CA AB2669

Requires state agencies not covered by existing information security programs to adopt and implement policies, standards, and procedures based on National Institute of Standards and Technology (NIST) and Federal Information Processing Standards (FIPS) publications.

Mandates state agencies perform comprehensive, independent security assessments every two years, with option to contract with the Military Department for this purpose.

Requires state agencies to certify annually by February 1 to the Assembly Committee on Privacy and Consumer Protection that they comply with adopted security policies, including corrective action plans and timelines for addressing any deficiencies.

Protects information and records from independent security assessments as confidential during the assessment process, while completed assessment results remain subject to California Public Records Act disclosure provisions.

Makes legislative findings that confidentiality protections for security assessment information are necessary to protect state information technology systems from intrusion and safeguard system vulnerabilities.