CA AB2135
Bill
Status
9/29/2022
Primary Sponsor
Jacqui Irwin
AI Summary
- Requires state agencies not already subject to information security oversight to adopt and implement policies based on National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5 and Federal Information Processing Standards (FIPS) 199 and 200.
- Mandates state agencies perform comprehensive independent security assessments every two years, with costs funded by the agency being assessed; agencies may contract with the Military Department or qualified vendors for assessments.
- Requires state agencies to certify annually by February 1 to the President pro Tempore of the Senate and Speaker of the Assembly that they comply with all adopted information security policies, including a plan of action and milestones.
- Protects certification information and security assessment records from public disclosure, allowing sharing only with Legislature members and employees at the discretion of legislative leadership.
- Authorizes the Military Department to conduct independent security assessments of local educational agencies at their request, with results disclosed only to the requesting agency and California Cybersecurity Integration Center.
Legislative Description
Information security.
Last Action
Chaptered by Secretary of State - Chapter 773, Statutes of 2022.
9/29/2022