EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTING LAW .
[Brackets] indicate matter deleted from existing law.
*sb0754*
SENATE BILL 754
S2, E4, P1 2lr1504
CF 2lr1778
By: Senator Hester
Introduced and read first time: February 7, 2022
Assigned to: Education, Health, and Environmental Affairs
A BILL ENTITLED
AN ACT concerning 1
Local Government Cybersecurity – Coordination and Operations 2
(Local Cybersecurity Support Act of 2022) 3
FOR the purpose of establishing the Cyber Preparedness Unit in the Maryland Department 4
of Emergency Management; establishing certain responsibilities of the Unit; 5
requiring certain local entities to report certain cybersecurity incidents in a certain 6
manner and under certain circumstances; requiring the Maryland Joint Operations 7
Center to notify appropriate agencies of a cybersecurity incident in a certain manner; 8
establishing the Cybersecurity Fusion Center in the Maryland Department of 9
Emergency Management; establishing certain responsibilities of the Fusion Center; 10
establishing the Local Cybersecurity Support Fund, the purposes of the Fund, and 11
certain eligibility requirements to receive assistance from the Fund; establishing the 12
Office of Security Management within the Department of Information Technology 13
and certain Office positions; establishing certain responsibilities and authority of the 14
Office; requiring each unit of the Legislative or Judicial Branch of State government, 15
each unit of local government, and any local agencies that use a certain network to 16
certify certain compliance to the Department of Information Technology on or before 17
a certain date each year; requiring certain local entities to submit a certain report to 18
the Office on or before a certain date each year; requiring the Office to submit a 19
certain report to the Governor and certain committees of the General Assembly on 20
or before a certain date each year; requiring the State Chief Information Security 21
Officer and the Secretary of Emergency Management to conduct a certain review, 22
make recommendations, establish certain guidance, and submit a certain report on 23
or before a certain date; requiring the State Chief Information Security Officer to 24
commission a certain feasibility study and report recommendations on or before a 25
certain date; requiring the Governor to include an appropriation in a certain annual 26
budget to cover the cost of the feasibility study; and generally relating to local 27
government cybersecurity coordination and operations. 28
BY renumbering 29
Article – State Finance and Procurement 30 2 SENATE BILL 754
Section 3A–101 through 3A–702, respectively, and the title “Title 3A. Department of 1
Information Technology” 2
to be Section 3.5–101 through 3.5–702, respectively, and the title “Title 3.5. 3
Department of Information Technology” 4
Annotated Code of Maryland 5
(2021 Replacement Volume) 6
BY repealing and reenacting, with amendments, 7
Article – Criminal Procedure 8
Section 10–221(b) 9
Annotated Code of Maryland 10
(2018 Replacement Volume and 2021 Supplement) 11
BY repealing and reenacting, with amendments, 12
Article – Health – General 13
Section 21–2C–03(h)(2)(i) 14
Annotated Code of Maryland 15
(2019 Replacement Volume and 2021 Supplement) 16
BY repealing and reenacting, with amendments, 17
Article – Human Services 18
Section 7–806(a), (b)(1), (c)(1), (d)(1) and (2)(i), and (g)(1) 19
Annotated Code of Maryland 20
(2019 Replacement Volume and 2021 Supplement) 21
BY repealing and reenacting, with amendments, 22
Article – Insurance 23
Section 31–103(a)(2)(i) and (b)(2) 24
Annotated Code of Maryland 25
(2017 Replacement Volume and 2021 Supplement) 26
BY repealing and reenacting, with amendments, 27
Article – Natural Resources 28
Section 1–403(c) 29
Annotated Code of Maryland 30
(2018 Replacement Volume and 2021 Supplement) 31
BY repealing and reenacting, without amendments, 32
Article – Public Safety 33
Section 14–103 34
Annotated Code of Maryland 35
(2018 Replacement Volume and 2021 Supplement) 36
BY adding to 37
Article – Public Safety 38
Section 14–104.1 39
Annotated Code of Maryland 40 SENATE BILL 754 3
(2018 Replacement Volume and 2021 Supplement) 1
BY repealing and reenacting, without amendments, 2
Article – State Finance and Procurement 3
Section 3.5–101(a) and (e) and 3.5–301(a) 4
Annotated Code of Maryland 5
(2021 Replacement Volume) 6
(As enacted by Section 1 of this Act) 7
BY adding to 8
Article – State Finance and Procurement 9
Section 3.5–2A–01 through 3.5–2A–04 to be under the new subtitle “Subtitle 2A. 10
Office of Security Management”; and 3.5–405 and 6–226(a)(2)(ii)146. 11
Annotated Code of Maryland 12
(2021 Replacement Volume) 13
BY repealing and reenacting, with amendments, 14
Article – State Finance and Procurement 15
Section 3.5–301(j), 3.5–302(c), 3.5–303(c)(2)(ii)2., 3.5–307(a)(2), 3.5–309(c)(2), (i)(3), 16
and (l)(1)(i), 3.5–311(a)(2)(i), and 3.5–404 17
Annotated Code of Maryland 18
(2021 Replacement Volume) 19
(As enacted by Section 1 of this Act) 20
BY repealing and reenacting, without amendments, 21
Article – State Finance and Procurement 22
Section 6–226(a)(2)(i) 23
Annotated Code of Maryland 24
(2021 Replacement Volume) 25
BY repealing and reenacting, with amendments, 26
Article – State Finance and Procurement 27
Section 6–226(a)(2)(ii)144. and 145. and 12–107(b)(2)(i)10. and 11. 28
Annotated Code of Maryland 29
(2021 Replacement Volume) 30
BY repealing and reenacting, with amendments, 31
Article – State Government 32
Section 2–1224(f) 33
Annotated Code of Maryland 34
(2021 Replacement Volume) 35
BY adding to 36
Article – State Government 37
Section 2–1224(i) 38
Annotated Code of Maryland 39
(2021 Replacement Volume) 40 4 SENATE BILL 754
SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 1
That Section(s) 3A–101 through 3A–702, respectively, and the title “Title 3A. Department 2
of Information Technology” of Article – State Finance and Procurement of the Annotated 3
Code of Maryland be renumbered to be Section(s) 3.5–101 through 3.5–702, respectively, 4
and the title “Title 3.5. Department of Information Technology”. 5
SECTION 2. AND BE IT FURTHER ENACTED , That the Laws of Maryland read 6
as follows: 7
Article – Criminal Procedure 8
10–221. 9
(b) Subject to Title [3A] 3.5, Subtitle 3 of the State Finance and Procurement 10
Article, the regulations adopted by the Secretary under subsection (a)(1) of this section and 11
the rules adopted by the Court of Appeals under subsection (a)(2) of this section shall: 12
(1) regulate the collection, reporting, and dissemination of criminal history 13
record information by a court and criminal justice units; 14
(2) ensure the security of the criminal justice information system and 15
criminal history record information reported to and collected from it; 16
(3) regulate the dissemination of criminal history record information in 17
accordance with Subtitle 1 of this title and this subtitle; 18
(4) regulate the procedures for inspecting and challenging criminal history 19
record information; 20
(5) regulate the auditing of criminal justice units to ensure that criminal 21
history record information is: 22
(i) accurate and complete; and 23
(ii) collected, reported, and disseminated in accordance with Subtitle 24
1 of this title and this subtitle; 25
(6) regulate the development and content of agreements between the 26
Central Repository and criminal justice units and noncriminal justice units; and 27
(7) regulate the development of a fee schedule and provide for the collection 28
of the fees for obtaining criminal history record information for other than criminal justice 29
purposes. 30
Article – Health – General 31
SENATE BILL 754 5
21–2C–03. 1
(h) (2) The Board is subject to the following provisions of the State Finance 2
and Procurement Article: 3
(i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent 4
that the Secretary of Information Technology determines that an information technology 5
project of the Board is a major information technology development project; 6
Article – Human Services 7
7–806. 8
(a) (1) Subject to paragraph (2) of this subsection, the programs under § 9
7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State 10
Finance and Procurement Article shall be funded as provided in the State budget. 11
(2) For fiscal year 2019 and each fiscal year thereafter, the program under 12
[§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall be funded at an 13
amount that: 14
(i) is equal to the cost that the Department of Aging is expected to 15
incur for the upcoming fiscal year to provide the service and administer the program; and 16
(ii) does not exceed 5 cents per month for each account out of the 17
surcharge amount authorized under subsection (c) of this section. 18
(b) (1) There is a Universal Service Trust Fund created for the purpose of 19
paying the costs of maintaining and operating the programs under: 20
(i) § 7–804(a) of this subtitle, subject to the limitations and controls 21
provided in this subtitle; 22
(ii) § 7–902(a) of this title, subject to the limitations and controls 23
provided in Subtitle 9 of this title; and 24
(iii) [§ 3A–702] § 3.5–702 of the State Finance and Procurement 25
Article, subject to the limitations and controls provided in Title [3A] 3.5, Subtitle 7 of the 26
State Finance and Procurement Article. 27
(c) (1) The costs of the programs under § 7–804(a) of this subtitle, § 7–902(a) 28
of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall 29
be funded by revenues generated by: 30
(i) a surcharge to be paid by the subscribers to a communications 31
service; and 32 6 SENATE BILL 754
(ii) other funds as provided in the State budget. 1
(d) (1) The Secretary shall annually certify to the Public Service Commission 2
the costs of the programs under § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3
3A–702] § 3.5–702 of the State Finance and Procurement Article to be paid by the 4
Universal Service Trust Fund for the following fiscal year. 5
(2) (i) The Public Service Commission shall determine the surcharge 6
for the following fiscal year necessary to fund the programs under § 7–804(a) of this subtitle, 7
§ 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement 8
Article. 9
(g) (1) The Legislative Auditor may conduct postaudits of a fiscal and 10
compliance nature of the Universal Service Trust Fund and the expenditures made for 11
purposes of § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of 12
the State Finance and Procurement Article. 13
Article – Insurance 14
31–103. 15
(a) The Exchange is subject to: 16
(2) the following provisions of the State Finance and Procurement Article: 17
(i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent 18
that the Secretary of Information Technology determines that an information technology 19
project of the Exchange is a major information technology development project; 20
(b) The Exchange is not subject to: 21
(2) Title [3A] 3.5, Subtitle 3 (Information Processing) of the State Finance 22
and Procurement Article, except to the extent determined by the Secretary of Information 23
Technology under subsection (a)(2)(i) of this section; 24
Article – Natural Resources 25
1–403. 26
(c) The Department shall develop the electronic system consistent with the 27
statewide information technology master plan developed under Title [3A] 3.5, Subtitle 3 of 28
the State Finance and Procurement Article. 29
Article – Public Safety 30
SENATE BILL 754 7
14–103. 1
(a) There is a Maryland Department of Emergency Management established as a 2
principal department of the Executive Branch of State government. 3
(b) The Department has primary responsibility and authority for developing 4
emergency management policies and is responsible for coordinating disaster risk reduction, 5
consequence management, and disaster recovery activities. 6
(c) The Department may act to: 7
(1) reduce the disaster risk and vulnerability of persons and property 8
located in the State; 9
(2) develop and coordinate emergency planning and preparedness; and 10
(3) coordinate emergency management activities and operations: 11
(i) relating to an emergency that involves two or more State 12
agencies; 13
(ii) between State agencies and political subdivisions; 14
(iii) with local governments; 15
(iv) with agencies of the federal government and other states; and 16
(v) with private and nonprofit entities. 17
14–104.1. 18
(A) (1) IN THIS SECTION THE FOLLOWING WORDS HAVE THE MEANINGS 19
INDICATED. 20
(2) “FUND” MEANS THE LOCAL CYBERSECURITY SUPPORT FUND. 21
(3) “FUSION CENTER” MEANS THE CYBERSECURITY FUSION 22
CENTER. 23
(4) “LOCAL GOVERNMENT ” INCLUDES LOCAL SCHOO L SYSTEMS, 24
LOCAL SCHOOL BOARDS , AND LOCAL HEALTH DEP ARTMENTS. 25
(5) “UNIT” MEANS THE CYBER PREPAREDNESS UNIT. 26
(B) (1) THERE IS A CYBER PREPAREDNESS UNIT IN THE DEPARTMENT . 27 8 SENATE BILL 754
(2) IN COORDINATION WITH THE STATE CHIEF INFORMATION 1
SECURITY OFFICER, THE UNIT SHALL: 2
(I) SUPPORT LOCAL GOVERNMENTS IN DEVELOPING A 3
VULNERABILITY ASSESS MENT AND CYBER ASSES SMENT THROUGH TH E MARYLAND 4
NATIONAL GUARD’S INNOVATIVE READINESS TRAINING PROGRAM OR THE U.S. 5
DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AND INFRASTRUCTURE 6
SECURITY AGENCY, INCLUDING PROVIDING LOCAL GOVERNMENTS WI TH THE 7
RESOURCES AND INFORM ATION ON BEST PRACTI CES TO CO MPLETE THE 8
ASSESSMENTS ; 9
(II) DEVELOP AND REGULARL Y UPDATE AN ONLINE D ATABASE 10
OF CYBERSECURITY TRA INING RESOURCES FOR LOCAL GOVERNMENT PERSONNEL, 11
INCLUDING TECHNICAL TRAINING RESOURCES , CYBERSECURITY CONTIN UITY OF 12
OPERATIONS TEMPLATES , CONSEQUENCE MANAGEME NT PLANS, AND TRAININGS ON 13
MALWARE AND RANSOMWA RE DETECTION ; 14
(III) ESTABLISH AND PROVID E STAFF FOR A STATEW IDE 15
HELPLINE TO PROVID E REAL–TIME EMERGENCY ASSIS TANCE AND RESOURCE 16
INFORMATION TO ANY L OCAL GOVERNMENT THAT HAS EXPERIENCED A CYBER 17
INCIDENT OR ATTACK ; 18
(IV) ASSIST LOCAL GOVERNM ENTS IN: 19
1. THE DEVELOPMENT OF C YBERSECURITY 20
PREPAREDNESS AND RES PONSE PLANS; AND 21
2. IMPLEMENTING BEST PR ACTICES AND GUIDANCE 22
DEVELOPED BY THE STATE CHIEF INFORMATION SECURITY OFFICER; 23
(V) CONNECT LOCAL GOVERN MENTS TO APPROPRIATE 24
RESOURCES FOR ANY OTHER PURPOSE RELATED TO C YBERSECURITY 25
PREPAREDNESS AND RES PONSE; 26
(VI) DEVELOP APPROPRIATE REPORTS ON LOCAL 27
CYBERSECURITY PREPAR EDNESS; 28
(VII) AS NECESSARY AND IN COORDINATION WITH TH E NATIONAL 29
GUARD, LOCAL EMERGENCY MANA GERS, AND OTHER STATE AND LOCAL ENTIT IES, 30
CONDUCT REGIONAL CYB ERSECURITY PREPAREDN ESS EXERCISES; AND 31
SENATE BILL 754 9
(VIII) ESTABLISH REGIONAL A SSISTANCE GROUPS TO DELIVER 1
AND COORDINATE SUPPO RT SERVICES TO LOCAL GOVERNMENTS , AGENCIES, OR 2
REGIONS. 3
(C) (1) EACH LOCAL GOVERNMENT SHALL REPORT A CYBER SECURITY 4
INCIDENT, INCLUDING AN ATTACK ON A STATE SYSTEM BEING US ED BY THE LOCAL 5
GOVERNMENT , TO THE MARYLAND JOINT OPERATIONS CENTER IN THE 6
DEPARTMENT IN ACCORDANCE WITH P ARAGRAPH (2) OF THIS SUBSECTION . 7
(2) FOR THE REPORTING OF CYBERSECURITY INCIDE NTS UNDER 8
PARAGRAPH (1) OF THIS SUBSECTION , THE DEPARTMENT SHALL DETERMINE : 9
(I) THE CRITERIA FOR DET ERMINING WHEN AN INC IDENT MUST 10
BE REPORTED ; 11
(II) THE MANNER IN WHICH TO REPORT; AND 12
(III) THE TIME PERIOD WITH IN WHICH A REPORT MU ST BE MADE. 13
(3) THE MARYLAND JOINT OPERATIONS CENTER SHALL NOTIFY 14
APPROPRIATE AGENCIES OF A CYBERSECURITY I NCIDENT REPORTED UND ER THIS 15
SUBSECTION THROUGH T HE STATE SECURITY OPERATIONS CENTER. 16
(D) (1) THERE IS A CYBERSECURITY FUSION CENTER IN THE 17
DEPARTMENT . 18
(2) THE FUSION CENTER SHALL: 19
(I) COORDINATE INFORMATI ON ON CYBERSECURITY BY 20
SERVING AS A CENTRAL LOCATION FOR INFORMA TION SHARING ACROSS STATE AND 21
LOCAL GOVERNMENT , FEDERAL GOVERNMENT P ARTNERS, AND PRIVATE ENTITIES ; 22
(II) WITH THE OFFICE OF SECURITY MANAGEMENT IN THE 23
DEPARTMENT OF INFORMATION TECHNOLOGY , SUPPORT CYBERSECURIT Y 24
COORDINATION BETWEEN LOCAL UNITS OF GOVER NMENT THROUGH EXISTI NG 25
LOCAL GOVERNMENT STAKEHOLDER ORGANIZA TIONS; 26
(III) PROVIDE SUPPORT TO T HE STATE CHIEF INFORMATION 27
SECURITY OFFICER AND THE UNIT DURING CYBERSECURITY INCIDE NTS THAT 28
AFFECT STATE AND LOCAL GOVER NMENTS; 29
(IV) SUPPORT RISK –BASED PLANNING FOR THE USE OF 30
FEDERAL RESOURCES ; AND 31 10 SENATE BILL 754
(V) CONDUCT ANALYSIS OF CYBERSECURITY INCIDE NTS. 1
(E) (1) THERE IS A LOCAL CYBERSECURITY SUPPORT FUND. 2
(2) THE PURPOSE OF THE FUND IS TO: 3
(I) PROVIDE FINANCIAL AS SISTANCE TO LOCAL GO VERNMENTS 4
TO IMPROVE CYBERSECU RITY PREPAREDNESS , INCLUDING: 5
1. UPDATING CURRENT DEV ICES AND NETWORKS WI TH 6
THE MOST UP–TO–DATE CYBERSECURITY P ROTECTIONS; 7
2. SUPPORTING THE PURCH ASE OF NEW HARDWARE , 8
SOFTWARE, DEVICES, AND FIREWALLS TO IMP ROVE CYBERSECURITY 9
PREPAREDNESS ; 10
3. RECRUITING AND HIRIN G INFORMATION 11
TECHNOLOGY STAFF FOC USED ON CYBERSECURIT Y; AND 12
4. PAYING OUTSIDE VENDO RS FOR CYBERSECURITY 13
STAFF TRAINING; AND 14
(II) ASSIST LOCAL GOVERNM ENTS APPLYING FOR FE DERAL 15
CYBERSECURITY PREPAR EDNESS GRANTS . 16
(3) THE SECRETARY SHALL ADMIN ISTER THE FUND. 17
(4) (I) THE FUND IS A SPECIAL, NONLAPSING FUND THAT IS NOT 18
SUBJECT TO § 7–302 OF THE STATE FINANCE AND PROCUREMENT ARTICLE. 19
(II) THE STATE TREASURER SHALL HOLD THE FUND 20
SEPARATELY, AND THE COMPTROLLER SHALL ACC OUNT FOR THE FUND. 21
(5) THE FUND CONSISTS OF : 22
(I) MONEY APPROPRIATED I N THE STATE BUDGET TO THE 23
FUND; 24
(II) INTEREST EARNI NGS; AND 25
(III) ANY OTHER MONEY FROM ANY OTHER SOURCE ACC EPTED 26
FOR THE BENEFIT OF T HE FUND. 27 SENATE BILL 754 11
(6) THE FUND MAY BE USED ONLY : 1
(I) TO PROVIDE FINANCIAL ASSISTANCE TO LOCAL 2
GOVERNMENTS TO IMPRO VE CYBERSECURITY PRE PAREDNESS, INCLUDING: 3
1. UPDATING CURRENT DEVICES A ND NETWORKS WITH 4
THE MOST UP–TO–DATE CYBERSECURITY P ROTECTIONS; 5
2. SUPPORTING THE PURCH ASE OF NEW HARDWARE , 6
SOFTWARE, DEVICES, AND FIREWALLS TO IMP ROVE CYBERSECURITY 7
PREPAREDNESS ; 8
3. RECRUITING AND HIRIN G INFORMATION 9
TECHNOL OGY STAFF FOCUSED ON CYBERSECURITY ; AND 10
4. PAYING OUTSIDE VENDO RS FOR CYBERSECURITY 11
STAFF TRAINING ; 12
(II) TO ASSIST LOCAL GOVE RNMENTS APPLYING FOR FEDERAL 13
CYBERSECURITY PREPAR EDNESS GRANTS ; AND 14
(III) FOR ADMINISTRATIVE E XPENSES ASSOCIATED W ITH 15
PROVIDING THE ASSIST ANCE DESCRIBED UNDER ITEM (I) OF THIS PARAGRAPH . 16
(7) (I) THE STATE TREASURER SHALL INVES T THE MONEY OF THE 17
FUND IN THE SAME MANN ER AS OTHER STATE MONEY MAY BE IN VESTED. 18
(II) ANY INTERE ST EARNINGS OF THE FUND SHALL BE 19
CREDITED TO THE FUND. 20
(8) EXPENDITURES FROM THE FUND MAY BE MADE ONLY IN 21
ACCORDANCE WITH THE STATE BUDGET . 22
(F) TO BE ELIGIBLE TO RECEIVE ASSISTANCE FROM THE FUND, EACH 23
LOCAL GOVERNMENT THA T USES THE NETWORK E STABLISHED IN ACCORD ANCE 24
WITH § 3.5–404 OF THE STATE FINANCE AND PROCUREMENT ARTICLE SHALL MEET 25
THE REQUIREMENTS OF §§ 3.5–404(D) AND 3.5–405 OF THE STATE FINANCE AND 26
PROCUREMENT ARTICLE. 27
Article – State Finance and Procurement 28
3.5–101. 29
12 SENATE BILL 754
(a) In this title the following words have the meanings indicated. 1
(e) “Unit of State government” means an agency or unit of the Executive Branch 2
of State government. 3
SUBTITLE 2A. OFFICE OF SECURITY MANAGEMENT . 4
3.5–2A–01. 5
IN THIS SUBTITLE , “OFFICE” MEANS THE OFFICE OF SECURITY 6
MANAGEMENT . 7
3.5–2A–02. 8
THERE IS AN OFFICE OF SECURITY MANAGEMENT WITHIN THE DEPARTMENT . 9
3.5–2A–03. 10
(A) THE HEAD OF THE OFFICE IS THE STATE CHIEF INFORMATION 11
SECURITY OFFICER. 12
(B) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL: 13
(1) BE APPOINTED BY THE GOVERNOR WITH THE ADV ICE AND 14
CONSENT OF THE SENATE; 15
(2) SERVE AT THE PLEASUR E OF THE GOVERNOR; 16
(3) BE SUPERVISED BY THE SECRETARY; AND 17
(4) SERVE AS THE CHIEF INFORMA TION SECURITY OFFICE R OF THE 18
DEPARTMENT . 19
(C) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL PROVIDE 20
CYBERSECURITY ADVICE AND RECOMMENDATIONS TO THE GOVERNOR ON 21
REQUEST. 22
(D) (1) (I) THERE IS A DIRECTOR OF LOCAL CYBERSECURITY , WHO 23
SHALL BE APPOINTED B Y THE STATE CHIEF INFORMATION SECURITY OFFICER. 24
(II) THE DIRECTOR OF LOCAL CYBERSECURITY SHALL W ORK 25
IN COORDINATION WITH THE MARYLAND DEPARTMENT OF EMERGENCY 26
MANAGEMENT TO PROVIDE TECHNICAL ASSISTANCE , COORDINATE RESOURCES , 27
AND IM PROVE CYBERSECURITY PREPAREDNESS FOR UNI TS OF LOCAL 28
GOVERNMENT . 29 SENATE BILL 754 13
(2) (I) THERE IS A DIRECTOR OF STATE CYBERSECURITY , WHO 1
SHALL BE APPOINTED B Y THE STATE CHIEF INFORMATION SECURITY OFFICER. 2
(II) THE DIRECTOR OF STATE CYBERSECURITY IS 3
RESPONSIBLE FOR I MPLEMENTATION OF THI S SECTION WITH RESPE CT TO UNITS OF 4
STATE GOVERNMENT . 5
(E) THE DEPARTMENT SHALL PROV IDE THE OFFICE WITH SUFFICIEN T 6
STAFF TO PERFORM THE FUNCTIONS OF THIS SU BTITLE. 7
(F) THE OFFICE MAY PROCURE RE SOURCES, INCLUDING REGIONAL 8
COORDINATORS , NECESSARY TO FULFILL THE REQUIREMENTS OF THIS SUBTITLE. 9
3.5–2A–04. 10
(A) THE OFFICE IS RESPONSIBLE FOR: 11
(1) THE DIRECTION , COORDINATION , AND IMPLEMENTATION O F THE 12
OVERALL CYBERSECURIT Y STRATEGY AND POLIC Y FOR UNITS OF STATE 13
GOVERNMENT ; AND 14
(2) THE COORDINATION OF RESOURCES AND EFFORT S TO 15
IMPLEMENT CYBERSECUR ITY BEST PRACTICES A ND IMPROVE OVERALL 16
CYBERSECURITY PREPAR EDNESS AND RESPONSE FOR UNITS OF LOCAL 17
GOVERNMENT , LOCAL SCHOOL BOARDS , LOCAL SCHOOL SYSTEMS , AND LOCAL 18
HEALTH DEPARTMENTS . 19
(B) THE OFFICE SHALL: 20
(1) ESTABLISH STANDARDS TO CATEGORIZE ALL IN FORMATION 21
COLLECTED OR MAINTAI NED BY OR ON BEHALF OF EACH UNIT OF STATE 22
GOVERNMENT ; 23
(2) ESTABLISH STANDARDS TO CATEGORIZE ALL IN FORMATION 24
SYSTEMS MAINTAINED B Y OR ON BEHALF OF EA CH UNIT OF STATE GOVERNMENT ; 25
(3) DEVELOP GUIDELINES G OVERNING THE TYPES O F INFORMATION 26
AND INFORMATION SYST EMS TO BE INCLUDED I N EACH CATEGORY ; 27
(4) ESTABLISH SECURITY R EQUIREMENTS FOR INFO RMATION AND 28
INFORMATION SYSTEMS IN EACH CATEGORY ; 29
14 SENATE BILL 754
(5) ASSESS THE CATEGO RIZATION OF INFORMAT ION AND 1
INFORMATION SYSTEMS AND THE ASSOCIATED I MPLEMENTATION OF THE SECURITY 2
REQUIREMENTS ESTABLI SHED UNDER ITEM (4) OF THIS SUBSECTION ; 3
(6) IF THE STATE CHIEF INFORMATION SECURITY OFFICER 4
DETERMINES THAT THER E ARE SECURITY VULNE RABILITIES OR DEFICIENC IES IN 5
THE IMPLEMENTATION O F THE SECURITY REQUI REMENTS ESTABLISHED UNDER 6
ITEM (4) OF THIS SUBSECTION , DETERMINE WHETHER AN INFORMATION SYSTEM 7
SHOULD BE ALLOWED TO CONTINUE TO OPERATE OR BE CONNECTED TO T HE 8
NETWORK ESTABLISHED IN ACCORDA NCE WITH § 3.5–404 OF THIS TITLE; 9
(7) MANAGE SECURITY AWAR ENESS TRAINING FOR A LL 10
APPROPRIATE EMPLOYEE S OF UNITS OF STATE GOVERNMENT ; 11
(8) ASSIST IN THE DEVELO PMENT OF DATA MANAGE MENT, DATA 12
GOVERNANCE , AND DATA SPECIFICATI ON STANDARDS TO PROM OTE 13
STANDARDIZATION AND REDUCE RISK; 14
(9) ASSIST IN THE DEVELO PMENT OF A DIGITAL I DENTITY STANDARD 15
AND SPECIFICATION AP PLICABLE TO ALL PART IES COMMUNI CATING, INTERACTING, 16
OR CONDUCTING BUSINE SS WITH OR ON BEHALF OF A UNIT OF STATE GOVERNMENT ; 17
(10) DEVELOP AND MAINTAIN INFORMATION TECHNOLO GY SECURITY 18
POLICY, STANDARDS, AND GUIDANCE DOCUMEN TS, CONSISTENT WITH BEST 19
PRACTICES DEVELOPED BY THE NATIONAL INSTITUTE OF STANDARDS AND 20
TECHNOLOGY ; 21
(11) TO THE EXTENT PRACTI CABLE, SEEK, IDENTIFY, AND INFORM 22
RELEVANT STAKEHOLDER S OF ANY AVAILABLE F INANCIAL ASSISTANCE PROVIDED 23
BY THE FEDERAL GOVER NMENT OR NON –STATE ENTITIES TO SUP PORT THE WORK 24
OF THE OFFICE; 25
(12) REVIEW AND CERTIFY L OCAL CYBERSECURITY P REPAREDNESS 26
AND RESPONSE PLANS ; 27
(13) PROVIDE TECHNICAL AS SISTANCE TO LOCALITI ES IN MITIGATING 28
AND RECOVERING FROM CYBERSECURITY INCIDE NTS; AND 29
(14) PROVIDE TECHNICAL SE RVICES, ADVICE, AND GUIDANCE TO 30
UNITS OF LOCAL GOVERNME NT TO IMPROVE CYBERS ECURITY PREPAREDNESS , 31
PREVENTION , RESPONSE, AND RECOVERY PRACTIC ES. 32
(C) ON OR BEFORE DECEMBER 31 EACH YEAR, THE OFFICE SHALL REPORT 33
TO THE GOVERNOR AND , IN ACCORDANCE WITH § 2–1257 OF THE STATE 34 SENATE BILL 754 15
GOVERNMENT ARTICLE, THE SENATE BUDGET AND TAXATION COMMITTEE, THE 1
HOUSE APPROPRIATIONS COMMITTEE, AND THE JOINT COMMITTEE ON 2
CYBERSECU RITY, INFORMATION TECHNOLOGY , AND BIOTECHNOLOGY ON THE 3
ACTIVITIES OF THE OFFICE AND THE STATE OF CYBERSECURITY PRE PAREDNESS IN 4
MARYLAND, INCLUDING: 5
(1) THE ACTIVITIES AND A CCOMPLISHMENTS OF TH E OFFICE DURING 6
THE PREVIOUS 12 MONTHS AT THE STATE AND LOCA L LEVELS; AND 7
(2) A COMPILATION AND AN ALYSIS OF THE DATA F ROM THE 8
INFORMATION CONTAINE D IN THE REPORTS REC EIVED BY THE OFFICE UNDER § 9
3.5–405 OF THIS TITLE, INCLUDING: 10
(I) A SUMMARY OF THE ISS UES IDENTIFIED BY TH E 11
CYBERSECURITY PREPAR EDNESS ASSESSM ENTS CONDUCTED THAT YEAR; 12
(II) THE STATUS OF VULNER ABILITY ASSESSMENTS OF ALL 13
UNITS OF STATE GOVERNMENT AND A TIMELINE FOR COMPL ETION AND COST TO 14
REMEDIATE ANY VULNER ABILITIES EXPOSED ; 15
(III) RECENT AUDIT FINDING S OF ALL UNITS OF STATE 16
GOVERNMENT AND OPTIONS TO IMPRO VE FINDINGS IN FUTUR E AUDITS, INCLUDING 17
RECOMMENDATIONS FOR STAFF, BUDGET, AND TIMING; 18
(IV) ANALYSIS OF THE STATE’S EXPENDITURE ON 19
CYBERSECURITY RELATI VE TO OVERALL INFORM ATION TECHNOLOGY SPE NDING 20
FOR THE PRIOR 3 YEARS AND RECOMMENDA TIONS FOR CHANGES TO THE BUDGET, 21
INCLUDING AMOUNT , PURPOSE, AND TIMING TO IMPROV E STATE AND LOCAL 22
CYBERSECURITY PRE PAREDNESS; 23
(V) EFFORTS TO SECURE FI NANCIAL SUPPORT FOR CYBER RISK 24
MITIGATION FROM FEDE RAL OR OTHER NON –STATE RESOURCES ; 25
(VI) KEY PERFORMANCE INDI CATORS ON THE CYBERS ECURITY 26
STRATEGIES IN THE DEPARTMENT ’S INFORMATION TECHNO LOGY MASTER PLAN , 27
INCLUDING TIME, BUDGET, AND STAFF REQUIRED F OR IMPLEMENTATION ; AND 28
(VII) ANY ADDITIONAL RECOM MENDATIONS FOR IMPRO VING 29
STATE AND LOCAL CYBER SECURITY PREPAREDNES S. 30
3.5–301. 31
(a) In this subtitle the following words have the meanings indicated. 32
16 SENATE BILL 754
(j) “Nonvisual access” means the ability, through keyboard control, synthesized 1
speech, Braille, or other methods not requiring sight to receive, use, and manipulate 2
information and operate controls necessary to access information technology in accordance 3
with standards adopted under [§ 3A–303(b)] § 3.5–303(B) of this subtitle. 4
3.5–302. 5
(c) Notwithstanding any other provision of law, except as provided in subsection 6
(a) of this section and [§§ 3A–307(a)(2), 3A–308, and 3A–309] §§ 3.5–307(A)(2), 3.5–308, 7
AND 3.5–309 of this subtitle, this subtitle applies to all units of the Executive Branch of 8
State government including public institutions of higher education other than Morgan 9
State University, the University System of Maryland, St. Mary’s College of Maryland, and 10
Baltimore City Community College. 11
3.5–303. 12
(c) On or before January 1, 2020, the Secretary, or the Secretary’s designee, shall: 13
(2) establish a process for the Secretary or the Secretary’s designee to: 14
(ii) 2. for information technology procured by a State unit on or 15
after January 1, 2020, enforce the nonvisual access clause developed under [§ 3A–311] § 16
3.5–311 of this subtitle, including the enforcement of the civil penalty described in [§ 17
3A–311(a)(2)(iii)1] § 3.5–311(A)(2)(III)1 of this subtitle. 18
3.5–307. 19
(a) (2) A unit of State government other than a public institution of higher 20
education may not make expenditures for major information technology development 21
projects except as provided in [§ 3A–308] § 3.5–308 of this subtitle. 22
3.5–309. 23
(c) The Secretary: 24
(2) subject to the provisions of § 2–201 of this article and [§ 3A–307] § 25
3.5–307 of this subtitle, may receive and accept contributions, grants, or gifts of money or 26
property. 27
(i) The Fund may be used: 28
(3) notwithstanding [§ 3A–301(b)(2)] § 3.5–301(B)(2) of this subtitle, for 29
the costs of the first 12 months of operation and maintenance of a major information 30
technology development project. 31
SENATE BILL 754 17
(l) (1) Notwithstanding subsection (b) of this section and in accordance with 1
paragraph (2) of this subsection, money paid into the Fund under subsection (e)(2) of this 2
section shall be used to support: 3
(i) the State telecommunication and computer network established 4
under [§ 3A–404] § 3.5–404 of this title, including program development for these 5
activities; and 6
3.5–311. 7
(a) (2) On or after January 1, 2020, the nonvisual access clause developed in 8
accordance with paragraph (1) of this subsection shall include a statement that: 9
(i) within 18 months after the award of the procurement, the 10
Secretary, or the Secretary’s designee, will determine whether the information technology 11
meets the nonvisual access standards adopted in accordance with [§ 3A–303(b)] § 12
3.5–303(B) of this subtitle; 13
3.5–404. 14
(a) The General Assembly declares that: 15
(1) it is the policy of the State to foster telecommunication and computer 16
networking among State and local governments, their agencies, and educational 17
institutions in the State; 18
(2) there is a need to improve access, especially in rural areas, to efficient 19
telecommunication and computer network connections; 20
(3) improvement of telecommunication and computer networking for State 21
and local governments and educational institutions promotes economic development, 22
educational resource use and development, and efficiency in State and local administration; 23
(4) rates for the intrastate inter–LATA telephone communications needed 24
for effective integration of telecommunication and computer resources are prohibitive for 25
many smaller governments, agencies, and institutions; and 26
(5) the use of improved State telecommunication and computer networking 27
under this section is intended not to compete with commercial access to advanced network 28
technology, but rather to foster fundamental efficiencies in government and education for 29
the public good. 30
(b) (1) The Department shall establish a telecommunication and computer 31
network in the State. 32
(2) The network shall consist of: 33
18 SENATE BILL 754
(i) one or more connection facilities for telecommunication and 1
computer connection in each local access transport area (LATA) in the State; and 2
(ii) facilities, auxiliary equipment, and services required to support 3
the network in a reliable and secure manner. 4
(c) The network shall be accessible through direct connection and through local 5
intra–LATA telecommunications to State and local governments and public and private 6
educational institutions in the State. 7
(D) ON OR BEFORE DECEMBER 1 EACH YEAR , EACH UNIT OF THE 8
LEGISLATIVE OR JUDICIAL BRANCH OF STATE GOVERNMENT , EACH UNIT OF LOCAL 9
GOVERNMENT , AND ANY LOCAL AGENCI ES THAT USE THE NETW ORK ESTABLISHED 10
UNDER SUBSECTION (B) OF THIS SECTION SHAL L CERTIFY TO THE DEPARTMENT 11
THAT THE UNIT IS IN COMPLIANCE WITH THE DEPARTMENT ’S MINIMUM SECURITY 12
STANDARDS. 13
3.5–405. 14
(A) THIS SECTION DOES NOT APPLY TO MUNICIPAL G OVERNMENTS . 15
(B) ON OR BEFORE DECEMBER 1 EACH YEAR, EACH COUNTY GOVERNME NT, 16
LOCAL SCHOOL SYSTEM , AND LOCAL HEALTH DEP ARTMENT SHALL : 17
(1) IN CONSULTATION WITH THE LOCAL EMERGENCY MANAGER, 18
CREATE OR UPDATE A C YBERSECURITY PREPARE DNESS AND RESPONSE P LAN AND 19
SUBMIT THE PLAN TO T HE OFFICE OF SECURITY MANAGEMENT FOR APPROV AL; 20
(2) COMPLETE A CYBERSECU RITY PREPAREDNESS AS SESSMENT AND 21
REPORT THE RESULTS TO THE OFFICE IN ACCORDANCE WITH GUIDELINES 22
DEVELOPED BY THE OFFICE; AND 23
(3) REPORT TO THE OFFICE: 24
(I) THE NUMBER OF INFORM ATION TECHNOLOGY STA FF 25
POSITIONS, INCLUDING VACANCIES ; 26
(II) THE ENTITY’S CYBERSECURITY BUDG ET AND OVERALL 27
INFORMATION TECHNOLOGY BU DGET; 28
(III) THE NUMBER OF EMPLOY EES WHO HAVE RECEIVE D 29
CYBERSECURITY TRAINI NG; AND 30
(IV) THE TOTAL NUMBER OF EMPLOYEES WITH ACCES S TO THE 31
ENTITY’S COMPUTER SYSTEMS A ND DATABASES . 32 SENATE BILL 754 19
6–226. 1
(a) (2) (i) Notwithstanding any other provision of law, and unless 2
inconsistent with a federal law, grant agreement, or other federal requirement or with the 3
terms of a gift or settlement agreement, net interest on all State money allocated by the 4
State Treasurer under this section to special funds or accounts, and otherwise entitled to 5
receive interest earnings, as accounted for by the Comptroller, shall accrue to the General 6
Fund of the State. 7
(ii) The provisions of subparagraph (i) of this paragraph do not apply 8
to the following funds: 9
144. the Health Equity Resource Community Reserve Fund; 10
[and] 11
145. the Access to Counsel in Evictions Special Fund; AND 12
146. THE LOCAL CYBERSECURITY SUPPORT FUND. 13
12–107. 14
(b) Subject to the authority of the Board, jurisdiction over procurement is as 15
follows: 16
(2) the Department of General Services may: 17
(i) engage in or control procurement of: 18
10. information processing equipment and associated 19
services, as provided in Title [3A] 3.5, Subtitle 3 of this article; and 20
11. telecommunication equipment, systems, or services, as 21
provided in Title [3A] 3.5, Subtitle 4 of this article; 22
Article – State Government 23
2–1224. 24
(f) [After] EXCEPT AS PROVIDED IN SUBSECTION (I) OF THIS SECTION , 25
AFTER the expiration of any period that the Joint Audit and Evaluation Committee 26
specifies, a report of the Legislative Auditor is available to the public under Title 4, 27
Subtitles 1 through 5 of the General Provisions Article. 28
20 SENATE BILL 754
(I) A REPORT AUDITING A UN IT OF STATE OR LOCAL GOVERNMENT SHALL 1
HAVE ANY CYBERSECURI TY FINDINGS REDACTED BEFORE THE REPORT IS MADE 2
AVAILABLE TO THE PUB LIC. 3
SECTION 3. AND BE IT FURTHER ENACTED, That, on or before December 1, 4
2022, the State Chief Information Security Officer and the Secretary of Emergency 5
Management shall: 6
(1) review the State budget for efficiency and effectiveness of funding and 7
resources to ensure that the State is equipped to respond to a cybersecurity attack; 8
(2) make recommendations for any changes to the budget needed to 9
accomplish the goals under item (1) of this section; 10
(3) establish guidance for units of State government on use and access to 11
State funding related to cybersecurity preparedness; and 12
(4) report any recommendations and guidance to the Governor and, in 13
accordance with § 2–1257 of the State Government Article, the General Assembly. 14
SECTION 4. AND BE IT FURTHER ENACTED, That: 15
(a) On or before December 1, 2023, the State Chief Information Security Officer 16
shall: 17
(1) commission a feasibility study on expanding the operations of the State 18
Security Operations Center operated by the Department of Information Technology to 19
include cybersecurity monitoring and alert services for units of local government; and 20
(2) report any recommendations to the Governor and, in accordance with § 21
2–1257 of the State Government Article, the General Assembly. 22
(b) For fiscal year 2024, the Governor shall include an appropriation in the 23
annual budget to cover the cost of the feasibility study required under subsection (a) of this 24
section. 25
SECTION 5. AND BE IT FURTHER ENACTED, That this Act shall take effect July 26
1, 2022. 27