CA AB1242

Requires each state agency, as defined in Section 11000, to submit annual summaries to the Department of Technology of actual and projected information technology, telecommunications, and information security costs by February 1 of each year.

Expands the requirement for state agencies to comply with policies and procedures issued by the Office of Information Security, with "state agency" defined as every state office, officer, department, division, bureau, board, and commission, except the California State University.

Requires the Office of Information Security to conduct independent security assessments of at least 35 state entities annually, with costs funded by the entities being assessed, and to rank entities based on an information security risk index.

Establishes procedures for confidentiality of security assessment information during the assessment process, while subjecting completed assessment results to the California Public Records Act and other applicable disclosure laws.

Requires notification to the Office of Emergency Services, Department of the California Highway Patrol, and Department of Justice regarding any criminal or alleged criminal cyber activity affecting state entities or critical infrastructure.