SB 828 (Hutson) requires local governments that operate critical infrastructure to have those systems and controls comply with and meet operational standards as defined in the ISA/IEC 62443 series of standards as determined by the National Institute of Standards and Technology (NIST) Cybersecurity Framework by July 1, 2024. The ISA/IEC 62443 standards are an international series of standards for industrial communication networks and systems developed by the International Society of Automation. The bill also requires local governments that operate these systems to conduct an annual risk assessment and create a mitigation plan. Systems that fall under these requirements include, but are not limited to, public transportation, water and wastewater treatment facilities, public utilities, public services subject to jurisdiction by the Public Service Commission, and public buildings. By July 1, 2026, when local governments procure automation and control system components, services, or solutions, or when contracting for facility upgrades for critical infrastructure, the local government must require those new components or services to meet the ISA/IEC 62443 standards. Additionally, the bill specifies civil penalties for noncompliance if a local government does not make a good-faith effort to comply with these standards and an incident occurs.
HB 1147 (Giallombardo) is similar to SB 828 but has different implementing requirements and timelines. By July 1, 2022, when local governments procure automation and control system components, services, or solutions, or when contracting for facility upgrades for critical infrastructure, the local government must require those new components or services to meet the ISA/IEC 62443 standards. The main difference between these two bills is that HB 1147 encourages local governments that operate critical infrastructure to, by July 1, 2022, have those systems and controls comply with and meet operational standards as defined in the ISA/IEC 62443 series of standards as determined by the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The bill also encourages asset owners to annually conduct a risk assessment and create a risk mitigation plan.
(Taggart)