NY State Senate Bill 2017-S924

Senate Bill S924

2017-2018 Legislative Session

Requires the formation of a cyber security advisory board and the implementation of a cyber security initiative

download bill text pdf

Archive: Last Bill Status - In Senate Committee Rules Committee

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

	Assembly Actions - Lowercase Senate Actions - UPPERCASE
Jun 20, 2018	committed to rules
May 31, 2018	advanced to third reading
May 30, 2018	2nd report cal.
May 22, 2018	1st report cal.1331
Jan 22, 2018	reported and committed to finance
Jan 03, 2018	referred to veterans, homeland security and military affairs returned to senate died in assembly
Jun 15, 2017	referred to governmental operations delivered to assembly passed senate ordered to third reading cal.1772 committee discharged and committed to rules
Feb 14, 2017	reported and committed to finance
Jan 05, 2017	referred to veterans, homeland security and military affairs

Votes

- Jun 15, 2017 - Floor Vote
  S924
  
  60
  
  Aye
  
  0
  
  Nay
  
  0
  
  Absent
  
  3
  
  Excused
  
  0
  
  Abstained
  - - Floor Vote: Jun 15, 2017
      
      aye (60)
      
      Addabbo Jr.
      
      Akshar
      
      Alcantara
      
      Amedore
      
      Avella
      
      Benjamin
      
      Bonacic
      
      Boyle
      
      Breslin
      
      Brooks
      
      Carlucci
      
      Comrie
      
      Croci
      
      DeFrancisco
      
      Dilan
      
      Felder
      
      Flanagan
      
      Funke
      
      Gallivan
      
      Gianaris
      
      Golden
      
      Griffo
      
      Hamilton
      
      Hannon
      
      Helming
      
      Hoylman-Sigal
      
      Jacobs
      
      Kaminsky
      
      Kennedy
      
      Klein
      
      Krueger
      
      LaValle
      
      Lanza
      
      Larkin
      
      Latimer
      
      Little
      
      Marchione
      
      Montgomery
      
      Murphy
      
      O'Mara
      
      Ortt
      
      Parker
      
      Peralta
      
      Persaud
      
      Phillips
      
      Ranzenhofer
      
      Ritchie
      
      Rivera
      
      Robach
      
      Sanders Jr.
      
      Savino
      
      Serino
      
      Serrano
      
      Seward
      
      Squadron
      
      Stavisky
      
      Stewart-Cousins
      
      Tedisco
      
      Valesky
      
      Young
      
      excused (3)
      
      Bailey
      
      Diaz
      
      Marcellino
  Jan 22, 2018 - Veterans, Homeland Security And Military Affairs Committee Vote
  S924
  
  13
  
  Aye
  
  0
  
  Nay
  
  0
  
  Aye with Reservations
  
  0
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  - - Veterans, Homeland Security And Military Affairs Committee Vote: Jan 22, 2018
      
      aye (13)
      
      Addabbo Jr.
      
      Amedore
      
      Carlucci
      
      Comrie
      
      Croci
      
      Felder
      
      Golden
      
      Jacobs
      
      Kaminsky
      
      Larkin
      
      Marchione
      
      Ortt
      
      Sanders Jr.
  Feb 13, 2017 - Veterans, Homeland Security And Military Affairs Committee Vote
  S924
  
  13
  
  Aye
  
  0
  
  Nay
  
  0
  
  Aye with Reservations
  
  0
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  - - Veterans, Homeland Security And Military Affairs Committee Vote: Feb 13, 2017
      
      aye (13)
      
      Addabbo Jr.
      
      Amedore
      
      Carlucci
      
      Comrie
      
      Croci
      
      Felder
      
      Golden
      
      Jacobs
      
      Kaminsky
      
      Larkin
      
      Marchione
      
      Ortt
      
      Sanders Jr.
  Jun 15, 2017 - Rules Committee Vote
  S924
  
  25
  
  Aye
  
  0
  
  Nay
  
  0
  
  Aye with Reservations
  
  0
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  - - Rules Committee Vote: Jun 15, 2017
      
      aye (25)
      
      Bonacic
      
      Breslin
      
      Carlucci
      
      DeFrancisco
      
      Dilan
      
      Flanagan
      
      Gianaris
      
      Griffo
      
      Hannon
      
      Kennedy
      
      Krueger
      
      LaValle
      
      Lanza
      
      Larkin
      
      Little
      
      Montgomery
      
      Parker
      
      Ranzenhofer
      
      Robach
      
      Savino
      
      Seward
      
      Squadron
      
      Stewart-Cousins
      
      Valesky
      
      Young
  May 22, 2018 - Finance Committee Vote
  S924
  
  31
  
  Aye
  
  2
  
  Nay
  
  4
  
  Aye with Reservations
  
  0
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  - - Finance Committee Vote: May 22, 2018
      
      aye (31)
      
      Avella
      
      Benjamin
      
      Bonacic
      
      Boyle
      
      Breslin
      
      Carlucci
      
      Comrie
      
      Dilan
      
      Felder
      
      Gallivan
      
      Golden
      
      Hannon
      
      Kaminsky
      
      Kennedy
      
      LaValle
      
      Lanza
      
      Larkin
      
      Little
      
      Marcellino
      
      Marchione
      
      Montgomery
      
      O'Mara
      
      Parker
      
      Peralta
      
      Ranzenhofer
      
      Ritchie
      
      Robach
      
      Seward
      
      Stavisky
      
      Valesky
      
      Young
      
      nay (2)
      
      Bailey
      
      Krueger
      
      aye wr (4)
      
      Griffo
      
      Persaud
      
      Rivera
      
      Savino

co-Sponsors

View additional co-sponsors

2017-S924 (ACTIVE) - Details

See Assembly Version of this Bill:: A3448
Current Committee:: Senate Rules
Law Section:: Executive Law
Laws Affected:: Add §719, Exec L
Versions Introduced in 2015-2016 Legislative Session:: S3407, A6130

2017-S924 (ACTIVE) - Summary

Requires the formation of a cyber security advisory board and the implementation of a cyber security initiative.

2017-S924 (ACTIVE) - Sponsor Memo

                                 BILL NUMBER:  S924

 TITLE OF BILL :

An act to amend the executive law, in relation to a cyber security
initiative

 PURPOSE OR GENERAL IDEA OF BILL :

This bill would amend the executive law to establish the New York
State Cyber Security Initiative, to create a New York State Cyber
Security Advisory Board, a New York Cyber Security Partnership
Program, and a New York State Cyber Security Information Sharing
Program.

 SUMMARY OF SPECIFIC PROVISIONS :

This bill would add a new section to the executive law to establish
the New York State Cyber Security Initiative.  Specifically, this new
section would:

*Make legislative findings;

*Define "critical infrastructure and information systems";

*Establish within the division of homeland security (DHSES), a Cyber

Security Advisory Board to make recommendations for protecting the
state's critical infrastructure and information systems;

*Establish within DHSES, a Cyber Security Sharing and Threat
Prevention Program, designed to increase the volume, timeliness, and
quality of cyber threat information shared with the public and private
sector; and

*Require DHSES, in consultation with the State Police, the Office of
Information Technology Services, and the Center for Internet Security,
to issue a New York State Cyber Security Critical Infrastructure Risk
Assessment Report, identifying critical infrastructure and where a
cyber security incident could reasonably result in catastrophic
regional or state-wide effects on public:  health or safety, economic
distress, and/or threaten public protection of the people and/or
property of New York State.

 JUSTIFICATION :

According to the such entities as the United States Department of
Homeland Security, Interpol and the New York State White Collar Crime
Task Force, cybercrime is a pervasive and rapidly expanding threat.
New York state is particularly at risk to cybercrime due to its status
as a global hub of international business and commerce. As most major
national and international banks, insurance companies and brokerage
houses also have headquarters or a significant presence within the
state, such present a particularly attractive target to those who wish
to engage in cyber crime or cyber terrorism.

By establishing a Cyber Security Advisory Board in state law, New York
State can identify ways to protect the state's critical infrastructure
and information systems. Innovative, actionable policies developed by
the Advisory Board will further ensure that New York state is in the
forefront of public cyber security defense.

Modeled after a successful federal initiative, the Information Sharing
and Threat Prevention Program, established by this bill, seeks to
assist both the public and private sector to develop practices that
will better protect and defend their interests against cyber threats.
Finally, the Risk Assessment Report, required under this legislation,
will additionally allow New York, to leverage the expertise and advice
of experienced and knowledgeable professionals, to identify security
threats that are facing the state and its businesses and citizens, and
develop effective ways to combat them.

 PRIOR LEGISLATIVE HISTORY :

This is a new bill.

 FISCAL IMPLICATIONS :

None noted.

 EFFECTIVE DATE :
This act would take effect immediately.

2017-S924 (ACTIVE) - Bill Text download pdf

                            
 
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                    924
 
                        2017-2018 Regular Sessions
 
                             I N  S E N A T E
 
                              January 5, 2017
                                ___________
 
 Introduced by Sens. CROCI, AKSHAR, AVELLA, DeFRANCISCO, FUNKE, GOLDEN --
   read  twice  and  ordered printed, and when printed to be committed to
   the Committee on Veterans, Homeland Security and Military Affairs
 
 AN ACT to amend the executive law,  in  relation  to  a  cyber  security
   initiative

   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. The executive law is amended by adding a new section 719 to
 read as follows:
   § 719. NEW YORK STATE CYBER SECURITY INITIATIVE.  1. LEGISLATIVE FIND-
 INGS. THE LEGISLATURE FINDS AND DECLARES THAT REPEATED CYBER  INTRUSIONS
 INTO CRITICAL INFRASTRUCTURE, EFFECTING GOVERNMENT, PRIVATE SECTOR BUSI-
 NESS,  AND CITIZENS OF THE STATE OF NEW YORK, HAVE DEMONSTRATED THE NEED
 FOR IMPROVED CYBER SECURITY.
   THE LEGISLATURE FURTHER FINDS AND  DECLARES  THAT  THIS  CYBER  THREAT
 CONTINUES TO GROW AND REPRESENTS ONE OF THE MOST SERIOUS PUBLIC SECURITY
 CHALLENGES  THAT  NEW  YORK MUST CONFRONT. MOREOVER, THE SECURITY OF THE
 STATE OF NEW YORK DEPENDS  ON  THE  RELIABLE  FUNCTIONING  OF  NEW  YORK
 STATE'S  CRITICAL INFRASTRUCTURE, AND PRIVATE SECTOR BUSINESS INTERESTS,
 AS WELL AS THE PROTECTION OF THE FINANCES AND  INDIVIDUAL  LIBERTIES  OF
 EVERY CITIZEN, IN THE FACE OF SUCH THREATS.
   THE  LEGISLATURE  ADDITIONALLY  FINDS AND DECLARES THAT TO ENHANCE THE
 SECURITY, PROTECTION AND RESILIENCE OF NEW YORK STATE'S CRITICAL INFRAS-
 TRUCTURE,  AND  PRIVATE  SECTOR  BUSINESS  INTERESTS,  AS  WELL  AS  THE
 PROTECTION  OF  THE  FINANCES AND INDIVIDUAL LIBERTIES OF EVERY CITIZEN,
 THE STATE OF NEW YORK MUST PROMOTE A CYBER ENVIRONMENT  THAT  ENCOURAGES
 EFFICIENCY,  INNOVATION,  AND  ECONOMIC PROSPERITY, AND THAT CAN OPERATE
 WITH SAFETY, SECURITY,  BUSINESS  CONFIDENTIALITY,  PRIVACY,  AND  CIVIL
 LIBERTY.
   THE  LEGISLATURE FURTHER FINDS AND DECLARES THAT TO CREATE SUCH A SAFE
 AND SECURE CYBER ENVIRONMENT FOR GOVERNMENT, PRIVATE SECTOR BUSINESS AND
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.

                                                            LBD02129-01-7

 S. 924                              2
 
 INDIVIDUAL CITIZENS, NEW YORK MUST ADVANCE, IN ADDITION TO  ITS  CURRENT
 EFFORTS  IN THIS FIELD, A NEW YORK STATE CYBER SECURITY INITIATIVE, THAT
 ESTABLISHES A NEW YORK STATE CYBER SECURITY ADVISORY BOARD; A  NEW  YORK
 STATE  CYBER  SECURITY PARTNERSHIP PROGRAM WITH THE OWNERS AND OPERATORS
 OF CRITICAL INFRASTRUCTURE, PRIVATE SECTOR BUSINESS, ACADEMIA, AND INDI-
 VIDUAL CITIZENS TO IMPROVE, DEVELOP AND IMPLEMENT  RISK-BASED  STANDARDS
 FOR GOVERNMENT, PRIVATE SECTOR BUSINESSES AND INDIVIDUAL CITIZENS; AND A
 NEW YORK STATE CYBER SECURITY INFORMATION SHARING PROGRAM.
   2.  CRITICAL  INFRASTRUCTURE  AND INFORMATION SYSTEMS. AS USED IN THIS
 SECTION, THE TERM  "CRITICAL  INFRASTRUCTURE  AND  INFORMATION  SYSTEMS"
 SHALL MEAN ALL SYSTEMS AND ASSETS, WHETHER PHYSICAL OR VIRTUAL, SO VITAL
 TO  THE GOVERNMENT, PRIVATE SECTOR BUSINESSES AND INDIVIDUAL CITIZENS OF
 THE STATE OF NEW YORK THAT THE INCAPACITY OR DESTRUCTION OF SUCH SYSTEMS
 AND ASSETS WOULD HAVE A DEBILITATING IMPACT TO THE SECURITY, ECONOMY, OR
 PUBLIC HEALTH OF THE INDIVIDUAL CITIZENS, GOVERNMENT, OR PRIVATE  SECTOR
 BUSINESSES OF THE STATE OF NEW YORK.
   3.  NEW  YORK  STATE CYBER SECURITY ADVISORY BOARD. (A) THERE SHALL BE
 WITHIN THE DIVISION OF HOMELAND SECURITY AND EMERGENCY SERVICES,  A  NEW
 YORK  STATE CYBER SECURITY ADVISORY BOARD, WHICH SHALL ADVISE THE GOVER-
 NOR AND THE LEGISLATURE ON  DEVELOPMENTS  IN  CYBER  SECURITY  AND  MAKE
 RECOMMENDATIONS  FOR  PROTECTING THE STATE'S CRITICAL INFRASTRUCTURE AND
 INFORMATION SYSTEMS.
   (B) THE BOARD MEMBERS SHALL CONSIST OF ELEVEN MEMBERS APPOINTED BY THE
 GOVERNOR, WITH THREE MEMBERS APPOINTED UPON RECOMMENDATION OF THE TEMPO-
 RARY PRESIDENT OF THE SENATE, AND THREE MEMBERS APPOINTED AT THE  RECOM-
 MENDATION OF THE SPEAKER OF THE ASSEMBLY. ALL MEMBERS SO APPOINTED SHALL
 HAVE  EXPERTISE  IN CYBER SECURITY, TELECOMMUNICATIONS, INTERNET SERVICE
 DELIVERY, PUBLIC PROTECTION, COMPUTER SYSTEMS AND/OR COMPUTER NETWORKS.
   (C) THE BOARD SHALL  INVESTIGATE,  DISCUSS  AND  MAKE  RECOMMENDATIONS
 CONCERNING  CYBER  SECURITY ISSUES INVOLVING BOTH THE PUBLIC AND PRIVATE
 SECTORS AND WHAT STEPS CAN BE TAKEN BY NEW YORK STATE TO  PROTECT  CRIT-
 ICAL   CYBER   INFRASTRUCTURE,   FINANCIAL  SYSTEMS,  TELECOMMUNICATIONS
 NETWORKS, ELECTRICAL GRIDS, SECURITY SYSTEMS,  FIRST  RESPONDER  SYSTEMS
 AND  INFRASTRUCTURE,  PHYSICAL  INFRASTRUCTURE  SYSTEMS,  TRANSPORTATION
 SYSTEMS, AND SUCH OTHER AND FURTHER SECTORS OF STATE GOVERNMENT AND  THE
 PRIVATE SECTOR AS THE ADVISORY BOARD SHALL DEEM PRUDENT.
   (D) THE PURPOSE OF THE ADVISORY BOARD SHALL BE TO PROMOTE THE DEVELOP-
 MENT OF INNOVATIVE, ACTIONABLE POLICIES TO ENSURE THAT NEW YORK STATE IS
 IN THE FOREFRONT OF PUBLIC CYBER SECURITY DEFENSE.
   (E)  THE  MEMBERS  OF THE ADVISORY BOARD SHALL RECEIVE NO COMPENSATION
 FOR THEIR SERVICES, BUT MAY RECEIVE ACTUAL AND NECESSARY  EXPENSES,  AND
 SHALL NOT BE DISQUALIFIED FOR HOLDING ANY OTHER PUBLIC OFFICE OR EMPLOY-
 MENT BY MEANS OF THEIR SERVICE AS A MEMBER OF THE ADVISORY BOARD.
   (F)  THE  ADVISORY BOARD SHALL BE ENTITLED TO REQUEST AND RECEIVE, AND
 SHALL BE PROVIDED WITH, SUCH FACILITIES, RESOURCES AND DATA OF ANY AGEN-
 CY, DEPARTMENT, DIVISION, BOARD, BUREAU, COMMISSION, OR PUBLIC AUTHORITY
 OF THE STATE, AS THEY MAY REASONABLY  REQUEST,  TO  CARRY  OUT  PROPERLY
 THEIR POWERS, DUTIES AND PURPOSE.
   4.  NEW  YORK  STATE  CYBER  SECURITY INFORMATION SHARING AND ANALYSIS
 PROGRAM. (A) THE DIVISION OF HOMELAND SECURITY AND  EMERGENCY  SERVICES,
 IN  CONSULTATION WITH THE DIVISION OF THE STATE POLICE, THE STATE OFFICE
 OF INFORMATION TECHNOLOGY SERVICES, AND THE CENTER FOR INTERNET  SECURI-
 TY,  SHALL  ESTABLISH,  WITHIN  SIXTY DAYS OF THE EFFECTIVE DATE OF THIS
 SECTION, A VOLUNTARY NEW YORK STATE CYBER SECURITY  INFORMATION  SHARING
 AND ANALYSIS PROGRAM.

 S. 924                              3

   (B)  IT  SHALL  BE  THE  PURPOSE  OF THE NEW YORK STATE CYBER SECURITY
 INFORMATION SHARING AND ANALYSIS PROGRAM TO INCREASE THE VOLUME, TIMELI-
 NESS, AND QUALITY OF CYBER THREAT INFORMATION SHARED WITH NEW YORK STATE
 PUBLIC AND PRIVATE SECTOR ENTITIES SO THAT  THESE  ENTITIES  MAY  BETTER
 PROTECT  AND  DEFEND THEMSELVES AGAINST CYBER THREATS AND TO PROMOTE THE
 DEVELOPMENT OF EFFECTIVE DEFENSES AND STRATEGIES TO COMBAT, AND  PROTECT
 AGAINST, CYBER THREATS AND ATTACKS.
   (C)  TO  FACILITATE  THE PURPOSES OF THE NEW YORK STATE CYBER SECURITY
 INFORMATION SHARING AND ANALYSIS PROGRAM, THE DIVISION OF HOMELAND SECU-
 RITY AND EMERGENCY SERVICES, SHALL PROMULGATE REGULATIONS, IN ACCORDANCE
 WITH THE PROVISIONS OF THIS SUBDIVISION.
   (D) THE REGULATIONS SHALL PROVIDE FOR THE TIMELY PRODUCTION OF UNCLAS-
 SIFIED REPORTS OF CYBER THREATS TO NEW YORK STATE  AND  ITS  PUBLIC  AND
 PRIVATE  SECTOR  ENTITIES,  INCLUDING  THREATS  THAT IDENTIFY A SPECIFIC
 TARGETED ENTITY.
   (E) THE REGULATIONS SHALL ADDRESS THE NEED TO PROTECT INTELLIGENCE AND
 LAW ENFORCEMENT SOURCES, METHODS, OPERATIONS,  AND  INVESTIGATIONS,  AND
 SHALL  FURTHER ESTABLISH A PROCESS THAT RAPIDLY DISSEMINATES THE REPORTS
 PRODUCED PURSUANT TO PARAGRAPH (D) OF  THIS  SUBDIVISION,  TO  BOTH  ANY
 TARGETED  ENTITY  AS  WELL  AS SUCH OTHER AND FURTHER PUBLIC AND PRIVATE
 ENTITIES AS THE DIVISION SHALL DEEM NECESSARY TO ADVANCE THE PURPOSES OF
 THIS SUBDIVISION.
   (F) THE REGULATIONS SHALL PROVIDE FOR PROTECTIONS FROM  LIABILITY  FOR
 ENTITIES SHARING AND RECEIVING INFORMATION WITH THE NEW YORK STATE CYBER
 SECURITY  INFORMATION  AND ANALYSIS PROGRAM, SO LONG AS THE ENTITY ACTED
 IN GOOD FAITH.
   (G) THE REGULATIONS SHALL FURTHER ESTABLISH A SYSTEM FOR TRACKING  THE
 PRODUCTION,  DISSEMINATION,  AND  DISPOSITION OF THE REPORTS PRODUCED IN
 ACCORDANCE WITH THE PROVISIONS OF THIS SUBDIVISION.
   (H) THE REGULATIONS SHALL ALSO ESTABLISH AN  ENHANCED  CYBER  SECURITY
 SERVICES  PROGRAM,  WITHIN  NEW  YORK  STATE, TO PROVIDE FOR PROCEDURES,
 METHODS AND DIRECTIVES, FOR A  VOLUNTARY  INFORMATION  SHARING  PROGRAM,
 THAT  WILL PROVIDE CYBER THREAT AND TECHNICAL INFORMATION COLLECTED FROM
 BOTH PUBLIC AND PRIVATE SECTOR ENTITIES,  TO  SUCH  PRIVATE  AND  PUBLIC
 SECTOR  ENTITIES AS THE DIVISION DEEMS PRUDENT, TO ADVISE ELIGIBLE CRIT-
 ICAL INFRASTRUCTURE COMPANIES OR COMMERCIAL SERVICE PROVIDERS THAT OFFER
 SECURITY SERVICES TO CRITICAL INFRASTRUCTURE ON CYBER  SECURITY  THREATS
 AND DEFENSE MEASURES.
   (I)  THE REGULATIONS SHALL ALSO SEEK TO DEVELOP STRATEGIES TO MAXIMIZE
 THE UTILITY OF CYBER THREAT INFORMATION SHARING BETWEEN AND  ACROSS  THE
 PRIVATE AND PUBLIC SECTORS, AND SHALL FURTHER SEEK TO PROMOTE THE USE OF
 PRIVATE  AND PUBLIC SECTOR SUBJECT MATTER EXPERTS TO ADDRESS CYBER SECU-
 RITY NEEDS IN NEW YORK STATE, WITH THESE SUBJECT MATTER EXPERTS  PROVID-
 ING  ADVICE  REGARDING  THE CONTENT, STRUCTURE, AND TYPES OF INFORMATION
 MOST USEFUL TO CRITICAL INFRASTRUCTURE OWNERS AND OPERATORS IN  REDUCING
 AND MITIGATING CYBER RISKS.
   (J)  THE  REGULATIONS  SHALL  FURTHER SEEK TO ESTABLISH A CONSULTATIVE
 PROCESS TO COORDINATE IMPROVEMENTS TO THE  CYBER  SECURITY  OF  CRITICAL
 INFRASTRUCTURE,  WHERE  AS  PART OF THE CONSULTATIVE PROCESS, THE PUBLIC
 AND PRIVATE ENTITIES OF THE STATE OF NEW YORK SHALL ENGAGE AND  CONSIDER
 THE  ADVICE OF THE DIVISION OF HOMELAND SECURITY AND EMERGENCY SERVICES,
 THE DIVISION OF THE STATE POLICE, THE STATE OFFICE OF INFORMATION  TECH-
 NOLOGY  SERVICES,  THE  CENTER FOR INTERNET SECURITY, THE NEW YORK STATE
 CYBER SECURITY ADVISORY BOARD, THE PROGRAMS ESTABLISHED BY THIS SUBDIVI-
 SION, AND SUCH OTHER AND FURTHER PRIVATE  AND  PUBLIC  SECTOR  ENTITIES,

 S. 924                              4
 
 UNIVERSITIES,  AND  CYBER  SECURITY  EXPERTS AS THE DIVISION OF HOMELAND
 SECURITY AND EMERGENCY SERVICES MAY DEEM PRUDENT.
   (K)  THE REGULATIONS SHALL FURTHER SEEK TO ESTABLISH A BASELINE FRAME-
 WORK TO REDUCE CYBER RISK TO CRITICAL INFRASTRUCTURE, AND SHALL SEEK  TO
 HAVE  THE  DIVISION  OF  HOMELAND  SECURITY  AND  EMERGENCY SERVICES, IN
 CONSULTATION WITH THE DIVISION OF STATE  POLICE,  THE  STATE  OFFICE  OF
 INFORMATION  TECHNOLOGY  SERVICES, AND THE CENTER FOR INTERNET SECURITY,
 LEAD THE DEVELOPMENT OF A VOLUNTARY FRAMEWORK TO REDUCE CYBER  RISKS  TO
 CRITICAL  INFRASTRUCTURE,  TO  BE KNOWN AS THE CYBER SECURITY FRAMEWORK,
 WHICH SHALL:
   (I) INCLUDE A SET OF STANDARDS, METHODOLOGIES, PROCEDURES,  AND  PROC-
 ESSES  THAT  ALIGN  POLICY,  BUSINESS,  AND  TECHNOLOGICAL APPROACHES TO
 ADDRESS CYBER RISKS;
   (II) INCORPORATE VOLUNTARY CONSENSUS STANDARDS AND INDUSTRY BEST PRAC-
 TICES TO THE FULLEST EXTENT POSSIBLE;
   (III) PROVIDE A PRIORITIZED, FLEXIBLE, REPEATABLE,  PERFORMANCE-BASED,
 AND COST-EFFECTIVE APPROACH, INCLUDING INFORMATION SECURITY MEASURES AND
 CONTROLS,  TO HELP OWNERS AND OPERATORS OF CRITICAL INFRASTRUCTURE IDEN-
 TIFY, ASSESS, AND MANAGE CYBER RISK;
   (IV) FOCUS ON IDENTIFYING CROSS-SECTOR SECURITY STANDARDS  AND  GUIDE-
 LINES APPLICABLE TO CRITICAL INFRASTRUCTURE;
   (V)  IDENTIFY  AREAS  FOR IMPROVEMENT THAT SHOULD BE ADDRESSED THROUGH
 FUTURE COLLABORATION WITH PARTICULAR  SECTORS  AND  STANDARDS-DEVELOPING
 ORGANIZATIONS;
   (VI)  ENABLE  TECHNICAL  INNOVATION  AND  ACCOUNT  FOR  ORGANIZATIONAL
 DIFFERENCES, TO PROVIDE GUIDANCE THAT IS  TECHNOLOGY  NEUTRAL  AND  THAT
 ENABLES  CRITICAL  INFRASTRUCTURE  SECTORS TO BENEFIT FROM A COMPETITIVE
 MARKET FOR PRODUCTS AND SERVICES THAT MEET THE STANDARDS, METHODOLOGIES,
 PROCEDURES, AND PROCESSES DEVELOPED TO ADDRESS CYBER RISKS;
   (VII) INCLUDE GUIDANCE FOR MEASURING THE PERFORMANCE OF AN  ENTITY  IN
 IMPLEMENTING THE CYBER SECURITY FRAMEWORK;
   (VIII)  INCLUDE  METHODOLOGIES TO IDENTIFY AND MITIGATE IMPACTS OF THE
 CYBER SECURITY FRAMEWORK AND ASSOCIATED INFORMATION SECURITY MEASURES OR
 CONTROLS ON BUSINESS CONFIDENTIALITY, AND TO PROTECT INDIVIDUAL  PRIVACY
 AND CIVIL LIBERTIES; AND
   (IX)  ENGAGE IN THE REVIEW OF THREAT AND VULNERABILITY INFORMATION AND
 TECHNICAL EXPERTISE.
   (L) THE REGULATIONS SHALL ADDITIONALLY ESTABLISH A VOLUNTARY  CRITICAL
 INFRASTRUCTURE  CYBER  SECURITY  PROGRAM  TO SUPPORT THE ADOPTION OF THE
 CYBER SECURITY FRAMEWORK BY OWNERS AND OPERATORS OF CRITICAL INFRASTRUC-
 TURE AND ANY OTHER INTERESTED ENTITIES, WHERE UNDER THIS PROGRAM  IMPLE-
 MENTATION  GUIDANCE  OR  SUPPLEMENTAL  MATERIALS  WOULD  BE DEVELOPED TO
 ADDRESS SECTOR-SPECIFIC RISKS AND OPERATING ENVIRONMENTS, AND  RECOMMEND
 LEGISLATION FOR ENACTMENT TO ADDRESS CYBER SECURITY ISSUES.
   (M)  IN DEVELOPING THE NEW YORK STATE CYBER SECURITY INFORMATION SHAR-
 ING AND ANALYSIS PROGRAM IN  ACCORDANCE  WITH  THE  PROVISIONS  OF  THIS
 SUBDIVISION,  THE  DIVISION OF HOMELAND SECURITY AND EMERGENCY SERVICES,
 IN CONSULTATION WITH THE DIVISION OF STATE POLICE, THE STATE  OFFICE  OF
 INFORMATION  TECHNOLOGY  SERVICES, AND THE CENTER FOR INTERNET SECURITY,
 SHALL PRODUCE AND SUBMIT A REPORT, TO THE GOVERNOR, THE TEMPORARY PRESI-
 DENT OF THE SENATE, AND THE SPEAKER OF THE ASSEMBLY, MAKING  RECOMMENDA-
 TIONS  ON  THE  FEASIBILITY,  SECURITY  BENEFITS, AND RELATIVE MERITS OF
 INCORPORATING SECURITY STANDARDS INTO ACQUISITION PLANNING AND  CONTRACT
 ADMINISTRATION.  SUCH  REPORT  SHALL  FURTHER  ADDRESS WHAT STEPS CAN BE
 TAKEN TO HARMONIZE AND MAKE CONSISTENT EXISTING PROCUREMENT REQUIREMENTS

 S. 924                              5
 
 RELATED TO CYBER SECURITY AND THE FEASIBILITY  OF  INCLUDING  RISK-BASED
 SECURITY STANDARDS INTO PROCUREMENT AND CONTRACT ADMINISTRATION.
   5.  NEW YORK STATE CYBER SECURITY CRITICAL INFRASTRUCTURE RISK ASSESS-
 MENT REPORT.  (A)  THE  DIVISION  OF  HOMELAND  SECURITY  AND  EMERGENCY
 SERVICES,  IN  CONSULTATION WITH THE DIVISION OF STATE POLICE, THE STATE
 OFFICE OF INFORMATION TECHNOLOGY SERVICES, AND THE CENTER  FOR  INTERNET
 SECURITY,  WITHIN  ONE HUNDRED TWENTY DAYS OF THE EFFECTIVE DATE OF THIS
 SECTION, SHALL PRODUCE A NEW YORK STATE CYBER SECURITY CRITICAL  INFRAS-
 TRUCTURE RISK ASSESSMENT REPORT.
   (B)  THE  PRODUCTION  OF  THE  NEW  YORK STATE CYBER SECURITY CRITICAL
 INFRASTRUCTURE RISK ASSESSMENT REPORT SHALL USE A RISK-BASED APPROACH TO
 IDENTIFY CRITICAL INFRASTRUCTURE WHERE A CYBER SECURITY  INCIDENT  COULD
 REASONABLY  RESULT  IN  CATASTROPHIC  REGIONAL  OR STATE-WIDE EFFECTS ON
 PUBLIC HEALTH OR  SAFETY,  ECONOMIC  DISTRESS,  AND/OR  THREATEN  PUBLIC
 PROTECTION OF THE PEOPLE AND/OR PROPERTY OF NEW YORK STATE.
   (C)  THE  PRODUCTION  OF THE REPORT SHALL FURTHER USE THE CONSULTATIVE
 PROCESS AND DRAW UPON THE EXPERTISE OF AND ADVICE  OF  THE  DIVISION  OF
 HOMELAND  SECURITY AND EMERGENCY SERVICES, THE DIVISION OF STATE POLICE,
 THE STATE OFFICE OF INFORMATION  TECHNOLOGY  SERVICES,  THE  CENTER  FOR
 INTERNET SECURITY, THE NEW YORK STATE CYBER SECURITY ADVISORY BOARD, THE
 PROGRAMS ESTABLISHED BY THIS SECTION, AND SUCH OTHER AND FURTHER PRIVATE
 AND  PUBLIC SECTOR ENTITIES, UNIVERSITIES, AND CYBER SECURITY EXPERTS AS
 THE DIVISION OF  HOMELAND  SECURITY  AND  EMERGENCY  SERVICES  MAY  DEEM
 PRUDENT.
   (D)  THE  NEW  YORK  STATE CYBER SECURITY CRITICAL INFRASTRUCTURE RISK
 ASSESSMENT REPORT SHALL BE DELIVERED  TO  THE  GOVERNOR,  THE  TEMPORARY
 PRESIDENT  OF  THE SENATE, THE SPEAKER OF THE ASSEMBLY, THE CHAIR OF THE
 SENATE STANDING COMMITTEE ON VETERANS, HOMELAND  SECURITY  AND  MILITARY
 AFFAIRS,  AND  THE  CHAIR  OF THE ASSEMBLY STANDING COMMITTEE ON GOVERN-
 MENTAL OPERATIONS.
   (E) WHERE COMPLIANCE WITH THIS SECTION SHALL REQUIRE THE DISCLOSURE OF
 CONFIDENTIAL INFORMATION, OR THE  DISCLOSURE  OF  SENSITIVE  INFORMATION
 WHICH  IN  THE  JUDGMENT OF THE COMMISSIONER OF THE DIVISION OF HOMELAND
 SECURITY AND EMERGENCY SERVICES WOULD JEOPARDIZE THE CYBER  SECURITY  OF
 THE STATE:
   (I)  SUCH  CONFIDENTIAL  OR SENSITIVE INFORMATION SHALL BE PROVIDED TO
 THE PERSONS ENTITLED TO RECEIVE THE REPORT, IN THE  FORM  OF  A  SUPPLE-
 MENTAL APPENDIX TO THE REPORT; AND
   (II)  SUCH SUPPLEMENTAL APPENDIX TO THE REPORT SHALL NOT BE SUBJECT TO
 THE PROVISIONS OF THE FREEDOM OF INFORMATION LAW PURSUANT TO ARTICLE SIX
 OF THE PUBLIC OFFICERS LAW; AND
   (III) THE PERSONS ENTITLED TO RECEIVE  THE  REPORT  MAY  DISCLOSE  THE
 SUPPLEMENTAL  APPENDIX  TO  THE  REPORT TO THEIR PROFESSIONAL STAFF, BUT
 SHALL NOT OTHERWISE PUBLICLY DISCLOSE SUCH CONFIDENTIAL OR SECURE INFOR-
 MATION.
   § 2. This act shall take effect immediately.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.