
(2) The use is for purposes of cybersecurity research.
(h) The department shall prepare an annual report setting forth each finding made pursuant to paragraph (1) of subdivision (g) during that calendar year and submit the report to the Assembly Committee on Privacy and Consumer Protection and the Senate Committee on Judiciary by February 15 of the following year.
(i) The provisions of this section are severable. If any provision of this section or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.

SEC. 2.

The Legislature finds and declares that cybersecurity and the transmission of sensitive information is a matter of statewide concern and is not a municipal affair as that term is used in Section 5 of Article XI of the California Constitution. Therefore, Section 1 of this act Article 9 (commencing with Section 14718) to Chapter 2 of Part 5.5 of Division 3 of Title 2 of the Government Code applies to all cities, including charter cities.

SEC. 3.

If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.