SENATE, No. 3835

STATE OF NEW JERSEY

221st LEGISLATURE

INTRODUCED OCTOBER 24, 2024

Sponsored by:

Senator  RAJ MUKHERJI

District 32 (Hudson)

SYNOPSIS

     Establishes Office of Cybersecurity Infrastructure.

CURRENT VERSION OF TEXT

     As introduced.

An Act establishing the Office of Cybersecurity Infrastructure and supplementing Title 52 of the Revised Statutes.

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

     1.    This act shall be known and may be cited as "The Office of Cybersecurity Infrastructure Act."

     2.    As used in this act:

     "Agency" means any of the principal departments in the Executive Branch of the State Government, and any division, board, bureau, office, commission, or other instrumentality within or created by such department, and, to the extent consistent with law, any interstate agency to which New Jersey is a party and any independent State authority, commission, instrumentality, or agency, and any municipality, county, school district, or any agency, department, or instrumentality or any other public body having local or regional jurisdiction or powers.

     "Artificial intelligence" or "AI" means: (1) any artificial system that performs tasks under varying and unpredictable circumstances without significant human oversight or that can learn from experience and improve performance when exposed to data sets; (2) any artificial system developed in computer software, physical hardware, or other contexts that solves tasks requiring human-like perception, cognition, planning, learning, communication, or physical action; (3) any artificial system designed to think or act like a human, including cognitive architectures and neural networks; (4) any set of techniques, including machine learning, that is designed to approximate a cognitive task; or (5) any artificial system designed to act rationally, including an intelligent software agent or embodied robot that achieves goals using perception, planning, reasoning, learning, communicating, decision making, or acting.

     "Cybersecurity infrastructure" means the application of technologies, processes, and controls to protect systems, networks, programs, devices, and data from unauthorized access or criminal use.

     "Office" means the Office of Cybersecurity Infrastructure established by section 3 of P.L.    c.    (C.        )(pending before the Legislature as this bill).

     3.    a. There is established an Office of Cybersecurity Infrastructure.

     b.    The office shall be in, but not of, the Department of the Treasury.  Notwithstanding this allocation, the office shall be independent of any supervision or control by the State Treasurer, or the Department of the Treasury, or by any division, board, office, or other officer thereof.  The office is hereby constituted as an instrumentality of the State exercising public and essential governmental functions, and the exercise by the office of the powers conferred by this act shall be deemed and held to be an essential governmental function of the State.

     c.     The office shall be directed by the Chief Officer of Cybersecurity Infrastructure, who shall report directly to the Governor.

     d.    The Chief Officer of Cybersecurity Infrastructure shall submit requests for the budget of the office to the Division of Budget and Accounting in the Department of the Treasury.

     e.     Under the direction of the Chief Officer of Cybersecurity Infrastructure, the office shall be responsible for:

     (1) establishing and implementing cybersecurity policies for the State;

     (2) establishing, implementing, and monitoring technology infrastructure throughout the State in order for nonprofit and private organizations to interact with residents of this State in a secure manner; and

     (3) establishing AI policies in order for public and private institutions to safely integrate AI into professional practices.

     f.     The office shall develop and maintain an Internet website providing information to the public concerning the operations of the office.

     4.    a.  The Office of Cybersecurity Infrastructure shall be administered by the Chief Officer of Cybersecurity Infrastructure for the State of New Jersey.  The Officer of Cybersecurity Infrastructure shall be appointed by and serve at the pleasure of the Governor.  The Chief Officer of Cybersecurity Infrastructure shall be qualified by education, training, and prior experience to direct the work of the office and to perform the duties, functions and responsibilities of the position.

     b.    The Chief Officer of Cybersecurity Infrastructure shall serve during the term of the Governor appointing the officer and until a successor is appointed and has qualified.

     c.     The Chief Officer of Cybersecurity Infrastructure shall devote full-time to the duties and responsibilities of the office and shall receive a salary as shall be provided pursuant to law.

     d.    A vacancy in the position of Chief Officer of Cybersecurity Infrastructure shall be filled in the same manner as provided for in the original appointment.

     5.    The Chief Officer of Cybersecurity Infrastructure, in consultation with the Chief Technology Officer of the Office of Information Technology, the Chief Information Security Officer of the State, and the Director of the New Jersey Cybersecurity and Communications Integration Cell, shall:

     a.     establish the internal organizational structure of the Office of Cybersecurity Infrastructure, in a manner appropriate to carrying out the duties and functions, and fulfilling the responsibilities, of the office;

     b.    coordinate and conduct cybersecurity operations in the Executive Branch of State Government, including agency cybersecurity technology operations, technology infrastructure operations, and AI integration operations;

     c.     draft and establish Service Level Agreements with each department and agency in the Executive Branch of State Government; and

     d.    enter into agreements as necessary, in accordance and consistent with applicable law, regulations, and existing contracts, with private and public entities or individuals in order to better secure cybersecurity infrastructure in this State.

     6.    a.  The Chief Officer of Cybersecurity Infrastructure shall be authorized to appoint up to six Deputy Officers of Cybersecurity Infrastructure.

     b.    Each Deputy Officer of Cybersecurity Infrastructure shall be appointed by and serve at the pleasure of the Chief Officer of Cybersecurity Infrastructure, and shall be responsible for cybersecurity planning, coordination, budgeting, technical architecture, and management of large-scale cybersecurity initiatives, in a single area of interest as determined by the Chief Officer of Cybersecurity Infrastructure.

     7.    a.  The Chief Officer of Cybersecurity Infrastructure shall provide periodic reports to the Governor, and shall issue an annual report to the Governor and, pursuant to section 2 of P.L.1991, c.164 (C.52:14-19.1), to the Legislature regarding the cybersecurity infrastructure operations of the Executive Branch of State Government and the activities of the Office of Cybersecurity Infrastructure.

     b.    The annual report shall be issued on or before January 1 of each year and shall be made available to the public on the office's website.

     8.    This act shall take effect immediately.

STATEMENT

     This bill establishes the Office of Cybersecurity Infrastructure in the Executive Branch of State Government.  The office will be in, but not of, the Department of the Treasury, but the office will be independent of any supervision or control by the State Treasurer or the Department of the Treasury.

     The purpose of the office is to establish and implement cybersecurity policies for the State; establish, implement, and monitor technology infrastructure throughout the State in order for nonprofit and private organizations to interact with residents of this State in a secure manner; and establish artificial intelligence (AI) policies in order for public and private institutions to safely integrate AI into professional practices.  The office will develop and maintain an Internet website or webpage providing information to the public concerning the operations of the office.

     Under the bill, the office will be led by a Chief Officer of Cybersecurity Infrastructure.  The officer will be appointed by, serve at the pleasure of, and report directly to the Governor.  The officer will devote full-time to the duties and responsibilities of the office and will receive a salary as determined by law.  The Chief Officer of Cybersecurity Infrastructure, in consultation with the Chief Technology Officer of the Office of Information Technology, the Chief Information Security Officer of the State, and the Director of the New Jersey Cybersecurity and Communications Integration Cell, will:

     establish the internal organizational structure of the Office of Cybersecurity Infrastructure;

     coordinate and conduct technology operations in the Executive Branch of State Government, including agency cybersecurity technology operations, technology infrastructure operations, and AI integration operations;

     draft and establish Service Level Agreements with each department and agency in the Executive Branch of State Government; and

     enter into agreements as necessary with private and public entities or individuals in order to better secure cybersecurity infrastructure in this State.

     The Chief Officer of Cybersecurity Infrastructure will be authorized to appoint up to six Deputy Officers of Cybersecurity Infrastructure.  Each deputy officer will be appointed by and serve at the pleasure of the officer and will be responsible for cybersecurity planning, coordination, budgeting, technical architecture, and management of large-scale cybersecurity initiatives.

     The Chief Officer of Cybersecurity Infrastructure will provide periodic reports to the Governor and will issue an annual report to the Governor and to the Legislature regarding the cybersecurity infrastructure operations of the Executive Branch of State Government and the activities of the Office of Cybersecurity Infrastructure.  The annual report will be issued on or before January 1 of each year and will be made available to the public on the office's website.