Budget Amendment ID: FY2024-S3-793

OTH 793

Data/Cyber Security

Mr. Brady moved that the proposed new text be amended by adding the following section:-

"SECTION__. The Massachusetts Gaming Commission shall by regulation establish a requirement for the primacy of data and application security with a multi-layered approach including the network and application layers, as applied to mobile, web, and any third-party or other applications that store, transact, or transmit gaming, personal, or any other relevant data, with the purpose of reducing cyber risk and harm to consumers and digital operators.

The approach will utilize Federal Information Processing Standard (FIPS) 140-3 conformance-tested technology, including but not limited to National Institute of Standards and Technology-approved solutions, that goes beyond the security of standards to reduce the attack surface of online gaming systems and applications and reduce unauthorized access to Massachusetts Gaming Commission systems and applications.

Said technology should mitigate the risk of exploitation of common online threats including, but not limited to: local and remote exploitation of known and unknown ("zero-day") software vulnerabilities caused by zero-day attacks; man-in-the-middle attacks; injection attacks; compromises of software development pipelines and supply chains; credential stuffing; and other elements of nefarious activity used to disrupt the integrity of and trust in the data communication from the consumer to the Gaming Operator. To assess ongoing compliance with the above requirements, covered entities shall submit to annual "red team" cybersecurity assessments carried out by GIAC-certified offensive security professionals."