Introduced: 03/04/2026
In Committee: 03/04/2026
Crossed Over
Passed
Dead: 05/06/2026
Introduced Session
2026 General Assembly
Bill Summary
To establish various cybersecurity provisions relating to (1) a cybersecurity framework, (2) a prohibition on penalizing cybersecurity employees for certain reports, (3) notifications regarding cybersecurity incidents, (4) minimum safeguards, (5) quantum-transition readiness requirements, (6) the "Connecticut Cybersecurity Seed Fund" grant program, (7) a "bug bounty" program, (8) the dissemination of cybersecurity intelligence, (9) the State Cybersecurity Intelligence Task Force, and (10) the state's operational response to cybersecurity emergencies.
AI Summary
This bill establishes a comprehensive cybersecurity framework for the state, defining "covered entities" as businesses, healthcare entities, or government contractors handling sensitive data or operating critical infrastructure. It mandates that by July 1, 2027, covered entities complying with the National Institute of Standards and Technology's (NIST) Cybersecurity Framework 2.0 and high-level identity assurance standards (AAL3 identity assurance, meaning robust identity verification resistant to impersonation) will meet state cybersecurity requirements, while critical infrastructure entities must use decentralized security systems that ensure non-repudiation, meaning transactions cannot be denied, and eliminate centrally stored passwords or biometrics by the same date. The bill also prohibits employers from retaliating against cybersecurity employees who report significant security flaws, referred to as "material security deficiencies" (systemic failures posing a risk to public safety or operations), or failures to maintain non-repudiation. Covered entities must report cybersecurity incidents that compromise sensitive data, disrupt services, or pose a material risk within 72 hours to the Division of Emergency Management and Homeland Security, providing details about the incident and its impact. Minimum cybersecurity safeguards, aligned with NIST principles, including timely patching, data encryption, backup systems, and annual risk assessments, are required starting January 1, 2027. Furthermore, critical infrastructure entities, healthcare providers, financial institutions, and state agencies must prepare for quantum computing threats by January 1, 2028, by planning for post-quantum cryptography and implementing systems capable of rapid cryptographic algorithm changes. 
To support these efforts, the bill establishes the "Connecticut Cybersecurity Seed Fund" grant program to aid in developing decentralized and non-repudiated security solutions, and mandates the creation of a "bug bounty" program by January 1, 2028, to incentivize security researchers to find vulnerabilities in state systems, granting them immunity for good-faith efforts. The Connecticut Intelligence Center will collect and share cybersecurity intelligence, and a State Cybersecurity Intelligence Task Force will be formed to analyze threats and coordinate responses, with the Division of Emergency Management and Homeland Security coordinating the state's operational response to cybersecurity emergencies and serving as a liaison between the task force and local emergency management officials.
Committee Categories
Justice
Sponsors (0)
No sponsors listed
Other Sponsors (1)
Public Safety and Security Committee (Joint)
Last Action
Public Safety and Security Public Hearing (on 03/10/2026)
| Document Type | Source Location |
|---|---|
| State Bill Page | https://www.cga.ct.gov/asp/cgabillstatus/cgabillstatus.asp?selBillType=Bill&bill_num=SB00403&which_year=2026 |
| BillText | https://www.cga.ct.gov/2026/TOB/S/PDF/2026SB-00403-R00-SB.PDF |