AB-869 • 2026

State agencies: information security: Zero Trust architecture.

Privacy Taxes Technology
Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Irwin
Last action
2025-08-29
Official status
In committee: Held under submission.
Effective date
Not listed

Plain English Breakdown

The bill does not provide detailed information on exceptions or exact compliance deadlines, leaving some aspects open to interpretation.

State Agencies Must Use Zero Trust Security

This law requires state agencies to use a security system called Zero Trust architecture for all their data, hardware, software, and systems by certain dates.

What This Bill Does

  • Requires state agencies to implement the Zero Trust architecture for all technology needs including on-premises, cloud, and hybrid environments.
  • Sets specific goals based on the Cybersecurity and Infrastructure Security Agency's Maturity Model.
  • Prioritizes using solutions that meet federal guidelines such as multifactor authentication and robust logging practices.
  • Updates existing policies and procedures in manuals used by state agencies to align with Zero Trust architecture.
  • Requires annual reporting on progress towards these security goals.

Who It Names or Affects

  • State agencies
  • The Office of Information Security within the Department of Technology

Terms To Know

Zero Trust Architecture
A security model that assumes no one inside or outside a network should be trusted without verification.
Multifactor Authentication (MFA)
A method of verifying someone's identity using two or more different ways, like a password and fingerprint.

Limits and Unknowns

  • The bill does not specify the exact dates for achieving certain levels of security maturity.
  • It is unclear how much funding will be provided to help state agencies implement these changes.
  • Some exceptions are allowed but are not clearly defined in the summary.

Bill History

  1. 2025-08-29 California Legislative Information

    In committee: Held under submission.

  2. 2025-08-18 California Legislative Information

    In committee: Referred to suspense file.

  3. 2025-07-08 California Legislative Information

    From committee: Do pass and re-refer to Com. on APPR. with recommendation: To Consent Calendar. (Ayes 15. Noes 0.) (July 8). Re-referred to Com. on APPR.

  4. 2025-06-11 California Legislative Information

    Referred to Com. on G.O.

  5. 2025-06-03 California Legislative Information

    In Senate. Read first time. To Com. on RLS. for assignment.

  6. 2025-06-02 California Legislative Information

    Read third time. Passed. Ordered to the Senate. (Ayes 78. Noes 0. Page 1860.)

  7. 2025-05-27 California Legislative Information

    Read second time. Ordered to third reading.

  8. 2025-05-23 California Legislative Information

    From committee: Do pass. (Ayes 14. Noes 0.) (May 23).

  9. 2025-04-30 California Legislative Information

    In committee: Set, first hearing. Referred to suspense file.

  10. 2025-04-02 California Legislative Information

    From committee: Do pass and re-refer to Com. on APPR. with recommendation: To Consent Calendar. (Ayes 15. Noes 0.) (April 1). Re-referred to Com. on APPR.

  11. 2025-03-10 California Legislative Information

    Referred to Com. on P. & C.P.

  12. 2025-02-20 California Legislative Information

    From printer. May be heard in committee March 22.

  13. 2025-02-19 California Legislative Information

    Read first time. To print.

Official Summary Text

AB 869, as introduced, Irwin.
State agencies: information security: Zero Trust architecture.
Existing law establishes the Office of Information Security within the Department of Technology for the purpose of ensuring the confidentiality, integrity, and availability of state systems and applications and to promote and protect privacy as part of the development and operations of state systems and applications to ensure the trust of the residents of this state. Existing law requires specified state entities to implement the policies and procedures issued by the office. Existing law additionally authorizes the office to conduct, or require to be conducted, an independent security assessment of every state agency, department, or office, as specified. Existing law requires every state agency, as specified, to certify, by February 1 annually, to the office that the agency is in compliance with all adopted policies, standards, and procedures and to include a plan of action and milestones, as specified.
This bill would require every state agency, as specified, and subject to specified exceptions, to implement Zero Trust architecture for all data, hardware, software, internal systems, and essential third-party software, including for on-premises, cloud, and hybrid environments, to achieve prescribed levels of maturity based on the Cybersecurity and Infrastructure Security Agency (CISA) Maturity Model, as defined, by specified dates. In implementing Zero Trust architecture, the bill would require state agencies to prioritize the use of solutions that comply with, are authorized by, or align to federal guidelines, programs, and frameworks and, at a minimum, prioritize multifactor authentication for access to all systems and data, enterprise endpoint detection and response solutions, and robust logging practices, as specified. The bill would require the office’s chief to develop or revise uniform technology policies, standards, and procedures for use by all state agencies in Zero Trust architecture to achieve specified maturity levels on all systems in the State Administrative Manual and Statewide Information Management Manual. The bill would require the chief to update requirements for existing annual reporting activities to collect information relating to the progress state agencies are making to increase internal defenses of agency systems. The bill would authorize the chief to update existing annual reporting activities to include how a state agency is progressing with respect to specified goals. The bill would also state the Legislature’s intent that the bill’s provisions be implemented in a manner consistent with the state’s timely compliance with requirements that are conditions to receipt of federal funds. The bill would also make related legislative findings and declarations.
