Bill Text: NJ S647 | 2020-2021 | Regular Session | Amended


Bill Title: Revises cybersecurity, asset management, and related reporting requirements in "Water Quality Accountability Act."

Spectrum: Partisan Bill (Democrat 4-0)

Status: (Engrossed) 2021-03-17 - Reported out of Assembly Comm. with Amendments, 2nd Reading

[Fourth Reprint]

 

SENATE COMMITTEE SUBSTITUTE FOR

SENATE, No. 647

STATE OF NEW JERSEY

219th LEGISLATURE

  ADOPTED JANUARY 27, 2020

Sponsored by:

Senator  LINDA R. GREENSTEIN

District 14 (Mercer and Middlesex)

Senator  TROY SINGLETON

District 7 (Burlington)

 

Co-Sponsored by:

Senators Ruiz and Pou

SYNOPSIS

     Revises cybersecurity, asset management, and related reporting requirements in "Water Quality Accountability Act."

 

CURRENT VERSION OF TEXT

     As reported by the Assembly Appropriations Committee on March 17, 2021, with amendments.

 


An Act concerning cybersecurity and asset management at public 2community2 water systems and amending and supplementing P.L.2017, c.133.

 

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

 

      1.   Section 2 of P.L.2017, c.133 (C.58:31-2) is amended to read as follows:

      2.   As used in 2[this act] P.L.2017, c.133 (C.58:31-1 et seq.)2 :

      "Board" means the Board of Public Utilities.

      "Cybersecurity incident" means an event occurring on or conducted through a computer network that jeopardizes the integrity, confidentiality, or availability of computers, information 1[or] systems,1 communications systems 1[or] ,1 networks, physical or virtual infrastructure controlled by computers or information systems, or information residing thereon. 

      3"3 1Cybersecurity insurance policy" means an insurance policy designed to mitigate losses from cybersecurity incidents, including, but not limited to, data breaches, business interruption, and network damage.1

      "Department" means the Department of Environmental Protection.

      "Industrial control system" means an information system used to control industrial processes such as manufacturing, product handling, production, or distribution.  "Industrial control system" includes supervisory control and data acquisition systems used to control geographically dispersed assets, and distributed control systems and smaller control systems using programmable logic controllers to control localized processes.

      "Information resource" means information and related resources, such as personnel, equipment, funds, and information technology.

      "Information system" means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

      2"New Jersey Cybersecurity and Communications Integration Cell" means the New Jersey Cybersecurity and Communications Integration Cell established pursuant to Executive Order No. 178 (2015) in the New Jersey Office of Homeland Security and Preparedness, or any successor entity.

      "Public community water system" means the same as that term is defined in subsection l. of section 3 of P.L.1977, c.224 (C.58:12A-3).2

      "Public water system" means the same as the term is defined in section 3 of P.L.1977, c.224 (C.58:12A-3).

      "Water purveyor" means any person that owns a public 2community2 water system with more than 500 service connections.

(cf:  P.L.2017, c.133, s.2)

 

     2.   Section 4 of P.L.2017, c.133 (C.58:31-4) is amended to read as follows: 

     4.   a.  Within 120 days after the effective date of [this act] P.L.2017, c.133 (C.58:31-1 et seq.), each water purveyor shall develop a cybersecurity program, in accordance with requirements established by the 2[board] New Jersey Cybersecurity and Communications Integration Cell2 , as rules and regulations adopted pursuant to the "Administrative Procedure Act," P.L.1968, c.410 (C.52:14B-1 et seq.), that defines and implements organization accountabilities and responsibilities for cyber risk management activities, and establishes policies, plans, processes, and procedures for identifying and mitigating cyber risk to its public 2community2 water system.  As part of the 1cybersecurity1 program, a water purveyor shall 1: identify the individual chiefly responsible for ensuring that the policies, plans, processes, and procedures established pursuant to this section are executed in a timely manner;1 conduct risk assessments and implement appropriate controls to mitigate identified risks to the public 2community2 water system 1[,] ;1 maintain situational awareness of cyber threats and vulnerabilities to the public 2community2 water system 1[,] ;1 and create and exercise incident response and recovery plans.  No later than 1[120] 1801 days after the effective date of P.L.    , c.   (C.        ) (pending before the Legislature as this bill), a water purveyor shall update its cybersecurity program to conform to the requirements of section 3 of P.L.    , c.   (C.        )(pending before the Legislature as this bill).

     A 1water purveyor shall submit a1 copy of the 1cybersecurity1 program developed pursuant to this subsection 1[shall be provided]1 to 2[1the board, the department, and1]2 the New Jersey Cybersecurity and Communications Integration Cell 1[,]1 2[established pursuant to Executive Order No. 178 (2015) in the New Jersey Office of Homeland Security and Preparedness] , in a form and manner as determined by the New Jersey Cybersecurity and Communications Integration Cell2 . 1A cybersecurity program submitted pursuant to this subsection shall not be considered a government record under P.L.1963, c.73 (C.47:1A-1 et seq.), and shall not be made available for public inspection.1

     b.   Within 60 days after developing the 1cybersecurity1 program required pursuant to subsection a. of this section, each water purveyor shall join the New Jersey Cybersecurity and Communications Integration Cell 1[,]1 2[established pursuant to Executive Order No. 178 (2015),]2 and create a cybersecurity incident reporting process.

     c.   [A water purveyor that does not have an internet-connected control system shall be exempt from the requirements of this section.] (Deleted by amendment, P.L.    , c.    (pending before the Legislature as this bill)

     1d.  No later than 180 days after the effective date of P.L.    , c.   (C.       )(pending before the Legislature as this bill), each water purveyor shall obtain a cybersecurity insurance policy that meets any applicable standards adopted by the board.1

(cf:  P.L.2017, c.133, s.4)

 

     3.   (New section)  a.  In addition to the requirements of section 4 of P.L.2017, c.133 (C.58:31-4), and the requirements established by the board pursuant thereto, no later than 1[120] 1801 days after the effective date of P.L.    , c.    (C.        ) (pending before the Legislature as this bill), each water purveyor shall update its cybersecurity program developed pursuant to section 4 of P.L.2017, c.133 (C.58:31-4) to apply to all of the public 2community2 water system's industrial control systems, and to reasonably conform to the most recent version of one or more of the following industry-recognized cybersecurity frameworks: 

     (1) the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology;

     (2)  the Center for Internet Security Critical Security Controls for Effective Cyber Defense; or

     (3) the International Organization for Standardization and International Electrotechnical Commission 27000 family of standards for an information security management system.

     b.   Whenever a final revision to one or more of the frameworks listed in subsection a. of this section is published, a water purveyor whose cybersecurity program reasonably conformed to that framework shall revise its cybersecurity program to reasonably conform to the revised framework, 1and submit a copy of the revised cybersecurity program to 2[the board, the department, and]2 the New Jersey Cybersecurity and Communications Integration Cell,1 no later than 1[120] 1801 days after publication of the revised framework. 

     c.   No later than one year after the effective date of P.L.    , c.    (C.        ) (pending before the Legislature as this bill), and each year thereafter, each water purveyor shall submit to the 1board, the1 department 1,1 and 1[to]1 the New Jersey Cybersecurity and Communications Integration Cell 1[,]1 2[established pursuant to Executive Order No. 178 (2015),]2 a certification demonstrating that the water purveyor is in compliance with the requirements of this section.  The certification shall be made in the form and manner as determined by the department, in consultation with the New Jersey Cybersecurity and Communications Integration Cell.  1The certification shall be signed by the responsible corporate officer of the public 2community2 water system, if privately held, executive director, if an authority, or mayor or chief executive officer of the municipality, if municipally owned, as applicable.1

     d.   1The New Jersey Cybersecurity and Communications Integration Cell shall 2[audit, or]2 cause to be audited, for compliance with the requirements of section 4 of P.L.2017, c.133 (C.58:31-4) and this section, any public 2community2 water system that fails to submit a cybersecurity program as required pursuant to subsection a. of section 4 of P.L.2017, c.133 (C.58:31-4), a revision pursuant to subsection b. of this section, or a certification pursuant to this section.  2Any audit shall be conducted by a qualified and independent cybersecurity company, at the water purveyor's expense.  Following the audit, the water purveyor shall submit the audit and any corrective action plans derived from the audit to the New Jersey Cybersecurity and Communications Integration Cell.2

     e.1  A water purveyor shall, upon the request of the 1board, the1 department 1,1 or the New Jersey Cybersecurity and Communications Integration Cell, provide proof of compliance with the requirements of this section, in a form and manner as determined by the 2board, the2 department 2,2 or by the New Jersey Cybersecurity and Communications Integration Cell. 

     1[e.] f.1      The board shall update any requirements it has established for cybersecurity programs pursuant to subsection a. of section 4 of P.L.2017, c.133 (C.58:31-4) to conform to the requirements of this section.

 

     4.   (New section)  1a.1  Beginning 90 days after the effective date of P.L.    , c.    (C.        ) (pending before the Legislature as this bill), 1[each] a1 water purveyor shall 1[immediately]1 report to the 2[1board, the department, and the1]2 New Jersey Cybersecurity and Communications Integration Cell, 2[1immediately] promptly2 after an employee is made aware of a cybersecurity incident,1 and in accordance with all applicable laws, rules 1,1 and regulations:

     1[a.] (1)1    any cybersecurity incident that results in the compromise of the confidentiality, integrity, availability, or privacy of the water purveyor's utility billing, communications, data management, or business information systems, or the information thereon; and

     1[b.] (2)1   any cybersecurity incident against the water purveyor's industrial control system, including monitoring, operations, and centralized control systems, that adversely impact, disable, or manipulate infrastructure, resulting in loss of service, contamination of finished water, or damage to infrastructure. 

     1b.   No later than 30 days after receiving a report of a cybersecurity incident from a water purveyor pursuant to subsection a. of this section, the New Jersey Cybersecurity and Communications Integration Cell shall 2[audit, or]2 cause to be audited 2[,]2 the water purveyor's cybersecurity program and any actions the water purveyor took in response to the cybersecurity incident.  The audit shall identify cyber threats and vulnerabilities to the public 2community2 water system, weaknesses in the public 2community2 water system's cybersecurity program, and strategies to address those weaknesses so as to protect the public 2community2 water system from the threat of future cybersecurity incidents.1 2Any audit shall be conducted by a qualified and independent cybersecurity company, at the water purveyor's expense.  Following the audit, the water purveyor shall submit the audit and any corrective action plans derived from the audit to the New Jersey Cybersecurity and Communications Integration Cell.2

 

      5.  Section 6 of P.L.2017, c.133 (C.58:31-6) is amended to read as follows:

      6.  1a.1  In addition to any other certifications required pursuant to law, rule, or regulation, the responsible corporate officer of the public 2community2 water system, if privately held, executive director, if an authority, or mayor or chief executive officer of the municipality, if municipally owned, as applicable, shall be required to certify in writing each year to the [Department of Environmental Protection] department and, if applicable, the 1[Board of Public Utilities] board, in a form and manner as determined by the department,1 that the water purveyor complies with: all federal and State drinking water regulations, including water quality sampling, testing, and reporting requirements; the hydrant and valve requirements set forth in section 3 of [this act] P.L.2017, c.133 (C.58:31-3); the notice of violation mitigation plan requirements set forth in section 5 of [this act] P.L.2017, c.133 (C.58:31-5), if applicable; and the infrastructure improvement investment required pursuant to section 7 of [this act] P.L.2017, c.133 (C.58:31-7).  A water purveyor shall post the annual certification required pursuant to this section on its Internet website, if applicable.

      1b.  The department shall audit, or cause to be audited, for compliance with the requirements of P.L.2017, c.133 (C.58:31-7), any public 2community2 water system that fails to submit the certification required pursuant to subsection a. of this section in a timely manner.  If the department finds that a water purveyor has made a false or misleading statement in a certification submitted pursuant to subsection a. of this section, the department shall forward the matter to the Attorney General for further investigation and, if necessary, criminal prosecution or other appropriate relief, pursuant to any applicable State or federal law, rule, or regulation.

      c.  The department shall annually audit 2, or cause to be audited,2 for compliance with the requirements 3of3 P.L.2017, c.133 (C.58:31-7) a random selection of at least 10 percent of all public 2community2 water systems in the State.1

      2d.  The department may require a water purveyor to pay the cost of an audit ordered pursuant to this section.2

      4e.  This section shall not be construed to abrogate or limit the review and fiscal oversight authority granted to the Division of Local Government Services in the Department of Community Affairs by the "Local Budget Law," N.J.S.40A:4-1 et seq., the "Local Fiscal Affairs Law," N.J.S.40A:5-1 et seq., the "Local Authorities Fiscal Control Law," P.L.1983, c.313 (C.40A:5A-1 et seq.), or any other law.4

(cf: P.L.2017, c.133, s.6)

 

      6.  Section 7 of P.L.2017, c.133 (C.58:31-7) is amended to read as follows:

      7.   a.  Beginning no later than 18 months after the effective date of [this act] P.L.2017, c.133 (C.58:31-1 et seq.), every water purveyor shall implement an asset management plan designed to inspect, maintain, repair, and renew its infrastructure consistent with standards established by the American Water Works Association.  The asset management plan shall include:

      (1)  a water main renewal program designed to achieve a 150-year replacement cycle, or other [appropriate] 2[shorter] appropriate2 replacement cycle as determined by a detailed engineering analysis of the asset condition and estimated service lives of the water mains serving the public 2community2 water system , or by the department ;

      (2)  a water supply and treatment program designed to inspect, maintain, repair, renew, and upgrade wells, intakes, pumps, and treatment facilities in accordance with all federal and State regulations, standards established by the American Water Works Association, and any mitigation plan required pursuant to section 5 of [this act] P.L.2017, c.133 (C.58:31-5); and

      (3)  any other programs, plans, or provisions as may be required by the department pursuant to rules and regulations adopted pursuant to the "Administrative Procedure Act," P.L.1968, c.410 (C.52:14B-1 et seq.).

      Each water purveyor shall dedicate 2adequate2 funds on an annual basis to address and remediate the highest priority projects as determined by its asset management plan. 

      All asset management plans and system condition reports shall be certified to by the licensed operator or professional engineer of the public 2community2 water system and the responsible corporate officer of the public 2community2 water system, if privately held, executive director, if an authority, or mayor or chief executive officer of the municipality, if municipally owned, as applicable.  The replacement cycle shall be determined by dividing the miles of water main located in the public 2community2 water system by 150 or other appropriate demonstration set forth in the certified asset management plan prepared pursuant to this section.

      b.   [At least once every three years] No later than one year after the effective date of P.L.     , c.     (C.        ) (pending before the Legislature as this bill), and 2[every three years] each year2 thereafter, each water purveyor shall provide to the department and the board, if applicable, a report based on its asset management plan prepared pursuant to subsection a. of this section identifying [the infrastructure improvements to be undertaken in the coming year and the cost of those improvements, as well as identifying the infrastructure improvements completed in the past year and the cost of those improvements] : (1) the infrastructure improvements completed in the past 3[three years] year3 and the cost of those improvements, including improvements funded by emergency and routine capital spending; (2) the infrastructure improvements 2generally2 planned to be undertaken in the next three years and the estimated cost of those improvements; and (3) the infrastructure improvements that 2[will] may2 be required over the next 10 years and the estimated cost of those improvements.  4A report provided pursuant to this subsection by a municipality, county, or authority that is a water purveyor, is subject to the Local Authorities Fiscal Control Law, P.L.1983, c.313 (C.40A:5A-1 et seq.), and has a capital program extending beyond three years shall also identify infrastructure improvements to be undertaken pursuant to the asset management plan in the remaining years of the capital program, along with the actual or estimated cost of the improvements.4 2Compliance with this subsection may be demonstrated through the submission of evidence of completion of a detailed, comprehensive planning study, facility master planning study, or other long range planning study that is intended for use in developing three- and ten-year capital improvement plans.  A detailed comprehensive planning study, facility master planning study, or other long range planning study submitted pursuant to this subsection shall not be considered a government record pursuant to P.L.1963, c.73 (C.47:1A-1 et seq.), and shall not be made available for public inspection.2 A municipal water department or municipal water authority shall also submit the report required pursuant to this subsection to the Division of Local Government Services in the Department of Community Affairs.  A water purveyor shall, upon request, provide a copy of its asset management plan to the department, the board, or the Division of Local Government Services in the Department of Community Affairs.

      c.   The department, the board, and the Department of Community Affairs shall create a centralized portal allowing for electronic submittal of the report required pursuant to subsection b. of this section.  The lack of a centralized portal pursuant to this subsection shall not negate the requirement for a water purveyor to submit a report pursuant to subsection b. of this section.

(cf: P.L.2017, c.133, s.7)

 

     7.    (New section)  a.  In addition to the requirements of section 7 of P.L.2017, c.133 (C.58:31-7), no later than 18 months after the effective date of P.L.    , c.    (C.        ) (pending before the Legislature as this bill), each water purveyor shall revise its asset management plan developed pursuant to section 7 of P.L.2017, c.133 (C.58:31-7) to include:

     (1)   a comprehensive inventory, mapping, and 2evaluation of the2 condition 2[assessment]2 of the public 2community2 water system's 2[assets, including its pipes, lead service lines, valves, tanks, pumps, wells, treatment facilities, hydrants, and other components, and an assessment of the remaining useful life of each identified asset] following asset classes:  transmission and distribution piping, valves, service lines, hydrants, water treatment plant facilities, and water supply facilities including wells, reservoirs, and intakes2 ;

     (2)   level of service goals for the public 2community2 water system 2, based upon industry standards such as those established by the American Water Works Association2, which may include, but need not be limited to, goals related to customer service and accountability, energy and water efficiency and conservation, water main breaks and service interruptions, and social and environmental considerations;

     (3)   a priority order in which the public 2community2 water system's assets, identified in the comprehensive inventory prepared pursuant to paragraph (1) of this subsection, will be repaired or replaced as part of the water purveyor's asset management plan, based on each asset's importance to the proper function of the public 2community2 water system, or business risk exposure; 2and2

     (4)   2[the life cycle costs of the public water system's assets, including a schedule for the maintenance, repair, or replacement of the assets, and for capital improvements to the public water system, informed by the priority order developed pursuant to paragraph (3) of this subsection; and

     (5)]2 a long-term funding strategy to implement the water purveyor's asset management plan, including funding sources and estimated annual expenditures to address prioritized repairs, upgrades, and treatment.

     b.    The department shall, pursuant to the "Administrative Procedure Act," P.L.1968, c.410 (C.52:14B-1 et seq.), adopt rules and regulations to implement the requirements of this section.

     8.    (New section)  Any person who violates the provisions of P.L.2017, c.133 (C.58:31-1 et seq.), or any rule or regulation adopted pursuant thereto, shall be subject to the penalties and other remedies set forth in section 10 of P.L.1977, c.224 (C.58:12A-10).  No later than 3[180 days] 18 months3 after the effective date of P.L.    , c.   (C.        )(pending before the Legislature as this bill), the department shall adopt, pursuant to the "Administrative Procedure Act," P.L.1968, c.410 (C.52:14B-1 et seq.), a schedule of civil administrative penalties to be applied pursuant to this section for specific violations of P.L.2017, c.133 (C.58:31-1 et seq.).

 

     9.    (New section)  No later than one year after the effective date of P.L.    , c.    (C.        ) (pending before the Legislature as this bill), and annually thereafter, the department shall develop and publish on its Internet website a report card for each water purveyor in the State, indicating the water purveyor's compliance with federal and State drinking water quality standards, its compliance with the requirements of P.L.2017, c.133 (C.58:31-1 et seq.), and any other factors the department deems appropriate.  The report card shall be designed to inform the public about the overall condition of a public 2community2 water system, and the quality of water coming from the public 2community2 water system.

 

     10.  (New section)  No later than 18 months after the effective date of P.L.     , c.     (C.         ) (pending before the Legislature as this bill), and every three years thereafter, the department shall prepare and submit a report to the Governor and, pursuant to section 2 of P.L.1991, c.164 (C.52:14-19.1), the Legislature assessing:

     a.     the data submitted by public 2community2 water systems pursuant to subsections b. and c. of section 7 of P.L.2017, c.133 (C.58:31-7).  The assessment shall include, but need not be limited to, an analysis of the total estimated cost of infrastructure improvements to public 2community2 water systems, Statewide, required over the next 10 years; and

     b.    the compliance of public 2community2 water systems with the requirements of P.L.2017, c.133 (C.58:31-1 et seq.) and the rules and regulations adopted pursuant thereto.

 

     11.  (New section)  The department and the board shall adopt, pursuant to the "Administrative Procedure Act," P.L.1968, c.410 (C.52:14B-1 et seq.), rules and regulations as are necessary to carry out the provisions of P.L.2017, c.133 (C.58:31-1 et seq.).

 

      212.  Section 3 of P.L.2017, c.133 (C.58:31-3) is amended to read as follows:

      3.   a.  Each water purveyor shall inspect each valve in its public community water system in accordance with the provisions of subsection b. of this section in order to determine (1) accessibility of the valve for operational purposes, and (2) the valve's operating condition. A water purveyor shall repair or replace any valve found to be broken or otherwise not operational.

      b.   Each water purveyor shall inspect each valve that is 12 or more inches in diameter at least once every 3[two] four3 years, and shall inspect all other valves at least once every 3[four] eight3 years, except that the requirements of this subsection shall not apply to any service connection valve or customer shut-off valve. At a minimum, each valve inspection conducted pursuant to this subsection shall include:

      (1)  clearing of the area around the valve to ensure full access to the valve for operating purposes;

      (2)  cleaning out of the valve box;

      (3)  dynamic testing of the valve, by opening and then closing the valve for either of the following number of turns:

      (a)  the number of turns recommended by the valve manufacturer to constitute a credible test; or

      (b)  the number of turns which constitutes 15 percent of the total number of turns necessary to completely open or completely close the valve ; and

      (4)  complying with any other criteria as may be required by the department pursuant to rules and regulations adopted pursuant to the "Administrative Procedure Act," P.L.1968, c.410 (C.52:14B-1 et seq.).

      c.   (1)  Each water purveyor shall, once a year, test every fire hydrant in its system in order to determine the hydrant's working condition.

      (2)  Each water purveyor shall formulate and implement a plan for flushing every fire hydrant in the public community water system, and every dead end of a main in the public community water system. This plan for flushing may be combined with the periodic testing of fire hydrants required pursuant to paragraph (1) of this subsection.

      d.   Each water purveyor shall keep a record of all inspections, tests, and flushings conducted pursuant to this section for a period of at least 3[six] 123 years.

      e.   Each water purveyor that owns, solely or jointly, a fire hydrant shall mark each hydrant with the initials of its name, abbreviation of its name, corporate symbol, or other distinguishing mark or code by which ownership may be readily and definitely ascertained. Each fire hydrant shall be marked with a number or symbol, or both, by which the location of the hydrant may be determined on the water purveyor's office records. The markings may be made with 3[paint, brand, or with]3 a soft metal plate, 3plastic, or another durable material,3 and shall be of such size and so spaced and maintained as to be easily read.

      f.    Each water purveyor shall identify, to the extent possible, the geographic location of each valve and fire hydrant in its public community water system using a global positioning system based on satellite or other location technology.2

(cf: P.L.2017, c.133, s.3)

 

     213.  Section 5 of P.L.2017, c.133 (C.58:31-5) is amended to read as follows:

     5.    In addition to any other requirements in law, or any rule or regulation adopted pursuant thereto, whenever a water purveyor is issued , pursuant to section 10 of P.L.1977, c.224 (C.58:12A-10) , three notices of violation for any reason or two notices of violation related to an exceedance of a maximum contaminant level within any 12-month period, the water purveyor, within 60 days after receipt of the third or second notice, as applicable, shall submit to the department a mitigation plan specifying whether the notice of violation will be addressed through operational changes or require a capital expenditure and providing a schedule for implementation of the mitigation plan. The mitigation plan shall include a report prepared by the licensed operator of the public community water system and a professional engineer licensed pursuant to P.L.1938, c.342 (C.45:8-27 et seq.) that includes a technical analysis of the notices of violation and an explanation of how the mitigation plan submitted pursuant to this section is intended to prevent a recurrence of the issue that resulted in the notice of violation. Any capital expenditures required pursuant to this section shall be incorporated into the asset management plan required pursuant to section 7 of [this act] P.L.2017, c.133 (C.58:31-7).2

(cf: P.L.2017, c.133, s.5)

 

     2[12.]  14.2  This act shall take effect immediately.
