A4825

ASSEMBLY, No. 4825

STATE OF NEW JERSEY

219th LEGISLATURE

 

INTRODUCED OCTOBER 19, 2020

 


 

Sponsored by:

Assemblyman   JOHN F. MCKEON

District 27 (Essex and Morris)

Assemblyman   ROBERT J. KARABINCHAK

District 18 (Middlesex)

Assemblywoman   NANCY J. PINKIN

District 18 (Middlesex)

 

Co-Sponsored by:

Assemblyman Benson

 

 

 

 

SYNOPSIS

        Revises cybersecurity, asset management, and related reporting requirements in "Water Quality Accountability Act."

 

CURRENT VERSION OF TEXT

        As introduced.

   


An Act concerning cybersecurity and asset management at public community water systems and amending and supplementing P.L.2017, c.133.

 

        Be It Enacted by the Senate and General Assembly of the State of New Jersey:

 

        1.       Section 2 of P.L.2017, c.133 (C.58:31-2) is amended to read as follows:

        2.       As used in [this act] P.L.2017, c.133 (C.58:31-1 et seq.):

        "Board" means the Board of Public Utilities.

        "Cybersecurity incident" means an event occurring on or conducted through a computer network that jeopardizes the integrity, confidentiality, or availability of computers, information systems, communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information residing thereon.

        "Cybersecurity insurance policy" means an insurance policy designed to mitigate losses from cybersecurity incidents, including, but not limited to, data breaches, business interruption, and network damage.

        "Department" means the Department of Environmental Protection.

        "Industrial control system" means an information system used to control industrial processes such as manufacturing, product handling, production, or distribution. "Industrial control system" includes supervisory control and data acquisition systems used to control geographically dispersed assets, and distributed control systems and smaller control systems using programmable logic controllers to control localized processes.

        "Information resource" means information and related resources, such as personnel, equipment, funds, and information technology.

        "Information system" means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

        "New Jersey Cybersecurity and Communications Integration Cell" means the New Jersey Cybersecurity and Communications Integration Cell established pursuant to Executive Order No. 178 (2015) in the New Jersey Office of Homeland Security and Preparedness, or any successor entity.

        "Public community water system" means the same as that term is defined in subsection l. of section 3 of P.L.1977, c.224 (C.58:12A-3).

        "Public water system" means the same as the term is defined in section 3 of P.L.1977, c.224 (C.58:12A-3).

        "Water purveyor" means any person that owns a public community water system with more than 500 service connections.

(cf: P.L.2017, c.133, s.2)

 

        2.     Section 4 of P.L.2017, c.133 (C.58:31-4) is amended to read as follows:  

        4.     a. Within 120 days after the effective date of [this act] P.L.2017, c.133 (C.58:31-1 et seq.), each water purveyor shall develop a cybersecurity program, in accordance with requirements established by the [board] New Jersey Cybersecurity and Communications Integration Cell, as rules and regulations adopted pursuant to the "Administrative Procedure Act," P.L.1968, c.410 (C.52:14B-1 et seq.), that defines and implements organization accountabilities and responsibilities for cyber risk management activities, and establishes policies, plans, processes, and procedures for identifying and mitigating cyber risk to its public community water system. As part of the cybersecurity program, a water purveyor shall: identify the individual chiefly responsible for ensuring that the policies, plans, processes, and procedures established pursuant to this section are executed in a timely manner; conduct risk assessments and implement appropriate controls to mitigate identified risks to the public community water system [,] ; maintain situational awareness of cyber threats and vulnerabilities to the public community water system [,] ; and create and exercise incident response and recovery plans. No later than 180 days after the effective date of P.L.       , c.      (C.                ) (pending before the Legislature as this bill), a water purveyor shall update its cybersecurity program to conform to the requirements of section 3 of P.L.       , c.     (C.               ) (pending before the Legislature as this bill).

        A water purveyor shall submit a copy of the cybersecurity program developed pursuant to this subsection [shall be provided] to the New Jersey Cybersecurity and Communications Integration Cell, [established pursuant to Executive Order No. 178 (2015) in the New Jersey Office of Homeland Security and Preparedness] in a form and manner as determined by the New Jersey Cybersecurity and Communications Integration Cell. A cybersecurity program submitted pursuant to this subsection shall not be considered a government record under P.L.1963, c.73 (C.47:1A-1 et seq.), and shall not be made available for public inspection.

        b.     Within 60 days after developing the cybersecurity program required pursuant to subsection a. of this section, each water purveyor shall join the New Jersey Cybersecurity and Communications Integration Cell [, established pursuant to Executive Order No. 178 (2015),] and create a cybersecurity incident reporting process.

        c.     [A water purveyor that does not have an internet-connected control system shall be exempt from the requirements of this section.] (Deleted by amendment, P.L.       , c.       (pending before the Legislature as this bill)

        d.   No later than 180 days after the effective date of P.L.        ,  c.      (C.              )  (pending before the Legislature as this bill), each water purveyor shall obtain a cybersecurity insurance policy that meets any applicable standards adopted by the board.

(cf: P.L.2017, c.133, s.4)

 

        3.     (New section)   a.   In addition to the requirements of section 4 of P.L.2017, c.133 (C.58:31-4), and the requirements established by the board pursuant thereto, no later than 180 days after the effective date of P.L.       , c.       (C.