CT SB00403

Covered entities complying with NIST Cybersecurity Framework 2.0 and AAL3 identity assurance standards are deemed compliant with equivalent state cybersecurity requirements starting July 1, 2027; critical infrastructure entities must eliminate centrally stored passwords and biometrics by the same date.

Cybersecurity professionals receive whistleblower protections when reporting material security deficiencies or non-repudiation failures to supervisors or the Division of Emergency Management and Homeland Security.

Covered entities must notify the Division of Emergency Management and Homeland Security within 72 hours of discovering cybersecurity incidents involving unauthorized data access, service disruption, or material operational risk.

Critical infrastructure entities, health care providers, financial institutions, and state agencies must adopt quantum-transition readiness postures and implement cryptographic agility architectures by January 1, 2028.

Establishes the Connecticut Cybersecurity Seed Fund grant program, a bug bounty program for state systems with researcher immunity, and a State Cybersecurity Intelligence Task Force comprising commissioners from Emergency Services, Administrative Services, and the Military Department.