Bill Text - SB694 (2020)

(New Title) relative to recommended minimum cybersecurity standards for municipalities and making an appropriation therefor.


Revision: May 18, 2020, 5:36 p.m.

SB 694-FN-A - AS AMENDED BY THE SENATE

 

03/12/2020   1091s

2020 SESSION

20-2812

06/04

 

SENATE BILL 694-FN-A

 

AN ACT relative to recommended minimum cybersecurity standards for municipalities and making an appropriation therefor.

 

SPONSORS: Sen. Dietsch, Dist 9; Sen. Levesque, Dist 12; Sen. Chandley, Dist 11; Sen. Rosenwald, Dist 13; Sen. Morgan, Dist 23; Rep. Ebel, Merr. 5; Rep. Balch, Hills. 38

 

COMMITTEE: Election Law and Municipal Affairs

 

─────────────────────────────────────────────────────────────────

 

AMENDED ANALYSIS

 

This bill:

 

I.  Requires the department of information technology to recommend minimum cybersecurity standards for political subdivisions.

 

II.  Requires political subdivisions to report cybersecurity incidents to the New Hampshire cyber integration center.

 

III.  Makes an appropriation to the department of information technology.

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Explanation: Matter added to current law appears in bold italics.

Matter removed from current law appears [in brackets and struckthrough.]

Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.


 

STATE OF NEW HAMPSHIRE

 

In the Year of Our Lord Two Thousand Twenty

 

AN ACT relative to recommended minimum cybersecurity standards for municipalities and making an appropriation therefor.

 

Be it Enacted by the Senate and House of Representatives in General Court convened:

 

1  New Paragraph; Department of Information Technology; Duties of Commissioner.  Amend RSA 21-R:4 by inserting after paragraph XX the following new paragraph:

XXI.  Recommending minimum cybersecurity standards for political subdivisions, based on CIS controls, as established and maintained by the Center for Internet Security.  The department shall:

(a)  Publish recommended minimum cybersecurity standards for political subdivisions, to be updated annually.

(b)  Designate the New Hampshire cyber integration center to coordinate incident response of cybersecurity incident reports from political subdivisions.  

2  New Paragraph; Department of Information Technology; Definitions.  Amend RSA 21-R:1 by inserting after paragraph II the following new paragraph:

III.  “Cybersecurity incident” means an occurrence that actually or potentially:

(a)  Jeopardizes the confidentiality, integrity, or availability of an information system;

(b)  Jeopardizes the information the system processes, stores, or transmits; or

(c)  Constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

3  New Section; Duties of Towns; Cybersecurity.  Amend RSA 31 by inserting after section 103-a the following new section:

31:103-b  Cybersecurity.  The governing body, chief administrative officer, or the designee of any political subdivision who knows of or suspects a cybersecurity incident within such political subdivision, or within any vendor acting as an agent of the political subdivision, shall immediately report such incident, upon discovery, and shall disclose all known information and interactions to the New Hampshire cyber integration center of the department of information technology.

4  Department of Information Technology; Appropriation.  The sum of $1 for the fiscal year ending June 30, 2021 is hereby appropriated to the department of information technology.  The governor is authorized to draw a warrant for said sum out of any money in the treasury not otherwise appropriated.

5  Effective Date.  This act shall take effect 60 days after its passage.

 

LBAO

20-2812

Amended 5/18/20

 

SB 694-FN-A - FISCAL NOTE

AS AMENDED BY THE SENATE (AMENDMENT 2020-1091s)

 

AN ACT relative to recommended minimum cybersecurity standards for municipalities and making an appropriation therefor.

 

FISCAL IMPACT:      [ X ] State              [    ] County               [    ] Local              [    ] None

 

 

 

Estimated Increase / (Decrease)

STATE:              FY 2020     FY 2021     FY 2022     FY 2023

   Appropriation    $0          $1          $0          $0

   Revenue          $0          $0          $0          $0

   Expenditures     $0          $0          $0          $0

Funding Source:

  [ X ] General            [    ] Education            [    ] Highway           [    ] Other

 

METHODOLOGY:

This bill requires that the Department of Information Technology (DOIT) recommend minimum cybersecurity standards for political subdivisions, based on CIS controls, as established and maintained by the Center for Internet Security.  The DOIT shall:

 

(a)  Publish recommended minimum cybersecurity standards for political subdivisions, to be updated annually.

(b)  Designate the New Hampshire cyber integration center to coordinate incident response of cybersecurity incident reports from political subdivisions. 

 

The bill defines a "cybersecurity incident".  The bill requires the governing body, chief administrative officer or designee of any political subdivision that knows of or suspects a cybersecurity incident within such political subdivision, or within any vendor acting as an agent of such political subdivision, to immediately report such incident to DOIT.  The bill appropriates $1 to the DOIT for the fiscal year ending June 30, 2021.

 

AGENCIES CONTACTED:

Department of Information Technology