| 1 | 1 | | 1 of 1 |
|---|
| 2 | 2 | | SENATE DOCKET, NO. 2404 FILED ON: 1/20/2023 |
|---|
| 3 | 3 | | SENATE . . . . . . . . . . . . . . No. 32 |
|---|
| 4 | 4 | | The Commonwealth of Massachusetts |
|---|
| 5 | 5 | | _________________ |
|---|
| 6 | 6 | | PRESENTED BY: |
|---|
| 7 | 7 | | Barry R. Finegold |
|---|
| 8 | 8 | | _________________ |
|---|
| 9 | 9 | | To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General |
|---|
| 10 | 10 | | Court assembled: |
|---|
| 11 | 11 | | The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill: |
|---|
| 12 | 12 | | An Act relative to cyber incident response. |
|---|
| 13 | 13 | | _______________ |
|---|
| 14 | 14 | | PETITION OF: |
|---|
| 15 | 15 | | NAME:DISTRICT/ADDRESS :Barry R. FinegoldSecond Essex and Middlesex 1 of 9 |
|---|
| 16 | 16 | | SENATE DOCKET, NO. 2404 FILED ON: 1/20/2023 |
|---|
| 17 | 17 | | SENATE . . . . . . . . . . . . . . No. 32 |
|---|
| 18 | 18 | | By Mr. Finegold, a petition (accompanied by bill, Senate, No. 32) of Barry R. Finegold for |
|---|
| 19 | 19 | | legislation relative to cyber incident response. Advanced Information Technology, the Internet |
|---|
| 20 | 20 | | and Cybersecurity. |
|---|
| 21 | 21 | | The Commonwealth of Massachusetts |
|---|
| 22 | 22 | | _______________ |
|---|
| 23 | 23 | | In the One Hundred and Ninety-Third General Court |
|---|
| 24 | 24 | | (2023-2024) |
|---|
| 25 | 25 | | _______________ |
|---|
| 26 | 26 | | An Act relative to cyber incident response. |
|---|
| 27 | 27 | | Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority |
|---|
| 28 | 28 | | of the same, as follows: |
|---|
| 29 | 29 | | 1 SECTION 1. Chapter 7D of the General Laws, as appearing in the 2022 Official Edition, |
|---|
| 30 | 30 | | 2is hereby amended by inserting after section 11 the following new sections:- |
|---|
| 31 | 31 | | 3 Section 12. State-Level Incident Reporting and Response |
|---|
| 32 | 32 | | 4 (a) As used in this section and section 13, the following words shall have the following |
|---|
| 33 | 33 | | 5meanings, unless the context clearly requires otherwise: |
|---|
| 34 | 34 | | 6 “Breach of security” shall have the same meaning as defined in section 1 of chapter 93H. |
|---|
| 35 | 35 | | 7 “Critical infrastructure”, the systems and assets, either physical or virtual, within the |
|---|
| 36 | 36 | | 8commonwealth that are so vital to the commonwealth or the United States that the incapacitation |
|---|
| 37 | 37 | | 9or destruction of such a system or asset would have a debilitating impact on physical security, |
|---|
| 38 | 38 | | 10economic security, public health or safety or any combination thereof; provided, however, that 2 of 9 |
|---|
| 39 | 39 | | 11“critical infrastructure” shall include, but not be limited to, election systems, transportation |
|---|
| 40 | 40 | | 12infrastructure, water, gas and electric utilities. |
|---|
| 41 | 41 | | 13 “Cybersecurity incident”, an incident that: (i) risks or could risk the confidentiality, |
|---|
| 42 | 42 | | 14integrity or availability of information systems; (ii) consists of unauthorized access to, or |
|---|
| 43 | 43 | | 15malicious software present on, systems or assets that are so vital that the incapacity or |
|---|
| 44 | 44 | | 16destruction of such systems or assets would have a debilitating impact on cybersecurity, physical |
|---|
| 45 | 45 | | 17security, economic security, public health or public safety; and (iii) results or could result in a |
|---|
| 46 | 46 | | 18significant loss of data, system availability or control of systems; provided, however, that a |
|---|
| 47 | 47 | | 19“cybersecurity incident” shall include, but not be limited to, a breach of security, imminent threat |
|---|
| 48 | 48 | | 20of a breach of security or other cyber attack intended to compromise the use of an electronic |
|---|
| 49 | 49 | | 21system. |
|---|
| 50 | 50 | | 22 “Cybersecurity threat”, an action on or through an information system that may result in |
|---|
| 51 | 51 | | 23an unauthorized effort to adversely impact the security, availability, confidentiality or integrity of |
|---|
| 52 | 52 | | 24an information system or information that is stored on, processed by or transiting an information |
|---|
| 53 | 53 | | 25system; provided, however, that a “cybersecurity threat” does not include any action that solely |
|---|
| 54 | 54 | | 26involves a violation of a consumer terms-of-service agreement or consumer licensing agreement. |
|---|
| 55 | 55 | | 27 “Response team”, the Massachusetts Cyber Incident Response Team established pursuant |
|---|
| 56 | 56 | | 28to this section. |
|---|
| 57 | 57 | | 29 (b) There shall be established a Massachusetts Cyber Incident Response Team, the |
|---|
| 58 | 58 | | 30mission of which is to enhance this commonwealth’s ability to prepare for, respond to, mitigate |
|---|
| 59 | 59 | | 31against and recover from significant cybersecurity incidents. 3 of 9 |
|---|
| 60 | 60 | | 32 (c) The response team shall consist of: (i) the secretary of the executive office of |
|---|
| 61 | 61 | | 33technology services and security or their designee, who shall serve as chair of the response team; |
|---|
| 62 | 62 | | 34(ii) a representative of the commonwealth security operations center as designated by the director |
|---|
| 63 | 63 | | 35of security operations; (iii) the secretary of the executive office of public safety and security or |
|---|
| 64 | 64 | | 36their designee; (iv) a representative of the state police cyber crime unit; (v) a representative of |
|---|
| 65 | 65 | | 37the commonwealth fusion center; (vi) the adjutant general of the Massachusetts National Guard |
|---|
| 66 | 66 | | 38or their designee; and (vii) the director of the Massachusetts emergency management agency or |
|---|
| 67 | 67 | | 39their designee. |
|---|
| 68 | 68 | | 40 (d) The response team shall review cybersecurity threat information and vulnerabilities, |
|---|
| 69 | 69 | | 41make informed recommendations and establish appropriate policies to manage the risk of |
|---|
| 70 | 70 | | 42cybersecurity incidents for all state agencies served by the executive office of technology |
|---|
| 71 | 71 | | 43services and security; provided, however, that such recommendations, policies and directives |
|---|
| 72 | 72 | | 44shall be informed by information and best practices obtained through the established information |
|---|
| 73 | 73 | | 45sharing network of local, state, federal and industry partners in which response team members |
|---|
| 74 | 74 | | 46regularly participate. |
|---|
| 75 | 75 | | 47 (e) The response team shall develop and maintain an updated cybersecurity incident |
|---|
| 76 | 76 | | 48response plan for the commonwealth and submit such plan annually for review, not later than |
|---|
| 77 | 77 | | 49November 1, to the governor and the joint committee on advanced information technology, the |
|---|
| 78 | 78 | | 50internet and cybersecurity. Said plan, which shall not be a public record pursuant to section 66, |
|---|
| 79 | 79 | | 51shall include, but not be limited to: |
|---|
| 80 | 80 | | 52 (i) ongoing and anticipated cybersecurity incidents or cybersecurity threats; 4 of 9 |
|---|
| 81 | 81 | | 53 (ii) a risk analysis identifying the vulnerabilities of critical infrastructure and detailing |
|---|
| 82 | 82 | | 54risk-informed recommendations to address such vulnerabilities; |
|---|
| 83 | 83 | | 55 (iii) recommendations regarding the deployment of state agency resources and security |
|---|
| 84 | 84 | | 56professionals in rapidly responding to such cybersecurity incidents or cybersecurity threats; and |
|---|
| 85 | 85 | | 57 (iv) recommendations regarding best practices to minimize the impact of significant |
|---|
| 86 | 86 | | 58cybersecurity threats to agencies. |
|---|
| 87 | 87 | | 59 (f) In the event of a cybersecurity incident that threatens or results in a material |
|---|
| 88 | 88 | | 60impairment of the infrastructure or services of a state agency, the secretary of the executive |
|---|
| 89 | 89 | | 61office of technology services and security shall, with the approval of the governor, serve as the |
|---|
| 90 | 90 | | 62director of the response team; provided, however, that the secretary of the executive office of |
|---|
| 91 | 91 | | 63technology services and security may direct the response team to collaborate with other state |
|---|
| 92 | 92 | | 64agencies and entities that are not members of the response team as appropriate to respond to a |
|---|
| 93 | 93 | | 65cybersecurity incident. |
|---|
| 94 | 94 | | 66 (g) State agencies shall comply with all protocols and procedures established by the |
|---|
| 95 | 95 | | 67response team and all related policies, standards and administrative directives issued by the |
|---|
| 96 | 96 | | 68executive office of technology services and security pursuant to subsection (b) of section 3 of |
|---|
| 97 | 97 | | 69this chapter. The chief information officer or equivalent responsible officer for any state agency |
|---|
| 98 | 98 | | 70served by the executive office of technology services and security shall, as soon as practicable, |
|---|
| 99 | 99 | | 71report any known cybersecurity incident to the commonwealth security operations center, in a |
|---|
| 100 | 100 | | 72form to be prescribed by the executive office of technology services and security. The |
|---|
| 101 | 101 | | 73commonwealth security operations center shall notify the response team of all reported security |
|---|
| 102 | 102 | | 74threats or incidents as soon as practicable, but no later than 24 hours after receiving a report. 5 of 9 |
|---|
| 103 | 103 | | 75 (h) The commonwealth fusion center and the commonwealth security operations center |
|---|
| 104 | 104 | | 76shall routinely exchange information related to cybersecurity threats and cybersecurity incidents |
|---|
| 105 | 105 | | 77that have been reported to or discovered by their respective state agencies or reported to the |
|---|
| 106 | 106 | | 78response team. |
|---|
| 107 | 107 | | 79 (i) The executive office of technology services and security and the response team shall |
|---|
| 108 | 108 | | 80consult with the Massachusetts Cyber Center and assist said center with efforts to foster |
|---|
| 109 | 109 | | 81cybersecurity resiliency through communications, collaboration and outreach to state agencies, |
|---|
| 110 | 110 | | 82municipalities, educational institutions and industry partners. |
|---|
| 111 | 111 | | 83 (j) Notwithstanding anything in this section to the contrary, other agencies not served by |
|---|
| 112 | 112 | | 84the executive office of technology services may report cybersecurity threats or cybersecurity |
|---|
| 113 | 113 | | 85incidents to the commonwealth security operations center in a form to be prescribed by the |
|---|
| 114 | 114 | | 86executive office of technology services and security. |
|---|
| 115 | 115 | | 87 (k) All employees of the executive agencies of the commonwealth shall be required to |
|---|
| 116 | 116 | | 88annually complete a security awareness training program approved by the executive office of |
|---|
| 117 | 117 | | 89technology services and security and administered by the human resources division. |
|---|
| 118 | 118 | | 90 (l) The secretary of the executive office of technology services and security shall |
|---|
| 119 | 119 | | 91promulgate regulations or directives to carry out the purposes of this section. |
|---|
| 120 | 120 | | 92 Section 13. Municipal and Critical Infrastructure Cyber Incident Reporting Requirements |
|---|
| 121 | 121 | | 93 (a) As used in this section, the following words shall have the following meanings unless |
|---|
| 122 | 122 | | 94the context clearly requires otherwise: 6 of 9 |
|---|
| 123 | 123 | | 95 “Covered entity”, any (i) agency, office, department, board, commission, bureau, division |
|---|
| 124 | 124 | | 96or authority of a municipality or any political subdivision thereof; or (ii) an entity that owns or |
|---|
| 125 | 125 | | 97operates critical infrastructure. |
|---|
| 126 | 126 | | 98 “Secretary”, the secretary of the executive office of public safety and security. |
|---|
| 127 | 127 | | 99 (b) A covered entity shall provide notice, as soon as practicable and without unreasonable |
|---|
| 128 | 128 | | 100delay when such covered entity knows or has reason to know of a cybersecurity incident to the |
|---|
| 129 | 129 | | 101commonwealth fusion center in a form to be prescribed by the secretary in consultation with the |
|---|
| 130 | 130 | | 102response team; provided, however, that such notice shall include, but not be limited to: |
|---|
| 131 | 131 | | 103 (i) a timeline of events as best known by the covered entity and the type of cybersecurity |
|---|
| 132 | 132 | | 104incident known or suspected; |
|---|
| 133 | 133 | | 105 (ii) how the cybersecurity incident was initially detected or discovered; |
|---|
| 134 | 134 | | 106 (iii) a list of the specific assets that have been affected or are suspected to be affected; |
|---|
| 135 | 135 | | 107 (iv) copies of any electronic communications that are suspected of being malicious, if |
|---|
| 136 | 136 | | 108applicable; |
|---|
| 137 | 137 | | 109 (v) copies of any malware, threat actor tool or malicious links suspected of causing the |
|---|
| 138 | 138 | | 110cybersecurity incident, if applicable; |
|---|
| 139 | 139 | | 111 (vi) any digital logs such as firewall, active directory and event logs, if available; |
|---|
| 140 | 140 | | 112 (vii) forensic images of random access memory or virtualized random access memory |
|---|
| 141 | 141 | | 113from affected systems, if available; 7 of 9 |
|---|
| 142 | 142 | | 114 (viii) contact information for the covered entity and any third-party entity engaging in |
|---|
| 143 | 143 | | 115cybersecurity incident response that is involved; and |
|---|
| 144 | 144 | | 116 (ix) any other information as required by the commonwealth fusion center or secretary. |
|---|
| 145 | 145 | | 117 (c) Upon receipt of said notice, the representative of the commonwealth fusion center to |
|---|
| 146 | 146 | | 118the response team or their designee shall: |
|---|
| 147 | 147 | | 119 (i) create and maintain a record of the cybersecurity incident, including all information |
|---|
| 148 | 148 | | 120provided by the covered entity in the notice under subsection (b); |
|---|
| 149 | 149 | | 121 (ii) provide a copy of said record to the response team to be included in the response |
|---|
| 150 | 150 | | 122team’s annual cyber incident response plan required by subsection (e) of section 12; provided, |
|---|
| 151 | 151 | | 123however, that such copy shall not include any information identifiable to the covered entity that |
|---|
| 152 | 152 | | 124is not expressly necessary for the preparation of the response team’s report unless the covered |
|---|
| 153 | 153 | | 125entity has provided affirmative consent to share such information; and |
|---|
| 154 | 154 | | 126 (iii) if the covered entity is a municipality or municipal agency under clause (i) of the |
|---|
| 155 | 155 | | 127definition of covered entity in this section, provide notice of the cybersecurity incident to the |
|---|
| 156 | 156 | | 128appropriate local law enforcement agency, including the contact information of the covered |
|---|
| 157 | 157 | | 129entity; provided, however, that this notification shall not be construed to fulfill any of the |
|---|
| 158 | 158 | | 130covered entity’s reporting obligations under this chapter. |
|---|
| 159 | 159 | | 131 (d) Upon receipt of the notice required by subsection (b), the commonwealth fusion |
|---|
| 160 | 160 | | 132center may: 8 of 9 |
|---|
| 161 | 161 | | 133 (i) coordinate with the response team to identify or communicate recommended response |
|---|
| 162 | 162 | | 134measures as appropriate; provided, however, that such recommended response measures shall |
|---|
| 163 | 163 | | 135not include the payment of a ransom; |
|---|
| 164 | 164 | | 136 (ii) assist the covered entity with implementing recommended response measures as |
|---|
| 165 | 165 | | 137appropriate, alone or in conjunction with: (1) any agency or entity represented in the response |
|---|
| 166 | 166 | | 138team; (2) any local law enforcement agency; or (3) the Massachusetts Cyber Center; and |
|---|
| 167 | 167 | | 139 (iii) provide, at the discretion of the secretary, information about other entities that are |
|---|
| 168 | 168 | | 140capable of providing mitigation and remediation support following a cybersecurity incident or in |
|---|
| 169 | 169 | | 141response to a cybersecurity threat. |
|---|
| 170 | 170 | | 142 (e) Nothing in this section shall be construed to: |
|---|
| 171 | 171 | | 143 (i) fulfill any regulatory data breach reporting requirements pursuant to chapter 93H; or |
|---|
| 172 | 172 | | 144 (ii) absolve any duty under applicable federal law to report a cybersecurity threat or |
|---|
| 173 | 173 | | 145cybersecurity incident to the cybersecurity and infrastructure security agency. |
|---|
| 174 | 174 | | 146 (f) This section shall not apply to a covered entity pursuant to clause (ii) of the definition |
|---|
| 175 | 175 | | 147of a covered entity that reports the cybersecurity incident to the cybersecurity and infrastructure |
|---|
| 176 | 176 | | 148security agency pursuant to the federal Cyber Incident Reporting for Critical Infrastructure Act |
|---|
| 177 | 177 | | 149of 2022 and its implementing regulations. |
|---|
| 178 | 178 | | 150 (g) The secretary, alone or in conjunction with the secretary of the executive office of |
|---|
| 179 | 179 | | 151technology services and security, shall promulgate regulations for the purposes of carrying out |
|---|
| 180 | 180 | | 152this section. 9 of 9 |
|---|
| 181 | 181 | | 153 SECTION 2. Section 12 of chapter 7D of the General Laws, as inserted by section 1 of |
|---|
| 182 | 182 | | 154this act, shall take effect upon the passage of this act. |
|---|
| 183 | 183 | | 155 SECTION 3. Section 13 of chapter 7D of the General Laws, as inserted by section 1 of |
|---|
| 184 | 184 | | 156this act, shall take effect 12 months after the passage of this act. |
|---|