S T A T E O F N E W Y O R K
________________________________________________________________________
2652
2021-2022 Regular Sessions
I N S E N A T E
January 22, 2021
___________
Introduced by Sen. SAVINO -- read twice and ordered printed, and when
printed to be committed to the Committee on Internet and Technology
AN ACT to amend the state technology law, in relation to requiring
governmental entities to implement multifactor authentication for
local and network remote access
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
BLY, DO ENACT AS FOLLOWS:
Section 1. Section 202 of the state technology law is amended by
adding two new subdivisions 9 and 10 to read as follows:
9. "GOVERNMENTAL ENTITY" SHALL MEAN ANY STATE OR LOCAL DEPARTMENT,
BOARD, BUREAU, DIVISION, COMMISSION, COMMITTEE, SCHOOL DISTRICT, PUBLIC
AUTHORITY, PUBLIC BENEFIT CORPORATION, COUNCIL OR OFFICE, INCLUDING ALL
ENTITIES DEFINED PURSUANT TO SECTION TWO OF THE PUBLIC AUTHORITIES LAW.
SUCH TERM SHALL INCLUDE THE STATE UNIVERSITY OF NEW YORK AND THE CITY
UNIVERSITY OF NEW YORK. FURTHER, SUCH TERM SHALL INCLUDE ANY COUNTY,
CITY, TOWN OR VILLAGE BUT SHALL NOT INCLUDE THE JUDICIARY OR STATE AND
LOCAL LEGISLATURES.
10. "MULTIFACTOR AUTHENTICATION" SHALL MEAN USING TWO OR MORE DIFFER-
ENT TYPES OF IDENTIFICATION CREDENTIALS TO ACHIEVE AUTHENTICATION. THE
TYPES OF IDENTIFICATION CREDENTIALS SHALL INCLUDE:
(A) KNOWLEDGE-BASED CREDENTIALS, WHICH IS A KNOWLEDGE-BASED AUTHENTI-
CATION THAT REQUIRES THE USER TO PROVIDE INFORMATION THAT THEY KNOW SUCH
AS PASSWORDS OR PINS;
(B) POSSESSION-BASED CREDENTIALS, WHICH IS AUTHENTICATION THAT
REQUIRES INDIVIDUALS TO HAVE SOMETHING SPECIFIC IN THEIR POSSESSION,
SUCH AS SECURITY TOKENS, KEY FOBS, SIM CARDS OR SMARTPHONE APPLICATIONS;
AND
(C) INHERENCE-BASED CREDENTIALS, WHICH IS AUTHENTICATION THAT REQUIRES
USER-SPECIFIC BIOLOGICAL TRAITS TO CONFIRM IDENTITY FOR LOGIN, SUCH AS
FINGERPRINTS OR FACIAL RECOGNITION.
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD08845-01-1
S. 2652 2
§ 2. The state technology law is amended by adding two new sections
209 and 210 to read as follows:
§ 209. MULTIFACTOR AUTHENTICATION. 1. MULTIFACTOR AUTHENTICATION
REQUIREMENT. EVERY GOVERNMENTAL ENTITY SHALL IMPLEMENT MULTIFACTOR
AUTHENTICATION FOR LOCAL AND REMOTE NETWORK ACCESS TO ANY EMAIL
ACCOUNTS, CLOUD STORAGE ACCOUNTS, WEB APPLICATIONS, NETWORKS, DATABASES,
OR SERVERS, MAINTAINED BY SUCH ENTITY OR ON BEHALF OF SUCH ENTITY, FOR
THE EMPLOYEES AND OFFICERS OF SUCH ENTITY OR FOR ANY OTHER INDIVIDUALS
PROVIDING SERVICES TO OR ON BEHALF OF SUCH ENTITY.
2. TECHNICAL STANDARD. THE OFFICE SHALL PROMULGATE RULES TO ESTABLISH
STANDARD TECHNICAL REQUIREMENTS FOR GOVERNMENTAL ENTITIES FOR COMPLYING
WITH SUBDIVISION ONE OF THIS SECTION. SUCH RULES SHALL INCLUDE
PROVISIONS REGARDING COMPLIANCE FOR INDIVIDUALS WITH DISABILITIES OR
SPECIAL NEEDS. FOR THE PURPOSES OF THIS SUBDIVISION, THE OFFICE MAY USE
AND REFER TO THE GUIDELINES PROVIDED BY THE NATIONAL INSTITUTE OF STAND-
ARDS AND TECHNOLOGY, THE FEDERAL RISK AND AUTHORIZATION MANAGEMENT
PROGRAM (FEDRAMP), THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF
2002 (FISMA) AND THE DEFENSE FEDERAL ACQUISITION REGULATION SUPPLEMENT
(DFARS).
3. WAIVERS. THE OFFICE, UPON APPLICATION BY A GOVERNMENTAL ENTITY, MAY
COMPLETELY OR PARTIALLY WAIVE THE REQUIREMENTS OF THIS SECTION FOR SUCH
GOVERNMENTAL ENTITY. SUCH WAIVER SHALL BE VALID FOR NO LONGER THAN TWO
YEARS AND SHALL BE REAPPROVED AFTER EXPIRATION. THE OFFICE SHALL PROMUL-
GATE RULES TO ESTABLISH THE APPLICATION PROCESS AND CRITERIA FOR SUCH
WAIVERS.
§ 210. PUBLIC WEBSITE ENCRYPTION. EVERY WEBSITE MAINTAINED BY OR ON
BEHALF OF A GOVERNMENTAL ENTITY SHALL ENCRYPT ALL EXCHANGES AND TRANS-
FERS BETWEEN A WEB SERVER, MAINTAINED BY OR ON BEHALF OF A GOVERNMENTAL
ENTITY, AND A WEB BROWSER OF HYPERTEXT OR OF ELECTRONIC INFORMATION, AND
REQUIRE WEB BROWSERS TO REQUEST SUCH ENCRYPTED EXCHANGE OR TRANSFER AT
ALL TIMES FOR SUCH WEBSITES, PROVIDED THAT SUCH ENCRYPTION SHALL NOT BE
REQUIRED IF SUCH EXCHANGES OR TRANSFERS ARE CONDUCTED IN A MANNER THAT
PROVIDES AT LEAST AN EQUIVALENT LEVEL OF CONFIDENTIALITY, DATA INTEGRITY
AND AUTHENTICATION.
§ 3. This act shall take effect one year after it shall have become a
law. Effective immediately, the addition, amendment, and/or repeal of
any rule or regulation necessary for the implementation of this act on
its effective date are authorized to be made and completed on or before
such effective date.