[First Reprint]

ASSEMBLY, No. 4936

STATE OF NEW JERSEY

217th LEGISLATURE

INTRODUCED JUNE 5, 2017

Sponsored by:

Assemblywoman  ANNETTE QUIJANO

District 20 (Union)

Assemblywoman  ANNETTE CHAPARRO

District 33 (Hudson)

SYNOPSIS

     Requires State, county, and municipal employees and certain State contractors to complete cybersecurity awareness training.

CURRENT VERSION OF TEXT

     As reported by the Assembly Homeland Security and State Preparedness Committee on June 15, 2017, with amendments.

An Act requiring State, county, and municipal employees and certain State contractors to complete cybersecurity awareness training and supplementing various parts of the statutory law. 

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

     1.    All State officers and employees in a State agency in the Executive Branch and in the Judicial Branch of State government shall complete a cybersecurity awareness training program at least once in each calendar year.  An officer and employee shall verify completion of the program in the manner specified by the Chief Technology Officer, or a designee, of the New Jersey Office of Information Technology. 

     The Chief Technology Officer, or a designee, shall approve the format and content of the program.  The program shall be provided online.  The program may include content which ¹[in particular]¹ addresses ¹[the situations of]¹certain identified groups of officers or employees, such as those who are involved in contracting processes.

     The Chief Technology Officer shall require ¹[the conduct of]¹ periodic audits by appropriate persons or agencies to ensure compliance with the requirement set forth in this section.

     As used in this section¹[,] :¹

     "State agency in the Executive Branch" means any of the principal departments in the Executive Branch of ¹[the]¹ State ¹[Government] government¹, and any division, board, bureau, office, commission, or other instrumentality within or created by ¹[such] a¹ department, and any independent State authority, commission, instrumentality, or agency, including any public institution of higher education¹[; and] .¹

     "State officer and employee" means a person employed and compensated to serve in a full time or part time capacity.

     2.    All county and municipal officers and employees shall complete, at least once in each calendar year, the cybersecurity awareness training program approved by the Chief Technology Officer, or a designee, pursuant to section 1 of P.L.   , c.        (C.    ) (pending before the ¹[legislature] Legislature¹ as this bill).  An officer and employee shall verify completion of the program to the governing body of each county and municipality, as appropriate.  The governing body of each county and municipality, as appropriate, shall report completion of the program to the Chief Technology Officer, or a designee. 

     The governing body of each county and municipality, as appropriate, shall require ¹[the conduct of]¹ periodic audits by appropriate persons to ensure compliance with the requirement set forth in this section ¹[by officers and employees in the county and municipality, as appropriate]¹.

     As used in this section¹[, "county"] :

     "County"¹ means any county of any class of this State, and any authority, commission, agency, or instrumentality of a county.

      ¹["municipality"] "Municipality"¹ means any city of any class, any town, township, village, or borough of this State, other than a county or a school district, and any authority, commission, agency, or instrumentality of a municipality.

     3.    The members of the Legislature and the State officers and employees in the Legislative Branch of State government shall complete, at least once in each calendar year, the cybersecurity awareness training program approved by the Chief Technology Officer, or a designee, pursuant to section 1 of P.L.   , c.        (C.    ) (pending before the ¹[legislature] Legislature¹ as this bill).  A member, officer, and employee shall verify completion of the program to the Office of Legislative Services.  The Office of Legislative Services shall report completion of the program to the Chief Technology Officer, or a designee.  The President of the Senate, Speaker of the General Assembly, and Executive Director of the Office of Legislative Services shall require ¹[the conduct of]¹ periodic audits by appropriate persons to ensure compliance with the requirement set forth in this section ¹[by members, officers, and employees in the Senate, in the General Assembly, and in the Office of Legislative Services, as appropriate]¹.

     4.    Notwithstanding any other provision of law to the contrary, a State contractor and a subcontractor of ¹[such]¹ a  ¹State¹ contractor, and an officer and employee of the contractor and subcontractor, who has access to a computer system of the State or a database of the State shall complete the cybersecurity awareness training program approved by the Chief Technology Officer, or a designee, pursuant to section 1 of P.L.   , c.        (C.    ) (pending before the ¹[legislature] Legislature¹ as this bill), except that the Chief Technology Officer, or a designee, may include content in the program which ¹[in particular]¹ addresses ¹[the situations of such]¹ contractors and their officers and employees.  The program shall be completed once by each contractor, subcontractor, officer, and employee during each contract period and each renewal period.

     The completion of the program shall be required by the terms and conditions of the contract or agreement awarded by the State.  Each contractor, subcontractor, officer, and employee shall verify completion of the program in the manner specified by the Chief Technology Officer, or a designee.  The State contract manager, or a designee, shall report completion of the program to the Chief Technology Officer, or a designee.  The State contract manager, or a designee, shall conduct periodic audits to ensure compliance ¹[by contractors, subcontractors, officers, and employees]¹ with the requirement set forth in this section. 

     The requirement of this section shall apply to contracts awarded or renewed after the effective date of P.L.    , c.       (pending before the Legislature as this bill).

     5.    This act shall take effect on the 90th day following enactment, except that the Chief Technology Officer may take such anticipatory administrative action in advance as shall be necessary for the implementation of this act.