A02833 Summary:
BILL NO | A02833
SAME AS | S05615
SPONSOR | Otis
COSPNSR |
MLTSPNSR |

Amd §165, St Fin L

Directs that state agencies require that procurement of personal computing goods, services and solutions meet the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

A02833 Actions:
BILL NO | A02833
01/27/2023 | referred to science and technology
05/23/2023 | reported referred to ways and means
06/07/2023 | reported referred to rules
01/03/2024 | referred to ways and means

A02833 Memo:
NEW YORK STATE ASSEMBLY
MEMORANDUM IN SUPPORT OF LEGISLATION
submitted in accordance with Assembly Rule III, Sec 1(f)

BILL NUMBER: A2833

SPONSOR: Otis

TITLE OF BILL: An act to amend the state finance law, in relation to procurement requirements for end point device security

PURPOSE OR GENERAL IDEA OF BILL: To strengthen New York procurement requirements to prevent cyberattacks.

SUMMARY OF PROVISIONS: Section one of the bill amends section 165 of the state finance law by adding a new subdivision 9 to require the commissioner of general services and all state agencies to procure end point devices that meet the National Institute of Standards and Technology (NIST) guidelines and best practices for computer security. This subdivision also requires that the commissioner and each state agency update their end point device procurement requirements to reflect any amendments made to the NIST guidelines within one year of its adoption. Section two of the bill provides the effective date.

DIFFERENCE BETWEEN ORIGINAL AND AMENDED VERSION (IF APPLICABLE):

JUSTIFICATION: Cyber security attacks against government systems are becoming more frequent and more destructive. While governments often view security in terms of preventing a PC or database from being hacked, new trends include firmware attacks and the rapid evolution of novel malware. It is critical that every end point device purchased by a government entity should include cybersecurity as a critical procurement requirement and utilize best practices that have been adopted by the U.S. Government. The U.S. Department of Homeland Security Supply Chain Risk Management (SCRM) guidelines and the NIST Cybersecurity Framework, as found in the NIST Special Publication 800 series are critical standards and best practices to manage cybersecurity-related risk. The Cybersecurity Framework's prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security. New York can protect its critical infrastructure, its citizens, and its data by adopting the NIST standards. This bill will make New York safer by using proven standards to protect against these types of cyberattacks.

PRIOR LEGISLATIVE HISTORY: 2021-22: A9951-A reported referred to ways and means

FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS: None.

EFFECTIVE DATE: This act shall take effect on the ninetieth day after it shall have become a law.

A02833 Text:
STATE OF NEW YORK

2833

2023-2024 Regular Sessions

IN ASSEMBLY

January 27, 2023

Introduced by M. of A. OTIS -- read once and referred to the Committee on Science and Technology

AN ACT to amend the state finance law, in relation to procurement requirements for end point device security

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

Section 1. Section 165 of the state finance law is amended by adding a new subdivision 9 to read as follows:

9. End point device security. (a) For the purposes of this subdivision "end point device" shall mean personal computing goods that include desktops, laptops, all-in-ones, tablets, mobile or cellular telephones, thin clients, and monitors of various sizes; printers; and multi-functional devices that include imaging devices that combine operations such as copying, printing, scanning and faxing into one machine.

(b) The commissioner and all state agencies, when procuring end point devices, shall require those devices, services and solutions to meet the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

(c) Within one year of adoption of any amendments to the security standards and guidelines referenced in paragraph (b) of this subdivision the commissioner and each state agency shall update their end point device procurement requirements.

§ 2. This act shall take effect on the ninetieth day after it shall have become a law.

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.

LBD07739-01-3