Bill Text: NY S07312 | 2021-2022 | General Assembly | Introduced
Bill Title: Enacts the "Critical Infrastructure Standards and Procedures (CRISP) Act".
Spectrum: Partisan Bill (Democrat 5-0)
Status: (Introduced - Dead) 2022-01-05 - REFERRED TO INTERNET AND TECHNOLOGY [S07312 Detail]
Download: New_York-2021-S07312-Introduced.html
STATE OF NEW YORK ________________________________________________________________________ 7312 2021-2022 Regular Sessions IN SENATE August 4, 2021 ___________ Introduced by Sen. THOMAS -- read twice and ordered printed, and when printed to be committed to the Committee on Rules AN ACT to amend the state technology law, in relation to enacting the "critical infrastructure standards and procedures act" The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. The state technology law is amended by adding a new article 2 4 to read as follows: 3 ARTICLE 4 4 CRITICAL INFRASTRUCTURE STANDARDS AND PROCEDURES ACT 5 Section 401. Short title. 6 402. Definitions. 7 403. Compliance with cybersecurity standards for critical 8 infrastructure. 9 404. Procurement, construction, reconstruction, alteration, 10 design and commissioning of critical infrastructure or 11 automation control systems or automation control system 12 components. 13 405. Operations and maintenance of critical infrastructure. 14 § 401. Short title. This article shall be known and may be cited as 15 the "critical infrastructure standards and procedures (CRISP) act". 16 § 402. Definitions. The following terms shall have the following mean- 17 ings: 18 1. Critical infrastructure shall include, but shall not be limited to: 19 (a) public transportation; 20 (b) water and wastewater treatment facilities; 21 (c) public utilities and services subject to the jurisdiction, super- 22 vision, powers and duties of the public service commission and the 23 department of public service; 24 (d) public buildings, including those operated by the state university 25 of New York; EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted. LBD11950-01-1S. 7312 2 1 (e) hospitals and public health facilities regulated pursuant to arti- 2 cle twenty-eight of the public health law; 3 (f) facilities created or existing under the public authorities law; 4 and 5 (g) financial services organizations regulated under the financial 6 services law. 7 2. Automation and control system shall include personnel, hardware, 8 software and policies involved in the operation of the critical infras- 9 tructure that may affect or influence its safe, secure and reliable 10 operation. 11 3. Automation and control system components shall mean control systems 12 and any complementary hardware and software components that have been 13 installed and configured to operate in an automation and control system. 14 Such systems shall include, but shall not be limited to: 15 (a) control systems, whether physically separate or integrated, 16 including distributed control systems, programmable logic controllers, 17 remote terminal units, intelligent electronic devices, supervisory 18 control and data acquisition, networked electronic sensing and control, 19 and monitoring and diagnostic systems; 20 (b) associated information systems, such as advanced or multivariable 21 control, online optimizers, dedicated equipment monitors, graphical 22 interfaces, process historians, manufacturing execution systems and 23 plant information management systems; 24 (c) associated internal, human, network, or machine interfaces used to 25 provide control, safety, and manufacturing operations functionality to 26 continuous, batch, discrete; and 27 (d) other processes as defined by the international society of auto- 28 mation including the ISA/IEC 62443 series of standards, as referenced by 29 the national institute of standards and technology (NIST). 30 4. Asset owner shall mean the public or private owner or entity 31 accountable and responsible for operation of the critical infrastructure 32 and for the automation and control system. The asset owner shall be the 33 operator of the automation and control system and of such equipment 34 under control. 35 5. Operational technology shall mean the hardware and software that 36 detects or causes a change in the critical infrastructure through the 37 direct monitoring or control of physical devices, systems, processes and 38 events. 39 § 403. Compliance with cybersecurity standards for critical infras- 40 tructure. The office, in consultation with the department of homeland 41 security and emergency services and the superintendent of financial 42 services shall make a determination of critical infrastructure, includ- 43 ing whose assets, systems, and networks, whether physical or virtual, 44 are considered vital and vulnerable to cybersecurity attacks. 45 § 404. Procurement, construction, reconstruction, alteration, design 46 and commissioning of critical infrastructure or automation control 47 systems or automation control system components. On or after July first, 48 two thousand twenty-six, the asset owner, when procuring automation and 49 control system components, as defined in subdivision three of section 50 four hundred two of this article, services or solutions, or when 51 contracting for facility upgrades or the construction of critical 52 infrastructure facilities, shall require such components, services, and 53 solutions to conform to the ISA/IEC 62443 series of standards as refer- 54 enced by NIST for defining measures to assure conformance. All contracts 55 awarded for construction, reconstruction, alteration, design and commis- 56 sioning of facilities identified as critical infrastructure under thisS. 7312 3 1 article shall provide that such installed automation and control compo- 2 nents meet the minimum standards for cybersecurity as defined by the 3 ISA/IEC 62443 series of standards as referenced by NIST. 4 § 405. Operations and maintenance of critical infrastructure. On or 5 after July first, two thousand twenty-four, the asset owner shall be 6 responsible for ensuring that the operation and maintenance of opera- 7 tional technology, including critical infrastructure, automation control 8 systems and automation control system components conform with the 9 ISA/IEC 62443 series of standards as referenced by NIST, including annu- 10 al risk assessments and shall create a mitigation plan. 11 § 2. This act shall take effect on the one hundred eightieth day after 12 it shall have become a law. Effective immediately, the office, the 13 commissioner of homeland security and emergency services and the super- 14 intendent of financial services may promulgate rules and regulations and 15 take other actions reasonably necessary to implement this act on that 16 date.