Bill Text - SB694 (2020)

(New Title) relative to recommended minimum cybersecurity standards for municipalities and making an appropriation therefor.


Revision: Jan. 29, 2020, 7:49 a.m.

SB 694-FN-A - AS INTRODUCED

2020 SESSION

20-2812

06/04

 

SENATE BILL 694-FN-A

 

AN ACT relative to minimal cybersecurity standards for municipalities and making appropriations therefor.

 

SPONSORS: Sen. Dietsch, Dist 9; Sen. Levesque, Dist 12; Sen. Chandley, Dist 11; Sen. Rosenwald, Dist 13; Sen. Morgan, Dist 23; Rep. Ebel, Merr. 5; Rep. Balch, Hills. 38

 

COMMITTEE: Election Law and Municipal Affairs

 

─────────────────────────────────────────────────────────────────

 

ANALYSIS

 

This bill:

 

I.  Requires the department of information technology to adopt minimum cybersecurity standards for political subdivisions.

 

II.  Requires political subdivisions to self-report their level of adherence to the standards.

 

III.  Makes appropriations to the department of information technology.

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Explanation: Matter added to current law appears in bold italics.

Matter removed from current law appears [in brackets and struckthrough.]

Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.


 

STATE OF NEW HAMPSHIRE

 

In the Year of Our Lord Two Thousand Twenty

 

AN ACT relative to minimal cybersecurity standards for municipalities and making appropriations therefor.

 

Be it Enacted by the Senate and House of Representatives in General Court convened:

 

1  New Paragraph; Department of Information Technology; Duties of Commissioner.  Amend RSA 21-R:4 by inserting after paragraph XX the following new paragraph:

XXI.  Adopting minimum cyber security standards for political subdivisions, based on CIS controls, as established and maintained by the Center for Internet Security.  The department shall:

(a)  Require political subdivisions to assess and self-report their level of implementation of CIS controls.  

(b)  Adopt a reporting process and schedule.  

(c)  Advise school districts, at their request, on implementation and compliance with the minimum standards under RSA 189:66.

(d)  Review the self-assessments and provide cyber risk scores for political subdivisions and school districts that self-assess under RSA 189:66.  The information shall be disclosed only to the appropriate political subdivision and school board officials and shall not be subject to RSA 91-A.  

(e)  Provide feedback to political subdivisions and school districts on the most critical improvements in order to reduce their cyber security risks.  Communications on such consultations shall not be subject to RSA 91-A.  

(f)  Work with the division of homeland security and emergency management and the New Hampshire national guard to develop a cybersecurity incident response plan template and practical exercise for political subdivisions for various levels of cyber disruption.

2  New Section; Duties of Towns; Cybersecurity.  Amend RSA 31 by inserting after section 103-a the following new section:

31:103-b  Cybersecurity.

I.  The governing body of any political subdivision that knows of or suspects a cybersecurity incident within such political subdivision, or within any vendor acting as an agent of the political subdivision, shall immediately report such incident, upon discovery, and shall disclose all known information and interactions to the New Hampshire cyber integration center of the department of information technology.

II.  The governing body of every political subdivision shall assess and self-report its level of implementation of CIS controls as adopted by the department of information technology under RSA 21-R:4.

3  School Administrators; Data Breach Report.  Amend the introductory paragraph of RSA 189:66, III(b) to read as follows:

(b)  Require the department to issue an annual data security breach report to the governor, state board, department of information technology, senate president, speaker of the house of representatives, chairperson of the senate committee with primary jurisdiction over education, chairperson of the house committee with primary jurisdiction over education, legislative oversight committee established in RSA 193-C:7, and commissioner of the department of information technology.  The breach report shall also be posted to the department's public Internet website and shall not include any information that itself would pose a security threat to a database or data system.  The report shall include:

4  New Section; Department of Administrative Services; List of State Contracts.  Amend RSA 21-I by inserting after section 14-d the following new section:

21-I:14-e  List of State Contracts.  In order to mitigate any burden on political subdivisions caused by the minimum cybersecurity standards under RSA 21-R:4, XXI, and to lower the cost of technical and communication products and services that may be required, the department shall communicate to political subdivisions through the New Hampshire Municipal Association a list of all statewide contracts for technical and communications products and services.

5  Department of Information Security; Appropriations.

I.  The sum of $472,000 for the fiscal year ending June 30, 2021 is hereby appropriated to the department of information technology to fund 2 analyst positions and one program manager position within the department.  The governor is authorized to draw a warrant for said sum out of any money in the treasury not otherwise appropriated.

II.  The sum of $150,000 for the fiscal year ending June 30, 2021 is hereby appropriated to the department of information technology for funding for the creation of a cyber incident response template and practical exercise for political subdivisions.  The governor is authorized to draw a warrant for said sum out of any money in the treasury not otherwise appropriated.

6  Effective Date.  This act shall take effect 60 days after its passage.

 

LBAO

20-2812

Revised 1/27/20

 

SB 694-FN-A - FISCAL NOTE

AS INTRODUCED

 

AN ACT relative to minimal cybersecurity standards for municipalities and making appropriations therefor.

 

FISCAL IMPACT:      [ X ] State              [ X ] County               [ X ] Local              [    ] None

Estimated Increase / (Decrease)

STATE:             FY 2020   FY 2021                  FY 2022                  FY 2023
   Appropriation   $0        $622,000                 $0                       $0
   Revenue         $0        $0                       $0                       $0
   Expenditures    $0        Indeterminable Increase  Indeterminable Increase  Indeterminable Increase

Funding Source:
  [ X ] General            [    ] Education            [    ] Highway           [    ] Other

COUNTY:            FY 2020   FY 2021                  FY 2022                  FY 2023
   Revenue         $0        $0                       $0                       $0
   Expenditures    $0        Indeterminable Increase  Indeterminable Increase  Indeterminable Increase

LOCAL:             FY 2020   FY 2021                  FY 2022                  FY 2023
   Revenue         $0        $0                       $0                       $0
   Expenditures    $0        Indeterminable Increase  Indeterminable Increase  Indeterminable Increase

 

METHODOLOGY:

This bill requires the Department of Information Technology (DOIT) to adopt minimum cyber security standards for political subdivisions, based on CIS controls as established by the Center for Internet Security.  DOIT will require political subdivisions to assess and self-report their level of implementation; adopt a reporting process and schedule and advise school districts, at their request, on implementation and compliance with minimum standards; review the self-assessments of political subdivisions and school districts and provide feedback on improvements to reduce their cyber security risks; and work with the Department of Safety's Division of Homeland Security and Emergency Management and the New Hampshire National Guard to develop a cyber security incident response plan template and practical exercise for political subdivisions.

 

The bill requires the governing body of any political subdivision that knows of or suspects a cyber security incident within such political subdivision, or within any vendor acting as an agent of such political subdivision, to immediately report such incident to DOIT.  The governing body of every political subdivision shall assess and self-report its level of cyber security controls as adopted by DOIT.

 

The bill appropriates $472,000 for the fiscal year ending June 30, 2021 to the DOIT to fund 2 new analyst positions and one program manager position within the Department.  The bill also contains a $150,000 appropriation for the fiscal year ending June 30, 2021 to the DOIT for funding the creation of a cyber incident response template and practical exercise for political subdivisions.

 

DOIT states the bill establishes a recurring cyber security self-assessment requirement for political subdivisions, which is submitted to the local governing body and the DOIT.  DOIT is required to evaluate the self-assessments and generate a cyber security "risk" scorecard for all political subdivisions and schools (RSA 189:66 was amended in 2018 (Chapter 252) to provide for data inventory security plans in schools).  DOIT indicates this new function to collect, review, score and create an overall scorecard for approximately 475 political subdivisions and school districts will necessitate a team of cyber security professionals with specialized knowledge and background.  DOIT states it will be unable to perform the functions specified in the bill without such additional staff resources.  

 

The DOIT states the appropriation for $472,000 for 3 new positions is overstated by $150,000.  The cost of the three positions is approximately $322,000, not $472,000 as indicated in the bill.  DOIT states the separate $150,000 appropriation for the creation of a response template and practical exercise is for work to be accomplished through a consultant.

 

The cost of the 3 new positions is detailed below:

                                                   FY 2021    FY 2022    FY 2023
Technical Support Specialist IV (LG 27, Step 1)    $94,000    $92,000    $96,000
Technical Support Specialist VI (LG 32, Step 1)    $110,000   $109,000   $114,000
Information Technology Manager V (LG 34, Step 1)   $118,000   $117,000   $123,000
TOTALS                                             $322,000   $318,000   $333,000

 

The Department of Education indicates the department does not know how many school districts will request help with implementation and compliance with the new provisions, making the fiscal impact indeterminable.

 

The New Hampshire Municipal Association states it does not have enough information to estimate the cost for municipalities to comply with the bill's requirements and such cost may vary significantly among municipalities, rendering the fiscal impact indeterminable.  There should be no effect on municipal revenues.

 

The Department of Administrative Services is required to provide a list of all statewide contracts for technical and communications products and services to all political subdivisions. The Department of Administrative Services states there is no fiscal impact to the department's revenues or expenditures.  The obligation to compile and provide a list of contracts to municipalities would not require a substantial amount of additional employee time.

 

The Department of Military Affairs and Veterans Services and the Department of Safety indicate there is no additional cost to the departments as a result of this bill.

 

It is assumed any fiscal impact from this bill will not occur until FY 2021.

 

AGENCIES CONTACTED:

Departments of Information Technology, Education, Administrative Services, Military Affairs and Veterans Services, Safety, and New Hampshire Municipal Association