CA AB869

Requires all California state agencies to implement Zero Trust architecture for all data, hardware, software, and systems, achieving "Advanced" maturity by June 1, 2026 and "Optimal" maturity by June 1, 2030 based on the CISA Maturity Model

Mandates prioritization of multifactor authentication for all system and data access, enterprise endpoint detection and response solutions, and robust logging practices for security investigations

Directs the Chief of the Office of Information Security to develop uniform technology policies and standards for Zero Trust implementation in the State Administrative Manual and Statewide Information Management Manual

Requires updated annual reporting on agencies' progress toward Zero Trust maturity, including completed steps, high-impact security activities not yet completed, and implementation schedules

Applies to University of California only if the Regents adopt these provisions by resolution