Senate Bill S3407A

2015-2016 Legislative Session

Requires the formation of a cyber security advisory board and the implementation of a cyber security initiative

download bill text pdf

Archive: Last Bill Status - In Assembly Committee

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

Date of Action	Assembly Actions - Lowercase Senate Actions - UPPERCASE
May 04, 2016	referred to governmental operations delivered to assembly passed senate
May 03, 2016	advanced to third reading
Apr 12, 2016	2nd report cal.
Apr 11, 2016	1st report cal.587
Jan 11, 2016	reported and committed to finance
Jan 07, 2016	print number 3407a
Jan 07, 2016	amend and recommit to veterans, homeland security and military affairs
Jan 06, 2016	referred to veterans, homeland security and military affairs returned to senate died in assembly
Feb 25, 2015	referred to governmental operations delivered to assembly passed senate
Feb 09, 2015	ordered to third reading cal.77
Feb 06, 2015	referred to rules

Votes

- May 4, 2016 - Floor Vote
  S3407A
  
  Aye
  
  59
  
  Nay
  
  0
  
  Absent
  
  0
  
  Excused
  
  4
  
  Abstained
  
  0
  - - Floor Vote: May 4, 2016
      
      aye (59)
      
      Addabbo Jr.
      
      Akshar
      
      Amedore
      
      Avella
      
      Bonacic
      
      Boyle
      
      Breslin
      
      Carlucci
      
      Comrie
      
      Croci
      
      DeFrancisco
      
      Dilan
      
      Espaillat
      
      Farley
      
      Felder
      
      Flanagan
      
      Funke
      
      Gallivan
      
      Gianaris
      
      Golden
      
      Griffo
      
      Hamilton
      
      Hannon
      
      Hassell-Thompson
      
      Hoylman-Sigal
      
      Kaminsky
      
      Kennedy
      
      Klein
      
      Krueger
      
      LaValle
      
      Lanza
      
      Larkin
      
      Latimer
      
      Little
      
      Marcellino
      
      Martins
      
      Montgomery
      
      Murphy
      
      O'Mara
      
      Ortt
      
      Panepinto
      
      Parker
      
      Peralta
      
      Perkins
      
      Persaud
      
      Ranzenhofer
      
      Ritchie
      
      Rivera
      
      Robach
      
      Sanders Jr.
      
      Savino
      
      Serino
      
      Serrano
      
      Squadron
      
      Stavisky
      
      Stewart-Cousins
      
      Valesky
      
      Venditto
      
      Young
      
      excused (4)
      
      Diaz
      
      Marchione
      
      Nozzolio
      
      Seward
  Feb 25, 2015 - Floor Vote
  S3407A
  
  Aye
  
  58
  
  Nay
  
  1
  
  Absent
  
  0
  
  Excused
  
  4
  
  Abstained
  
  0
  - - Floor Vote: Feb 25, 2015
      
      aye (58)
      
      Addabbo Jr.
      
      Amedore
      
      Avella
      
      Bonacic
      
      Boyle
      
      Carlucci
      
      Croci
      
      DeFrancisco
      
      Diaz
      
      Dilan
      
      Farley
      
      Felder
      
      Flanagan
      
      Funke
      
      Gallivan
      
      Gianaris
      
      Golden
      
      Griffo
      
      Hamilton
      
      Hannon
      
      Hassell-Thompson
      
      Hoylman-Sigal
      
      Kennedy
      
      Klein
      
      LaValle
      
      Lanza
      
      Larkin
      
      Latimer
      
      Libous
      
      Little
      
      Marcellino
      
      Marchione
      
      Martins
      
      Montgomery
      
      Murphy
      
      Nozzolio
      
      O'Mara
      
      Ortt
      
      Panepinto
      
      Parker
      
      Peralta
      
      Ranzenhofer
      
      Ritchie
      
      Rivera
      
      Robach
      
      Sampson
      
      Sanders Jr.
      
      Savino
      
      Serino
      
      Serrano
      
      Seward
      
      Skelos
      
      Squadron
      
      Stavisky
      
      Stewart-Cousins
      
      Valesky
      
      Venditto
      
      Young
      
      nay (1)
      
      Krueger
      
      excused (4)
      
      Breslin
      
      Comrie
      
      Espaillat
      
      Perkins
  Jan 11, 2016 - Veterans, Homeland Security And Military Affairs Committee Vote
  S3407A
  
  Aye
  
  13
  
  Nay
  
  0
  
  Aye with Reservations
  
  0
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  
  0
  - - Veterans, Homeland Security And Military Affairs Committee Vote: Jan 11, 2016
      
      aye (13)
      
      Addabbo Jr.
      
      Amedore
      
      Carlucci
      
      Comrie
      
      Croci
      
      Felder
      
      Golden
      
      Larkin
      
      Marchione
      
      Ortt
      
      Panepinto
      
      Sanders Jr.
      
      Serrano
  Feb 9, 2015 - Rules Committee Vote
  S3407A
  
  Aye
  
  23
  
  Nay
  
  0
  
  Aye with Reservations
  
  1
  
  Absent
  
  0
  
  Excused
  
  1
  
  Abstained
  
  0
  - - Rules Committee Vote: Feb 9, 2015
      
      aye (23)
      
      Bonacic
      
      Breslin
      
      Carlucci
      
      Dilan
      
      Espaillat
      
      Farley
      
      Flanagan
      
      Gianaris
      
      Hannon
      
      Hassell-Thompson
      
      LaValle
      
      Larkin
      
      Libous
      
      Little
      
      Marcellino
      
      Montgomery
      
      Nozzolio
      
      Perkins
      
      Seward
      
      Skelos
      
      Stewart-Cousins
      
      Valesky
      
      Young
      
      aye wr (1)
      
      Krueger
      
      excused (1)
      
      Parker
  Apr 11, 2016 - Finance Committee Vote
  S3407A
  
  Aye
  
  33
  
  Nay
  
  0
  
  Aye with Reservations
  
  2
  
  Absent
  
  0
  
  Excused
  
  2
  
  Abstained
  
  0
  - - Finance Committee Vote: Apr 11, 2016
      
      aye (33)
      
      Bonacic
      
      Boyle
      
      Breslin
      
      Diaz
      
      Dilan
      
      Farley
      
      Gallivan
      
      Golden
      
      Griffo
      
      Hannon
      
      Hassell-Thompson
      
      Kennedy
      
      Krueger
      
      LaValle
      
      Lanza
      
      Larkin
      
      Little
      
      Marcellino
      
      Martins
      
      Montgomery
      
      O'Mara
      
      Parker
      
      Peralta
      
      Perkins
      
      Ranzenhofer
      
      Ritchie
      
      Robach
      
      Savino
      
      Seward
      
      Squadron
      
      Stavisky
      
      Valesky
      
      Young
      
      aye wr (2)
      
      Espaillat
      
      Rivera
      
      excused (2)
      
      Marchione
      
      Nozzolio

Bill Amendments

Original

A (Active)

co-Sponsors

View additional co-sponsors

2015-S3407 - Details

See Assembly Version of this Bill:: A6130
Current Committee:: Assembly Governmental Operations
Law Section:: Executive Law
Laws Affected:: Add §719, Exec L
Versions Introduced in 2017-2018 Legislative Session:: S924, A3448

2015-S3407 - Summary

Requires the formation of a cyber security advisory board and the implementation of a cyber security initiative.

2015-S3407 - Sponsor Memo

                                BILL NUMBER:S3407

TITLE OF BILL:  An act to amend the executive law, in relation to a
cyber security initiative

PURPOSE OR GENERAL IDEA OF BILL:

This bill would amend the executive law to establish the New York
State Cyber Security Initiative, to create a New York State Cyber
Security Advisory Board, a New York Cyber Security Partnership
Program, and a New York State Cyber Security Information Sharing
Program.

SUMMARY OF SPECIFIC PROVISIONS:

This bill would add a new section 719 to the executive law to
establish the New York State Cyber Security Initiative.

Specifically, this new section would:

*Make legislative findings;

*Defines "critical infrastructure and information systems";

*Establish within the division of homeland security (DHSES), a Cyber
Security Advisory Board to make recommendations for protecting the

state's critical infrastructure and information systems;

*Establish within DHSES, a Cyber Security Sharing and Threat
Prevention Program, designed to increase the volume, timeliness, and
quality of cyber threat information shared with the public and private
sector; and

*Requires DHSES, in consultation with the State Police, the Office of
Information Technology Services, and the Center for Internet Security,
to issue a New York State Cyber Security Critical Infrastructure Risk
Assessment Report, identifying critical infrastructure and where a
cyber security incident could reasonably result in catastrophic
regional or state-wide effects on public health or safety, economic
distress, and/or threaten public protection of the people and/or
property of New York State.

JUSTIFICATION:

According to the such entities as the United States Department of
Homeland Security, Interpol and the New York State White Collar Crime
Task Force, cybercrime is a pervasive and rapidly expanding threat.
New York state is particularly at risk to cybercrime due to its status
as a global hub of international business and commerce. As, most major
national and international banks, insurance companies and brokerage
houses also have headquarters or a significant presence within the
state, such present a particularly attractive target to those who wish
to engage in cyber crime or cyber terrorism.

By establishing a Cyber Security Advisory Board in state law, New York
State can identify ways to protect the state's critical infrastructure
and information systems. Innovative, actionable policies developed by


the Advisory Board will further ensure that New York state is in the
forefront of public cyber security defense.

Modeled after a successful federal initiative, the Information Sharing
and Threat Prevention Program, established by this bill, seeks to
assist both the public and private sector to develop practices that
will better protect and defend their interests against cyber threats.

Finally, the Risk Assessment Report, required under this legislation,
will additionally allow New York, to leverage the expertise and advice
of experienced and knowledgeable professionals, to identify security
threats that are facing the state and its businesses and citizens, and
develop effective ways to combat them.

PRIOR LEGISLATIVE HISTORY:

This is a new bill.

FISCAL IMPLICATIONS:

None noted.

EFFECTIVE DATE:

This act would take effect immediately.

2015-S3407 - Bill Text download pdf

                            
                    S T A T E   O F   N E W   Y O R K
________________________________________________________________________

                                  3407

                       2015-2016 Regular Sessions

                            I N  S E N A T E

                            February 6, 2015
                               ___________

Introduced by Sens. CROCI, GOLDEN -- read twice and ordered printed, and
  when printed to be committed to the Committee on Rules

AN  ACT  to  amend  the  executive  law, in relation to a cyber security
  initiative

  THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
BLY, DO ENACT AS FOLLOWS:

  Section 1. The executive law is amended by adding a new section 719 to
read as follows:
  S 719. NEW YORK STATE CYBER SECURITY INITIATIVE.  1. LEGISLATIVE FIND-
INGS.  THE LEGISLATURE FINDS AND DECLARES THAT REPEATED CYBER INTRUSIONS
INTO CRITICAL INFRASTRUCTURE, EFFECTING GOVERNMENT, PRIVATE SECTOR BUSI-
NESS, AND CITIZENS OF THE STATE OF NEW YORK, HAVE DEMONSTRATED THE  NEED
FOR IMPROVED CYBER SECURITY.
  THE  LEGISLATURE  FURTHER  FINDS  AND  DECLARES THAT THIS CYBER THREAT
CONTINUES TO GROW AND REPRESENTS ONE OF THE MOST SERIOUS PUBLIC SECURITY
CHALLENGES THAT NEW YORK MUST CONFRONT. MOREOVER, THE  SECURITY  OF  THE
STATE  OF  NEW  YORK  DEPENDS  ON  THE  RELIABLE FUNCTIONING OF NEW YORK
STATE'S CRITICAL INFRASTRUCTURE, AND PRIVATE SECTOR BUSINESS  INTERESTS,
AS  WELL  AS  THE PROTECTION OF THE FINANCES AND INDIVIDUAL LIBERTIES OF
EVERY CITIZEN, IN THE FACE OF SUCH THREATS.
  THE LEGISLATURE ADDITIONALLY FINDS AND DECLARES THAT  TO  ENHANCE  THE
SECURITY, PROTECTION AND RESILIENCE OF NEW YORK STATE'S CRITICAL INFRAS-
TRUCTURE,  AND  PRIVATE  SECTOR  BUSINESS  INTERESTS,  AS  WELL  AS  THE
PROTECTION OF THE FINANCES AND INDIVIDUAL LIBERTIES  OF  EVERY  CITIZEN,
THE  STATE  OF NEW YORK MUST PROMOTE A CYBER ENVIRONMENT THAT ENCOURAGES
EFFICIENCY, INNOVATION, AND ECONOMIC PROSPERITY, AND  THAT  CAN  OPERATE
WITH  SAFETY,  SECURITY,  BUSINESS  CONFIDENTIALITY,  PRIVACY, AND CIVIL
LIBERTY.
  THE LEGISLATURE FURTHER FINDS AND DECLARES THAT TO CREATE SUCH A  SAFE
AND SECURE CYBER ENVIRONMENT FOR GOVERNMENT, PRIVATE SECTOR BUSINESS AND
INDIVIDUAL  CITIZENS,  NEW YORK MUST ADVANCE, IN ADDITION TO ITS CURRENT

 EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                      [ ] is old law to be omitted.
                                                           LBD09031-01-5

S. 3407                             2

EFFORTS IN THIS FIELD, A NEW YORK STATE CYBER SECURITY INITIATIVE,  THAT
ESTABLISHES  A  NEW YORK STATE CYBER SECURITY ADVISORY BOARD; A NEW YORK
STATE CYBER SECURITY PARTNERSHIP PROGRAM WITH THE OWNERS  AND  OPERATORS
OF CRITICAL INFRASTRUCTURE, PRIVATE SECTOR BUSINESS, ACADEMIA, AND INDI-
VIDUAL  CITIZENS  TO IMPROVE, DEVELOP AND IMPLEMENT RISK-BASED STANDARDS
FOR GOVERNMENT, PRIVATE SECTOR BUSINESSES AND INDIVIDUAL CITIZENS; AND A
NEW YORK STATE CYBER SECURITY INFORMATION SHARING PROGRAM.
  2. CRITICAL INFRASTRUCTURE AND INFORMATION SYSTEMS. AS  USED  IN  THIS
SECTION,  THE  TERM  "CRITICAL  INFRASTRUCTURE  AND INFORMATION SYSTEMS"
SHALL MEAN ALL SYSTEMS AND ASSETS, WHETHER PHYSICAL OR VIRTUAL, SO VITAL
TO THE GOVERNMENT, PRIVATE SECTOR BUSINESSES AND INDIVIDUAL CITIZENS  OF
THE STATE OF NEW YORK THAT THE INCAPACITY OR DESTRUCTION OF SUCH SYSTEMS
AND ASSETS WOULD HAVE A DEBILITATING IMPACT TO THE SECURITY, ECONOMY, OR
PUBLIC  HEALTH OF THE INDIVIDUAL CITIZENS, GOVERNMENT, OR PRIVATE SECTOR
BUSINESSES OF THE STATE OF NEW YORK.
  3. NEW YORK STATE CYBER SECURITY ADVISORY BOARD. (A)  THERE  SHALL  BE
WITHIN  THE  DIVISION OF HOMELAND SECURITY AND EMERGENCY SERVICES, A NEW
YORK STATE CYBER SECURITY ADVISORY BOARD, WHICH SHALL ADVISE THE  GOVER-
NOR  AND  THE  LEGISLATURE  ON  DEVELOPMENTS  IN CYBER SECURITY AND MAKE
RECOMMENDATIONS FOR PROTECTING THE STATE'S CRITICAL  INFRASTRUCTURE  AND
INFORMATION SYSTEMS.
  (B) THE BOARD MEMBERS SHALL CONSIST OF ELEVEN MEMBERS APPOINTED BY THE
GOVERNOR, WITH THREE MEMBERS APPOINTED UPON RECOMMENDATION OF THE TEMPO-
RARY  PRESIDENT OF THE SENATE, AND THREE MEMBERS APPOINTED AT THE RECOM-
MENDATION OF THE SPEAKER OF THE ASSEMBLY. ALL MEMBERS SO APPOINTED SHALL
HAVE EXPERTISE IN CYBER SECURITY, TELECOMMUNICATIONS,  INTERNET  SERVICE
DELIVERY, PUBLIC PROTECTION, COMPUTER SYSTEMS AND/OR COMPUTER NETWORKS.
  (C)  THE  BOARD  SHALL  INVESTIGATE,  DISCUSS AND MAKE RECOMMENDATIONS
CONCERNING CYBER SECURITY ISSUES INVOLVING BOTH THE PUBLIC  AND  PRIVATE
SECTORS  AND  WHAT STEPS CAN BE TAKEN BY NEW YORK STATE TO PROTECT CRIT-
ICAL  CYBER  INFRASTRUCTURE,   FINANCIAL   SYSTEMS,   TELECOMMUNICATIONS
NETWORKS,  ELECTRICAL  GRIDS,  SECURITY SYSTEMS, FIRST RESPONDER SYSTEMS
AND  INFRASTRUCTURE,  PHYSICAL  INFRASTRUCTURE  SYSTEMS,  TRANSPORTATION
SYSTEMS,  AND SUCH OTHER AND FURTHER SECTORS OF STATE GOVERNMENT AND THE
PRIVATE SECTOR AS THE ADVISORY BOARD SHALL DEEM PRUDENT.
  (D) THE PURPOSE OF THE ADVISORY BOARD SHALL BE TO PROMOTE THE DEVELOP-
MENT OF INNOVATIVE, ACTIONABLE POLICIES TO ENSURE THAT NEW YORK STATE IS
IN THE FOREFRONT OF PUBLIC CYBER SECURITY DEFENSE.
  (E) THE MEMBERS OF THE ADVISORY BOARD SHALL  RECEIVE  NO  COMPENSATION
FOR  THEIR  SERVICES, BUT MAY RECEIVE ACTUAL AND NECESSARY EXPENSES, AND
SHALL NOT BE DISQUALIFIED FOR HOLDING ANY OTHER PUBLIC OFFICE OR EMPLOY-
MENT BY MEANS OF THEIR SERVICE AS A MEMBER OF THE ADVISORY BOARD.
  (F) THE ADVISORY BOARD SHALL BE ENTITLED TO REQUEST AND  RECEIVE,  AND
SHALL BE PROVIDED WITH, SUCH FACILITIES, RESOURCES AND DATA OF ANY AGEN-
CY, DEPARTMENT, DIVISION, BOARD, BUREAU, COMMISSION, OR PUBLIC AUTHORITY
OF  THE  STATE,  AS  THEY  MAY REASONABLY REQUEST, TO CARRY OUT PROPERLY
THEIR POWERS, DUTIES AND PURPOSE.
  4. NEW YORK  STATE  CYBER  SECURITY  INFORMATION  SHARING  AND  THREAT
PREVENTION  PROGRAM. (A) THE DIVISION OF HOMELAND SECURITY AND EMERGENCY
SERVICES, IN CONSULTATION WITH THE DIVISION OF  THE  STATE  POLICE,  THE
STATE  OFFICE  OF  INFORMATION  TECHNOLOGY  SERVICES, AND THE CENTER FOR
INTERNET SECURITY, SHALL ESTABLISH, WITHIN SIXTY DAYS OF  THE  EFFECTIVE
DATE  OF THIS SECTION, A NEW YORK STATE CYBER SECURITY INFORMATION SHAR-
ING AND THREAT PREVENTION PROGRAM.
  (B) IT SHALL BE THE PURPOSE OF  THE  NEW  YORK  STATE  CYBER  SECURITY
INFORMATION  SHARING  AND  THREAT  PREVENTION  PROGRAM  TO  INCREASE THE

S. 3407                             3

VOLUME, TIMELINESS, AND QUALITY OF CYBER THREAT INFORMATION SHARED  WITH
NEW YORK STATE PUBLIC AND PRIVATE SECTOR ENTITIES SO THAT THESE ENTITIES
MAY  BETTER  PROTECT  AND DEFEND THEMSELVES AGAINST CYBER THREATS AND TO
PROMOTE  THE DEVELOPMENT OF EFFECTIVE DEFENSES AND STRATEGIES TO COMBAT,
AND PROTECT AGAINST, CYBER THREATS AND ATTACKS.
  (C) TO FACILITATE THE PURPOSES OF THE NEW YORK  STATE  CYBER  SECURITY
INFORMATION SHARING AND THREAT PREVENTION PROGRAM, THE DIVISION OF HOME-
LAND  SECURITY  AND EMERGENCY SERVICES, SHALL PROMULGATE REGULATIONS, IN
ACCORDANCE WITH THE PROVISIONS OF THIS SUBDIVISION.
  (D) THE REGULATIONS SHALL PROVIDE FOR THE TIMELY PRODUCTION OF UNCLAS-
SIFIED REPORTS OF CYBER THREATS TO NEW YORK STATE  AND  ITS  PUBLIC  AND
PRIVATE  SECTOR  ENTITIES,  INCLUDING  THREATS  THAT IDENTIFY A SPECIFIC
TARGETED ENTITY.
  (E) THE REGULATIONS SHALL ADDRESS THE NEED TO PROTECT INTELLIGENCE AND
LAW ENFORCEMENT SOURCES, METHODS, OPERATIONS,  AND  INVESTIGATIONS,  AND
SHALL  FURTHER ESTABLISH A PROCESS THAT RAPIDLY DISSEMINATES THE REPORTS
PRODUCED PURSUANT TO PARAGRAPH (D) OF  THIS  SUBDIVISION,  TO  BOTH  ANY
TARGETED  ENTITY  AS  WELL  AS SUCH OTHER AND FURTHER PUBLIC AND PRIVATE
ENTITIES AS THE DIVISION SHALL DEEM NECESSARY TO ADVANCE THE PURPOSES OF
THIS SUBDIVISION.
  (F) THE REGULATIONS SHALL FURTHER ESTABLISH A SYSTEM FOR TRACKING  THE
PRODUCTION,  DISSEMINATION,  AND  DISPOSITION OF THE REPORTS PRODUCED IN
ACCORDANCE WITH THE PROVISIONS OF THIS SUBDIVISION.
  (G) THE REGULATIONS SHALL ALSO ESTABLISH AN  ENHANCED  CYBER  SECURITY
SERVICES  PROGRAM,  WITHIN  NEW  YORK  STATE, TO PROVIDE FOR PROCEDURES,
METHODS AND DIRECTIVES, FOR A  VOLUNTARY  INFORMATION  SHARING  PROGRAM,
THAT  WILL PROVIDE CYBER THREAT AND TECHNICAL INFORMATION COLLECTED FROM
BOTH PUBLIC AND PRIVATE SECTOR ENTITIES,  TO  SUCH  PRIVATE  AND  PUBLIC
SECTOR  ENTITIES AS THE DIVISION DEEMS PRUDENT, TO ADVISE ELIGIBLE CRIT-
ICAL INFRASTRUCTURE COMPANIES OR COMMERCIAL SERVICE PROVIDERS THAT OFFER
SECURITY SERVICES TO CRITICAL INFRASTRUCTURE ON CYBER  SECURITY  THREATS
AND DEFENSE MEASURES.
  (H)  THE REGULATIONS SHALL ALSO SEEK TO DEVELOP STRATEGIES TO MAXIMIZE
THE UTILITY OF CYBER THREAT INFORMATION SHARING BETWEEN AND  ACROSS  THE
PRIVATE AND PUBLIC SECTORS, AND SHALL FURTHER SEEK TO PROMOTE THE USE OF
PRIVATE  AND PUBLIC SECTOR SUBJECT MATTER EXPERTS TO ADDRESS CYBER SECU-
RITY NEEDS IN NEW YORK STATE, WITH THESE SUBJECT MATTER EXPERTS  PROVID-
ING  ADVICE  REGARDING  THE CONTENT, STRUCTURE, AND TYPES OF INFORMATION
MOST USEFUL TO CRITICAL INFRASTRUCTURE OWNERS AND OPERATORS IN  REDUCING
AND MITIGATING CYBER RISKS.
  (I)  THE  REGULATIONS  SHALL  FURTHER SEEK TO ESTABLISH A CONSULTATIVE
PROCESS TO COORDINATE IMPROVEMENTS TO THE  CYBER  SECURITY  OF  CRITICAL
INFRASTRUCTURE,  WHERE  AS  PART OF THE CONSULTATIVE PROCESS, THE PUBLIC
AND PRIVATE ENTITIES OF THE STATE OF NEW YORK SHALL ENGAGE AND  CONSIDER
THE  ADVICE OF THE DIVISION OF HOMELAND SECURITY AND EMERGENCY SERVICES,
THE DIVISION OF THE STATE POLICE, THE STATE OFFICE OF INFORMATION  TECH-
NOLOGY  SERVICES,  THE  CENTER FOR INTERNET SECURITY, THE NEW YORK STATE
CYBER SECURITY ADVISORY BOARD, THE PROGRAMS ESTABLISHED BY THIS SUBDIVI-
SION, AND SUCH OTHER AND FURTHER PRIVATE  AND  PUBLIC  SECTOR  ENTITIES,
UNIVERSITIES,  AND  CYBER  SECURITY  EXPERTS AS THE DIVISION OF HOMELAND
SECURITY AND EMERGENCY SERVICES MAY DEEM PRUDENT.
  (J) THE REGULATIONS SHALL FURTHER SEEK TO ESTABLISH A BASELINE  FRAME-
WORK  TO REDUCE CYBER RISK TO CRITICAL INFRASTRUCTURE, AND SHALL SEEK TO
HAVE THE DIVISION  OF  HOMELAND  SECURITY  AND  EMERGENCY  SERVICES,  IN
CONSULTATION  WITH  THE  DIVISION  OF  STATE POLICE, THE STATE OFFICE OF
INFORMATION TECHNOLOGY SERVICES, AND THE CENTER FOR  INTERNET  SECURITY,

S. 3407                             4

LEAD  THE  DEVELOPMENT  OF A FRAMEWORK TO REDUCE CYBER RISKS TO CRITICAL
INFRASTRUCTURE, TO BE KNOWN  AS  THE  CYBER  SECURITY  FRAMEWORK,  WHICH
SHALL:
  (I)  INCLUDE  A SET OF STANDARDS, METHODOLOGIES, PROCEDURES, AND PROC-
ESSES THAT ALIGN  POLICY,  BUSINESS,  AND  TECHNOLOGICAL  APPROACHES  TO
ADDRESS CYBER RISKS;
  (II) INCORPORATE VOLUNTARY CONSENSUS STANDARDS AND INDUSTRY BEST PRAC-
TICES TO THE FULLEST EXTENT POSSIBLE;
  (III)  PROVIDE A PRIORITIZED, FLEXIBLE, REPEATABLE, PERFORMANCE-BASED,
AND COST-EFFECTIVE APPROACH, INCLUDING INFORMATION SECURITY MEASURES AND
CONTROLS, TO HELP OWNERS AND OPERATORS OF CRITICAL INFRASTRUCTURE  IDEN-
TIFY, ASSESS, AND MANAGE CYBER RISK;
  (IV)  FOCUS  ON IDENTIFYING CROSS-SECTOR SECURITY STANDARDS AND GUIDE-
LINES APPLICABLE TO CRITICAL INFRASTRUCTURE;
  (V) IDENTIFY AREAS FOR IMPROVEMENT THAT SHOULD  BE  ADDRESSED  THROUGH
FUTURE  COLLABORATION  WITH  PARTICULAR SECTORS AND STANDARDS-DEVELOPING
ORGANIZATIONS;
  (VI)  ENABLE  TECHNICAL  INNOVATION  AND  ACCOUNT  FOR  ORGANIZATIONAL
DIFFERENCES,  TO  PROVIDE  GUIDANCE  THAT IS TECHNOLOGY NEUTRAL AND THAT
ENABLES CRITICAL INFRASTRUCTURE SECTORS TO BENEFIT  FROM  A  COMPETITIVE
MARKET FOR PRODUCTS AND SERVICES THAT MEET THE STANDARDS, METHODOLOGIES,
PROCEDURES, AND PROCESSES DEVELOPED TO ADDRESS CYBER RISKS;
  (VII)  INCLUDE  GUIDANCE FOR MEASURING THE PERFORMANCE OF AN ENTITY IN
IMPLEMENTING THE CYBER SECURITY FRAMEWORK;
  (VIII) INCLUDE METHODOLOGIES TO IDENTIFY AND MITIGATE IMPACTS  OF  THE
CYBER SECURITY FRAMEWORK AND ASSOCIATED INFORMATION SECURITY MEASURES OR
CONTROLS  ON BUSINESS CONFIDENTIALITY, AND TO PROTECT INDIVIDUAL PRIVACY
AND CIVIL LIBERTIES; AND
  (IX) ENGAGE IN THE REVIEW OF THREAT AND VULNERABILITY INFORMATION  AND
TECHNICAL EXPERTISE.
  (K)  THE REGULATIONS SHALL ADDITIONALLY ESTABLISH A VOLUNTARY CRITICAL
INFRASTRUCTURE CYBER SECURITY PROGRAM TO SUPPORT  THE  ADOPTION  OF  THE
CYBER SECURITY FRAMEWORK BY OWNERS AND OPERATORS OF CRITICAL INFRASTRUC-
TURE  AND ANY OTHER INTERESTED ENTITIES, WHERE UNDER THIS PROGRAM IMPLE-
MENTATION GUIDANCE OR  SUPPLEMENTAL  MATERIALS  WOULD  BE  DEVELOPED  TO
ADDRESS  SECTOR-SPECIFIC RISKS AND OPERATING ENVIRONMENTS, AND RECOMMEND
LEGISLATION FOR ENACTMENT TO ADDRESS CYBER SECURITY ISSUES.
  (L) IN DEVELOPING THE NEW YORK STATE CYBER SECURITY INFORMATION  SHAR-
ING  AND  THREAT PREVENTION PROGRAM IN ACCORDANCE WITH THE PROVISIONS OF
THIS SUBDIVISION,  THE  DIVISION  OF  HOMELAND  SECURITY  AND  EMERGENCY
SERVICES,  IN  CONSULTATION WITH THE DIVISION OF STATE POLICE, THE STATE
OFFICE OF INFORMATION TECHNOLOGY SERVICES, AND THE CENTER  FOR  INTERNET
SECURITY, SHALL PRODUCE AND SUBMIT A REPORT, TO THE GOVERNOR, THE TEMPO-
RARY  PRESIDENT  OF  THE SENATE, AND THE SPEAKER OF THE ASSEMBLY, MAKING
RECOMMENDATIONS ON THE  FEASIBILITY,  SECURITY  BENEFITS,  AND  RELATIVE
MERITS OF INCORPORATING SECURITY STANDARDS INTO ACQUISITION PLANNING AND
CONTRACT  ADMINISTRATION,  AND  SUCH  REPORT  SHALL FURTHER ADDRESS WHAT
STEPS CAN BE TAKEN TO HARMONIZE AND MAKE CONSISTENT EXISTING PROCUREMENT
REQUIREMENTS RELATED TO CYBER SECURITY.
  5. NEW YORK STATE CYBER SECURITY CRITICAL INFRASTRUCTURE RISK  ASSESS-
MENT  REPORT.  (A)  THE  DIVISION  OF  HOMELAND  SECURITY  AND EMERGENCY
SERVICES, IN CONSULTATION WITH THE DIVISION OF STATE POLICE,  THE  STATE
OFFICE  OF  INFORMATION TECHNOLOGY SERVICES, AND THE CENTER FOR INTERNET
SECURITY, WITHIN ONE HUNDRED TWENTY DAYS OF THE EFFECTIVE DATE  OF  THIS
SECTION,  SHALL PRODUCE A NEW YORK STATE CYBER SECURITY CRITICAL INFRAS-
TRUCTURE RISK ASSESSMENT REPORT.

S. 3407                             5

  (B) THE PRODUCTION OF THE  NEW  YORK  STATE  CYBER  SECURITY  CRITICAL
INFRASTRUCTURE RISK ASSESSMENT REPORT SHALL USE A RISK-BASED APPROACH TO
IDENTIFY  CRITICAL  INFRASTRUCTURE WHERE A CYBER SECURITY INCIDENT COULD
REASONABLY RESULT IN CATASTROPHIC  REGIONAL  OR  STATE-WIDE  EFFECTS  ON
PUBLIC  HEALTH  OR  SAFETY,  ECONOMIC  DISTRESS,  AND/OR THREATEN PUBLIC
PROTECTION OF THE PEOPLE AND/OR PROPERTY OF NEW YORK STATE.
  (C) THE PRODUCTION OF THE REPORT SHALL FURTHER  USE  THE  CONSULTATIVE
PROCESS  AND  DRAW  UPON  THE EXPERTISE OF AND ADVICE OF THE DIVISION OF
HOMELAND SECURITY AND EMERGENCY SERVICES, THE DIVISION OF STATE  POLICE,
THE  STATE  OFFICE  OF  INFORMATION  TECHNOLOGY SERVICES, THE CENTER FOR
INTERNET SECURITY, THE NEW YORK STATE CYBER SECURITY ADVISORY BOARD, THE
PROGRAMS ESTABLISHED BY THIS SECTION, AND SUCH OTHER AND FURTHER PRIVATE
AND PUBLIC SECTOR ENTITIES, UNIVERSITIES, AND CYBER SECURITY EXPERTS  AS
THE  DIVISION  OF  HOMELAND  SECURITY  AND  EMERGENCY  SERVICES MAY DEEM
PRUDENT.
  (D) THE NEW YORK STATE CYBER  SECURITY  CRITICAL  INFRASTRUCTURE  RISK
ASSESSMENT  REPORT  SHALL  BE  DELIVERED  TO THE GOVERNOR, THE TEMPORARY
PRESIDENT OF THE SENATE, THE SPEAKER OF THE ASSEMBLY, THE CHAIR  OF  THE
SENATE  STANDING  COMMITTEE  ON VETERANS, HOMELAND SECURITY AND MILITARY
AFFAIRS, AND THE CHAIR OF THE ASSEMBLY  STANDING  COMMITTEE  ON  GOVERN-
MENTAL OPERATIONS.
  (E) WHERE COMPLIANCE WITH THIS SECTION SHALL REQUIRE THE DISCLOSURE OF
CONFIDENTIAL  INFORMATION,  OR  THE  DISCLOSURE OF SENSITIVE INFORMATION
WHICH IN THE JUDGMENT OF THE COMMISSIONER OF THE  DIVISION  OF  HOMELAND
SECURITY  AND  EMERGENCY SERVICES WOULD JEOPARDIZE THE CYBER SECURITY OF
THE STATE:
  (I) SUCH CONFIDENTIAL OR SENSITIVE INFORMATION SHALL  BE  PROVIDED  TO
THE  PERSONS  ENTITLED  TO  RECEIVE THE REPORT, IN THE FORM OF A SUPPLE-
MENTAL APPENDIX TO THE REPORT; AND
  (II) SUCH SUPPLEMENTAL APPENDIX TO THE REPORT SHALL NOT BE SUBJECT  TO
THE PROVISIONS OF THE FREEDOM OF INFORMATION LAW PURSUANT TO ARTICLE SIX
OF THE PUBLIC OFFICERS LAW; AND
  (III)  THE  PERSONS  ENTITLED  TO  RECEIVE THE REPORT MAY DISCLOSE THE
SUPPLEMENTAL APPENDIX TO THE REPORT TO  THEIR  PROFESSIONAL  STAFF,  BUT
SHALL  NOT  OTHERWISE  PUBLICALLY  DISCLOSE  SUCH CONFIDENTIAL OR SECURE
INFORMATION.
  S 2. This act shall take effect immediately.

co-Sponsors

View additional co-sponsors

2015-S3407A (ACTIVE) - Details

See Assembly Version of this Bill:: A6130
Current Committee:: Assembly Governmental Operations
Law Section:: Executive Law
Laws Affected:: Add §719, Exec L
Versions Introduced in 2017-2018 Legislative Session:: S924, A3448

2015-S3407A (ACTIVE) - Summary

Requires the formation of a cyber security advisory board and the implementation of a cyber security initiative.

2015-S3407A (ACTIVE) - Sponsor Memo

                                 BILL NUMBER:  S3407A

 TITLE OF BILL :  An act to amend the executive law, in relation to a
cyber security initiative

 PURPOSE OR GENERAL IDEA OF BILL :  This bill would amend the
executive law to establish the New York State Cyber Security
Initiative, to create a New York State Cyber Security Advisory Board,
a New York Cyber Security Partnership Program, and a New York State
Cyber Security Information Sharing Program.

 SUMMARY OF SPECIFIC PROVISIONS :  This bill would add a new section
719 to the executive law to establish the New York State Cyber
Security Initiative.

Specifically, this new section would: *Make legislative findings;

*Defines "critical infrastructure and information systems";

*Establish within the division of homeland security (DHSES), a Cyber
Security Advisory Board to make recommendations for protecting the
state's critical infrastructure and information systems;

*Establish within DHSES, a Cyber Security Sharing and Threat
Prevention Program, designed to increase the volume, timeliness, and
quality of cyber threat information shared with the public and private

sector; and

*Requires DHSES, in consultation with the State Police, the Office of
Information Technology Services, and the Center for Internet Security,
to issue a New York State Cyber Security Critical Infrastructure Risk
Assessment Report, identifying critical infrastructure and where a
cyber security incident could reasonably result in catastrophic
regional or state-wide effects on public:  health or safety, economic
distress, and/or threaten public protection of the people and/or
property of New York State.

 JUSTIFICATION :  According to the such entities as the United States
Department of Homeland Security, Interpol and the New York State White
Collar Crime Task Force, cybercrime is a pervasive and rapidly
expanding threat.  New York state is particularly at risk to
cybercrime due to its status as a global hub of international business
and commerce. As most major national and international banks,
insurance companies and brokerage houses also have headquarters or a
significant presence within the state, such present a particularly
attractive target to those who wish to engage in cyber crime or cyber
terrorism.

By establishing a Cyber Security Advisory Board in state law, New York
State can identify ways to protect the state's critical infrastructure
and information systems. Innovative, actionable policies developed by
the Advisory Board will further ensure that New York state is in the
forefront of public cyber security defense.

Modeled after a successful federal initiative, the Information Sharing
and Threat Prevention Program, established by this bill, seeks to
assist both the public and private sector to develop practices that
will better protect and defend their interests against cyber threats.

Finally, the Risk Assessment Report, required under this legislation,
will additionally allow New York, to leverage the expertise and advice
of experienced and knowledgeable professionals, to identify security
threats that are facing the state and its businesses and citizens, and
develop effective ways to combat them.

 PRIOR LEGISLATIVE HISTORY : This is a new bill.
 FISCAL IMPLICATIONS :  None noted.

 EFFECTIVE DATE :  This act would take effect immediately.

2015-S3407A (ACTIVE) - Bill Text download pdf

                            
                    S T A T E   O F   N E W   Y O R K
________________________________________________________________________

                                 3407--A

                       2015-2016 Regular Sessions

                            I N  S E N A T E

                            February 6, 2015
                               ___________

Introduced  by  Sens.  CROCI, AVELLA, CARLUCCI, FLANAGAN, FUNKE, GOLDEN,
  MARTINS, NOZZOLIO -- read twice and ordered printed, and when  printed
  to  be  committed  to  the  Committee  on  Rules -- recommitted to the
  Committee on Veterans,  Homeland  Security  and  Military  Affairs  in
  accordance  with  Senate  Rule 6, sec. 8 -- committee discharged, bill
  amended, ordered reprinted as amended and recommitted to said  commit-
  tee

AN  ACT  to  amend  the  executive  law, in relation to a cyber security
  initiative

  THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
BLY, DO ENACT AS FOLLOWS:

  Section 1. The executive law is amended by adding a new section 719 to
read as follows:
  S 719. NEW YORK STATE CYBER SECURITY INITIATIVE.  1. LEGISLATIVE FIND-
INGS.  THE LEGISLATURE FINDS AND DECLARES THAT REPEATED CYBER INTRUSIONS
INTO CRITICAL INFRASTRUCTURE, EFFECTING GOVERNMENT, PRIVATE SECTOR BUSI-
NESS, AND CITIZENS OF THE STATE OF NEW YORK, HAVE DEMONSTRATED THE  NEED
FOR IMPROVED CYBER SECURITY.
  THE  LEGISLATURE  FURTHER  FINDS  AND  DECLARES THAT THIS CYBER THREAT
CONTINUES TO GROW AND REPRESENTS ONE OF THE MOST SERIOUS PUBLIC SECURITY
CHALLENGES THAT NEW YORK MUST CONFRONT. MOREOVER, THE  SECURITY  OF  THE
STATE  OF  NEW  YORK  DEPENDS  ON  THE  RELIABLE FUNCTIONING OF NEW YORK
STATE'S CRITICAL INFRASTRUCTURE, AND PRIVATE SECTOR BUSINESS  INTERESTS,
AS  WELL  AS  THE PROTECTION OF THE FINANCES AND INDIVIDUAL LIBERTIES OF
EVERY CITIZEN, IN THE FACE OF SUCH THREATS.
  THE LEGISLATURE ADDITIONALLY FINDS AND DECLARES THAT  TO  ENHANCE  THE
SECURITY, PROTECTION AND RESILIENCE OF NEW YORK STATE'S CRITICAL INFRAS-
TRUCTURE,  AND  PRIVATE  SECTOR  BUSINESS  INTERESTS,  AS  WELL  AS  THE
PROTECTION OF THE FINANCES AND INDIVIDUAL LIBERTIES  OF  EVERY  CITIZEN,
THE  STATE  OF NEW YORK MUST PROMOTE A CYBER ENVIRONMENT THAT ENCOURAGES
EFFICIENCY, INNOVATION, AND ECONOMIC PROSPERITY, AND  THAT  CAN  OPERATE

 EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                      [ ] is old law to be omitted.
                                                           LBD09031-02-5

S. 3407--A                          2

WITH  SAFETY,  SECURITY,  BUSINESS  CONFIDENTIALITY,  PRIVACY, AND CIVIL
LIBERTY.
  THE  LEGISLATURE FURTHER FINDS AND DECLARES THAT TO CREATE SUCH A SAFE
AND SECURE CYBER ENVIRONMENT FOR GOVERNMENT, PRIVATE SECTOR BUSINESS AND
INDIVIDUAL CITIZENS, NEW YORK MUST ADVANCE, IN ADDITION TO  ITS  CURRENT
EFFORTS  IN THIS FIELD, A NEW YORK STATE CYBER SECURITY INITIATIVE, THAT
ESTABLISHES A NEW YORK STATE CYBER SECURITY ADVISORY BOARD; A  NEW  YORK
STATE  CYBER  SECURITY PARTNERSHIP PROGRAM WITH THE OWNERS AND OPERATORS
OF CRITICAL INFRASTRUCTURE, PRIVATE SECTOR BUSINESS, ACADEMIA, AND INDI-
VIDUAL CITIZENS TO IMPROVE, DEVELOP AND IMPLEMENT  RISK-BASED  STANDARDS
FOR GOVERNMENT, PRIVATE SECTOR BUSINESSES AND INDIVIDUAL CITIZENS; AND A
NEW YORK STATE CYBER SECURITY INFORMATION SHARING PROGRAM.
  2.  CRITICAL  INFRASTRUCTURE  AND INFORMATION SYSTEMS. AS USED IN THIS
SECTION, THE TERM  "CRITICAL  INFRASTRUCTURE  AND  INFORMATION  SYSTEMS"
SHALL MEAN ALL SYSTEMS AND ASSETS, WHETHER PHYSICAL OR VIRTUAL, SO VITAL
TO  THE GOVERNMENT, PRIVATE SECTOR BUSINESSES AND INDIVIDUAL CITIZENS OF
THE STATE OF NEW YORK THAT THE INCAPACITY OR DESTRUCTION OF SUCH SYSTEMS
AND ASSETS WOULD HAVE A DEBILITATING IMPACT TO THE SECURITY, ECONOMY, OR
PUBLIC HEALTH OF THE INDIVIDUAL CITIZENS, GOVERNMENT, OR PRIVATE  SECTOR
BUSINESSES OF THE STATE OF NEW YORK.
  3.  NEW  YORK  STATE CYBER SECURITY ADVISORY BOARD. (A) THERE SHALL BE
WITHIN THE DIVISION OF HOMELAND SECURITY AND EMERGENCY SERVICES,  A  NEW
YORK  STATE CYBER SECURITY ADVISORY BOARD, WHICH SHALL ADVISE THE GOVER-
NOR AND THE LEGISLATURE ON  DEVELOPMENTS  IN  CYBER  SECURITY  AND  MAKE
RECOMMENDATIONS  FOR  PROTECTING THE STATE'S CRITICAL INFRASTRUCTURE AND
INFORMATION SYSTEMS.
  (B) THE BOARD MEMBERS SHALL CONSIST OF ELEVEN MEMBERS APPOINTED BY THE
GOVERNOR, WITH THREE MEMBERS APPOINTED UPON RECOMMENDATION OF THE TEMPO-
RARY PRESIDENT OF THE SENATE, AND THREE MEMBERS APPOINTED AT THE  RECOM-
MENDATION OF THE SPEAKER OF THE ASSEMBLY. ALL MEMBERS SO APPOINTED SHALL
HAVE  EXPERTISE  IN CYBER SECURITY, TELECOMMUNICATIONS, INTERNET SERVICE
DELIVERY, PUBLIC PROTECTION, COMPUTER SYSTEMS AND/OR COMPUTER NETWORKS.
  (C) THE BOARD SHALL  INVESTIGATE,  DISCUSS  AND  MAKE  RECOMMENDATIONS
CONCERNING  CYBER  SECURITY ISSUES INVOLVING BOTH THE PUBLIC AND PRIVATE
SECTORS AND WHAT STEPS CAN BE TAKEN BY NEW YORK STATE TO  PROTECT  CRIT-
ICAL   CYBER   INFRASTRUCTURE,   FINANCIAL  SYSTEMS,  TELECOMMUNICATIONS
NETWORKS, ELECTRICAL GRIDS, SECURITY SYSTEMS,  FIRST  RESPONDER  SYSTEMS
AND  INFRASTRUCTURE,  PHYSICAL  INFRASTRUCTURE  SYSTEMS,  TRANSPORTATION
SYSTEMS, AND SUCH OTHER AND FURTHER SECTORS OF STATE GOVERNMENT AND  THE
PRIVATE SECTOR AS THE ADVISORY BOARD SHALL DEEM PRUDENT.
  (D) THE PURPOSE OF THE ADVISORY BOARD SHALL BE TO PROMOTE THE DEVELOP-
MENT OF INNOVATIVE, ACTIONABLE POLICIES TO ENSURE THAT NEW YORK STATE IS
IN THE FOREFRONT OF PUBLIC CYBER SECURITY DEFENSE.
  (E)  THE  MEMBERS  OF THE ADVISORY BOARD SHALL RECEIVE NO COMPENSATION
FOR THEIR SERVICES, BUT MAY RECEIVE ACTUAL AND NECESSARY  EXPENSES,  AND
SHALL NOT BE DISQUALIFIED FOR HOLDING ANY OTHER PUBLIC OFFICE OR EMPLOY-
MENT BY MEANS OF THEIR SERVICE AS A MEMBER OF THE ADVISORY BOARD.
  (F)  THE  ADVISORY BOARD SHALL BE ENTITLED TO REQUEST AND RECEIVE, AND
SHALL BE PROVIDED WITH, SUCH FACILITIES, RESOURCES AND DATA OF ANY AGEN-
CY, DEPARTMENT, DIVISION, BOARD, BUREAU, COMMISSION, OR PUBLIC AUTHORITY
OF THE STATE, AS THEY MAY REASONABLY  REQUEST,  TO  CARRY  OUT  PROPERLY
THEIR POWERS, DUTIES AND PURPOSE.
  4.  NEW  YORK  STATE  CYBER  SECURITY INFORMATION SHARING AND ANALYSIS
PROGRAM. (A) THE DIVISION OF HOMELAND SECURITY AND  EMERGENCY  SERVICES,
IN  CONSULTATION WITH THE DIVISION OF THE STATE POLICE, THE STATE OFFICE
OF INFORMATION TECHNOLOGY SERVICES, AND THE CENTER FOR INTERNET  SECURI-

S. 3407--A                          3

TY,  SHALL  ESTABLISH,  WITHIN  SIXTY DAYS OF THE EFFECTIVE DATE OF THIS
SECTION, A VOLUNTARY NEW YORK STATE CYBER SECURITY  INFORMATION  SHARING
AND ANALYSIS PROGRAM.
  (B)  IT  SHALL  BE  THE  PURPOSE  OF THE NEW YORK STATE CYBER SECURITY
INFORMATION SHARING AND ANALYSIS PROGRAM TO INCREASE THE VOLUME, TIMELI-
NESS, AND QUALITY OF CYBER THREAT INFORMATION SHARED WITH NEW YORK STATE
PUBLIC AND PRIVATE SECTOR ENTITIES SO THAT  THESE  ENTITIES  MAY  BETTER
PROTECT  AND  DEFEND THEMSELVES AGAINST CYBER THREATS AND TO PROMOTE THE
DEVELOPMENT OF EFFECTIVE DEFENSES AND STRATEGIES TO COMBAT, AND  PROTECT
AGAINST, CYBER THREATS AND ATTACKS.
  (C)  TO  FACILITATE  THE PURPOSES OF THE NEW YORK STATE CYBER SECURITY
INFORMATION SHARING AND ANALYSIS PROGRAM, THE DIVISION OF HOMELAND SECU-
RITY AND EMERGENCY SERVICES, SHALL PROMULGATE REGULATIONS, IN ACCORDANCE
WITH THE PROVISIONS OF THIS SUBDIVISION.
  (D) THE REGULATIONS SHALL PROVIDE FOR THE TIMELY PRODUCTION OF UNCLAS-
SIFIED REPORTS OF CYBER THREATS TO NEW YORK STATE  AND  ITS  PUBLIC  AND
PRIVATE  SECTOR  ENTITIES,  INCLUDING  THREATS  THAT IDENTIFY A SPECIFIC
TARGETED ENTITY.
  (E) THE REGULATIONS SHALL ADDRESS THE NEED TO PROTECT INTELLIGENCE AND
LAW ENFORCEMENT SOURCES, METHODS, OPERATIONS,  AND  INVESTIGATIONS,  AND
SHALL  FURTHER ESTABLISH A PROCESS THAT RAPIDLY DISSEMINATES THE REPORTS
PRODUCED PURSUANT TO PARAGRAPH (D) OF  THIS  SUBDIVISION,  TO  BOTH  ANY
TARGETED  ENTITY  AS  WELL  AS SUCH OTHER AND FURTHER PUBLIC AND PRIVATE
ENTITIES AS THE DIVISION SHALL DEEM NECESSARY TO ADVANCE THE PURPOSES OF
THIS SUBDIVISION.
  (F) THE REGULATIONS SHALL PROVIDE FOR PROTECTIONS FROM  LIABILITY  FOR
ENTITIES SHARING AND RECEIVING INFORMATION WITH THE NEW YORK STATE CYBER
SECURITY  INFORMATION  AND ANALYSIS PROGRAM, SO LONG AS THE ENTITY ACTED
IN GOOD FAITH.
  (G) THE REGULATIONS SHALL FURTHER ESTABLISH A SYSTEM FOR TRACKING  THE
PRODUCTION,  DISSEMINATION,  AND  DISPOSITION OF THE REPORTS PRODUCED IN
ACCORDANCE WITH THE PROVISIONS OF THIS SUBDIVISION.
  (H) THE REGULATIONS SHALL ALSO ESTABLISH AN  ENHANCED  CYBER  SECURITY
SERVICES  PROGRAM,  WITHIN  NEW  YORK  STATE, TO PROVIDE FOR PROCEDURES,
METHODS AND DIRECTIVES, FOR A  VOLUNTARY  INFORMATION  SHARING  PROGRAM,
THAT  WILL PROVIDE CYBER THREAT AND TECHNICAL INFORMATION COLLECTED FROM
BOTH PUBLIC AND PRIVATE SECTOR ENTITIES,  TO  SUCH  PRIVATE  AND  PUBLIC
SECTOR  ENTITIES AS THE DIVISION DEEMS PRUDENT, TO ADVISE ELIGIBLE CRIT-
ICAL INFRASTRUCTURE COMPANIES OR COMMERCIAL SERVICE PROVIDERS THAT OFFER
SECURITY SERVICES TO CRITICAL INFRASTRUCTURE ON CYBER  SECURITY  THREATS
AND DEFENSE MEASURES.
  (I)  THE REGULATIONS SHALL ALSO SEEK TO DEVELOP STRATEGIES TO MAXIMIZE
THE UTILITY OF CYBER THREAT INFORMATION SHARING BETWEEN AND  ACROSS  THE
PRIVATE AND PUBLIC SECTORS, AND SHALL FURTHER SEEK TO PROMOTE THE USE OF
PRIVATE  AND PUBLIC SECTOR SUBJECT MATTER EXPERTS TO ADDRESS CYBER SECU-
RITY NEEDS IN NEW YORK STATE, WITH THESE SUBJECT MATTER EXPERTS  PROVID-
ING  ADVICE  REGARDING  THE CONTENT, STRUCTURE, AND TYPES OF INFORMATION
MOST USEFUL TO CRITICAL INFRASTRUCTURE OWNERS AND OPERATORS IN  REDUCING
AND MITIGATING CYBER RISKS.
  (J)  THE  REGULATIONS  SHALL  FURTHER SEEK TO ESTABLISH A CONSULTATIVE
PROCESS TO COORDINATE IMPROVEMENTS TO THE  CYBER  SECURITY  OF  CRITICAL
INFRASTRUCTURE,  WHERE  AS  PART OF THE CONSULTATIVE PROCESS, THE PUBLIC
AND PRIVATE ENTITIES OF THE STATE OF NEW YORK SHALL ENGAGE AND  CONSIDER
THE  ADVICE OF THE DIVISION OF HOMELAND SECURITY AND EMERGENCY SERVICES,
THE DIVISION OF THE STATE POLICE, THE STATE OFFICE OF INFORMATION  TECH-
NOLOGY  SERVICES,  THE  CENTER FOR INTERNET SECURITY, THE NEW YORK STATE

S. 3407--A                          4

CYBER SECURITY ADVISORY BOARD, THE PROGRAMS ESTABLISHED BY THIS SUBDIVI-
SION, AND SUCH OTHER AND FURTHER PRIVATE  AND  PUBLIC  SECTOR  ENTITIES,
UNIVERSITIES,  AND  CYBER  SECURITY  EXPERTS AS THE DIVISION OF HOMELAND
SECURITY AND EMERGENCY SERVICES MAY DEEM PRUDENT.
  (K)  THE REGULATIONS SHALL FURTHER SEEK TO ESTABLISH A BASELINE FRAME-
WORK TO REDUCE CYBER RISK TO CRITICAL INFRASTRUCTURE, AND SHALL SEEK  TO
HAVE  THE  DIVISION  OF  HOMELAND  SECURITY  AND  EMERGENCY SERVICES, IN
CONSULTATION WITH THE DIVISION OF STATE  POLICE,  THE  STATE  OFFICE  OF
INFORMATION  TECHNOLOGY  SERVICES, AND THE CENTER FOR INTERNET SECURITY,
LEAD THE DEVELOPMENT OF A VOLUNTARY FRAMEWORK TO REDUCE CYBER  RISKS  TO
CRITICAL  INFRASTRUCTURE,  TO  BE KNOWN AS THE CYBER SECURITY FRAMEWORK,
WHICH SHALL:
  (I) INCLUDE A SET OF STANDARDS, METHODOLOGIES, PROCEDURES,  AND  PROC-
ESSES  THAT  ALIGN  POLICY,  BUSINESS,  AND  TECHNOLOGICAL APPROACHES TO
ADDRESS CYBER RISKS;
  (II) INCORPORATE VOLUNTARY CONSENSUS STANDARDS AND INDUSTRY BEST PRAC-
TICES TO THE FULLEST EXTENT POSSIBLE;
  (III) PROVIDE A PRIORITIZED, FLEXIBLE, REPEATABLE,  PERFORMANCE-BASED,
AND COST-EFFECTIVE APPROACH, INCLUDING INFORMATION SECURITY MEASURES AND
CONTROLS,  TO HELP OWNERS AND OPERATORS OF CRITICAL INFRASTRUCTURE IDEN-
TIFY, ASSESS, AND MANAGE CYBER RISK;
  (IV) FOCUS ON IDENTIFYING CROSS-SECTOR SECURITY STANDARDS  AND  GUIDE-
LINES APPLICABLE TO CRITICAL INFRASTRUCTURE;
  (V)  IDENTIFY  AREAS  FOR IMPROVEMENT THAT SHOULD BE ADDRESSED THROUGH
FUTURE COLLABORATION WITH PARTICULAR  SECTORS  AND  STANDARDS-DEVELOPING
ORGANIZATIONS;
  (VI)  ENABLE  TECHNICAL  INNOVATION  AND  ACCOUNT  FOR  ORGANIZATIONAL
DIFFERENCES, TO PROVIDE GUIDANCE THAT IS  TECHNOLOGY  NEUTRAL  AND  THAT
ENABLES  CRITICAL  INFRASTRUCTURE  SECTORS TO BENEFIT FROM A COMPETITIVE
MARKET FOR PRODUCTS AND SERVICES THAT MEET THE STANDARDS, METHODOLOGIES,
PROCEDURES, AND PROCESSES DEVELOPED TO ADDRESS CYBER RISKS;
  (VII) INCLUDE GUIDANCE FOR MEASURING THE PERFORMANCE OF AN  ENTITY  IN
IMPLEMENTING THE CYBER SECURITY FRAMEWORK;
  (VIII)  INCLUDE  METHODOLOGIES TO IDENTIFY AND MITIGATE IMPACTS OF THE
CYBER SECURITY FRAMEWORK AND ASSOCIATED INFORMATION SECURITY MEASURES OR
CONTROLS ON BUSINESS CONFIDENTIALITY, AND TO PROTECT INDIVIDUAL  PRIVACY
AND CIVIL LIBERTIES; AND
  (IX)  ENGAGE IN THE REVIEW OF THREAT AND VULNERABILITY INFORMATION AND
TECHNICAL EXPERTISE.
  (L) THE REGULATIONS SHALL ADDITIONALLY ESTABLISH A VOLUNTARY  CRITICAL
INFRASTRUCTURE  CYBER  SECURITY  PROGRAM  TO SUPPORT THE ADOPTION OF THE
CYBER SECURITY FRAMEWORK BY OWNERS AND OPERATORS OF CRITICAL INFRASTRUC-
TURE AND ANY OTHER INTERESTED ENTITIES, WHERE UNDER THIS PROGRAM  IMPLE-
MENTATION  GUIDANCE  OR  SUPPLEMENTAL  MATERIALS  WOULD  BE DEVELOPED TO
ADDRESS SECTOR-SPECIFIC RISKS AND OPERATING ENVIRONMENTS, AND  RECOMMEND
LEGISLATION FOR ENACTMENT TO ADDRESS CYBER SECURITY ISSUES.
  (M)  IN DEVELOPING THE NEW YORK STATE CYBER SECURITY INFORMATION SHAR-
ING AND ANALYSIS PROGRAM IN  ACCORDANCE  WITH  THE  PROVISIONS  OF  THIS
SUBDIVISION,  THE  DIVISION OF HOMELAND SECURITY AND EMERGENCY SERVICES,
IN CONSULTATION WITH THE DIVISION OF STATE POLICE, THE STATE  OFFICE  OF
INFORMATION  TECHNOLOGY  SERVICES, AND THE CENTER FOR INTERNET SECURITY,
SHALL PRODUCE AND SUBMIT A REPORT, TO THE GOVERNOR, THE TEMPORARY PRESI-
DENT OF THE SENATE, AND THE SPEAKER OF THE ASSEMBLY, MAKING  RECOMMENDA-
TIONS  ON  THE  FEASIBILITY,  SECURITY  BENEFITS, AND RELATIVE MERITS OF
INCORPORATING SECURITY STANDARDS INTO ACQUISITION PLANNING AND  CONTRACT
ADMINISTRATION.  SUCH  REPORT  SHALL  FURTHER  ADDRESS WHAT STEPS CAN BE

S. 3407--A                          5

TAKEN TO HARMONIZE AND MAKE CONSISTENT EXISTING PROCUREMENT REQUIREMENTS
RELATED TO CYBER SECURITY AND THE FEASIBILITY  OF  INCLUDING  RISK-BASED
SECURITY STANDARDS INTO PROCUREMENT AND CONTRACT ADMINISTRATION.
  5.  NEW YORK STATE CYBER SECURITY CRITICAL INFRASTRUCTURE RISK ASSESS-
MENT REPORT.  (A)  THE  DIVISION  OF  HOMELAND  SECURITY  AND  EMERGENCY
SERVICES,  IN  CONSULTATION WITH THE DIVISION OF STATE POLICE, THE STATE
OFFICE OF INFORMATION TECHNOLOGY SERVICES, AND THE CENTER  FOR  INTERNET
SECURITY,  WITHIN  ONE HUNDRED TWENTY DAYS OF THE EFFECTIVE DATE OF THIS
SECTION, SHALL PRODUCE A NEW YORK STATE CYBER SECURITY CRITICAL  INFRAS-
TRUCTURE RISK ASSESSMENT REPORT.
  (B)  THE  PRODUCTION  OF  THE  NEW  YORK STATE CYBER SECURITY CRITICAL
INFRASTRUCTURE RISK ASSESSMENT REPORT SHALL USE A RISK-BASED APPROACH TO
IDENTIFY CRITICAL INFRASTRUCTURE WHERE A CYBER SECURITY  INCIDENT  COULD
REASONABLY  RESULT  IN  CATASTROPHIC  REGIONAL  OR STATE-WIDE EFFECTS ON
PUBLIC HEALTH OR  SAFETY,  ECONOMIC  DISTRESS,  AND/OR  THREATEN  PUBLIC
PROTECTION OF THE PEOPLE AND/OR PROPERTY OF NEW YORK STATE.
  (C)  THE  PRODUCTION  OF THE REPORT SHALL FURTHER USE THE CONSULTATIVE
PROCESS AND DRAW UPON THE EXPERTISE OF AND ADVICE  OF  THE  DIVISION  OF
HOMELAND  SECURITY AND EMERGENCY SERVICES, THE DIVISION OF STATE POLICE,
THE STATE OFFICE OF INFORMATION  TECHNOLOGY  SERVICES,  THE  CENTER  FOR
INTERNET SECURITY, THE NEW YORK STATE CYBER SECURITY ADVISORY BOARD, THE
PROGRAMS ESTABLISHED BY THIS SECTION, AND SUCH OTHER AND FURTHER PRIVATE
AND  PUBLIC SECTOR ENTITIES, UNIVERSITIES, AND CYBER SECURITY EXPERTS AS
THE DIVISION OF  HOMELAND  SECURITY  AND  EMERGENCY  SERVICES  MAY  DEEM
PRUDENT.
  (D)  THE  NEW  YORK  STATE CYBER SECURITY CRITICAL INFRASTRUCTURE RISK
ASSESSMENT REPORT SHALL BE DELIVERED  TO  THE  GOVERNOR,  THE  TEMPORARY
PRESIDENT  OF  THE SENATE, THE SPEAKER OF THE ASSEMBLY, THE CHAIR OF THE
SENATE STANDING COMMITTEE ON VETERANS, HOMELAND  SECURITY  AND  MILITARY
AFFAIRS,  AND  THE  CHAIR  OF THE ASSEMBLY STANDING COMMITTEE ON GOVERN-
MENTAL OPERATIONS.
  (E) WHERE COMPLIANCE WITH THIS SECTION SHALL REQUIRE THE DISCLOSURE OF
CONFIDENTIAL INFORMATION, OR THE  DISCLOSURE  OF  SENSITIVE  INFORMATION
WHICH  IN  THE  JUDGMENT OF THE COMMISSIONER OF THE DIVISION OF HOMELAND
SECURITY AND EMERGENCY SERVICES WOULD JEOPARDIZE THE CYBER  SECURITY  OF
THE STATE:
  (I)  SUCH  CONFIDENTIAL  OR SENSITIVE INFORMATION SHALL BE PROVIDED TO
THE PERSONS ENTITLED TO RECEIVE THE REPORT, IN THE  FORM  OF  A  SUPPLE-
MENTAL APPENDIX TO THE REPORT; AND
  (II)  SUCH SUPPLEMENTAL APPENDIX TO THE REPORT SHALL NOT BE SUBJECT TO
THE PROVISIONS OF THE FREEDOM OF INFORMATION LAW PURSUANT TO ARTICLE SIX
OF THE PUBLIC OFFICERS LAW; AND
  (III) THE PERSONS ENTITLED TO RECEIVE  THE  REPORT  MAY  DISCLOSE  THE
SUPPLEMENTAL  APPENDIX  TO  THE  REPORT TO THEIR PROFESSIONAL STAFF, BUT
SHALL NOT OTHERWISE PUBLICLY DISCLOSE SUCH CONFIDENTIAL OR SECURE INFOR-
MATION.
  S 2. This act shall take effect immediately.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Find your Senator and share your views on important issues.

Do you support this bill?

Senate Bill S3407A

Sponsored By

Archive: Last Bill Status - In Assembly Committee

Actions

Votes

May 4, 2016 - Floor Vote

Floor Vote: May 4, 2016

Feb 25, 2015 - Floor Vote

Floor Vote: Feb 25, 2015

Jan 11, 2016 - Veterans, Homeland Security And Military Affairs Committee Vote

Veterans, Homeland Security And Military Affairs Committee Vote: Jan 11, 2016

Feb 9, 2015 - Rules Committee Vote

Rules Committee Vote: Feb 9, 2015

Apr 11, 2016 - Finance Committee Vote

Finance Committee Vote: Apr 11, 2016

Bill Amendments

co-Sponsors

2015-S3407 - Details

2015-S3407 - Summary

2015-S3407 - Sponsor Memo

2015-S3407 - Bill Text download pdf

co-Sponsors

2015-S3407A (ACTIVE) - Details

2015-S3407A (ACTIVE) - Summary

2015-S3407A (ACTIVE) - Sponsor Memo

2015-S3407A (ACTIVE) - Bill Text download pdf

Comments

Do you support this bill?

Get Status Alerts for 2015-S3407A

Senate Bill S3407A

Share this bill

Sponsored By

Archive: Last Bill Status - In Assembly Committee

Actions

Votes

Bill Amendments

co-Sponsors

2015-S3407 - Details

2015-S3407 - Summary

2015-S3407 - Sponsor Memo

2015-S3407 - Bill Text download pdf

co-Sponsors

2015-S3407A (ACTIVE) - Details

2015-S3407A (ACTIVE) - Summary

2015-S3407A (ACTIVE) - Sponsor Memo

2015-S3407A (ACTIVE) - Bill Text download pdf

Comments