58:31-4.1 Update of cybersecurity program; revision; proof of compliance; audit.
3. a. In addition to the requirements of section 4 of P.L.2017, c.133 (C.58:31-4), and the requirements established by the board pursuant thereto, no later than 180 days after the effective date of P.L.2021, c.262 (C.58:31-4.1 et al.), each water purveyor shall update its cybersecurity program developed pursuant to section 4 of P.L.2017, c.133 (C.58:31-4) to apply to all of the public community water system's industrial control systems, and to reasonably conform to the most recent version of one or more of the following industry-recognized cybersecurity frameworks:
(1) the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology;
(2) the Center for Internet Security Critical Security Controls for Effective Cyber Defense; or
(3) the International Organization for Standardization and International Electrotechnical Commission 27000 family of standards for an information security management system.
b. Whenever a final revision to one or more of the frameworks listed in subsection a. of this section is published, a water purveyor whose cybersecurity program reasonably conformed to that framework shall revise its cybersecurity program to reasonably conform to the revised framework, and submit a copy of the revised cybersecurity program to the New Jersey Cybersecurity and Communications Integration Cell, no later than 180 days after publication of the revised framework.
c. No later than one year after the effective date of P.L.2021, c.262 (C.58:31-4.1 et al.), and each year thereafter, each water purveyor shall submit to the board, the department, and the New Jersey Cybersecurity and Communications Integration Cell a certification demonstrating that the water purveyor is in compliance with the requirements of this section. The certification shall be made in the form and manner as determined by the department, in consultation with the New Jersey Cybersecurity and Communications Integration Cell. The certification shall be signed by the responsible corporate officer of the public community water system, if privately held, executive director, if an authority, or mayor or chief executive officer of the municipality, if municipally owned, as applicable.
d. The New Jersey Cybersecurity and Communications Integration Cell shall cause to be audited, for compliance with the requirements of section 4 of P.L.2017, c.133 (C.58:31-4) and this section, any public community water system that fails to submit a cybersecurity program as required pursuant to subsection a. of section 4 of P.L.2017, c.133 (C.58:31-4), a revision pursuant to subsection b. of this section, or a certification pursuant to this section. Any audit shall be conducted by a qualified and independent cybersecurity company, at the water purveyor's expense. Following the audit, the water purveyor shall submit the audit and any corrective action plans derived from the audit to the New Jersey Cybersecurity and Communications Integration Cell.
e. A water purveyor shall, upon the request of the board, the department, or the New Jersey Cybersecurity and Communications Integration Cell, provide proof of compliance with the requirements of this section, in a form and manner as determined by the board, the department, or by the New Jersey Cybersecurity and Communications Integration Cell.
f. The board shall update any requirements it has established for cybersecurity programs pursuant to subsection a. of section 4 of P.L.2017, c.133 (C.58:31-4) to conform to the requirements of this section.
L.2021, c.262, s.3.