CS/SB 828 (Hutson) requires local governments when procuring automation and control system components, services, or solutions or entering into a contract for the construction, reconstruction, alteration, or design of a critical infrastructure facility that such components, services, and solutions conform to the ISA 62443 series of standards as referenced by the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), beginning July 1, 2022. The bill also requires local governments to ensure that all contracts for the construction, reconstruction, alteration, or design of a critical infrastructure facility require that installed automation and control system components meet the minimum standards for cybersecurity as defined in the ISA 62443 series of standards as referenced by NIST CSF.
HB 1147 (Giallombardo) is similar to CS/SB 828 but has different implementing requirements and timelines. By July 1, 2022, when local governments procure automation and control system components, services, or solutions, or when contracting for facility upgrades for critical infrastructure, the local government must require those new components or services to meet the ISA/IEC 62443 standards. The main difference in these two bills is that HB 1147 encourages local governments who operate critical infrastructure to, by July 1, 2022, have those systems and controls comply with and meet operational standards as defined in the ISA/IED 62443 series of standards as determined by NIST CSF. The bill also encourages asset owners to annually conduct a risk assessment and create a risk mitigation plan. (Taggart)