
A02833 Summary:

BILL NO: A02833

SAME AS: S05615

SPONSOR: Otis

COSPNSR:

MLTSPNSR:
 
Amd §165, St Fin L
 
Directs that state agencies require that procurement of personal computing goods, services and solutions meet the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

A02833 Actions:

BILL NO: A02833

01/27/2023 referred to science and technology
05/23/2023 reported referred to ways and means
06/07/2023 reported referred to rules
01/03/2024 referred to ways and means

A02833 Memo:

NEW YORK STATE ASSEMBLY
MEMORANDUM IN SUPPORT OF LEGISLATION
submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A2833
 
SPONSOR: Otis
TITLE OF BILL: An act to amend the state finance law, in relation to procurement requirements for end point device security

PURPOSE OR GENERAL IDEA OF BILL: To strengthen New York procurement requirements to prevent cyberattacks.

SUMMARY OF PROVISIONS: Section one of the bill amends section 165 of the state finance law by adding a new subdivision 9 to require the commissioner of general services and all state agencies to procure end point devices that meet the National Institute of Standards and Technology (NIST) guidelines and best practices for computer security. This subdivision also requires that the commissioner and each state agency update their end point device procurement requirements to reflect any amendments made to the NIST guidelines within one year of its adoption. Section two of the bill provides the effective date.

DIFFERENCE BETWEEN ORIGINAL AND AMENDED VERSION (IF APPLICABLE):

JUSTIFICATION: Cyber security attacks against government systems are becoming more frequent and more destructive. While governments often view security in terms of preventing a PC or database from being hacked, new trends include firmware attacks and the rapid evolution of novel malware. It is critical that every end point device purchased by a government entity should include cybersecurity as a critical procurement requirement and utilize best practices that have been adopted by the U.S. Government. The U.S. Department of Homeland Security Supply Chain Risk Management (SCRM) guidelines and the NIST Cybersecurity Framework, as found in the NIST Special Publication 800 series, are critical standards and best practices to manage cybersecurity-related risk. The Cybersecurity Framework's prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.

New York can protect its critical infrastructure, its citizens, and its data by adopting the NIST standards. This bill will make New York safer by using proven standards to protect against these types of cyberattacks.

PRIOR LEGISLATIVE HISTORY: 2021-22: A9951-A reported referred to ways and means

FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS: None.

EFFECTIVE DATE: This act shall take effect on the ninetieth day after it shall have become a law.

A02833 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                          2833
 
                               2023-2024 Regular Sessions
 
                   IN ASSEMBLY
 
                                    January 27, 2023
                                       ___________
 
        Introduced  by  M. of A. OTIS -- read once and referred to the Committee
          on Science and Technology
 
        AN ACT to amend the  state  finance  law,  in  relation  to  procurement
          requirements for end point device security
 
          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:

     1    Section 1. Section 165 of the state finance law is amended by adding a
     2  new subdivision 9 to read as follows:
     3    9. End point device security. (a) For the purposes of this subdivision
     4  "end point device" shall mean  personal  computing  goods  that  include
     5  desktops,  laptops, all-in-ones, tablets, mobile or cellular telephones,
     6  thin clients, and monitors of various sizes; printers;  and  multi-func-
     7  tional devices that include imaging devices that combine operations such
     8  as copying, printing, scanning and faxing into one machine.
     9    (b)  The commissioner and all state agencies, when procuring end point
    10  devices, shall require those devices, services and solutions to meet the
    11  National Institute of  Standards  and  Technology  (NIST)  Cybersecurity
    12  Framework.
    13    (c)  Within  one  year  of  adoption of any amendments to the security
    14  standards and guidelines referenced in paragraph (b) of this subdivision
    15  the commissioner and each state agency  shall  update  their  end  point
    16  device procurement requirements.
    17    §  2.  This  act shall take effect on the ninetieth day after it shall
    18  have become a law.
 
 
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD07739-01-3