EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW.
[Brackets] indicate matter deleted from existing law.
Underlining indicates amendments to bill.
Strike out indicates matter stricken from the bill by amendment or deleted from the law by
amendment.
*sb0754*
SENATE BILL 754
S2, E4, P1 EMERGENCY BILL 2lr1504
CF HB 1202
By: Senator Hester Senators Hester, Hershey, Jennings, Jackson, Rosapepe, Lee,
and Watson
Introduced and read first time: February 7, 2022
Assigned to: Education, Health, and Environmental Affairs
Committee Report: Favorable with amendments
Senate action: Adopted with floor amendments
Read second time: March 27, 2022
CHAPTER ______
AN ACT concerning 1
Local Government Cybersecurity – Coordination and Operations 2
(Local Cybersecurity Support Act of 2022) 3
FOR the purpose of establishing the Cyber Preparedness Unit in the Maryland Department 4
of Emergency Management; establishing certain responsibilities of the Unit; 5
requiring certain local entities local governments to report certain cybersecurity 6
incidents in a certain manner and under certain circumstances; requiring the 7
Maryland Joint Operations Center State Security Operations Center to notify 8
appropriate agencies of a cybersecurity incident in a certain manner; establishing 9
the Cybersecurity Fusion Center in the Maryland Department of Emergency 10
Management; establishing certain responsibilities of the Fusion Center; establishing 11
the Local Cybersecurity Support Fund, the purposes of the Fund, and certain 12
eligibility requirements to receive assistance from the Fund; establishing the Office 13
of Security Management within the Department of Information Technology and 14
certain Office positions; establishing certain responsibilities and authority of the 15
Office; requiring each unit of the Legislative or Judicial Branch of State government, 16
each unit of local government, and any local agencies that use a certain network to 17
certify certain compliance to the Department of Information Technology on or before 18
a certain date each year; requiring certain local entities to submit a certain report to 19
the Office on or before a certain date each year; in a certain manner; requiring the 20
Office to submit a certain report to the Governor and certain committees of the 21
General Assembly on or before a certain date each year; requiring the Office to 22
submit a certain report to the Governor and certain committees of the General 23
Assembly on or before a certain date each year; establishing the Information Sharing 24 2 SENATE BILL 754
and Analysis Center in the Department of Information Technology; establishing 1
certain responsibilities for the Center; requiring the State Chief Information 2
Security Officer and the Secretary of Emergency Management to conduct a certain 3
review, make recommendations, establish certain guidance, and submit a certain 4
report on or before a certain date; requiring the State Chief Information Security 5
Officer to commission a certain feasibility study and report recommendations on or 6
before a certain date; requiring the Governor to include an appropriation in a certain 7
annual budget to cover the cost of the feasibility study; authorizing funds to be 8
transferred by budget amendment from the Dedicated Purpose Account in a certain 9
fiscal year to implement the Act; and generally relating to local government 10
cybersecurity coordination and operations. 11
BY renumbering 12
Article – State Finance and Procurement 13
Section 3A–101 through 3A–702, respectively, and the title “Title 3A. Department of 14
Information Technology” 15
to be Section 3.5–101 through 3.5–702, respectively, and the title “Title 3.5. 16
Department of Information Technology” 17
Annotated Code of Maryland 18
(2021 Replacement Volume) 19
BY repealing and reenacting, with amendments, 20
Article – Criminal Procedure 21
Section 10–221(b) 22
Annotated Code of Maryland 23
(2018 Replacement Volume and 2021 Supplement) 24
BY repealing and reenacting, with amendments, 25
Article – Health – General 26
Section 21–2C–03(h)(2)(i) 27
Annotated Code of Maryland 28
(2019 Replacement Volume and 2021 Supplement) 29
BY repealing and reenacting, with amendments, 30
Article – Human Services 31
Section 7–806(a), (b)(1), (c)(1), (d)(1) and (2)(i), and (g)(1) 32
Annotated Code of Maryland 33
(2019 Replacement Volume and 2021 Supplement) 34
BY repealing and reenacting, with amendments, 35
Article – Insurance 36
Section 31–103(a)(2)(i) and (b)(2) 37
Annotated Code of Maryland 38
(2017 Replacement Volume and 2021 Supplement) 39
BY repealing and reenacting, with amendments, 40
Article – Natural Resources 41 SENATE BILL 754 3
Section 1–403(c) 1
Annotated Code of Maryland 2
(2018 Replacement Volume and 2021 Supplement) 3
BY repealing and reenacting, without amendments, 4
Article – Public Safety 5
Section 14–103 6
Annotated Code of Maryland 7
(2018 Replacement Volume and 2021 Supplement) 8
BY adding to 9
Article – Public Safety 10
Section 14–104.1 11
Annotated Code of Maryland 12
(2018 Replacement Volume and 2021 Supplement) 13
BY repealing and reenacting, without amendments, 14
Article – State Finance and Procurement 15
Section 3.5–101(a) and (e) and 3.5–301(a) 16
Annotated Code of Maryland 17
(2021 Replacement Volume) 18
(As enacted by Section 1 of this Act) 19
BY adding to 20
Article – State Finance and Procurement 21
Section 3.5–2A–01 through 3.5–2A–04 to be under the new subtitle “Subtitle 2A. 22
Office of Security Management”; and 3.5–315, 3.5–405, and 4–308 and 23
6–226(a)(2)(ii)146. 24
Annotated Code of Maryland 25
(2021 Replacement Volume) 26
BY repealing and reenacting, with amendments, 27
Article – State Finance and Procurement 28
Section 3.5–301(j), 3.5–302(c), 3.5–303(c)(2)(ii)2., 3.5–307(a)(2), 3.5–309(c)(2), (i)(3), 29
and (l)(1)(i), 3.5–311(a)(2)(i), and 3.5–404 30
Annotated Code of Maryland 31
(2021 Replacement Volume) 32
(As enacted by Section 1 of this Act) 33
BY repealing and reenacting, without amendments, 34
Article – State Finance and Procurement 35
Section 6–226(a)(2)(i) 36
Annotated Code of Maryland 37
(2021 Replacement Volume) 38
BY repealing and reenacting, with amendments, 39
Article – State Finance and Procurement 40 4 SENATE BILL 754
Section 6–226(a)(2)(ii)144. and 145. and 12–107(b)(2)(i)10. and 11. 1
Annotated Code of Maryland 2
(2021 Replacement Volume) 3
BY repealing and reenacting, with amendments, 4
Article – State Government 5
Section 2–1224(f) 6
Annotated Code of Maryland 7
(2021 Replacement Volume) 8
BY adding to 9
Article – State Government 10
Section 2–1224(i) 11
Annotated Code of Maryland 12
(2021 Replacement Volume) 13
SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 14
That Section(s) 3A–101 through 3A–702, respectively, and the title “Title 3A. Department 15
of Information Technology” of Article – State Finance and Procurement of the Annotated 16
Code of Maryland be renumbered to be Section(s) 3.5–101 through 3.5–702, respectively, 17
and the title “Title 3.5. Department of Information Technology”. 18
SECTION 2. AND BE IT FURTHER ENACTED, That the Laws of Maryland read 19
as follows: 20
Article – Criminal Procedure 21
10–221. 22
(b) Subject to Title [3A] 3.5, Subtitle 3 of the State Finance and Procurement 23
Article, the regulations adopted by the Secretary under subsection (a)(1) of this section and 24
the rules adopted by the Court of Appeals under subsection (a)(2) of this section shall: 25
(1) regulate the collection, reporting, and dissemination of criminal history 26
record information by a court and criminal justice units; 27
(2) ensure the security of the criminal justice information system and 28
criminal history record information reported to and collected from it; 29
(3) regulate the dissemination of criminal history record information in 30
accordance with Subtitle 1 of this title and this subtitle; 31
(4) regulate the procedures for inspecting and challenging criminal history 32
record information; 33
(5) regulate the auditing of criminal justice units to ensure that criminal 34
history record information is: 35 SENATE BILL 754 5
(i) accurate and complete; and 1
(ii) collected, reported, and disseminated in accordance with Subtitle 2
1 of this title and this subtitle; 3
(6) regulate the development and content of agreements between the 4
Central Repository and criminal justice units and noncriminal justice units; and 5
(7) regulate the development of a fee schedule and provide for the collection 6
of the fees for obtaining criminal history record information for other than criminal justice 7
purposes. 8
Article – Health – General 9
21–2C–03. 10
(h) (2) The Board is subject to the following provisions of the State Finance 11
and Procurement Article: 12
(i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent 13
that the Secretary of Information Technology determines that an information technology 14
project of the Board is a major information technology development project; 15
Article – Human Services 16
7–806. 17
(a) (1) Subject to paragraph (2) of this subsection, the programs under § 18
7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State 19
Finance and Procurement Article shall be funded as provided in the State budget. 20
(2) For fiscal year 2019 and each fiscal year thereafter, the program under 21
[§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall be funded at an 22
amount that: 23
(i) is equal to the cost that the Department of Aging is expected to 24
incur for the upcoming fiscal year to provide the service and administer the program; and 25
(ii) does not exceed 5 cents per month for each account out of the 26
surcharge amount authorized under subsection (c) of this section. 27
(b) (1) There is a Universal Service Trust Fund created for the purpose of 28
paying the costs of maintaining and operating the programs under: 29
(i) § 7–804(a) of this subtitle, subject to the limitations and controls 30
provided in this subtitle; 31 6 SENATE BILL 754
(ii) § 7–902(a) of this title, subject to the limitations and controls 1
provided in Subtitle 9 of this title; and 2
(iii) [§ 3A–702] § 3.5–702 of the State Finance and Procurement 3
Article, subject to the limitations and controls provided in Title [3A] 3.5, Subtitle 7 of the 4
State Finance and Procurement Article. 5
(c) (1) The costs of the programs under § 7–804(a) of this subtitle, § 7–902(a) 6
of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall 7
be funded by revenues generated by: 8
(i) a surcharge to be paid by the subscribers to a communications 9
service; and 10
(ii) other funds as provided in the State budget. 11
(d) (1) The Secretary shall annually certify to the Public Service Commission 12
the costs of the programs under § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 13
3A–702] § 3.5–702 of the State Finance and Procurement Article to be paid by the 14
Universal Service Trust Fund for the following fiscal year. 15
(2) (i) The Public Service Commission shall determine the surcharge 16
for the following fiscal year necessary to fund the programs under § 7–804(a) of this subtitle, 17
§ 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement 18
Article. 19
(g) (1) The Legislative Auditor may conduct postaudits of a fiscal and 20
compliance nature of the Universal Service Trust Fund and the expenditures made for 21
purposes of § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of 22
the State Finance and Procurement Article. 23
Article – Insurance 24
31–103. 25
(a) The Exchange is subject to: 26
(2) the following provisions of the State Finance and Procurement Article: 27
(i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent 28
that the Secretary of Information Technology determines that an information technology 29
project of the Exchange is a major information technology development project; 30
(b) The Exchange is not subject to: 31
SENATE BILL 754 7
(2) Title [3A] 3.5, Subtitle 3 (Information Processing) of the State Finance 1
and Procurement Article, except to the extent determined by the Secretary of Information 2
Technology under subsection (a)(2)(i) of this section; 3
Article – Natural Resources 4
1–403. 5
(c) The Department shall develop the electronic system consistent with the 6
statewide information technology master plan developed under Title [3A] 3.5, Subtitle 3 of 7
the State Finance and Procurement Article. 8
Article – Public Safety 9
14–103. 10
(a) There is a Maryland Department of Emergency Management established as a 11
principal department of the Executive Branch of State government. 12
(b) The Department has primary responsibility and authority for developing 13
emergency management policies and is responsible for coordinating disaster risk reduction, 14
consequence management, and disaster recovery activities. 15
(c) The Department may act to: 16
(1) reduce the disaster risk and vulnerability of persons and property 17
located in the State; 18
(2) develop and coordinate emergency planning and preparedness; and 19
(3) coordinate emergency management activities and operations: 20
(i) relating to an emergency that involves two or more State 21
agencies; 22
(ii) between State agencies and political subdivisions; 23
(iii) with local governments; 24
(iv) with agencies of the federal government and other states; and 25
(v) with private and nonprofit entities. 26
14–104.1. 27
(A) (1) IN THIS SECTION THE F OLLOWING WORDS HAVE THE MEANINGS 28
INDICATED. 29 8 SENATE BILL 754
(2) “FUND” MEANS THE LOCAL CYBERSECURITY SUPPORT FUND. 1
(3) “FUSION CENTER” MEANS THE CYBERSECURITY FUSION 2
CENTER. 3
(4) (2) “LOCAL GOVERNMENT ” INCLUDES LOCAL SCHOO L 4
SYSTEMS, LOCAL SCHOOL BOARDS , AND LOCAL HEALTH DEP ARTMENTS. 5
(5) (3) “UNIT” MEANS THE CYBER PREPAREDNESS UNIT. 6
(B) (1) THERE IS A CYBER PREPAREDNESS UNIT IN THE DEPARTMENT . 7
(2) IN COORDINATION WITH THE STATE CHIEF INFORMATION 8
SECURITY OFFICER, THE UNIT SHALL: 9
(I) SUPPORT LOCAL GOVERN MENTS IN DEVELOPING A 10
VULNERABILITY ASSESS MENT AND CYBER ASSES SMENT THROUGH THE MARYLAND 11
NATIONAL GUARD’S INNOVATIVE READINESS TRAINING PROGRAM OR THE U.S. 12
DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AND INFRASTRUCTURE 13
SECURITY AGENCY, INCLUDING PROVIDING LOCAL GOVERNMENTS WI TH THE 14
RESOURCES AND INFORM ATION ON BEST PRACTI CES TO COMPLETE THE 15
ASSESSMENTS ; 16
(II) DEVELOP AND REGULARL Y UPDATE AN ONLINE D ATABASE 17
OF CYBERSECURITY TRA INING RESOURCES FOR LOCAL GOVERNMENT PER SONNEL, 18
INCLUDING TECHNICAL TRAINING RESOURCES , CYBERSECURITY CONTIN UITY OF 19
OPERATIONS TEMPLATES , CONSEQUENCE MANAGEMENT PLANS , AND TRAININGS ON 20
MALWARE AND RANSOMWA RE DETECTION ; 21
(III) ESTABLISH AND PROVID E STAFF FOR A STATEW IDE 22
HELPLINE TO PROVIDE REAL–TIME EMERGENCY ASSIS TANCE AND RESOURCE 23
INFORMATION TO ANY L OCAL GOVERNMENT THAT HAS EXPERIENCED A CY BER 24
INCIDENT OR ATTACK ; 25
(IV) (III) ASSIST LOCAL GOVERNM ENTS IN: 26
1. THE DEVELOPMENT OF C YBERSECURITY 27
PREPAREDNESS AND RES PONSE PLANS; AND 28
2. IMPLEMENTING BEST PR ACTICES AND GUIDANCE 29
DEVELOPED BY THE STATE CHIEF INFORMATION SECURITY OFFICER; AND 30
SENATE BILL 754 9
3. IDENTIFYING AND ACQU IRING RESOURCES TO 1
COMPLETE APPROPRIATE CYBERSECURITY VULNER ABILITY ASSESSMENTS ; 2
(V) (IV) CONNECT LOCAL GOVERN MENTS TO APPROPRIATE 3
RESOURCES FOR ANY OT HER PURPOSE RELATED TO CYBERSECURITY 4
PREPAREDNESS AND RES PONSE; 5
(VI) DEVELOP APPROPRIATE REPORTS ON LOCAL 6
CYBERSECURITY PREPAR EDNESS; 7
(VII) (V) AS NECESSARY AND IN COORDINATION WITH TH E 8
NATIONAL GUARD, LOCAL EMERGENCY MANA GERS, AND OTHER STATE AND LOCAL 9
ENTITIES, CONDUCT REGIONAL CYB ERSECURITY PREPAREDN ESS EXERCISES; AND 10
(VIII) (VI) ESTABLISH REGIONAL A SSISTANCE GROUPS TO 11
DELIVER AND COORDINA TE SUPPORT SERVICES TO LOCAL GOVERNMENTS , 12
AGENCIES, OR REGIONS. 13
(3) THE UNIT SHALL SUPPORT TH E OFFICE OF SECURITY 14
MANAGEMENT IN THE DEPARTMENT OF INFORMATION TECHNOLOGY DURING 15
EMERGENCY RESPONSE E FFORTS. 16
(C) (1) EACH LOCAL GOVERNMENT SHALL REPORT A CYBER SECURITY 17
INCIDENT, INCLUDING AN ATTACK ON A STATE SYSTEM BEING US ED BY THE LOCAL 18
GOVERNMENT , TO THE APPROPRIATE L OCAL EMERGENCY MANAG ER AND THE 19
STATE SECURITY OPERATIONS CENTER IN THE DEPARTMENT OF INFORMATION 20
TECHNOLOGY TO THE MARYLAND JOINT OPERATIONS CENTER IN THE 21
DEPARTMENT IN ACCORDA NCE WITH PARAGRAPH (2) OF THIS SUBSECTION . 22
(2) FOR THE REPORTING OF CYBERSECURITY INCIDE NTS UNDER 23
PARAGRAPH (1) OF THIS SUBSECTION , THE DEPARTMENT STATE CHIEF 24
INFORMATION SECURITY OFFICER SHALL DETERMINE : 25
(I) THE CRITERIA FOR DET ERMINING WHEN AN INC IDENT MUST 26
BE REPORTED ; 27
(II) THE MANNER IN WHICH TO REPORT; AND 28
(III) THE TIME PERIOD WITH IN WHICH A REPORT MU ST BE MADE. 29
(3) THE MARYLAND JOINT OPERATIONS CENTER STATE SECURITY 30
OPERATIONS CENTER SHALL IMMEDIATELY NOTIFY APPROPRIATE A GENCIES OF A 31
CYBERSECURITY INCIDE NT REPORTED UNDER TH IS SUBSECTION THROUG H THE 32
STATE SECURITY OPERATIONS CENTER. 33 10 SENATE BILL 754
(D) (1) FIVE POSITION IDENTIFICATION NUMBERS (PINS) SHALL BE 1
CREATED FOR THE PURP OSE OF HIRING STAFF TO CONDUCT THE DUTIE S OF THE 2
MARYLAND DEPARTMENT OF EMERGENCY MANAGEMENT CYBERSECURITY 3
PREPAREDNESS UNIT. 4
(2) FOR FISCAL YEAR 2024 AND EACH FISCAL YEAR THEREAFTER , 5
THE GOVERNOR SHALL INCLUDE IN THE ANNUAL BUDGET BI LL AN APPROPRIATION 6
OF AT LEAST: 7
(I) $220,335 FOR 3 PINS FOR ADMINISTRATOR III POSITIONS; 8
AND 9
(II) $137,643 FOR 2 PINS FOR ADMINISTRATOR II POSITIONS. 10
(D) (1) THERE IS A CYBERSECURITY FUSION CENTER IN THE 11
DEPARTMENT . 12
(2) THE FUSION CENTER SHALL: 13
(I) COORDINATE INFORMATI ON ON CYBERSECURITY BY 14
SERVING AS A CENTRAL LOCATION FOR INFORMA TION SHARING ACROSS STATE AND 15
LOCAL GOVERNMENT , FEDERAL GOVERNMENT P ARTNERS, AND PRIVATE ENTITIES ; 16
(II) WITH THE OFFICE OF SECURITY MANAGEMENT IN THE 17
DEPARTMENT OF INFORMATION TECHNOLOGY , SUPPORT CYBERSECURIT Y 18
COORDINATION BETWEEN LOCAL UNITS OF GOVER NMENT THROUGH EXISTI NG 19
LOCAL GOVERNMENT STA KEHOLDER ORGANIZATIO NS; 20
(III) PROVIDE SUPPORT TO T HE STATE CHIEF INFORMATION 21
SECURITY OFFICER AND THE UNIT DURING CYBERSECU RITY INCIDENTS THAT 22
AFFECT STATE AND LOCAL GOVER NMENTS; 23
(IV) SUPPORT RISK –BASED PLANNING FOR T HE USE OF 24
FEDERAL RESOURCES ; AND 25
(V) CONDUCT ANALYSIS OF CYBERSECURITY INCIDE NTS. 26
(E) (1) THERE IS A LOCAL CYBERSECURITY SUPPORT FUND. 27
(2) THE PURPOSE OF THE FUND IS TO: 28
(I) PROVIDE FINANCIAL AS SISTANCE TO LOCAL GO VERNMENTS 29
TO IMPROVE CYBERSECU RITY PREPAREDNESS , INCLUDING: 30 SENATE BILL 754 11
1. UPDATING CURRENT DEV ICES AND NETWORKS WI TH 1
THE MOST UP–TO–DATE CYBERSECURITY PR OTECTIONS; 2
2. SUPPORTING THE PURCH ASE OF NEW HARDWARE , 3
SOFTWARE, DEVICES, AND FIREWALLS TO IMP ROVE CYBERSECURITY 4
PREPAREDNESS ; 5
3. RECRUITING AND HIRIN G INFORMATION 6
TECHNOLOGY STAFF FOC USED ON CYBERSECURIT Y; AND 7
4. PAYING OUTSIDE VENDO RS FOR CYBERSECURITY 8
STAFF TRAINING ; AND 9
(II) ASSIST LOCAL GOVERNM ENTS APPLYING FOR FE DERAL 10
CYBERSECURITY PREPAR EDNESS GRANTS . 11
(3) THE SECRETARY SHALL ADMIN ISTER THE FUND. 12
(4) (I) THE FUND IS A SPECIAL, NONLAPSING FUND THAT IS NOT 13
SUBJECT TO § 7–302 OF THE STATE FINANCE AND PROCUREMENT ARTICLE. 14
(II) THE STATE TREASURER SHALL HOLD THE FUND 15
SEPARATELY, AND THE COMPTROLLER SHALL ACC OUNT FOR THE FUND. 16
(5) THE FUND CONSISTS OF : 17
(I) MONEY APPROPRIATED I N THE STATE BUDGET TO THE 18
FUND; 19
(II) INTEREST EARNINGS ; AND 20
(III) ANY OTHER MONEY FROM ANY OTHER SOURCE ACC EPTED 21
FOR THE BENEFIT OF T HE FUND. 22
(6) THE FUND MAY BE USED ONLY : 23
(I) TO PROVIDE FINANCIAL ASSISTANCE TO LOCAL 24
GOVERNMENTS TO IMPRO VE CYBERSECUR ITY PREPAREDNESS , INCLUDING: 25
1. UPDATING CURRENT DEV ICES AND NETWORKS WI TH 26
THE MOST UP–TO–DATE CYBERSECURITY P ROTECTIONS; 27
12 SENATE BILL 754
2. SUPPORTING THE PURCH ASE OF NEW HARDWARE , 1
SOFTWARE, DEVICES, AND FIREWALLS TO IMP ROVE CYBERSECURITY 2
PREPAREDNESS ; 3
3. RECRUITING AND HIRIN G INFORMATION 4
TECHNOLOGY STAFF FOC USED ON CYBERSECURIT Y; AND 5
4. PAYING OUTSIDE VENDO RS FOR CYBERSECURITY 6
STAFF TRAINING ; 7
(II) TO ASSIST LOCAL GOVE RNMENTS APPLYING FOR FEDERAL 8
CYBERSECURITY PREPAR EDNESS GRANTS ; AND 9
(III) FOR ADMINISTRATIVE E XPENSES ASSOCIATED W ITH 10
PROVIDING THE ASSIST ANCE DESCRIBED UNDER ITEM (I) OF THIS PARAGRAPH . 11
(7) (I) THE STATE TREASURER SHALL INVES T THE MONEY OF THE 12
FUND IN THE SAME MANN ER AS OTHER STATE MONEY MAY BE IN VESTED. 13
(II) ANY INTER EST EARNINGS OF THE FUND SHALL BE 14
CREDITED TO THE FUND. 15
(8) EXPENDITURES FROM THE FUND MAY BE MADE ONLY IN 16
ACCORDANCE WITH THE STATE BUDGET . 17
(F) TO BE ELIGIBLE TO REC EIVE ASSISTANCE FROM THE FUND, EACH 18
LOCAL GOVERNMENT THA T USES THE NETWORK E STABLISHED IN ACCORDANCE 19
WITH § 3.5–404 OF THE STATE FINANCE AND PROCUREMENT ARTICLE SHALL MEET 20
THE REQUIREMENTS OF §§ 3.5–404(D) AND 3.5–405 OF THE STATE FINANCE AND 21
PROCUREMENT ARTICLE. 22
Article – State Finance and Procurement 23
3.5–101. 24
(a) In this title the following words have the meanings indicated. 25
(e) “Unit of State government” means an agency or unit of the Executive Branch 26
of State government. 27
SUBTITLE 2A. OFFICE OF SECURITY MANAGEMENT . 28
3.5–2A–01. 29
SENATE BILL 754 13
IN THIS SUBTITLE , “OFFICE” MEANS THE OFFICE OF SECURITY 1
MANAGEMENT . 2
3.5–2A–02. 3
THERE IS AN OFFICE OF SECURITY MANAGEMENT WITHIN THE DEPARTMENT . 4
3.5–2A–03. 5
(A) THE HEAD OF THE OFFICE IS THE STATE CHIEF INFORMATION 6
SECURITY OFFICER. 7
(B) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL: 8
(1) BE APPOINTED BY THE GOVERNOR WITH THE ADV ICE AND 9
CONSENT OF THE SENATE; 10
(2) SERVE AT THE PLEASUR E OF THE GOVERNOR; 11
(3) BE SUPERVISED BY THE SECRETARY; AND 12
(4) SERVE AS THE CHIEF I NFORMATION SECURITY OFFICER OF THE 13
DEPARTMENT . 14
(C) AN INDIVIDUAL APPOINTED AS THE STATE CHIEF INFORMATION 15
SECURITY OFFICER UNDER SUBSECT ION (B) OF THIS SECTION SHAL L: 16
(1) AT A MINIMUM, HOLD A BACHELOR ’S DEGREE; 17
(2) HOLD APPROPRIATE INF ORMATION TECHNOLOGY OR 18
CYBERSECURITY CERTIF ICATIONS; 19
(3) HAVE EXPERIENCE : 20
(I) IDENTIFYING, IMPLEMENTING , AND OR ASSESSING 21
SECURITY CONTROLS ; 22
(II) IN INFRASTRUCTURE , SYSTEMS ENGINEERING , AND OR 23
CYBERSECURITY ; 24
(III) MANAGING HIGHLY TECH NICAL SECURITY , SECURITY 25
OPERATIONS CENTERS , AND INCIDENT RESPONS E TEAMS IN A COMPLEX CLOUD 26
ENVIRONMENT AND SUPP ORTING MULTIPLE SITE S; AND 27
14 SENATE BILL 754
(IV) WORKING WITH COMMON INFORMATION SECURITY 1
MANAGEMENT FRAMEWORK S; 2
(4) HAVE EXTENSIVE KNOWL EDGE OF INFORMATION TECHNOLOGY 3
AND CYBERSECURITY FI ELD CONCEPTS , BEST PRACTICES , AND PROCEDURE S, WITH 4
AN UNDERSTANDING OF EXISTING ENTERPRISE CAPABILITIES AND LIM ITATIONS TO 5
ENSURE THE SECURE IN TEGRATION AND OPERAT ION OF SECURITY NETW ORKS AND 6
SYSTEMS; AND 7
(5) HAVE KNOWLEDGE OF CU RRENT SECURITY REGUL ATIONS. 8
(C) (D) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL 9
PROVIDE CYBERSECURIT Y ADVICE AND RECOMME NDATIONS TO THE GOVERNOR ON 10
REQUEST. 11
(D) (E) (1) (I) THERE IS A DIRECTOR OF LOCAL CYBERSECURITY , 12
WHO SHALL BE APPOINT ED BY THE STATE CHIEF INFORMATION SECURITY 13
OFFICER. 14
(II) THE DIRECTOR OF LOCAL CYBERSECURITY SHALL W ORK 15
IN COORDINATION WITH THE MARYLAND DEPARTMENT OF EMERGENCY 16
MANAGEMENT TO PROVIDE TECHNICAL ASSISTANCE , COORDINATE RESOURCES , 17
AND IMPROVE CYBERSEC URITY PREPAREDNESS F OR UNITS OF LOCAL 18
GOVERNMENT . 19
(2) (I) THERE IS A DIRECTOR OF STATE CYBERSECURITY , WHO 20
SHALL BE APPOINTED B Y THE STATE CHIEF INFORMATION SECURITY OFFICER. 21
(II) THE DIRECTOR OF STATE CYBERSECURITY IS 22
RESPONSIBLE FOR IMPL EMENTATION OF THIS S ECTION WITH RESPECT TO UNITS OF 23
STATE GOVERNMENT . 24
(E) (F) THE DEPARTMENT SHALL PROVIDE THE OFFICE WITH 25
SUFFICIENT STAFF TO PERFORM THE FUNCTION S OF THIS SUBTITLE. 26
(F) THE OFFICE MAY PROCURE RE SOURCES, INCLUDING REGIONAL 27
COORDINATORS , NECESSARY TO FULFILL THE REQUIREMENTS OF THIS SUBTITLE. 28
3.5–2A–04. 29
(A) (1) THE OFFICE IS RESPONSIBLE FOR: 30
SENATE BILL 754 15
(1) (I) THE DIRECTION , COORDINATION , AND IMPLEMENTATION 1
OF THE OVERALL CYBER SECURITY STRATEGY AN D POLICY FOR UNITS O F STATE 2
GOVERNMENT ; AND 3
(2) THE COORDINATION OF RESOURCES AND EFFORT S TO 4
IMPLEMENT CYBERSECUR ITY BEST PRACTICES AND IMPROV E OVERALL 5
CYBERSECURITY PREPAR EDNESS AND RESPONSE FOR UNITS OF LOCAL 6
GOVERNMENT , LOCAL SCHOOL BOARDS , LOCAL SCHOOL SYSTEMS , AND LOCAL 7
HEALTH DEPARTMENTS .; AND 8
(II) SUPPORTING THE MARYLAND DEPARTMENT OF 9
EMERGENCY MANAGEMENT CYBER PREPAREDNESS UNIT DURING EMERGENCY 10
RESPONSE EFFORTS . 11
(2) THE OFFICE IS NOT RESPONS IBLE FOR THE INFORMA TION 12
TECHNOLOGY INSTALLAT ION AND MAINTENANCE OPERATIONS NORMALLY 13
CONDUCTED BY A UNIT OF STATE GOVERNMENT , A UNIT OF LOCAL GOVE RNMENT, A 14
LOCAL SCHOOL BOAR D, A LOCAL SCHOOL SYSTE M, OR A LOCAL HEALTH 15
DEPARTMENT . 16
(B) THE OFFICE SHALL: 17
(1) ESTABLISH STANDARDS TO CATEGORIZE ALL IN FORMATION 18
COLLECTED OR MAINTAI NED BY OR ON BEHALF OF EACH UNIT OF STATE 19
GOVERNMENT ; 20
(2) ESTABLISH STANDARDS TO CATEGORIZE ALL INFORMATION 21
SYSTEMS MAINTAINED B Y OR ON BEHALF OF EA CH UNIT OF STATE GOVERNMENT ; 22
(3) DEVELOP GUIDELINES G OVERNING THE TYPES O F INFORMATION 23
AND INFORMATION SYST EMS TO BE INCLUDED I N EACH CATEGORY ; 24
(4) ESTABLISH SECURITY R EQUIREMENTS FOR INFO RMATION AND 25
INFORMATION SYSTEMS IN EACH CATEGORY ; 26
(5) ASSESS THE CATEGORIZ ATION OF INFORMATION AND 27
INFORMATION SYSTEMS AND THE ASSOCIATED I MPLEMENTATION OF THE SECURITY 28
REQUIREMENTS ESTABLI SHED UNDER ITEM (4) OF THIS SUBSECTION ; 29
(6) IF THE STATE CHIEF INFORMATION SECURITY OFFICER 30
DETERMINES THAT THER E ARE SECURITY VULNE RABILITIES OR DEFICI ENCIES IN 31
THE IMPLEMENTATION O F THE SECURITY REQUI REMENTS ESTABLISHED UNDER 32
ITEM (4) OF THIS SUBSECTION , DETERMINE WHETHER AN INFORMATION SYSTEM 33
SHOULD BE ALLOWED TO CONTINUE TO OPERATE OR BE C ONNECTED TO THE 34 16 SENATE BILL 754
NETWORK ESTABLISHED IN ACCORDANCE WITH § 3.5–404 OF THIS TITLE; ANY 1
INFORMATION SYSTEMS , DETERMINE AND DIRECT OR TAKE ACTIONS NECE SSARY TO 2
CORRECT OR REMEDIATE THE VULNERABILITIES OR DEFICIENCIES , WHICH MAY 3
INCLUDE REQUI RING THE INFORMATION SYSTEM TO BE DISCONN ECTED; 4
(7) IF THE STATE CHIEF INFORMATION SECURITY OFFICER 5
DETERMINES THAT THER E IS A CYBERSECURITY THREAT CAUSED BY AN ENTITY 6
CONNECTED TO THE NET WORK ESTABLISHED UND ER § 3.5–404 OF THIS TITLE THAT 7
INTRODUCES A SERIOUS RISK TO ENTI TIES CONNECTED TO TH E NETWORK OR TO 8
THE STATE, TAKE OR DIRECT ACTIO NS REQUIRED TO MITIG ATE THE THREAT ; 9
(7) (8) MANAGE SECURITY AWAR ENESS TRAINING FOR A LL 10
APPROPRIATE EMPLOYEE S OF UNITS OF STATE GOVERNMENT ; 11
(8) (9) ASSIST IN THE DEVELO PMENT OF DATA MANAGE MENT, 12
DATA GOVERNANCE , AND DATA SPECIFICATI ON STANDARDS TO PROM OTE 13
STANDARDIZATION AND REDUCE RISK; 14
(9) (10) ASSIST IN THE DEVELO PMENT OF A DIGITAL I DENTITY 15
STANDARD AND SPECIFI CATION APPLICABLE TO ALL PARTIES CO MMUNICATING , 16
INTERACTING, OR CONDUCTING BUSINE SS WITH OR ON BEHALF OF A UNIT OF STATE 17
GOVERNMENT ; 18
(10) (11) DEVELOP AND MAINTAIN INFORMATION TECHNOLO GY 19
SECURITY POLICY , STANDARDS, AND GUIDANCE DOCUMEN TS, CONSISTENT WITH 20
BEST PRACTICES DEVEL OPED BY THE NATIONAL INSTITUTE OF STANDARDS AND 21
TECHNOLOGY ; 22
(11) (12) TO THE EXTENT PRACTI CABLE, SEEK, IDENTIFY, AND 23
INFORM RELEVANT STAK EHOLDERS OF ANY AVAI LABLE FINANCIAL ASSI STANCE 24
PROVIDED BY THE FEDE RAL GOVERNMENT OR NO N–STATE ENTITIES TO SUP PORT 25
THE WORK OF THE OFFICE; 26
(12) REVIEW AND CERTIFY L OCAL CYBERSECURITY P REPAREDNESS 27
AND RESPONSE PLANS ; 28
(13) PROVIDE TECHNICAL AS SISTANCE TO LOCALITI ES IN MITIGATING 29
AND RECOVERING FROM CYBERSECURITY INCIDE NTS; AND 30
(14) PROVIDE TECHNICAL SE RVICES, ADVICE, AND GUIDANCE TO 31
UNITS OF LOCAL GOVER NMENT TO IMPROVE CYB ERSECURITY PREPAREDN ESS, 32
PREVENTION , RESPONSE, AND RECOVERY PRACTIC ES. 33
SENATE BILL 754 17
(C) THE OFFICE, IN COORDINATION WITH THE MARYLAND DEPARTMENT 1
OF EMERGENCY MANAGEMENT , SHALL: 2
(1) ASSIST LOCAL POLITIC AL SUBDIVISIONS , INCLUDING COUNTIES , 3
SCHOOL SYSTEMS , SCHOOL BOARDS , AND LOCAL HEALTH DEP ARTMENTS, IN: 4
(I) THE DEVELOPMENT OF C YBERSECURITY PREPARE DNESS 5
AND RESPONSE PLANS ; AND 6
(II) IMPLEMENTING BEST PR ACTICES AND GUIDANCE 7
DEVELOPED BY THE DEPARTMENT ; AND 8
(2) CONNECT LOCAL ENTITI ES TO APPROPRIATE RE SOURCES FOR 9
ANY OTHER PURPOSE RE LATED TO CYBERSECURI TY PREPAREDNESS AND 10
RESPONSE. 11
(D) THE OFFICE, IN COORDINATION WITH THE MARYLAND DEPARTMENT 12
OF EMERGENCY MANAGEMENT , MAY: 13
(1) CONDUCT REGIONAL EXE RCISES, AS NECESSARY , IN 14
COORDINATION WITH TH E NATIONAL GUARD, LOCAL EMERGENCY MANA GERS, AND 15
OTHER STATE AND LOCAL ENTIT IES; AND 16
(2) ESTABLISH REGIONAL A SSISTANCE GROUPS TO DELIVER OR 17
COORDINATE SUPPORT S ERVICES TO LOCAL POL ITICAL SUBDIVISIONS, AGENCIES, 18
OR REGIONS. 19
(C) (E) (1) ON OR BEFORE DECEMBER 31 EACH YEAR, THE OFFICE 20
SHALL REPORT TO THE GOVERNOR AND , IN ACCORDANCE WITH § 2–1257 OF THE 21
STATE GOVERNMENT ARTICLE, THE SENATE BUDGET AND TAXATION COMMITTEE, 22
THE SENATE EDUCATION, HEALTH, AND ENVIRONMENTAL AFFAIRS COMMITTEE, 23
THE HOUSE APPROPRIATIONS COMMITTEE, THE HOUSE HEALTH AND 24
GOVERNMENT OPERATIONS COMMITTEE, AND THE JOINT COMMITTEE ON 25
CYBERSECURITY , INFORMATION TECHNOLOGY , AND BIOTECHNOLOGY ON THE 26
ACTIVITIES OF THE OFFICE AND THE STATE OF CYBERSECURITY PRE PAREDNESS IN 27
MARYLAND, INCLUDING: 28
(1) (I) THE ACTIVITIES AND A CCOMPLISHMENTS OF TH E OFFICE 29
DURING THE PREVIOUS 12 MONTHS AT THE STATE AND LOCAL LEVEL S; AND 30
(2) (II) A COMPILATION AND AN ALYSIS OF THE DATA F ROM THE 31
INFORMATION CONTAINE D IN THE REPORTS REC EIVED BY THE OFFICE UNDER § 32
3.5–405 OF THIS TITLE, INCLUDING: 33
18 SENATE BILL 754
(I) 1. A SUMMARY OF THE ISS UES IDENTIFIED BY THE 1
CYBERSECURITY PREPAR EDNESS ASSESSMENTS C ONDUCTED THAT YEAR ; 2
(II) 2. THE STATUS OF VULNER ABILITY ASSESSMENTS OF 3
ALL UNITS OF STATE GOVERNMENT AND A TIMELINE FOR COMPL ETION AND COST 4
TO REMEDIATE ANY VUL NERABILITIES EXPOSED ; 5
(III) 3. RECENT AUDIT FINDINGS OF ALL UNITS OF STATE 6
GOVERNMENT AND OPTIO NS TO IMPROVE FINDIN GS IN FUTURE AUDITS , INCLUDING 7
RECOMMENDATIONS FOR STAFF, BUDGET, AND TIMING; 8
(IV) 4. ANALYSIS OF THE STATE’S EXPENDITURE ON 9
CYBERSECURITY RELATI VE TO OVERALL INFORM ATION TECHNOLOGY SPE NDING 10
FOR THE PRIOR 3 YEARS AND RECOMMENDA TIONS FOR CHANGES TO THE BUDGET, 11
INCLUDING AMOUNT , PURPOSE, AND TIMING TO IMPROV E STATE AND LOCAL 12
CYBERSECURITY PRE PAREDNESS; 13
(V) 5. EFFORTS TO SECURE FI NANCIAL SUPPORT FOR 14
CYBER RISK MITIGATIO N FROM FEDERAL OR OT HER NON–STATE RESOURCES ; 15
(VI) 6. KEY PERFORMANCE INDI CATORS ON THE 16
CYBERSECURITY STRATE GIES IN THE DEPARTMENT ’S INFORMATION TECHNO LOGY 17
MASTER PLAN , INCLUDING TIME , BUDGET, AND STAFF REQUIRED F OR 18
IMPLEMENTATION ; AND 19
(VII) 7. ANY ADDITIONAL RECOM MENDATIONS FOR 20
IMPROVING STATE AND LOCAL CYBER SECURITY PREPAREDNES S. 21
(2) A REPORT SUBMITTED UND ER THIS SUBSECTION M AY NOT 22
CONTAIN INFORMATION THAT REVEA LS CYBERSECURITY VUL NERABILITIES AND 23
RISKS IN THE STATE. 24
3.5–301. 25
(a) In this subtitle the following words have the meanings indicated. 26
(j) “Nonvisual access” means the ability, through keyboard control, synthesized 27
speech, Braille, or other methods not requiring sight to receive, use, and manipulate 28
information and operate controls necessary to access information technology in accordance 29
with standards adopted under [§ 3A–303(b)] § 3.5–303(B) of this subtitle. 30
3.5–302. 31
(c) Notwithstanding any other provision of law, except as provided in subsection 32
(a) of this section and [§§ 3A–307(a)(2), 3A–308, and 3A–309] §§ 3.5–307(A)(2), 3.5–308, 33 SENATE BILL 754 19
AND 3.5–309 of this subtitle, this subtitle applies to all units of the Executive Branch of 1
State government including public institutions of higher education other than Morgan 2
State University, the University System of Maryland, St. Mary’s College of Maryland, and 3
Baltimore City Community College. 4
3.5–303. 5
(c) On or before January 1, 2020, the Secretary, or the Secretary’s designee, shall: 6
(2) establish a process for the Secretary or the Secretary’s designee to: 7
(ii) 2. for information technology procured by a State unit on or 8
after January 1, 2020, enforce the nonvisual access clause developed under [§ 3A–311] § 9
3.5–311 of this subtitle, including the enforcement of the civil penalty described in [§ 10
3A–311(a)(2)(iii)1] § 3.5–311(A)(2)(III)1 of this subtitle. 11
3.5–307. 12
(a) (2) A unit of State government other than a public institution of higher 13
education may not make expenditures for major information technology development 14
projects OR CYBERSECURITY PRO JECTS except as provided in [§ 3A–308] § 3.5–308 of 15
this subtitle. 16
3.5–309. 17
(c) The Secretary: 18
(2) subject to the provisions of § 2–201 of this article and [§ 3A–307] § 19
3.5–307 of this subtitle, may receive and accept contributions, grants, or gifts of money or 20
property. 21
(i) The Fund may be used: 22
(3) notwithstanding [§ 3A–301(b)(2)] § 3.5–301(B)(2) of this subtitle, for 23
the costs of the first 12 months of operation and maintenance of a major information 24
technology development project. 25
(l) (1) Notwithstanding subsection (b) of this section and in accordance with 26
paragraph (2) of this subsection, money paid into the Fund under subsection (e)(2) of this 27
section shall be used to support: 28
(i) the State telecommunication and computer network established 29
under [§ 3A–404] § 3.5–404 of this title, including program development for these 30
activities; and 31
3.5–311. 32 20 SENATE BILL 754
(a) (2) On or after January 1, 2020, the nonvisual access clause developed in 1
accordance with paragraph (1) of this subsection shall include a statement that: 2
(i) within 18 months after the award of the procurement, the 3
Secretary, or the Secretary’s designee, will determine whether the information technology 4
meets the nonvisual access standards adopted in accordance with [§ 3A–303(b)] § 5
3.5–303(B) of this subtitle; 6
3.5–315. 7
(A) THERE IS AN INFORMATION SHARING AND ANALYSIS CENTER IN THE 8
DEPARTMENT . 9
(B) THE INFORMATION SHARING AND ANALYSIS CENTER SHALL: 10
(1) COORDINATE INFORMATI ON ON CYBERSECURITY BY SERVING AS 11
A CENTRAL LOCATION F OR INFORMATION S HARING ACROSS STATE AND LOCAL 12
GOVERNMENT , FEDERAL GOVERNMENT P ARTNERS, AND PRIVATE ENTITIES ; 13
(2) WITH THE OFFICE OF SECURITY MANAGEMENT , SUPPORT 14
CYBERSECURITY COORDI NATION BETWEEN LOCAL UNITS OF GOVERNMENT 15
THROUGH EXISTING LOC AL GOVERNMENT STAKEH OLDER ORGANIZATIONS ; 16
(3) PROVIDE SUPPORT TO T HE STATE CHIEF INFORMATION 17
SECURITY OFFICER AND THE CYBER PREPAREDNESS UNIT, IN THE MARYLAND 18
DEPARTMENT OF EMERGENCY MANAGEMENT , DURING CYBERSECURITY 19
INCIDENTS THAT AFFEC T STATE AND LOCAL GOVER NMENTS; 20
(4) SUPPORT RISK–BASED PLANNING FOR T HE USE OF FEDERAL 21
RESOURCES; AND 22
(5) CONDUCT ANALYSES OF CYBERSECURITY INCIDE NTS. 23
3.5–404. 24
(a) The General Assembly declares that: 25
(1) it is the policy of the State to foster telecommunication and computer 26
networking among State and local governments, their agencies, and educational 27
institutions in the State; 28
(2) there is a need to improve access, especially in rural areas, to efficient 29
telecommunication and computer network connections; 30
SENATE BILL 754 21
(3) improvement of telecommunication and computer networking for State 1
and local governments and educational institutions promotes economic development, 2
educational resource use and development, and efficiency in State and local administration; 3
(4) rates for the intrastate inter–LATA telephone communications needed 4
for effective integration of telecommunication and computer resources are prohibitive for 5
many smaller governments, agencies, and institutions; and 6
(5) the use of improved State telecommunication and computer networking 7
under this section is intended not to compete with commercial access to advanced network 8
technology, but rather to foster fundamental efficiencies in government and education for 9
the public good. 10
(b) (1) The Department shall establish a telecommunication and computer 11
network in the State. 12
(2) The network shall consist of: 13
(i) one or more connection facilities for telecommunication and 14
computer connection in each local access transport area (LATA) in the State; and 15
(ii) facilities, auxiliary equipment, and services required to support 16
the network in a reliable and secure manner. 17
(c) The network shall be accessible through direct connection and through local 18
intra–LATA telecommunications to State and local governments and public and private 19
educational institutions in the State. 20
(D) ON OR BEFORE DECEMBER 1 EACH YEAR IN A MANNER AND FREQU ENCY 21
ESTABLISHED IN REGUL ATIONS ADOPTED BY TH E DEPARTMENT , EACH UNIT OF THE 22
LEGISLATIVE OR JUDICIAL BRANCH OF STATE GOVERNMENT , EACH UNIT OF LOCAL 23
GOVERNMENT, AND ANY LOCAL AGENCI ES THAT USE THE NETW ORK ESTABLISHED 24
UNDER SUBSECTION (B) OF THIS SECTION SHAL L CERTIFY TO THE DEPARTMENT 25
THAT THE UNIT IS IN COMPLIANCE WITH THE DEPARTMENT ’S MINIMUM SECURITY 26
STANDARDS. 27
3.5–405. 28
(A) THIS SECTION DOES NOT APPLY TO MUNICIPAL G OVERNMENTS . 29
(B) ON OR BEFORE DECEMBER 1 EACH YEAR IN A MANNER AND FREQU ENCY 30
ESTABLISHED IN REGUL ATIONS ADOPTED BY TH E DEPARTMENT , EACH COUNTY 31
GOVERNMENT , LOCAL SCHOOL SYSTEM , AND LOCAL HEALTH DEP ARTMENT SHALL : 32
22 SENATE BILL 754
(1) IN CONSULTATION WITH THE LOCAL EMERGENCY MANAGER, 1
CREATE OR UPDATE A C YBERSECURITY PREPARE DNESS AND RESPONSE P LAN AND 2
SUBMIT THE PLAN TO T HE OFFICE OF SECURITY MANAGEMENT FOR APPROV AL; 3
(2) COMPLETE A CYBERSECU RITY PREPAREDNESS AS SESSMENT AND 4
REPORT THE RESULTS TO THE OFFICE IN ACCORDANCE WITH GUIDELINES 5
DEVELOPED BY THE OFFICE; AND 6
(3) REPORT TO THE OFFICE: 7
(I) THE NUMBER OF INFORM ATION TECHNOLOGY STA FF 8
POSITIONS, INCLUDING VACANCIES ; 9
(II) THE ENTITY’S CYBERSECURITY BUDG ET AND OVERALL 10
INFORMATION TECHNOLOGY BU DGET; 11
(III) THE NUMBER OF EMPLOY EES WHO HAVE RECEIVE D 12
CYBERSECURITY TRAINI NG; AND 13
(IV) THE TOTAL NUMBER OF EMPLOYEES WITH ACCES S TO THE 14
ENTITY’S COMPUTER SYSTEMS A ND DATABASES . 15
4–308. 16
(A) THE DEPARTMENT MAY ESTABL ISH A PROGRAM THAT LEVERAG ES 17
STATE PURCHASING POWE R TO OFFER FAVORABLE RATES TO UNITS OF LO CAL 18
GOVERNMENT TO PROCUR E INFORMATION TECHNO LOGY OR CYBERSECURIT Y 19
SERVICES FROM CONTRA CTORS. 20
(B) A UNIT OF LOCAL GOVERN MENT MAY NOT BE REQU IRED TO 21
PARTICIPATE IN A PRO GRAM ESTABLISHED UNDER SUBSECTION (A) OF THIS 22
SECTION. 23
6–226. 24
(a) (2) (i) Notwithstanding any other provision of law, and unless 25
inconsistent with a federal law, grant agreement, or other federal requirement or with the 26
terms of a gift or settlement agreement, net interest on all State money allocated by the 27
State Treasurer under this section to special funds or accounts, and otherwise entitled to 28
receive interest earnings, as accounted for by the Comptroller, shall accrue to the General 29
Fund of the State. 30
(ii) The provisions of subparagraph (i) of this paragraph do not apply 31
to the following funds: 32
SENATE BILL 754 23
144. the Health Equity Resource Community Reserve Fund; 1
[and] 2
145. the Access to Counsel in Evictions Special Fund; AND 3
146. THE LOCAL CYBERSECURITY SUPPORT FUND. 4
12–107. 5
(b) Subject to the authority of the Board, jurisdiction over procurement is as 6
follows: 7
(2) the Department of General Services may: 8
(i) engage in or control procurement of: 9
10. information processing equipment and associated 10
services, as provided in Title [3A] 3.5, Subtitle 3 of this article; and 11
11. telecommunication equipment, systems, or services, as 12
provided in Title [3A] 3.5, Subtitle 4 of this article; 13
Article – State Government 14
2–1224. 15
(f) [After] EXCEPT AS PROVIDED IN SUBSECTION (I) OF THIS SECTION , 16
AFTER the expiration of any period that the Joint Audit and Evaluation Committee 17
specifies, a report of the Legislative Auditor is available to the public under Title 4, 18
Subtitles 1 through 5 of the General Provisions Article. 19
(I) A REPORT AUDITING A UN IT OF STATE OR LOCAL GOVERN MENT SHALL 20
HAVE ANY CYBERSECURI TY FINDINGS REDACTED IN A MANNER CONSISTE NT WITH 21
AUDITING BEST PRACTI CES BEFORE THE REPORT IS MADE AVAILABLE TO TH E 22
PUBLIC. 23
SECTION 3. AND BE IT FURTHER ENACTED, That, on or before December 1, 24
2022, the State Chief Information Security Officer and the Secretary of Emergency 25
Management shall: 26
(1) review the State budget for efficiency and effectiveness of funding and 27
resources to ensure that the State is equipped to respond to a cybersecurity attack; 28
(2) make recommendations for any changes to the budget needed to 29
accomplish the goals under item (1) of this section; 30
24 SENATE BILL 754
(3) establish guidance for units of State government on use and access to 1
State funding related to cybersecurity preparedness; and 2
(4) report any recommendations and guidance to the Governor and, in 3
accordance with § 2–1257 of the State Government Article, the General Assembly. 4
SECTION 4. AND BE IT FURTHER ENACT ED, That: 5
(a) On or before December 1, 2023, the State Chief Information Security Officer 6
shall: 7
(1) commission a feasibility study on expanding the operations of the State 8
Security Operations Center operated by the Department of Information Technology to 9
include cybersecurity monitoring and alert services for units of local government; and 10
(2) report any recommendations to the Governor and, in accordance with § 11
2–1257 of the State Government Article, the General Assembly. 12
(b) For fiscal year 2024, the Governor shall include an appropriation in the 13
annual budget to cover the cost of the feasibility study required under subsection (a) of this 14
section. 15
SECTION 5. AND BE IT FURTHER ENACTED, That this Act shall take effect July 16
1, 2022. 17
SECTION 5. AND BE IT FURTHER ENACTED, That: 18
(a) (1) On or before June 30, 2023, each unit of local government shall certify 19
to the Office of Security Management compliance with State minimum cybersecurity 20
standards established by the Department of Information Technology. 21
(2) Certification shall be reviewed by independent auditors, and any 22
findings must be remediated. 23
(b) If a unit of local government has not remediated any findings pertaining to 24
State cybersecurity standards found by the independent audit required under subsection 25
(1) of this section by July 1, 2024, the Office of Security Management shall assume 26
responsibility for a unit’s cybersecurity through a shared service agreement, administrative 27
privileges, or access to Network Maryland notwithstanding any federal law or regulation 28
that forbids the Office of Security Management from managing a specific system. 29
SECTION 6. AND BE IT FURTHER ENACTED, That for fiscal year 2023, funds 30
from the Dedicated Purpose Account may be transferred by budget amendm ent in 31
accordance with § 7–310 of the State Finance and Procurement Article to implement this 32
Act. 33
SECTION 7. AND BE IT FURTHER ENACTED, That: 34 SENATE BILL 754 25
(a) On or before June October 1, 2022, the State Chief Information Security 1
Officer shall establish guidelines to determine when a cybersecurity incident shall be 2
disclosed to the public. 3
(b) On or before November 1, 2022, the State Chief Information Security Officer 4
shall submit a report on the guidelines established under subsection (a) of this section to 5
the Governor and, in accordance with § 2–1257 of the State Government Article, the House 6
Health and Government Operations Committee and the Senate Education, Health, and 7
Environmental Affairs Committee. 8
SECTION 8. AND BE IT FURTHER ENACTED, That this Act is an emergency 9
measure, is necessary for the immediate preservation of the public health or safety, has 10
been passed by a yea and nay vote supported by three–fifths of all the members elected to 11
each of the two Houses of the General Assembly, and shall take effect from the date it is 12
enacted. 13
Approved:
________________________________________________________________________________
Governor.
________________________________________________________________________________
President of the Senate.
________________________________________________________________________________
Speaker of the House of Delegates.