Control template: NYDFS 23 NYCRR Part 500 (Cybersecurity Regulation)
Status: Public Beta · Version: nydfs-part-500/v0.1.0-beta
A bundle of CALM control snippets covering the architecturally
enforceable subset of the New York Department of Financial
Services Cybersecurity Regulation (23 NYCRR §§500.0–500.24, as
amended November 2023). You copy these into your *.calm.json
files on the nodes that are part of your Covered Entity's
Information Systems handling Nonpublic Information.
Who Part 500 applies to
Covered Entities: any individual or non-governmental entity operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York's Banking Law, Insurance Law, or Financial Services Law. Common categories:
- New York-chartered banks and trust companies
- Foreign banks with New York branches
- Licensed insurers and insurance producers
- Money transmitters, virtual currency businesses (BitLicense)
- Mortgage lenders, brokers, and servicers
- Premium finance agencies
Class A Companies (§500.1(d)): Covered Entities with $20 million in gross annual revenue from NY operations over the last 2 fiscal years AND either (i) over 2,000 employees averaged over the last 2 fiscal years OR (ii) over $1 billion in gross annual revenue averaged over the last 3 fiscal years. Stricter expectations apply to Class A.
Limited exemptions exist under §500.19 (employee-only firms, small firms with <20 employees + <$7.5M NY revenue + <$15M total assets). Confirm your category with counsel.
What this template covers
Part 500 has 24 sections. The architectural surface concentrates in §§500.5–500.16. Governance (§500.4 CISO), risk assessment (§500.9), training (§500.14(b)), and incident reporting workflow (§500.17) are documented separately in your cybersecurity program.
| Part 500 citation | Architectural surface | Control alias |
|---|---|---|
| §500.5 — Vulnerability mgmt | Vulnerability scanning + patching | nydfs-vulnerability-management |
| §500.6 — Audit trail | Audit logging on Nonpublic Info | nydfs-audit-trail |
| §500.7 — Access privileges | RBAC + privileged-access governance | nydfs-access-privileges |
| §500.8 — App security | SDLC + secure-development practices | nydfs-application-security |
| §500.11 — Third-party risk | Third-party Information Systems mapping | nydfs-third-party-mapping |
| §500.12 — MFA | Multi-factor authentication | nydfs-mfa |
| §500.13 — Asset management | Asset inventory + retention | nydfs-asset-inventory |
| §500.14(a) — Monitoring | Continuous monitoring of activity | nydfs-monitoring |
| §500.15 — Encryption | Encryption of Nonpublic Information | nydfs-encryption |
| §500.16 — Incident response | IR plan + BCDR procedures | nydfs-incident-response-bcdr |
| §500.17 — Notification | 72-hour cybersecurity event notification | nydfs-event-notification |
11 architectural controls covering Part 500's implementation-shaped surfaces. Governance (§500.4 CISO designation), risk assessment (§500.9), training (§500.14(b)), policies (§500.3), and the annual Certificate of Compliance (§500.17(b)) are organizational and live in your firm's cybersecurity program.
The "NYDFS-in-scope" pattern
A node is NYDFS-in-scope if it is part of an Information System of a Covered Entity, particularly any system that handles Nonpublic Information as defined in §500.1(k) (business information that would cause material adverse impact; personal information; biometric data; health information).
```json
{
  "unique-id": "policy-administration-system",
  "node-type": "service",
  "name": "Policy Administration System",
  "metadata": {
    "nydfs-in-scope": true,
    "nydfs-class-a": true,
    "handles-nonpublic-info": true,
    "data-classification": "nonpublic-information"
  }
}
```
Class A status drives stricter expectations for several controls (annual independent audit, more frequent risk assessments, dedicated monitoring solutions).
Control snippets
Copy each block under the controls key of the node it applies to.
§500.5 — Vulnerability management (nydfs-vulnerability-management)
Per-node.

```json
"nydfs-vulnerability-management": {
  "description": "NYDFS Part 500 §500.5 — vulnerability assessments + automated scans + manual review of systems not covered by such assessments + timely remediation.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/nydfs-part-500/vulnerability-management",
      "config": {
        "control-id": "nydfs-vulnerability-management",
        "automated-scanning-frequency": "weekly",
        "manual-review-frequency": "annual",
        "critical-patch-deadline-days": 14,
        "high-patch-deadline-days": 30,
        "evidence-document-url": "https://internal.example.com/nydfs/vuln-mgmt"
      }
    }
  ]
}
```
§500.6 — Audit trail (nydfs-audit-trail)
Per-node. Audit trail design + retention.

```json
"nydfs-audit-trail": {
  "description": "NYDFS Part 500 §500.6 — audit trails to detect and respond to Cybersecurity Events with sufficient detail to support investigations, retained for at least 5 years (3 years for some categories per §500.6(a)(2)).",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/nydfs-part-500/audit-trail",
      "config": {
        "control-id": "nydfs-audit-trail",
        "events": ["access-to-nonpublic-info", "privilege-elevation", "config-change", "policy-violation", "auth-success", "auth-failure"],
        "destination": "centralized-siem",
        "immutable": true,
        "retention-days": 1827
      }
    }
  ]
}
```
§500.7 — Access privileges (nydfs-access-privileges)
Per-node.

```json
"nydfs-access-privileges": {
  "description": "NYDFS Part 500 §500.7 — limit user access privileges to Information Systems that provide access to Nonpublic Information. Privileged access controlled per §500.7(a)(3)–(6).",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/nydfs-part-500/access-privileges",
      "config": {
        "control-id": "nydfs-access-privileges",
        "principle": "least-privilege",
        "review-frequency": "at-least-annual",
        "privileged-access-jit-or-pam": true,
        "remote-privileged-access-additional-controls": true
      }
    }
  ]
}
```
§500.8 — Application security (nydfs-application-security)
Graph-level. Declares the firm's SDLC + secure-development practices.

```json
"metadata": {
  "controls": {
    "nydfs-application-security": {
      "description": "NYDFS Part 500 §500.8 — secure-development practices for in-house applications, and procedures for evaluating, assessing, or testing the security of externally developed applications.",
      "requirements": [
        {
          "requirement-url": "https://archrails.io/catalog/req/nydfs-part-500/application-security",
          "config": {
            "control-id": "nydfs-application-security",
            "sdlc-document-url": "https://internal.example.com/nydfs/sdlc",
            "code-review-required": true,
            "external-app-assessment-required": true,
            "review-frequency": "annual"
          }
        }
      ]
    }
  }
}
```
§500.11 — Third-party risk (nydfs-third-party-mapping)
Per-relationship.

```json
"controls": {
  "nydfs-third-party-mapping": {
    "description": "NYDFS Part 500 §500.11 — third-party service provider's Information Systems risk-assessed; contractual + due-diligence requirements documented; ongoing monitoring established.",
    "requirements": [
      {
        "requirement-url": "https://archrails.io/catalog/req/nydfs-part-500/third-party-mapping",
        "config": {
          "control-id": "nydfs-third-party-mapping",
          "provider-name": "Acme Cloud Services",
          "risk-assessment-date": "2025-01-15",
          "risk-assessment-url": "https://internal.example.com/nydfs/tpsp-risk/acme",
          "contract-references-cybersecurity-program": true,
          "mfa-required-by-contract": true,
          "encryption-required-by-contract": true,
          "ongoing-monitoring-frequency": "quarterly"
        }
      }
    ]
  }
}
```
§500.12 — MFA (nydfs-mfa)
Per-node. The 2023 amendments expanded MFA to broadly cover access to Information Systems.

```json
"nydfs-mfa": {
  "description": "NYDFS Part 500 §500.12 — multi-factor authentication for any individual accessing the Covered Entity's Information Systems, with limited exceptions documented + approved in writing by the CISO.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/nydfs-part-500/mfa",
      "config": {
        "control-id": "nydfs-mfa",
        "factor-count": 2,
        "factor-types": ["password", "totp-or-webauthn-or-hardware-token"],
        "exception-policy-url": "https://internal.example.com/nydfs/mfa-exceptions",
        "ciso-approval-required-for-exceptions": true
      }
    }
  ]
}
```
§500.13 — Asset management (nydfs-asset-inventory)
Graph-level. New in 2023 amendments.

```json
"metadata": {
  "controls": {
    "nydfs-asset-inventory": {
      "description": "NYDFS Part 500 §500.13 — written policies and procedures designed to produce and maintain a complete, accurate, and documented asset inventory of the Covered Entity's information systems.",
      "requirements": [
        {
          "requirement-url": "https://archrails.io/catalog/req/nydfs-part-500/asset-inventory",
          "config": {
            "control-id": "nydfs-asset-inventory",
            "inventory-source": "calm-graph-plus-cmdb",
            "tracked-attributes": ["owner", "location", "classification", "support-status", "recovery-tier"],
            "review-frequency": "at-least-annual",
            "retention-after-decommission-days": 1827
          }
        }
      ]
    }
  }
}
```
§500.14(a) — Monitoring (nydfs-monitoring)
Per-node.

```json
"nydfs-monitoring": {
  "description": "NYDFS Part 500 §500.14(a) — monitor authorized users' activity and detect unauthorized access or use of, or tampering with, Nonpublic Information by authorized users.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/nydfs-part-500/monitoring",
      "config": {
        "control-id": "nydfs-monitoring",
        "metrics": ["anomalous-access-patterns", "data-export-volume", "off-hours-activity", "failed-auth-rate"],
        "destination": "centralized-siem",
        "alerting-target": "security-soc@example.com",
        "review-frequency": "continuous-plus-weekly-summary"
      }
    }
  ]
}
```
§500.15 — Encryption (nydfs-encryption)
Per-node.

```json
"nydfs-encryption": {
  "description": "NYDFS Part 500 §500.15 — encryption of Nonpublic Information in transit over external networks AND at rest. Compensating controls required where encryption is infeasible.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/nydfs-part-500/encryption",
      "config": {
        "control-id": "nydfs-encryption",
        "at-rest-algorithm": "AES-256-GCM",
        "in-transit-minimum-tls": ["1.2", "1.3"],
        "key-management": "hsm-or-kms-cmk",
        "key-rotation-days": 365,
        "compensating-controls-document-url": "https://internal.example.com/nydfs/encryption-exceptions"
      }
    }
  ]
}
```
§500.16 — Incident response + BCDR (nydfs-incident-response-bcdr)
Graph-level.

```json
"metadata": {
  "controls": {
    "nydfs-incident-response-bcdr": {
      "description": "NYDFS Part 500 §500.16 — written incident response plan + business continuity and disaster recovery plan, tested annually.",
      "requirements": [
        {
          "requirement-url": "https://archrails.io/catalog/req/nydfs-part-500/incident-response-bcdr",
          "config": {
            "control-id": "nydfs-incident-response-bcdr",
            "ir-plan-document-url": "https://internal.example.com/nydfs/ir-plan",
            "bcdr-plan-document-url": "https://internal.example.com/nydfs/bcdr-plan",
            "tested-frequency": "annual",
            "last-test-date": "2025-03-20",
            "tabletop-frequency": "annual",
            "rpo-minutes": 60,
            "rto-minutes": 240
          }
        }
      ]
    }
  }
}
```
§500.17 — Event notification (nydfs-event-notification)
Graph-level. 72-hour notification to NYDFS.

```json
"metadata": {
  "controls": {
    "nydfs-event-notification": {
      "description": "NYDFS Part 500 §500.17(a) — notify the Superintendent of Cybersecurity Events as promptly as possible but no later than 72 hours after determining a notifiable event occurred. Plus the §500.17(c) ransomware-payment notification (24-hour).",
      "requirements": [
        {
          "requirement-url": "https://archrails.io/catalog/req/nydfs-part-500/event-notification",
          "config": {
            "control-id": "nydfs-event-notification",
            "supervisor": "NYDFS Superintendent",
            "notification-deadline-hours": 72,
            "ransomware-payment-notification-hours": 24,
            "internal-detection-process-url": "https://internal.example.com/nydfs/event-detection",
            "notification-template-url": "https://internal.example.com/nydfs/event-template",
            "tested-annually": true,
            "last-test-date": "2025-04-08"
          }
        }
      ]
    }
  }
}
```
What the engine enforces
Same constraint engine. Per-rule behavior:
- Presence-shape rules (MFA, encryption, monitoring, access-privileges): engine fires when a node tagged nydfs-in-scope: true doesn't declare the control.
- Value-constrained rules (notification deadlines, patch deadlines, retention days, RPO/RTO): engine checks the value.
- Relationship-level rules (third-party mapping): engine walks third-party edges.
All deterministic — pure function over your CALM JSON.
Class A considerations
If nydfs-class-a: true is set on the node, your firm has stricter
expectations under several sections (independent audit, more
frequent risk assessments, dedicated monitoring solutions). This
template's defaults are tuned for non-Class A; Class A firms should
tighten the values (e.g., automated-scanning-frequency: continuous,
review-frequency: quarterly).
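The three rule shapes from "What the engine enforces" and the Class A tightening advice above, written out as one pure function over a small constructed CALM-style graph. This is an added example, not archrails code (the page does not show the engine itself). Assumptions not taken from the page: per-node controls sit under the node's controls key and graph-level controls under top-level metadata.controls; relationships use a connects shape with source and destination node ids; third-party nodes carry a constructed third-party: true flag; the 72-hour, 24-hour and 5-year bounds are the page's figures, while the 14-day critical-patch bound and the Class A checks are lifted from this template's own defaults and suggestions rather than from the real engine.

```python
import json

# Presence-shape rules: every nydfs-in-scope node must declare these controls.
PRESENCE_RULES = ("nydfs-mfa", "nydfs-encryption", "nydfs-monitoring",
                  "nydfs-access-privileges")

# Value-constrained rules: (control, config key, predicate, message).
# 72h / 24h / 5 years are from Part 500; the 14-day bound is an assumption
# modelled on this template's default, not a regulatory figure.
VALUE_RULES = [
    ("nydfs-event-notification", "notification-deadline-hours",
     lambda v: v <= 72, "must be <= 72 hours (§500.17(a))"),
    ("nydfs-event-notification", "ransomware-payment-notification-hours",
     lambda v: v <= 24, "must be <= 24 hours (§500.17(c))"),
    ("nydfs-audit-trail", "retention-days",
     lambda v: v >= 1825, "must retain at least 5 years (§500.6)"),
    ("nydfs-vulnerability-management", "critical-patch-deadline-days",
     lambda v: v <= 14, "exceeds the template default of 14 days (assumed bound)"),
]

# Class A advisory checks, taken from the tightening suggestions in this template.
CLASS_A_RULES = [
    ("nydfs-vulnerability-management", "automated-scanning-frequency",
     lambda v: v == "continuous", "Class A: consider 'continuous'"),
    ("nydfs-access-privileges", "review-frequency",
     lambda v: v == "quarterly", "Class A: consider 'quarterly'"),
]


def control_config(controls, control_id):
    """Config block of the control's first requirement, or None if absent."""
    control = controls.get(control_id)
    if not control:
        return None
    reqs = control.get("requirements") or []
    return reqs[0].get("config", {}) if reqs else {}


def apply_value_rules(rules, controls, where, severity):
    """Check declared values only; absence is the presence rule's job."""
    findings = []
    for control_id, key, ok, message in rules:
        config = control_config(controls, control_id)
        if config is None or key not in config:
            continue
        if not ok(config[key]):
            findings.append(f"{severity} {where}: {control_id}.{key}="
                            f"{config[key]!r} {message}")
    return findings


def evaluate(graph):
    """Pure function: CALM-style graph dict in, sorted finding strings out."""
    findings = []
    nodes = {n["unique-id"]: n for n in graph.get("nodes", [])}

    for node_id, node in nodes.items():
        meta = node.get("metadata", {})
        if meta.get("nydfs-in-scope") is not True:
            continue  # out-of-scope nodes are never checked
        controls = node.get("controls", {})
        for control_id in PRESENCE_RULES:
            if control_id not in controls:
                findings.append(f"FAIL {node_id}: missing control {control_id}")
        findings += apply_value_rules(VALUE_RULES, controls, node_id, "FAIL")
        if meta.get("nydfs-class-a") is True:
            findings += apply_value_rules(CLASS_A_RULES, controls, node_id, "WARN")

    # Graph-level controls live under top-level metadata.controls.
    graph_controls = graph.get("metadata", {}).get("controls", {})
    findings += apply_value_rules(VALUE_RULES, graph_controls, "graph", "FAIL")

    # Relationship-level rule: an in-scope node connecting to a third-party
    # node needs nydfs-third-party-mapping declared on that relationship.
    for rel in graph.get("relationships", []):
        connects = rel.get("relationship-type", {}).get("connects")
        if not connects:
            continue
        src = nodes.get(connects["source"]["node"], {})
        dst = nodes.get(connects["destination"]["node"], {})
        src_in_scope = src.get("metadata", {}).get("nydfs-in-scope") is True
        dst_third_party = dst.get("metadata", {}).get("third-party") is True
        if src_in_scope and dst_third_party and \
                "nydfs-third-party-mapping" not in rel.get("controls", {}):
            findings.append(f"FAIL {rel['unique-id']}: third-party edge lacks "
                            "nydfs-third-party-mapping")
    return sorted(findings)


# Constructed sample graph: one Class A node with gaps, one third-party node,
# one out-of-scope node, and a graph-level notification deadline that is too long.
SAMPLE_GRAPH = json.loads("""
{
  "nodes": [
    {"unique-id": "policy-administration-system", "node-type": "service",
     "metadata": {"nydfs-in-scope": true, "nydfs-class-a": true},
     "controls": {
       "nydfs-mfa": {"requirements": [{"config": {"factor-count": 2}}]},
       "nydfs-encryption": {"requirements": [{"config": {"at-rest-algorithm": "AES-256-GCM"}}]},
       "nydfs-monitoring": {"requirements": [{"config": {"destination": "centralized-siem"}}]},
       "nydfs-audit-trail": {"requirements": [{"config": {"retention-days": 1095}}]},
       "nydfs-vulnerability-management": {"requirements": [{"config":
         {"automated-scanning-frequency": "weekly", "critical-patch-deadline-days": 14}}]}
     }},
    {"unique-id": "acme-cloud", "node-type": "system", "metadata": {"third-party": true}},
    {"unique-id": "marketing-site", "node-type": "service", "metadata": {}}
  ],
  "relationships": [
    {"unique-id": "pas-to-acme", "relationship-type": {"connects":
      {"source": {"node": "policy-administration-system"}, "destination": {"node": "acme-cloud"}}}}
  ],
  "metadata": {"controls": {"nydfs-event-notification": {"requirements": [{"config":
    {"notification-deadline-hours": 96, "ransomware-payment-notification-hours": 24}}]}}}
}
""")

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_GRAPH):
        print(finding)
```

Running it on the sample yields four FAIL findings (missing access-privileges, three-year audit retention, a 96-hour notification deadline, and an unmapped third-party edge) plus one Class A WARN for weekly scanning; the out-of-scope marketing-site node produces nothing. Because evaluate takes a plain dict and returns a sorted list, the same function can run in CI against the committed *.calm.json files and its output diffed between commits.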
Auto-include during bootstrap (coming)
A future release will let archrails bootstrap detect NY-FSI repos
(by asking about state-financial-services licensing) and offer to
auto-include this template.
Versioning
This is nydfs-part-500/v0.1.0-beta. Pre-1.0 = beta. Bumps to
v1.0.0 per the GA criteria above. Updates as NYDFS publishes
further amendments or material guidance.
Out of scope for this template
- §500.3 — Cybersecurity policy — written policy is procedural.
- §500.4 — CISO designation + annual report — governance.
- §500.9 — Risk assessment methodology — process.
- §500.10 — Cybersecurity personnel + intelligence — organizational.
- §500.14(b) — Cybersecurity awareness training — HR / training.
- §500.17(b) — Annual Certificate of Compliance — signed by Senior Officer or Senior Governing Body, not architectural.
- §500.19 — Exemption determination — legal, not architectural.
For those surfaces, pair this template with your cybersecurity program documentation and engage qualified counsel.