Codify — Article

California AB 869 requires state agencies to adopt Zero Trust by 2030

Establishes CISA-based Zero Trust maturity targets, mandates MFA/EDR/logging, and centralizes policy and reporting for state IT security.

The Brief

AB 869 directs every California state agency to implement a Zero Trust architecture across on‑premises, cloud, and hybrid environments and to reach specific maturity levels in line with the CISA Zero Trust Maturity Model: “Advanced” by June 1, 2026, and “Optimal” by June 1, 2030. The bill names minimum technical priorities—multifactor authentication, enterprise endpoint detection and response, and robust logging—and requires the state’s Chief of the Office of Information Security to publish uniform policies in the State Administrative Manual and Statewide Information Management Manual.

The law also revamps reporting and audit requirements so agencies must document steps taken, assessment findings, and implementation schedules; the Chief may extend reporting to measure Zero Trust concepts such as least privilege and lateral‑movement prevention. The Regents of the University of California are exempt unless they opt in by resolution.

The measure ties implementation to federal alignment and expresses legislative intent to implement in ways that preserve the state's eligibility for federal funds.

At a Glance

What It Does

Mandates statewide adoption of Zero Trust architecture using the CISA Zero Trust Maturity Model, with two hard deadlines (Advanced by 6/1/2026; Optimal by 6/1/2030), prescribes minimum controls (MFA, enterprise EDR, and logging), and charges the Office of Information Security chief with issuing uniform policies and updating reporting standards.

Who It Affects

All California state agencies as defined in Section 11000, their IT and security teams, procurement officers, vendors providing essential third‑party software, independent auditors conducting security assessments, and the Office of Information Security staff charged with policy and reporting changes.

Why It Matters

It creates one statewide roadmap for moving away from perimeter‑based defenses to continuous, risk‑based controls and forces agencies to align procurement and operations with federal frameworks—changing budgets, vendor relationships, and audit expectations across California’s executive branch.


What This Bill Actually Does

The bill begins by defining key terms so there is a common understanding of what Zero Trust means for California agencies — not just a slogan but a defined architecture involving continuous monitoring, risk‑based access, identity controls, and automation. By anchoring the implementation to the CISA Zero Trust Maturity Model, the statute substitutes an established, externally maintained metric for ad hoc local standards.

AB 869 sets two maturity targets: achieve an “Advanced” designation within roughly a year of enactment and reach “Optimal” maturity by 2030. Those deadlines apply broadly — the statute covers agency data, hardware, software, internal systems, and “essential third‑party software” across on‑premises, cloud, and hybrid environments.

That scope forces agencies to consider not only their servers and endpoints but also SaaS and vendor‑hosted components used in mission‑critical work.

To make progress measurable, the bill lists minimum technical priorities: require multifactor authentication for accessing any system or data, deploy enterprise endpoint detection and response to speed detection and remediation, and adopt robust logging to enable investigations and threat hunting. The chief must translate these priorities into uniform policies, standards, and procedures and publish them in the State Administrative Manual and Statewide Information Management Manual so agencies have a single reference for implementation.

Finally, the bill tightens reporting and audit expectations.

Agencies must report completed steps, findings from independent security assessments, what remains unfinished with a prioritized plan, and a schedule for implementation. The chief may expand reporting to capture Zero Trust indicators such as presumption of compromise, least privilege adoption, lateral‑movement controls, detection speed, and isolation/removal practices.

The University of California is outside the mandate unless the Regents choose to adopt it, and the statute explicitly links implementation to maintaining eligibility for certain federal funds.

The Five Things You Need to Know

1. Deadlines: Agencies must reach CISA “Advanced” maturity by June 1, 2026 and “Optimal” maturity by June 1, 2030.
2. Scope: The requirement covers all agency data, hardware, software, internal systems, and “essential third‑party software” in on‑premises, cloud, and hybrid setups.
3. Minimum controls: The law mandates multifactor authentication for access to all systems/data, enterprise‑level endpoint detection and response, and robust logging practices.
4. Centralized policy role: The Chief of the Office of Information Security must issue uniform policies and standards in the State Administrative Manual and Statewide Information Management Manual; some agencies may opt not to adopt those policies if statutorily exempt under 11549.3(f).
5. Reporting and audits: Annual reporting and independent assessments must document completed steps, prioritized remaining activities after assessments, and implementation schedules; the Chief can expand reports to measure Zero Trust outcomes like least privilege and lateral movement prevention.

Section-by-Section Breakdown


11549.45(a)

Definitions and scope of Zero Trust terms

This subsection establishes the working definitions that determine coverage and measurement: it names the Chief of the Office of Information Security, adopts CISA’s Zero Trust Maturity Model as the yardstick, and defines technical terms such as endpoint detection and response and multifactor authentication. By codifying these definitions the bill limits ambiguity about what tools and approaches qualify under the mandate and ties agency obligations to an external framework rather than an internal standard.

11549.45(b)

CISA‑based maturity targets and deadlines

This is the bill’s engine: every state agency must attain CISA’s “Advanced” maturity by June 1, 2026 and “Optimal” maturity by June 1, 2030. The provision applies to all covered systems and software, not only new projects. Legally, these are outcome deadlines; practically, agencies must translate CISA’s model into project plans, procurement timelines, and risk assessments to meet the dates.

11549.45(c)

Federal alignment and procurement priority

Agencies must prioritize solutions that comply with or align to federal programs such as FedRAMP, CDM, and NIST guidance. That steers procurement toward vendors and products already authorized by federal programs, supporting federal funding compliance but narrowing the vendor pool and raising procurement standards for third‑party software.

11549.45(d)

Minimum technical priorities: MFA, EDR, and logging

The statute requires agency implementation to, at minimum, prioritize multifactor authentication for access to all systems and data, enterprise endpoint detection and response, and robust logging practices. These are baseline technical controls intended to deliver immediate reductions in access risk and faster detection and response capabilities; agencies will need to operationalize these requirements across diverse legacy and modern systems.

11549.45(e)

Chief’s duty to publish uniform policies and standards

The Chief must develop or revise uniform technology policies, standards, and procedures and publish them in the State Administrative Manual and Statewide Information Management Manual to help agencies reach the specified maturity levels. Agencies covered by 11549.3(f) may elect whether to use those materials, which preserves limited local discretion while pushing for statewide uniformity.

11549.45(f)

Updated reporting: steps taken, assessment results, and schedules

The Chief must update existing annual reporting and audit standards to collect concrete progress metrics: a description of completed steps, identification of post‑assessment activities with the highest security impact, and a schedule for planned work. This makes implementation auditable and forces agencies to present prioritized roadmaps rather than vague commitments.

11549.45(g)

Optional expanded reporting on Zero Trust outcomes

The Chief may further require agencies to report on qualitative Zero Trust outcomes — for example, whether systems assume compromise, how the agency enforces least privilege, measures taken to prevent lateral movement, speed of threat identification, and timelines for isolating unauthorized entities. These items shift reporting from inputs to security posture indicators but remain optional for the Chief to impose.

11549.45(h)

University of California: opt‑in by Regents

The statute does not automatically apply to the University of California. It becomes applicable only if the UC Regents, by resolution, choose to adopt any of the provisions. That creates a possible gap in statewide coverage for systems the UC operates unless the Regents decide otherwise.

11549.45(i)

Legislative intent on federal fund compliance

The Legislature states its intent that implementation be consistent with timely compliance with federal funding conditions, including for Infrastructure Investment and Jobs Act programs. This is a directional statement tying the statute to funding eligibility rather than a separate funding appropriation or mandate for specific federal requirements.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • State agency cybersecurity teams — receive a single, CISA‑aligned roadmap and uniform policies from the Chief, simplifying standards and allowing centralized benchmarking of progress.
  • Californians with state‑held data — stand to benefit from stronger access controls, faster detection, and improved logging that reduce the risk and impact of breaches affecting personal information.
  • Federal partners and grant programs — gain assurance that California agencies will align with federal frameworks (e.g., FedRAMP, NIST), easing cross‑jurisdictional cooperation and funding compliance.
  • Cybersecurity vendors and managed service providers — see increased demand for MFA, EDR, logging, and Zero Trust consultancy as agencies modernize and procure compliant solutions.
  • Incident response and audit firms — will be engaged for independent security assessments and post‑assessment remediation planning required under the updated reporting rules.

Who Bears the Cost

  • State agencies’ IT budgets and program offices — bear the capital and operational costs of technology upgrades, staff training, procurement, and migration of legacy systems to meet maturity deadlines.
  • Office of Information Security (the Chief) — takes on expanded responsibilities to develop standards, update reporting frameworks, and manage statewide implementation without specified new funding.
  • Third‑party and smaller software vendors — may need to pursue federal authorizations or reconfigure products to meet state expectations, increasing compliance and certification costs.
  • Independent auditors and assessors — benefit commercially, but their engagement is a recurring expense for agencies that must document progress and remediate findings.
  • California’s state budget/taxpayers — if the Legislature funds accelerated compliance or emergency remediation, the financial burden will ultimately fall to the state budget.

Key Issues

The Core Tension

The central dilemma is urgency versus feasibility: the Legislature demands rapid, statewide adoption of a resource‑intensive security model to reduce cyber risk and align with federal standards, but it does so without earmarking funding or clarifying scope, forcing agencies to choose between costly, centralized upgrades or uneven, agency‑specific workarounds that may undermine the bill’s goal of a uniform Zero Trust posture.

The bill sets ambitious, time‑bound targets without specifying funding or enforcement mechanisms. Meeting an “Advanced” maturity level within roughly a year will be straightforward for well‑funded agencies but impractical for units managing extensive legacy infrastructure unless the Legislature or administration provides money, staff, or procurement waivers.

The statute pushes agencies toward federal authorizations (FedRAMP, CDM, NIST), which helps grant compliance but can narrow vendor choices, lengthen procurement lead times, and favor vendors already operating in the federal ecosystem.

Several important terms and operational questions are left for policy documents the Chief will issue. “Essential third‑party software” is undefined in the statute, creating ambiguity about scope and vendor obligations. The law expands logging and monitoring expectations, which improves forensic capability but raises privacy, data retention, and regional sovereignty questions that agencies will need to resolve in policy.

The University of California opt‑out possibility creates a nonuniform statewide security posture for key public research and education infrastructure. Finally, the bill relies largely on reporting and publication of standards rather than explicit penalties or funding allocations, making successful implementation contingent on administrative follow‑through and budget decisions that the statute does not mandate.
