Enacts the "critical infrastructure standards and procedures (CRISP) act"; requires the office of information technology, along with the division of homeland security and emergency services and the department of financial services, to identify critical infrastructure, both public and private, that could be compromised by cyber-attacks.
Impact
One significant aspect of A06301 is its requirement for asset owners to comply with established cybersecurity standards, particularly those defined by the ISA/IEC 62443 series. This requirement involves risk assessments and the implementation of mitigation plans to ensure that automation and control systems remain secure and operational. The bill is designed to facilitate better procurement, construction, and maintenance practices for critical infrastructures, thus aiming to diminish the state's vulnerability to cyber-related incidents and ultimately enhance public safety.
Summary
Bill A06301, known as the Critical Infrastructure Standards and Procedures (CRISP) Act, introduces new regulations aimed at enhancing cybersecurity for critical infrastructure in New York. The legislation mandates cooperation among several state agencies, including the Office of Information Technology, the Division of Homeland Security and Emergency Services, and the Department of Financial Services. These agencies are tasked with identifying critical infrastructure that may be vulnerable to cyber-attacks. Such infrastructure includes public transportation systems, water treatment facilities, public utilities, healthcare establishments, and state-operated buildings, as outlined within the bill.
Contention
Despite its intended goals, A06301 presents some points of contention among stakeholders. Supporters argue that stringent cybersecurity measures are essential in an era where cyber threats are increasingly prevalent, particularly against vital public services and infrastructure. However, opponents of the bill may raise concerns regarding the financial implications for smaller entities tasked with upgrading their systems to meet these specific standards. There are fears that the compliance costs could burden smaller public and private operators, potentially leading to a competitive disadvantage. Additionally, there are discussions surrounding the balance between necessary regulation and local operational flexibility.
Requires all municipal corporations to report cybersecurity incidents and demands of ransom payments to the division of homeland security and emergency services; defines terms; requires cybersecurity incident reviews; requires cybersecurity awareness training, cybersecurity protection and data protection standards for state maintained information systems.
Enacts the "prevention of damage to critical infrastructure act"; prevents junk dealers and scrap processors from selling metals that are used by critical infrastructure providers; defines terms.
Enacting the Kansas critical infrastructure protection act to prohibit access to state critical infrastructure by countries of concern and the acquisition of critical software and other technology used in state infrastructure from countries of concern.
Relates to the publication of information on public meetings; requires the office of information technology services to develop a mobile application and website to publish information on every public meeting held by a state or local public body; requires public bodies to report such meetings to the office of information technology services.
Establishes the "secure our data act"; relates to cybersecurity protection by state entities; requires the office of information technology services to develop standards for data protection of state entity-maintained information.
Directs the commissioner of education, in conjunction with the superintendent of state police and the commissioner of the division of homeland security and emergency services, to establish standards for the security and safety of school grounds.