S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   2652
 
                        2021-2022 Regular Sessions
 
                             I N  S E N A T E
 
                             January 22, 2021
                                ___________
 
 Introduced  by  Sen.  SAVINO -- read twice and ordered printed, and when
   printed to be committed to the Committee on Internet and Technology
 
 AN ACT to amend the state  technology  law,  in  relation  to  requiring
   governmental  entities  to  implement  multifactor  authentication for
   local and network remote access
   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section  1.  Section  202  of  the  state technology law is amended by
 adding two new subdivisions 9 and 10 to read as follows:
   9. "GOVERNMENTAL ENTITY" SHALL MEAN ANY  STATE  OR  LOCAL  DEPARTMENT,
 BOARD,  BUREAU, DIVISION, COMMISSION, COMMITTEE, SCHOOL DISTRICT, PUBLIC
 AUTHORITY, PUBLIC BENEFIT CORPORATION, COUNCIL OR OFFICE, INCLUDING  ALL
 ENTITIES  DEFINED PURSUANT TO SECTION TWO OF THE PUBLIC AUTHORITIES LAW.
 SUCH TERM SHALL INCLUDE THE STATE UNIVERSITY OF NEW YORK  AND  THE  CITY
 UNIVERSITY  OF  NEW  YORK.  FURTHER, SUCH TERM SHALL INCLUDE ANY COUNTY,
 CITY, TOWN OR VILLAGE BUT SHALL NOT INCLUDE THE JUDICIARY OR  STATE  AND
 LOCAL LEGISLATURES.
   10.  "MULTIFACTOR AUTHENTICATION" SHALL MEAN USING TWO OR MORE DIFFER-
 ENT TYPES OF IDENTIFICATION CREDENTIALS TO ACHIEVE  AUTHENTICATION.  THE
 TYPES OF IDENTIFICATION CREDENTIALS SHALL INCLUDE:
   (A)  KNOWLEDGE-BASED CREDENTIALS, WHICH IS A KNOWLEDGE-BASED AUTHENTI-
 CATION THAT REQUIRES THE USER TO PROVIDE INFORMATION THAT THEY KNOW SUCH
 AS PASSWORDS OR PINS;
   (B)  POSSESSION-BASED  CREDENTIALS,  WHICH  IS   AUTHENTICATION   THAT
 REQUIRES  INDIVIDUALS  TO  HAVE  SOMETHING SPECIFIC IN THEIR POSSESSION,
 SUCH AS SECURITY TOKENS, KEY FOBS, SIM CARDS OR SMARTPHONE APPLICATIONS;
 AND
   (C) INHERENCE-BASED CREDENTIALS, WHICH IS AUTHENTICATION THAT REQUIRES
 USER-SPECIFIC BIOLOGICAL TRAITS TO CONFIRM IDENTITY FOR LOGIN,  SUCH  AS
 FINGERPRINTS OR FACIAL RECOGNITION.
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD08845-01-1
 
   §  2.  The  state technology law is amended by adding two new sections
 209 and 210 to read as follows:
   §  209.  MULTIFACTOR  AUTHENTICATION.  1.  MULTIFACTOR  AUTHENTICATION
 REQUIREMENT.  EVERY  GOVERNMENTAL  ENTITY  SHALL  IMPLEMENT  MULTIFACTOR
 AUTHENTICATION  FOR  LOCAL  AND  REMOTE  NETWORK  ACCESS  TO  ANY  EMAIL
 ACCOUNTS, CLOUD STORAGE ACCOUNTS, WEB APPLICATIONS, NETWORKS, DATABASES,
 OR SERVERS, MAINTAINED BY SUCH ENTITY OR ON BEHALF OF SUCH  ENTITY,  FOR
 THE  EMPLOYEES  AND OFFICERS OF SUCH ENTITY OR FOR ANY OTHER INDIVIDUALS
 PROVIDING SERVICES TO OR ON BEHALF OF SUCH ENTITY.
   2. TECHNICAL STANDARD. THE OFFICE SHALL PROMULGATE RULES TO  ESTABLISH
 STANDARD  TECHNICAL REQUIREMENTS FOR GOVERNMENTAL ENTITIES FOR COMPLYING
 WITH  SUBDIVISION  ONE  OF  THIS  SECTION.  SUCH  RULES  SHALL   INCLUDE
 PROVISIONS  REGARDING  COMPLIANCE  FOR  INDIVIDUALS WITH DISABILITIES OR
 SPECIAL NEEDS.  FOR THE PURPOSES OF THIS SUBDIVISION, THE OFFICE MAY USE
 AND REFER TO THE GUIDELINES PROVIDED BY THE NATIONAL INSTITUTE OF STAND-
 ARDS AND TECHNOLOGY,  THE  FEDERAL  RISK  AND  AUTHORIZATION  MANAGEMENT
 PROGRAM  (FEDRAMP),  THE  FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF
 2002 (FISMA) AND THE DEFENSE FEDERAL ACQUISITION  REGULATION  SUPPLEMENT
 (DFARS).
   3. WAIVERS. THE OFFICE, UPON APPLICATION BY A GOVERNMENTAL ENTITY, MAY
 COMPLETELY  OR PARTIALLY WAIVE THE REQUIREMENTS OF THIS SECTION FOR SUCH
 GOVERNMENTAL ENTITY. SUCH WAIVER SHALL BE VALID FOR NO LONGER  THAN  TWO
 YEARS AND SHALL BE REAPPROVED AFTER EXPIRATION. THE OFFICE SHALL PROMUL-
 GATE  RULES  TO  ESTABLISH THE APPLICATION PROCESS AND CRITERIA FOR SUCH
 WAIVERS.
   § 210. PUBLIC WEBSITE ENCRYPTION. EVERY WEBSITE MAINTAINED  BY  OR  ON
 BEHALF  OF  A GOVERNMENTAL ENTITY SHALL ENCRYPT ALL EXCHANGES AND TRANS-
 FERS BETWEEN A WEB SERVER, MAINTAINED BY OR ON BEHALF OF A  GOVERNMENTAL
 ENTITY, AND A WEB BROWSER OF HYPERTEXT OR OF ELECTRONIC INFORMATION, AND
 REQUIRE  WEB  BROWSERS TO REQUEST SUCH ENCRYPTED EXCHANGE OR TRANSFER AT
 ALL TIMES FOR SUCH WEBSITES, PROVIDED THAT SUCH ENCRYPTION SHALL NOT  BE
 REQUIRED  IF  SUCH EXCHANGES OR TRANSFERS ARE CONDUCTED IN A MANNER THAT
 PROVIDES AT LEAST AN EQUIVALENT LEVEL OF CONFIDENTIALITY, DATA INTEGRITY
 AND AUTHENTICATION.
   § 3. This act shall take effect one year after it shall have become  a
 law.  Effective  immediately,  the addition, amendment, and/or repeal of
 any rule or regulation necessary for the implementation of this  act  on
 its  effective date are authorized to be made and completed on or before
 such effective date.