NY State Senate Bill 2023-S6474

Senate Bill S6474

2023-2024 Legislative Session

Relates to requiring governmental entities to implement multifactor authentication for local and remote network access

download bill text pdf

Current Bill Status - In Senate Committee Internet And Technology Committee

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

	Assembly Actions - Lowercase Senate Actions - UPPERCASE
Jan 03, 2024	referred to internet and technology
May 22, 2023	reported and committed to finance
Apr 21, 2023	referred to internet and technology

Votes

- May 23, 2023 - Internet And Technology Committee Vote
  S6474
  
  5
  
  Aye
  
  1
  
  Nay
  
  1
  
  Aye with Reservations
  
  0
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  - - Internet And Technology Committee Vote: May 23, 2023
      
      aye (5)
      
      Brouk
      
      Comrie
      
      Gonzalez
      
      Parker
      
      Ryan
      
      nay (1)
      
      Walczyk
      
      aye wr (1)
      
      Stec

2023-S6474 (ACTIVE) - Details

See Assembly Version of this Bill:: A7331
Current Committee:: Senate Internet And Technology
Law Section:: State Technology Law
Laws Affected:: Amd §202, add §§210 - 212, St Tech L
Versions Introduced in 2021-2022 Legislative Session:: S2652

2023-S6474 (ACTIVE) - Summary

Requires governmental entities to implement multifactor authentication for local and remote network access; requires public websites to encrypt all exchanges and to comply with privacy standards.

2023-S6474 (ACTIVE) - Sponsor Memo

                                 
BILL NUMBER: S6474

SPONSOR: GONZALEZ
 
TITLE OF BILL:

An act to amend the state technology law, in relation to requiring
governmental entities to implement multifactor authentication for local
and remote network access

 
PURPOSE:

Amends the State Technology Law to require all government entities in
the State to require multifactor authentication for access to the serv-
ers, email or official applications used by their employees or agents.

 
SUMMARY OF PROVISIONS:

Section 1 adds new subdivisions 9 and 10 to Section 202 of the State
Technology Law, which sets definitions for the terms "governmental enti-
ty" and "multifactor authentication."

Section 2 adds new sections 210, 211, and 212 to the state technology

law.

Section 210 adds multifactor authentication requirements and provides
for technical standards and waivers.

Section 211 adds privacy requirements regarding the use of inherence-
based multifactor authentication.

Section 212 adds encryption requirements for all government websites.

Section 3 sets the effective date.

 
JUSTIFICATION:

Cyberattacks on public entities are occurring with increasing frequency.
In Microsoft's 2021 cybersecurity report, 48% of all cybersecurity
attacks targeted government entities. Since 2017, more than 3,600 local,
state, and tribal governments across the country have been targeted by
ransomware hackers, which is just one type of cyberattack. Lapses in
cybersecurity could require the state's most essential services to
decide between paying expensive ransoms or losing access to systems.

Multifactor authentication (MFA) can significantly reduce the vulner-
ability of public systems. According to Google, multifactor can prevent
100% of automated bots, up to 99% of bulk phishing attacks and up to 90%
of targeted attacks. According to Microsoft, an account is 99.9% less
likely to be compromised when using MFA. Therefore requiring the use of
MFA at sensitive governmental institutions is an important step the
state can take to improve its cybersecurity preparedness.

Importantly, MFA is cost effective to implement due to the connectivity
of devices and web applications. Requiring governmental agencies to use
this technology is a low-cost proposition that can greatly increase
protection against cyberattacks.

 
LEGISLATIVE HISTORY:

2021-2022: New bill S2652; referred to Internet and Technology Commit-
tee; referred to Finance

 
FISCAL IMPLICATIONS:

To be determined.

 
EFFECTIVE DATE:
This act shall take effect one year after becoming law.

2023-S6474 (ACTIVE) - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   6474
 
                        2023-2024 Regular Sessions
 
                             I N  S E N A T E
 
                              April 21, 2023
                                ___________
 
 Introduced  by Sen. GONZALEZ -- read twice and ordered printed, and when
   printed to be committed to the Committee on Internet and Technology
 
 AN ACT to amend the state  technology  law,  in  relation  to  requiring
   governmental  entities  to  implement  multifactor  authentication for
   local and remote network access

   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section  1.  Section  202  of  the  state technology law is amended by
 adding two new subdivisions 9 and 10 to read as follows:
   9. "GOVERNMENTAL ENTITY" SHALL MEAN ANY  STATE  OR  LOCAL  DEPARTMENT,
 BOARD,  BUREAU, DIVISION, COMMISSION, COMMITTEE, SCHOOL DISTRICT, PUBLIC
 AUTHORITY, PUBLIC BENEFIT CORPORATION, COUNCIL OR OFFICE, INCLUDING  ALL
 ENTITIES  DEFINED PURSUANT TO SECTION TWO OF THE PUBLIC AUTHORITIES LAW.
 SUCH TERM SHALL INCLUDE THE STATE UNIVERSITY OF NEW YORK  AND  THE  CITY
 UNIVERSITY  OF  NEW  YORK.  FURTHER, SUCH TERM SHALL INCLUDE ANY COUNTY,
 CITY, TOWN OR VILLAGE BUT SHALL NOT INCLUDE THE JUDICIARY OR  STATE  AND
 LOCAL LEGISLATURES.
   10.  "MULTIFACTOR AUTHENTICATION" SHALL MEAN USING TWO OR MORE DIFFER-
 ENT TYPES OF IDENTIFICATION CREDENTIALS TO ACHIEVE  AUTHENTICATION.  THE
 TYPES OF IDENTIFICATION CREDENTIALS SHALL INCLUDE:
   (A)  KNOWLEDGE-BASED CREDENTIALS, WHICH IS A KNOWLEDGE-BASED AUTHENTI-
 CATION THAT REQUIRES THE USER TO PROVIDE INFORMATION THAT THEY KNOW SUCH
 AS PASSWORDS OR PINS;
   (B)  POSSESSION-BASED  CREDENTIALS,  WHICH  IS   AUTHENTICATION   THAT
 REQUIRES  INDIVIDUALS  TO  HAVE  SOMETHING SPECIFIC IN THEIR POSSESSION,
 SUCH AS SECURITY TOKENS, KEY FOBS, SIM CARDS OR SMARTPHONE APPLICATIONS;
 AND
   (C) INHERENCE-BASED CREDENTIALS, WHICH IS AUTHENTICATION THAT REQUIRES
 USER-SPECIFIC BIOLOGICAL TRAITS TO CONFIRM IDENTITY FOR LOGIN,  SUCH  AS
 FINGERPRINTS OR FACIAL RECOGNITION.
   §  2. The state technology law is amended by adding three new sections
 210, 211, and 212 to read as follows:
   §  210.  MULTIFACTOR  AUTHENTICATION.  1.  MULTIFACTOR  AUTHENTICATION
 REQUIREMENT.  EVERY  GOVERNMENTAL  ENTITY  SHALL  IMPLEMENT  MULTIFACTOR

  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD09003-02-3
 S. 6474                             2
 
 AUTHENTICATION  FOR  LOCAL  AND  REMOTE  NETWORK  ACCESS  TO  ANY  EMAIL
 ACCOUNTS, CLOUD STORAGE ACCOUNTS, WEB APPLICATIONS, NETWORKS, DATABASES,
 OR  SERVERS,  MAINTAINED BY SUCH ENTITY OR ON BEHALF OF SUCH ENTITY, FOR
 THE  EMPLOYEES  AND OFFICERS OF SUCH ENTITY OR FOR ANY OTHER INDIVIDUALS
 PROVIDING SERVICES TO OR ON BEHALF OF SUCH ENTITY.
   2. TECHNICAL STANDARD. THE OFFICE SHALL PROMULGATE RULES TO  ESTABLISH
 STANDARD  TECHNICAL REQUIREMENTS FOR GOVERNMENTAL ENTITIES FOR COMPLYING
 WITH SUBDIVISION ONE OF THIS SECTION. SUCH  RULES  SHALL  INCLUDE  REGU-
 LATIONS  ADDRESSING INHERENCE-BASED CREDENTIALS INCLUDING PROPER STORAGE
 OF TRAITS RELATING TO USER-SPECIFIC BIOLOGICAL TRAITS.  SUCH RULES SHALL
 ADDITIONALLY INCLUDE PROVISIONS  REGARDING  COMPLIANCE  FOR  INDIVIDUALS
 WITH  DISABILITIES  OR SPECIAL NEEDS.  FOR THE PURPOSES OF THIS SUBDIVI-
 SION, THE OFFICE MAY USE AND REFER TO THE  GUIDELINES  PROVIDED  BY  THE
 NATIONAL  INSTITUTE  OF  STANDARDS  AND TECHNOLOGY, THE FEDERAL RISK AND
 AUTHORIZATION MANAGEMENT  PROGRAM  (FEDRAMP),  THE  FEDERAL  INFORMATION
 SECURITY MANAGEMENT ACT OF 2002 (FISMA) AND THE DEFENSE FEDERAL ACQUISI-
 TION REGULATION SUPPLEMENT (DFARS).
   3. WAIVERS. THE OFFICE, UPON APPLICATION BY A GOVERNMENTAL ENTITY, MAY
 COMPLETELY  OR PARTIALLY WAIVE THE REQUIREMENTS OF THIS SECTION FOR SUCH
 GOVERNMENTAL ENTITY. SUCH WAIVER SHALL BE VALID FOR NO LONGER  THAN  TWO
 YEARS AND SHALL BE REAPPROVED AFTER EXPIRATION. THE OFFICE SHALL PROMUL-
 GATE  RULES  TO  ESTABLISH THE APPLICATION PROCESS AND CRITERIA FOR SUCH
 WAIVERS.
   § 211. PRIVACY REQUIREMENTS. THIS SECTION SHALL APPLY TO  THE  USE  OF
 MULTIFACTOR  AUTHENTICATION  AT GOVERNMENTAL ENTITIES AND TO ANY VENDORS
 AND/OR THIRD-PARTY CONTRACTORS ADMINISTERING THE MULTIFACTOR AUTHENTICA-
 TION ON BEHALF OF THE GOVERNMENTAL ENTITY.
   1. NO GOVERNMENTAL ENTITY SHALL REQUIRE THE USE OF AN  INHERENCE-BASED
 CREDENTIAL TO ACCESS LOCAL AND/OR REMOTE NETWORK ACCESS.
   2.  NO GOVERNMENTAL ENTITY THAT FACILITATES THE USE OF INHERENCE-BASED
 CREDENTIALS TO ACCESS LOCAL AND REMOTE  NETWORK  ACCESS  SHALL  SELL  OR
 MONETIZE SUCH DATA.
   3.  NO GOVERNMENTAL ENTITY THAT FACILITATES THE USE OF INHERENCE-BASED
 CREDENTIALS TO ACCESS LOCAL AND REMOTE NETWORK ACCESS SHALL  SHARE  SUCH
 DATA WITH LAW ENFORCEMENT WITHOUT A WARRANT.
   4.  ANY GOVERNMENTAL ENTITY AND ANY APPLICABLE THIRD-PARTY CONTRACTORS
 THAT FACILITATE THE USE OF INHERENCE-BASED CREDENTIALS  SHALL  AGREE  TO
 COMPLY  WITH  THE  STANDARDS ESTABLISHED BY THE OFFICE AND ALL STATUTORY
 PRIVACY STANDARDS.
   § 212. PUBLIC WEBSITE ENCRYPTION. EVERY WEBSITE MAINTAINED  BY  OR  ON
 BEHALF  OF  A GOVERNMENTAL ENTITY SHALL ENCRYPT ALL EXCHANGES AND TRANS-
 FERS BETWEEN A WEB SERVER, MAINTAINED BY OR ON BEHALF OF A  GOVERNMENTAL
 ENTITY, AND A WEB BROWSER OF HYPERTEXT OR OF ELECTRONIC INFORMATION, AND
 REQUIRE  WEB  BROWSERS TO REQUEST SUCH ENCRYPTED EXCHANGE OR TRANSFER AT
 ALL TIMES FOR SUCH WEBSITES, PROVIDED THAT SUCH ENCRYPTION SHALL NOT  BE
 REQUIRED  IF  SUCH EXCHANGES OR TRANSFERS ARE CONDUCTED IN A MANNER THAT
 PROVIDES AT LEAST AN EQUIVALENT LEVEL OF CONFIDENTIALITY, DATA INTEGRITY
 AND AUTHENTICATION.
   § 3. This act shall take effect one year after it shall have become  a
 law.  Effective  immediately,  the addition, amendment, and/or repeal of
 any rule or regulation necessary for the implementation of this  act  on
 its  effective date are authorized to be made and completed on or before
 such effective date.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.