EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW.
[Brackets] indicate matter deleted from existing law.
Underlining indicates amendments to bill.
Strike out indicates matter stricken from the bill by amendment or deleted from the law by
amendment.
Italics indicate opposite chamber/conference committee amendments.
*sb0754*
SENATE BILL 754
S2, E4, P1 EMERGENCY BILL (2lr1504)
ENROLLED BILL
— Education, Health, and Environmental Affairs/Health and Government
Operations —
Introduced by Senator Hester Senators Hester, Hershey, Jennings, Jackson,
Rosapepe, Lee, and Watson
Read and Examined by Proofreaders:
_______________________________________________
Proofreader.
_______________________________________________
Proofreader.
Sealed with the Great Seal and presented to the Governor, for his approval this
_______ day of _______________ at ________________________ o’clock, ________M.
______________________________________________
President.
CHAPTER ______
AN ACT concerning 1
Local Government Cybersecurity – Coordination and Operations 2
(Local Cybersecurity Support Act of 2022) 3
FOR the purpose of establishing the Cyber Preparedness Unit in the Maryland Department 4
of Emergency Management; establishing certain responsibilities of the Unit; 5
requiring certain local entities local governments to report certain cybersecurity 6
incidents in a certain manner and under certain circumstances; requiring the 7
Maryland Joint Operations Center State Security Operations Center to notify 8
appropriate agencies of a cybersecurity incident in a certain manner; establishing 9
the Cybersecurity Fusion Center in the Maryland Department of Emergency 10
Management; establishing certain responsibilities of the Fusion Center; establishing 11
the Local Cybersecurity Support Fund, the purposes of the Fund, and certain 12
eligibility requirements to receive assistance from the Fund; establishing the Office 13 2 SENATE BILL 754
of Security Management within the Department of Information Technology and 1
certain Office positions; establishing certain responsibilities and authority of the 2
Office; requiring each unit of the Legislative or Judicial Branch of State government, 3
each unit of local government, and any local agencies that use a certain network to 4
certify certain compliance to the Department of Information Technology on or before 5
a certain date each year; requiring certain local entities to submit a certain report to 6
the Office on or before a certain date each year; in a certain manner; requiring the 7
Office to submit a certain report to the Governor and certain committees of the 8
General Assembly on or before a certain date each year; requiring the Office to 9
submit a certain report to the Governor and certain committees of the General 10
Assembly on or before a certain date each year; establishing the Information Sharing 11
and Analysis Center in the Department of Information Technology; establishing 12
certain responsibilities for the Center; requiring the State Chief Information 13
Security Officer and the Secretary of Emergency Management to conduct a certain 14
review, make recommendations, establish certain guidance, and submit a certain 15
report on or before a certain date; requiring the State Chief Information Security 16
Officer to commission a certain feasibility study and report recommendations on or 17
before a certain date; requiring the Governor to include an appropriation in a certain 18
annual budget to cover the cost of the feasibility study; authorizing funds to be 19
transferred by budget amendment from the Dedicated Purpose Account in a certain 20
fiscal year to implement the Act; and generally relating to local government 21
cybersecurity coordination and operations. 22
BY renumbering 23
Article – State Finance and Procurement 24
Section 3A–101 through 3A–702, respectively, and the title “Title 3A. Department of 25
Information Technology” 26
to be Section 3.5–101 through 3.5–702, respectively, and the title “Title 3.5. 27
Department of Information Technology” 28
Annotated Code of Maryland 29
(2021 Replacement Volume) 30
BY repealing and reenacting, with amendments, 31
Article – Criminal Procedure 32
Section 10–221(b) 33
Annotated Code of Maryland 34
(2018 Replacement Volume and 2021 Supplement) 35
BY repealing and reenacting, with amendments, 36
Article – Health – General 37
Section 21–2C–03(h)(2)(i) 38
Annotated Code of Maryland 39
(2019 Replacement Volume and 2021 Supplement) 40
BY repealing and reenacting, with amendments, 41
Article – Human Services 42
Section 7–806(a), (b)(1), (c)(1), (d)(1) and (2)(i), and (g)(1) 43 SENATE BILL 754 3
Annotated Code of Maryland 1
(2019 Replacement Volume and 2021 Supplement) 2
BY repealing and reenacting, with amendments, 3
Article – Insurance 4
Section 31–103(a)(2)(i) and (b)(2) 5
Annotated Code of Maryland 6
(2017 Replacement Volume and 2021 Supplement) 7
BY repealing and reenacting, with amendments, 8
Article – Natural Resources 9
Section 1–403(c) 10
Annotated Code of Maryland 11
(2018 Replacement Volume and 2021 Supplement) 12
BY repealing and reenacting, without amendments, 13
Article – Public Safety 14
Section 14–103 15
Annotated Code of Maryland 16
(2018 Replacement Volume and 2021 Supplement) 17
BY adding to 18
Article – Public Safety 19
Section 14–104.1 20
Annotated Code of Maryland 21
(2018 Replacement Volume and 2021 Supplement) 22
BY repealing and reenacting, without amendments, 23
Article – State Finance and Procurement 24
Section 3.5–101(a) and (e) and 3.5–301(a) 25
Annotated Code of Maryland 26
(2021 Replacement Volume) 27
(As enacted by Section 1 of this Act) 28
BY adding to 29
Article – State Finance and Procurement 30
Section 3.5–2A–01 through 3.5–2A–04 to be under the new subtitle “Subtitle 2A. 31
Office of Security Management”; and 3.5–315, 3.5–405, and 4–308 and 32
6–226(a)(2)(ii)146. 33
Annotated Code of Maryland 34
(2021 Replacement Volume) 35
BY repealing and reenacting, with amendments, 36
Article – State Finance and Procurement 37
Section 3.5–301(j), 3.5–302(c), 3.5–303(c)(2)(ii)2., 3.5–307(a)(2), 3.5–309(c)(2), (i)(3), 38
and (l)(1)(i), 3.5–311(a)(2)(i), and 3.5–404 39
Annotated Code of Maryland 40 4 SENATE BILL 754
(2021 Replacement Volume) 1
(As enacted by Section 1 of this Act) 2
BY repealing and reenacting, without amendments, 3
Article – State Finance and Procurement 4
Section 6–226(a)(2)(i) 5
Annotated Code of Maryland 6
(2021 Replacement Volume) 7
BY repealing and reenacting, with amendments, 8
Article – State Finance and Procurement 9
Section 6–226(a)(2)(ii)144. and 145. and 12–107(b)(2)(i)10. and 11. 10
Annotated Code of Maryland 11
(2021 Replacement Volume) 12
BY repealing and reenacting, with amendments, 13
Article – State Government 14
Section 2–1224(f) 15
Annotated Code of Maryland 16
(2021 Replacement Volume) 17
BY adding to 18
Article – State Government 19
Section 2–1224(i) 20
Annotated Code of Maryland 21
(2021 Replacement Volume) 22
SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 23
That Section(s) 3A–101 through 3A–702, respectively, and the title “Title 3A. Department 24
of Information Technology” of Article – State Finance and Procurement of the Annotated 25
Code of Maryland be renumbered to be Section(s) 3.5–101 through 3.5–702, respectively, 26
and the title “Title 3.5. Department of Information Technology”. 27
SECTION 2. AND BE IT FURTHER ENACTED, That the Laws of Maryland read 28
as follows: 29
Article – Criminal Procedure 30
10–221. 31
(b) Subject to Title [3A] 3.5, Subtitle 3 of the State Finance and Procurement 32
Article, the regulations adopted by the Secretary under subsection (a)(1) of this section and 33
the rules adopted by the Court of Appeals under subsection (a)(2) of this section shall: 34
(1) regulate the collection, reporting, and dissemination of criminal history 35
record information by a court and criminal justice units; 36
SENATE BILL 754 5
(2) ensure the security of the criminal justice information system and 1
criminal history record information reported to and collected from it; 2
(3) regulate the dissemination of criminal history record information in 3
accordance with Subtitle 1 of this title and this subtitle; 4
(4) regulate the procedures for inspecting and challenging criminal history 5
record information; 6
(5) regulate the auditing of criminal justice units to ensure that criminal 7
history record information is: 8
(i) accurate and complete; and 9
(ii) collected, reported, and disseminated in accordance with Subtitle 10
1 of this title and this subtitle; 11
(6) regulate the development and content of agreements between the 12
Central Repository and criminal justice units and noncriminal justice units; and 13
(7) regulate the development of a fee schedule and provide for the collection 14
of the fees for obtaining criminal history record information for other than criminal justice 15
purposes. 16
Article – Health – General 17
21–2C–03. 18
(h) (2) The Board is subject to the following provisions of the State Finance 19
and Procurement Article: 20
(i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent 21
that the Secretary of Information Technology determines that an information technology 22
project of the Board is a major information technology development project; 23
Article – Human Services 24
7–806. 25
(a) (1) Subject to paragraph (2) of this subsection, the programs under § 26
7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State 27
Finance and Procurement Article shall be funded as provided in the State budget. 28
(2) For fiscal year 2019 and each fiscal year thereafter, the program under 29
[§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall be funded at an 30
amount that: 31 6 SENATE BILL 754
(i) is equal to the cost that the Department of Aging is expected to 1
incur for the upcoming fiscal year to provide the service and administer the program; and 2
(ii) does not exceed 5 cents per month for each account out of the 3
surcharge amount authorized under subsection (c) of this section. 4
(b) (1) There is a Universal Service Trust Fund created for the purpose of 5
paying the costs of maintaining and operating the programs under: 6
(i) § 7–804(a) of this subtitle, subject to the limitations and controls 7
provided in this subtitle; 8
(ii) § 7–902(a) of this title, subject to the limitations and controls 9
provided in Subtitle 9 of this title; and 10
(iii) [§ 3A–702] § 3.5–702 of the State Finance and Procurement 11
Article, subject to the limitations and controls provided in Title [3A] 3.5, Subtitle 7 of the 12
State Finance and Procurement Article. 13
(c) (1) The costs of the programs under § 7–804(a) of this subtitle, § 7–902(a) 14
of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall 15
be funded by revenues generated by: 16
(i) a surcharge to be paid by the subscribers to a communications 17
service; and 18
(ii) other funds as provided in the State budget. 19
(d) (1) The Secretary shall annually certify to the Public Service Commission 20
the costs of the programs under § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 21
3A–702] § 3.5–702 of the State Finance and Procurement Article to be paid by the 22
Universal Service Trust Fund for the following fiscal year. 23
(2) (i) The Public Service Commission shall determine the surcharge 24
for the following fiscal year necessary to fund the programs under § 7–804(a) of this subtitle, 25
§ 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement 26
Article. 27
(g) (1) The Legislative Auditor may conduct postaudits of a fiscal and 28
compliance nature of the Universal Service Trust Fund and the expenditures made for 29
purposes of § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of 30
the State Finance and Procurement Article. 31
Article – Insurance 32
SENATE BILL 754 7
31–103. 1
(a) The Exchange is subject to: 2
(2) the following provisions of the State Finance and Procurement Article: 3
(i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent 4
that the Secretary of Information Technology determines that an information technology 5
project of the Exchange is a major information technology development project; 6
(b) The Exchange is not subject to: 7
(2) Title [3A] 3.5, Subtitle 3 (Information Processing) of the State Finance 8
and Procurement Article, except to the extent determined by the Secretary of Information 9
Technology under subsection (a)(2)(i) of this section; 10
Article – Natural Resources 11
1–403. 12
(c) The Department shall develop the electronic system consistent with the 13
statewide information technology master plan developed under Title [3A] 3.5, Subtitle 3 of 14
the State Finance and Procurement Article. 15
Article – Public Safety 16
14–103. 17
(a) There is a Maryland Department of Emergency Management established as a 18
principal department of the Executive Branch of State government. 19
(b) The Department has primary responsibility and authority for developing 20
emergency management policies and is responsible for coordinating disaster risk reduction, 21
consequence management, and disaster recovery activities. 22
(c) The Department may act to: 23
(1) reduce the disaster risk and vulnerability of persons and property 24
located in the State; 25
(2) develop and coordinate emergency planning and preparedness; and 26
(3) coordinate emergency management activities and operations: 27
(i) relating to an emergency that involves two or more State 28
agencies; 29 8 SENATE BILL 754
(ii) between State agencies and political subdivisions; 1
(iii) with local governments; 2
(iv) with agencies of the federal government and other states; and 3
(v) with private and nonprofit entities. 4
14–104.1. 5
(A) (1) IN THIS SECTION THE F OLLOWING WORDS HAVE THE MEANINGS 6
INDICATED. 7
(2) “FUND” MEANS THE LOCAL CYBERSECURITY SUPPORT FUND. 8
(3) “FUSION CENTER” MEANS THE CYBERSECURITY FUSION 9
CENTER. 10
(4) (2) “LOCAL GOVERNMENT ” INCLUDES LOCAL SCHOO L 11
SYSTEMS, LOCAL SCHOOL BOARDS , AND LOCAL HEALTH DEP ARTMENTS. 12
(5) (3) “UNIT” MEANS THE CYBER PREPAREDNESS UNIT. 13
(B) (1) THERE IS A CYBER PREPAREDNESS UNIT IN THE DEPARTMENT . 14
(2) IN COORDINATION WITH THE STATE CHIEF INFORMATION 15
SECURITY OFFICER, THE UNIT SHALL: 16
(I) SUPPORT LOCAL GOVERN MENTS IN DEVELOPING A 17
VULNERABILITY ASSESS MENT AND CYBER ASSES SMENT THROUGH THE MARYLAND 18
NATIONAL GUARD’S INNOVATIVE READINESS TRAINING PROGRAM OR THE U.S. 19
DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AND INFRASTRUCTURE 20
SECURITY AGENCY, INCLUDING PROVIDING LOCAL GOVERNMENTS WI TH THE 21
RESOURCES AND INFORM ATION ON BEST PRACTI CES TO COMPLETE THE 22
ASSESSMENTS ; 23
(II) DEVELOP AND REGULARL Y UPDATE AN ONLINE DATABASE 24
OF CYBERSECURITY TRA INING RESOURCES FOR LOCAL GOVERNMENT PER SONNEL, 25
INCLUDING TECHNICAL TRAINING RESOURCES , CYBERSECURITY CONTIN UITY OF 26
OPERATIONS TEMPLATES , CONSEQUENCE MANAGEME NT PLANS, AND TRAININGS ON 27
MALWARE AND RANSOMWA RE DETECTION ; 28
(III) ESTABLISH AND PROVID E STAFF FOR A STATEW IDE 29
HELPLINE TO PROVIDE REAL–TIME EMERGENCY ASSIS TANCE AND RESOURCE 30 SENATE BILL 754 9
INFORMATION TO ANY L OCAL GOVERNMENT THAT HAS EXPERIENCED A CY BER 1
INCIDENT OR ATTACK ; 2
(IV) (III) ASSIST LOCAL GOVERNM ENTS IN: 3
1. THE DEVELOPMENT OF C YBERSECURITY 4
PREPAREDNESS AND RES PONSE PLANS; AND 5
2. IMPLEMENTING BEST PR ACTICES AND GUIDANCE 6
DEVELOPED BY THE STATE CHIEF INFORMATION SECURITY OFFICER; AND 7
3. IDENTIFYING AND ACQU IRING RESOURCES TO 8
COMPLETE APPROPRIATE CYBERSECURITY VULNERABILI TY ASSESSMENTS ; 9
(V) (IV) CONNECT LOCAL GOVERN MENTS TO APPROPRIATE 10
RESOURCES FOR ANY OT HER PURPOSE RELATED TO CYBERSECURITY 11
PREPAREDNESS AND RES PONSE; 12
(VI) DEVELOP APPROPRIATE REPORTS ON LOCAL 13
CYBERSECURITY PREPAR EDNESS; 14
(VII) (V) AS NECESSARY AND IN COORDINATION WITH TH E 15
NATIONAL GUARD, LOCAL EMERGENCY MANA GERS, AND OTHER STATE AND LOCAL 16
ENTITIES, CONDUCT REGIONAL CYB ERSECURITY PREPAREDN ESS EXERCISES; AND 17
(VIII) (VI) ESTABLISH REGIONAL A SSISTANCE GROUPS TO 18
DELIVER AND COORDINA TE SUPPORT SERVICES TO LOCAL GOVERNMENTS , 19
AGENCIES, OR REGIONS. 20
(3) THE UNIT SHALL SUPPORT TH E OFFICE OF SECURITY 21
MANAGEMENT IN THE DEPARTMENT OF INFORMATION TECHNOLOGY DURING 22
EMERGENCY RESPON SE EFFORTS. 23
(C) (1) EACH LOCAL GOVERNMENT SHALL REPORT A CYBER SECURITY 24
INCIDENT, INCLUDING AN ATTACK ON A STATE SYSTEM BEING US ED BY THE LOCAL 25
GOVERNMENT , TO THE APPROPRIATE L OCAL EMERGENCY MANAG ER AND THE 26
STATE SECURITY OPERATIONS CENTER IN THE DEPARTMENT OF INFORMATION 27
TECHNOLOGY TO THE MARYLAND JOINT OPERATIONS CENTER IN THE 28
DEPARTMENT IN ACCORDA NCE WITH PARAGRAPH (2) OF THIS SUBSECTION . 29
(2) FOR THE REPORTING OF CYBERSECURITY INCIDE NTS UNDER 30
PARAGRAPH (1) OF THIS SUBSECTION , THE DEPARTMENT STATE CHIEF 31
INFORMATION SECURITY OFFICER SHALL DETERMINE : 32
10 SENATE BILL 754
(I) THE CRITERIA FOR DET ERMINING WHEN AN INC IDENT MUST 1
BE REPORTED ; 2
(II) THE MANNER IN WHICH TO REPORT; AND 3
(III) THE TIME PERIOD WITH IN WHICH A REPORT MU ST BE MADE. 4
(3) THE MARYLAND JOINT OPERATIONS CENTER STATE SECURITY 5
OPERATIONS CENTER SHALL IMMEDIATELY NOTIFY APPROPRIATE A GENCIES OF A 6
CYBERSECURITY INCIDE NT REPORTED UNDER TH IS SUBSECTION THROUG H THE 7
STATE SECURITY OPERATIONS CENTER. 8
(D) (1) FIVE POSITION IDENTIFICATION NUMBERS (PINS) SHALL BE 9
CREATED FOR THE PURP OSE OF HIRING STAFF TO CONDUCT THE DUTIE S OF THE 10
MARYLAND DEPARTMENT OF EMERGENCY MANAGEMENT CYBERSECURITY 11
PREPAREDNESS UNIT. 12
(2) FOR FISCAL YEAR 2024 AND EACH FISCAL YEAR THEREAFTER , 13
THE GOVERNOR SHALL INCLUD E IN THE ANNUAL BUDGET BILL AN AP PROPRIATION 14
OF AT LEAST: 15
(I) $220,335 FOR 3 PINS FOR ADMINISTRATOR III POSITIONS; 16
AND 17
(II) $137,643 FOR 2 PINS FOR ADMINISTRATOR II POSITIONS. 18
(D) (1) THERE IS A CYBERSECURITY FUSION CENTER IN THE 19
DEPARTMENT . 20
(2) THE FUSION CENTER SHALL: 21
(I) COORDINATE INFORMATI ON ON CYBERSECURITY BY 22
SERVING AS A CENTRAL LOCATION FOR INFORMA TION SHARING ACROSS STATE AND 23
LOCAL GOVERNMENT , FEDERAL GOVERNMENT P ARTNERS, AND PRIVATE ENTITIES ; 24
(II) WITH THE OFFICE OF SECURITY MANAGEMENT IN THE 25
DEPARTMENT OF INFORMATION TECHNOLOGY , SUPPORT CYBERSECURIT Y 26
COORDINATION BETWEEN LOCAL UNITS OF GOVER NMENT THROUGH EXISTI NG 27
LOCAL GOVERNMENT STA KEHOLDER ORGANIZATIO NS; 28
(III) PROVIDE SUPPORT TO T HE STATE CHIEF INFORMATION 29
SECURITY OFFICER AND THE UNIT DURING CYBERSECU RITY INCIDENTS THAT 30
AFFECT STATE AND LOCAL GOVER NMENTS; 31
SENATE BILL 754 11
(IV) SUPPORT RISK –BASED PLANNING FOR T HE USE OF 1
FEDERAL RESOURCES ; AND 2
(V) CONDUCT ANALYSIS OF CYBERSECURITY INCIDE NTS. 3
(E) (1) THERE IS A LOCAL CYBERSECURITY SUPPORT FUND. 4
(2) THE PURPOSE OF THE FUND IS TO: 5
(I) PROVIDE FINANCIAL AS SISTANCE TO LOCAL GO VERNMENTS 6
TO IMPROVE CYBERSECU RITY PREPAREDNESS , INCLUDING: 7
1. UPDATING CURRENT DEV ICES AND NETWORKS WI TH 8
THE MOST UP–TO–DATE CYBERSECUR ITY PROTECTIONS ; 9
2. SUPPORTING THE PURCH ASE OF NEW HARDWARE , 10
SOFTWARE, DEVICES, AND FIREWALLS TO IMP ROVE CYBERSECURITY 11
PREPAREDNESS ; 12
3. RECRUITING AND HIRIN G INFORMATION 13
TECHNOLOGY STAFF FOC USED ON CYBERSECURIT Y; AND 14
4. PAYING OUTSIDE VEND ORS FOR CYBERSECURIT Y 15
STAFF TRAINING ; AND 16
(II) ASSIST LOCAL GOVERNM ENTS APPLYING FOR FE DERAL 17
CYBERSECURITY PREPAR EDNESS GRANTS . 18
(3) THE SECRETARY SHALL ADMIN ISTER THE FUND. 19
(4) (I) THE FUND IS A SPECIAL, NONLAPSING FUND THAT IS NOT 20
SUBJECT TO § 7–302 OF THE STATE FINANCE AND PROCUREMENT ARTICLE. 21
(II) THE STATE TREASURER SHALL HOLD THE FUND 22
SEPARATELY, AND THE COMPTROLLER SHALL ACC OUNT FOR THE FUND. 23
(5) THE FUND CONSISTS OF : 24
(I) MONEY APPROPRIATED I N THE STATE BUDGET TO THE 25
FUND; 26
(II) INTEREST EARNINGS ; AND 27
12 SENATE BILL 754
(III) ANY OTHER MONEY FROM ANY OTHER SOURCE ACC EPTED 1
FOR THE BENEFIT OF T HE FUND. 2
(6) THE FUND MAY BE USED ONLY : 3
(I) TO PROVIDE FINANCIAL ASSISTANCE TO LOCAL 4
GOVERNMENTS TO IMPRO VE CYBERSECURITY PRE PAREDNESS, INCLUDING: 5
1. UPDATING CURRENT DEV ICES AND NETWORKS WI TH 6
THE MOST UP–TO–DATE CYBERSECURITY P ROTECTIONS; 7
2. SUPPORTING THE PURCH ASE OF NEW HARDWARE , 8
SOFTWARE, DEVICES, AND FIREWALLS TO IMP ROVE C YBERSECURITY 9
PREPAREDNESS ; 10
3. RECRUITING AND HIRIN G INFORMATION 11
TECHNOLOGY STAFF FOC USED ON CYBERSECURIT Y; AND 12
4. PAYING OUTSIDE VENDO RS FOR CYBERSECURITY 13
STAFF TRAINING ; 14
(II) TO ASSIST LOCAL GOVE RNMENTS APPLYING FOR FEDERAL 15
CYBERSECURITY P REPAREDNESS GRANTS ; AND 16
(III) FOR ADMINISTRATIVE E XPENSES ASSOCIATED W ITH 17
PROVIDING THE ASSIST ANCE DESCRIBED UNDER ITEM (I) OF THIS PARAGRAPH . 18
(7) (I) THE STATE TREASURER SHALL INVES T THE MONEY OF THE 19
FUND IN THE SAME MANN ER AS OTHER STATE MONEY MAY BE INVESTED . 20
(II) ANY INTEREST EARNINGS OF THE FUND SHALL BE 21
CREDITED TO THE FUND. 22
(8) EXPENDITURES FROM THE FUND MAY BE MADE ONLY IN 23
ACCORDANCE WITH THE STATE BUDGET . 24
(F) TO BE ELIGIBLE TO REC EIVE ASSISTANCE FROM THE FUND, EACH 25
LOCAL GOVERNMENT THAT USES THE NETWORK ESTABLIS HED IN ACCORDANCE 26
WITH § 3.5–404 OF THE STATE FINANCE AND PROCUREMENT ARTICLE SHALL MEET 27
THE REQUIREMENTS OF §§ 3.5–404(D) AND 3.5–405 OF THE STATE FINANCE AND 28
PROCUREMENT ARTICLE. 29
Article – State Finance and Procurement 30
SENATE BILL 754 13
3.5–101. 1
(a) In this title the following words have the meanings indicated. 2
(e) “Unit of State government” means an agency or unit of the Executive Branch 3
of State government. 4
SUBTITLE 2A. OFFICE OF SECURITY MANAGEMENT . 5
3.5–2A–01. 6
IN THIS SUBTITLE, “OFFICE” MEANS THE OFFICE OF SECURITY 7
MANAGEMENT . 8
3.5–2A–02. 9
THERE IS AN OFFICE OF SECURITY MANAGEMENT WITHIN THE DEPARTMENT . 10
3.5–2A–03. 11
(A) THE HEAD OF THE OFFICE IS THE STATE CHIEF INFORMATION 12
SECURITY OFFICER. 13
(B) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL: 14
(1) BE APPOINTED BY THE GOVERNOR WITH THE ADV ICE AND 15
CONSENT OF THE SENATE; 16
(2) SERVE AT THE PLEASUR E OF THE GOVERNOR; 17
(3) BE SUPERVISED BY THE SECRETARY; AND 18
(4) SERVE AS THE CHIEF I NFORMATION SECURITY OFFICER OF THE 19
DEPARTMENT . 20
(C) AN INDIVIDUAL APPOINT ED AS THE STATE CHIEF INFORMATION 21
SECURITY OFFICER UNDER SUBSECT ION (B) OF THIS SECTION SHAL L: 22
(1) AT A MINIMUM, HOLD A BACHELOR ’S DEGREE; 23
(2) HOLD APPROPRIATE INF ORMATION TECHNOLOGY OR 24
CYBERSECURITY CERTIF ICATIONS; 25
(3) HAVE EXPERIENCE : 26
14 SENATE BILL 754
(I) IDENTIFYING, IMPLEMENTING , AND OR ASSESSING 1
SECURITY CONTROLS ; 2
(II) IN INFRASTRUCTURE , SYSTEMS ENGINEERING , AND OR 3
CYBERSECURITY ; 4
(III) MANAGING HIGHLY TECH NICAL SECURITY , SECURITY 5
OPERATIONS CENTERS , AND INCIDENT RESPONS E TEAMS IN A COMPLEX CLOUD 6
ENVIRONMENT AND SUPP ORTING MULTIPLE SITE S; AND 7
(IV) WORKING WITH COMMON INFORMATION SECURITY 8
MANAGEMENT FRAMEWORK S; 9
(4) HAVE EXTENSIVE K NOWLEDGE OF INFORMAT ION TECHNOLOGY 10
AND CYBERSECURITY FI ELD CONCEPTS , BEST PRACTICES , AND PROCEDURES , WITH 11
AN UNDERSTANDING OF EXISTING ENTERPRISE CAPABILITIES AND LIM ITATIONS TO 12
ENSURE THE SECURE IN TEGRATION AND OPERAT ION OF SECURITY NETW ORKS AND 13
SYSTEMS; AND 14
(5) HAVE KNOWLEDGE OF CU RRENT SECURITY REGUL ATIONS. 15
(C) (D) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL 16
PROVIDE CYBERSECURIT Y ADVICE AND RECOMME NDATIONS TO THE GOVERNOR ON 17
REQUEST. 18
(D) (E) (1) (I) THERE IS A DIRECTOR OF LOCAL CYBERSECURITY , 19
WHO SHALL BE APPOINT ED BY THE STATE CHIEF INFORMATION SECURITY 20
OFFICER. 21
(II) THE DIRECTOR OF LOCAL CYBERSECURITY SHALL W ORK 22
IN COORDINATION WITH THE MARYLAND DEPARTMENT OF EMERGENCY 23
MANAGEMENT TO PROVIDE TECHNICAL ASSISTANCE , COORDINATE RESOURCES, 24
AND IMPROVE CYBERSEC URITY PREPAREDNESS F OR UNITS OF LOCAL 25
GOVERNMENT . 26
(2) (I) THERE IS A DIRECTOR OF STATE CYBERSECURITY , WHO 27
SHALL BE APPOINTED B Y THE STATE CHIEF INFORMATION SECURITY OFFICER. 28
(II) THE DIRECTOR OF STATE CYBERSECURITY IS 29
RESPONSIBLE FOR IMPL EMENTATION OF THIS S ECTION WITH RESPECT TO UNITS OF 30
STATE GOVERNMENT . 31
(E) (F) THE DEPARTMENT SHALL PROV IDE THE OFFICE WITH 32
SUFFICIENT STAFF TO PERFORM THE FUNCTION S OF THIS SUBTITLE. 33 SENATE BILL 754 15
(F) THE OFFICE MAY PROCURE RE SOURCES, INCLUDING R EGIONAL 1
COORDINATORS , NECESSARY TO FULFILL THE REQUIREMENTS OF THIS SUBTITLE. 2
3.5–2A–04. 3
(A) (1) THE OFFICE IS RESPONSIBLE FOR: 4
(1) (I) THE DIRECTION , COORDINATION , AND IMPLEMENTATION 5
OF THE OVERALL CYBER SECURITY STRATEGY AN D POLICY FOR UNITS O F STATE 6
GOVERNMENT ; AND 7
(2) THE COORDINATION OF RESOURCES AND EFFORT S TO 8
IMPLEMENT CYBERSECUR ITY BEST PRACTICES A ND IMPROVE OVERALL 9
CYBERSECURITY PREPAR EDNESS AND RESPONSE FOR UNITS OF LOCAL 10
GOVERNMENT , LOCAL SCHOOL BOARDS , LOCAL SCHOOL SYSTEMS , AND LOCAL 11
HEALTH DEPARTMENTS .; AND 12
(II) SUPPORTING THE MARYLAND DEPARTMENT OF 13
EMERGENCY MANAGEMENT CYBER PREPAREDNESS UNIT DURING EMERGENCY 14
RESPONSE EFFORTS . 15
(2) THE OFFICE IS NOT RESPONS IBLE FOR THE INFORMA TION 16
TECHNOLOGY INSTALLAT ION AND MAINTENANCE OPERATIONS NORMALLY 17
CONDUCTED BY A UNIT OF STATE GOVERNMENT , A UNIT OF LOCAL GOVE RNMENT, A 18
LOCAL SCHOOL BOARD , A LOCAL SCHOOL SYSTE M, OR A LOCAL HEALTH 19
DEPARTMENT . 20
(B) THE OFFICE SHALL: 21
(1) ESTABLISH STANDARDS TO CATEGORIZE ALL IN FORMATION 22
COLLECTED OR MAINTAINED BY OR ON BEHALF OF EACH UNIT OF STATE 23
GOVERNMENT ; 24
(2) ESTABLISH STANDARDS TO CATEGORIZE ALL IN FORMATION 25
SYSTEMS MAINTAINED B Y OR ON BEHALF OF EA CH UNIT OF STATE GOVERNMENT ; 26
(3) DEVELOP GUIDELINES G OVERNING THE TYPES O F INFORMATION 27
AND INFORMATION SYSTEMS TO B E INCLUDED IN EACH C ATEGORY; 28
(4) ESTABLISH SECURITY R EQUIREMENTS FOR INFO RMATION AND 29
INFORMATION SYSTEMS IN EACH CATEGORY ; 30
16 SENATE BILL 754
(5) ASSESS THE CATEGORIZ ATION OF INFORMATION AND 1
INFORMATION SYSTEMS AND THE ASSOCIATED I MPLEMENTATION OF T HE SECURITY 2
REQUIREMENTS ESTABLI SHED UNDER ITEM (4) OF THIS SUBSECTION ; 3
(6) IF THE STATE CHIEF INFORMATION SECURITY OFFICER 4
DETERMINES THAT THER E ARE SECURITY VULNE RABILITIES OR DEFICI ENCIES IN 5
THE IMPLEMENTATION O F THE SECURITY REQUI REMENTS ESTABLISHED UNDER 6
ITEM (4) OF THIS SUBSECTION , DETERMINE WHETHER AN INFORMATION SYSTEM 7
SHOULD BE ALLOWED TO CONTINUE TO OPERATE OR BE CONNECTED TO T HE 8
NETWORK ESTABLISHED IN ACCORDANCE WITH § 3.5–404 OF THIS TITLE; ANY 9
INFORMATION SYSTEMS , DETERMINE AND DIRECT OR TAKE ACTIONS NECESSARY TO 10
CORRECT OR REMEDIATE THE VULNERABILITIES OR DEFICIENCIES , WHICH MAY 11
INCLUDE REQUIRING TH E INFORMATION SYSTEM TO BE DISCONNECTED ; 12
(7) IF THE STATE CHIEF INFORMATION SECURITY OFFICER 13
DETERMINES THAT THER E IS A CYBERSECURITY THREAT CAUSED BY AN ENTITY 14
CONNECTED TO THE NET WORK ESTABLISHED UND ER § 3.5–404 OF THIS TITLE THAT 15
INTRODUCES A SERIOUS RISK TO ENTITIES CON NECTED TO THE NETWOR K OR TO 16
THE STATE, TAKE OR DIRECT ACTIO NS REQUIRED TO MITIG ATE THE THREAT ; 17
(7) (8) MANAGE SECURITY AWARENESS TRAINING F OR ALL 18
APPROPRIATE EMPLOYEE S OF UNITS OF STATE GOVERNMENT ; 19
(8) (9) ASSIST IN THE DEVELO PMENT OF DATA MANAGE MENT, 20
DATA GOVERNANCE , AND DATA SPECIFICATI ON STANDARDS TO PROM OTE 21
STANDARDIZATION AND REDUCE RISK; 22
(9) (10) ASSIST IN THE DEVELO PMENT OF A DIGITAL I DENTITY 23
STANDARD AND SPECIFI CATION APPLICABLE TO ALL PARTIES COMMUNIC ATING, 24
INTERACTING, OR CONDUCTING BUSINE SS WITH OR ON BEHALF OF A UNIT OF STATE 25
GOVERNMENT ; 26
(10) (11) DEVELOP AND MAINTAIN INFORMATION TECHNOLO GY 27
SECURITY POLICY , STANDARDS, AND GUIDANCE DOCUMEN TS, CONSISTENT WITH 28
BEST PRACTICES DEVEL OPED BY THE NATIONAL INSTITUTE OF STANDARDS AND 29
TECHNOLOGY ; 30
(11) (12) TO THE EXTENT PRACTI CABLE, SEEK, IDENTIFY, AND 31
INFORM RELEVANT STAK EHOLDERS OF ANY AVAI LABLE FINANCIAL ASSISTAN CE 32
PROVIDED BY THE FEDE RAL GOVERNMENT OR NO N–STATE ENTITIES TO SUP PORT 33
THE WORK OF THE OFFICE; 34
(12) REVIEW AND CERTIFY L OCAL CYBERSECURITY P REPAREDNESS 35
AND RESPONSE PLANS ; 36 SENATE BILL 754 17
(13) PROVIDE TECHNICAL AS SISTANCE TO LOCALITI ES IN MITIGATING 1
AND RECOVERING FROM CYBERSECURITY INCIDE NTS; AND 2
(14) PROVIDE TECHNICAL SE RVICES, ADVICE, AND GUIDANCE TO 3
UNITS OF LOCAL GOVER NMENT TO IMPROVE CYB ERSECURITY PREPAREDN ESS, 4
PREVENTION , RESPONSE, AND RECOVERY PRACTIC ES. 5
(C) THE OFFICE, IN COORDINATION WITH THE MARYLAND DEPARTMENT 6
OF EMERGENCY MANAGEMENT , SHALL: 7
(1) ASSIST LOCAL POLITIC AL SUBDIVISIONS , INCLUDING COUNTIES , 8
SCHOOL SYSTEMS , SCHOOL BOARDS , AND LOCAL HEALTH DEP ARTMENTS, IN: 9
(I) THE DEVELOPMENT OF C YBERSECURITY PREPARE DNESS 10
AND RESPONSE PLANS ; AND 11
(II) IMPLEMENTING BEST PR ACTICES AND GUIDANCE 12
DEVELOPED BY THE DEPARTMENT ; AND 13
(2) CONNECT LOCAL ENTITI ES TO APPROPRIATE RE SOURCES FOR 14
ANY OTHER PURPOSE RE LATED TO CYBERSECURI TY PREPAREDNESS AND 15
RESPONSE. 16
(D) THE OFFICE, IN COORDINATION WITH TH E MARYLAND DEPARTMENT 17
OF EMERGENCY MANAGEMENT , MAY: 18
(1) CONDUCT REGIONAL EXE RCISES, AS NECESSARY , IN 19
COORDINATION WITH TH E NATIONAL GUARD, LOCAL EMERGENCY MANA GERS, AND 20
OTHER STATE AND LOCAL ENTIT IES; AND 21
(2) ESTABLISH REGIONAL ASSISTANCE GROUPS TO DELIVER OR 22
COORDINATE SUPPORT S ERVICES TO LOCAL POL ITICAL SUBDIVISIONS , AGENCIES, 23
OR REGIONS. 24
(C) (E) (1) ON OR BEFORE DECEMBER 31 EACH YEAR, THE OFFICE 25
SHALL REPORT TO THE GOVERNOR AND , IN ACCORDANCE WITH § 2–1257 OF THE 26
STATE GOVERNMENT ARTICLE, THE SENATE BUDGET AND TAXATION COMMITTEE, 27
THE SENATE EDUCATION, HEALTH, AND ENVIRONMENTAL AFFAIRS COMMITTEE, 28
THE HOUSE APPROPRIATIONS COMMITTEE, THE HOUSE HEALTH AND 29
GOVERNMENT OPERATIONS COMMITTEE, AND THE JOINT COMMITTEE ON 30
CYBERSECURITY , INFORMATION TECHNOLOGY , AND BIOTECHNOLOGY ON THE 31
ACTIVITIES OF THE OFFICE AND THE STATE OF CYBERSECURITY PRE PAREDNESS IN 32
MARYLAND, INCLUDING: 33 18 SENATE BILL 754
(1) (I) THE ACTIVITIES AND A CCOMPLISHMENTS OF TH E OFFICE 1
DURING THE PREVIOUS 12 MONTHS AT THE STATE AND LOCAL LEVELS; AND 2
(2) (II) A COMPILATION AND AN ALYSIS OF THE DATA F ROM THE 3
INFORMATION CONTAINE D IN THE REPORTS REC EIVED BY THE OFFICE UNDER § 4
3.5–405 OF THIS TITLE, INCLUDING: 5
(I) 1. A SUMMARY OF THE ISS UES IDENTIFIED BY TH E 6
CYBERSECURITY PREPAR EDNESS ASSESSMENTS CONDUCTE D THAT YEAR; 7
(II) 2. THE STATUS OF VULNER ABILITY ASSESSMENTS OF 8
ALL UNITS OF STATE GOVERNMENT AND A TIMELINE FOR COMPL ETION AND COST 9
TO REMEDIATE ANY VUL NERABILITIES EXPOSED ; 10
(III) 3. RECENT AUDIT FINDING S OF ALL UNITS OF STATE 11
GOVERNMENT AND OPTIO NS TO IMPROVE FINDIN GS IN FUTURE AUDITS , INCLUDING 12
RECOMMENDATIONS FOR STAFF, BUDGET, AND TIMING; 13
(IV) 4. ANALYSIS OF THE STATE’S EXPENDITURE ON 14
CYBERSECURITY RELATI VE TO OVERALL INFORM ATION TECHNOLOGY SPEND ING 15
FOR THE PRIOR 3 YEARS AND RECOMMENDA TIONS FOR CHANGES TO THE BUDGET, 16
INCLUDING AMOUNT , PURPOSE, AND TIMING TO IMPROV E STATE AND LOCAL 17
CYBERSECURITY PREPAR EDNESS; 18
(V) 5. EFFORTS TO SECURE FI NANCIAL SUPPORT FOR 19
CYBER RISK MITIGAT ION FROM FEDERAL OR OTHER NON–STATE RESOURCES ; 20
(VI) 6. KEY PERFORMANCE INDI CATORS ON THE 21
CYBERSECURITY STRATE GIES IN THE DEPARTMENT ’S INFORMATION TECHNO LOGY 22
MASTER PLAN , INCLUDING TIME , BUDGET, AND STAFF REQUIRED F OR 23
IMPLEMENTATION ; AND 24
(VII) 7. ANY ADDITIONAL RECOMME NDATIONS FOR 25
IMPROVING STATE AND LOCAL CYBER SECURITY PREPAREDNES S. 26
(2) A REPORT SUBMITTED UND ER THIS SUBSECTION M AY NOT 27
CONTAIN INFORMATION THAT REVEALS CYBERSE CURITY VULNERABILITI ES AND 28
RISKS IN THE STATE. 29
3.5–301. 30
(a) In this subtitle the following words have the meanings indicated. 31
SENATE BILL 754 19
(j) “Nonvisual access” means the ability, through keyboard control, synthesized 1
speech, Braille, or other methods not requiring sight to receive, use, and manipulate 2
information and operate controls necessary to access information technology in accordance 3
with standards adopted under [§ 3A–303(b)] § 3.5–303(B) of this subtitle. 4
3.5–302. 5
(c) Notwithstanding any other provision of law, except as provided in subsection 6
(a) of this section and [§§ 3A–307(a)(2), 3A–308, and 3A–309] §§ 3.5–307(A)(2), 3.5–308, 7
AND 3.5–309 of this subtitle, this subtitle applies to all units of the Executive Branch of 8
State government including public institutions of higher education other than Morgan 9
State University, the University System of Maryland, St. Mary’s College of Maryland, and 10
Baltimore City Community College. 11
3.5–303. 12
(c) On or before January 1, 2020, the Secretary, or the Secretary’s designee, shall: 13
(2) establish a process for the Secretary or the Secretary’s designee to: 14
(ii) 2. for information technology procured by a State unit on or 15
after January 1, 2020, enforce the nonvisual access clause developed under [§ 3A–311] § 16
3.5–311 of this subtitle, including the enforcement of the civil penalty described in [§ 17
3A–311(a)(2)(iii)1] § 3.5–311(A)(2)(III)1 of this subtitle. 18
3.5–307. 19
(a) (2) A unit of State government other than a public institution of higher 20
education may not make expenditures for major information technology development 21
projects OR CYBERSECURITY PROJEC TS except as provided in [§ 3A–308] § 3.5–308 of 22
this subtitle. 23
3.5–309. 24
(c) The Secretary: 25
(2) subject to the provisions of § 2–201 of this article and [§ 3A–307] § 26
3.5–307 of this subtitle, may receive and accept contributions, grants, or gifts of money or 27
property. 28
(i) The Fund may be used: 29
(3) notwithstanding [§ 3A–301(b)(2)] § 3.5–301(B)(2) of this subtitle, for 30
the costs of the first 12 months of operation and maintenance of a major information 31
technology development project. 32
20 SENATE BILL 754
(l) (1) Notwithstanding subsection (b) of this section and in accordance with 1
paragraph (2) of this subsection, money paid into the Fund under subsection (e)(2) of this 2
section shall be used to support: 3
(i) the State telecommunication and computer network established 4
under [§ 3A–404] § 3.5–404 of this title, including program development for these 5
activities; and 6
3.5–311. 7
(a) (2) On or after January 1, 2020, the nonvisual access clause developed in 8
accordance with paragraph (1) of this subsection shall include a statement that: 9
(i) within 18 months after the award of the procurement, the 10
Secretary, or the Secretary’s designee, will determine whether the information technology 11
meets the nonvisual access standards adopted in accordance with [§ 3A–303(b)] § 12
3.5–303(B) of this subtitle; 13
3.5–315. 14
(A) THERE IS AN INFORMATION SHARING AND ANALYSIS CENTER IN THE 15
DEPARTMENT . 16
(B) THE INFORMATION SHARING AND ANALYSIS CENTER SHALL: 17
(1) COORDINATE INFORMATI ON ON CYBERSECURITY BY SERVING AS 18
A CENTRAL LOCATION F OR INFORMATION SHARI NG ACROSS STATE AND LOCAL 19
GOVERNMENT , FEDERAL GOVERNMENT P ARTNERS, AND PRIVATE ENTITIES ; 20
(2) WITH THE OFFICE OF SECURITY MANAGEMENT , SUPPORT 21
CYBERSECURITY COORDI NATION BETWEEN LOCAL UNITS OF GOVERNMENT 22
THROUGH EXISTING LOC AL GOVERNMENT STAKEH OLDER ORGANIZATIONS ; 23
(3) PROVIDE SUPPORT TO T HE STATE CHIEF INFORMATION 24
SECURITY OFFICER AND THE CYBER PREPAREDNESS UNIT, IN THE MARYLAND 25
DEPARTMENT OF EMERGENCY MANAGEMENT , DURING CYBERSECURITY 26
INCIDENTS THAT AFFEC T STATE AND LOCAL GOVER NMENTS; 27
(4) SUPPORT RISK –BASED PLANNING FOR T HE USE OF FEDERAL 28
RESOURCES; AND 29
(5) CONDUCT ANALYSES OF CYBERSECURITY INCIDE NTS. 30
3.5–404. 31
SENATE BILL 754 21
(a) The General Assembly declares that: 1
(1) it is the policy of the State to foster telecommunication and computer 2
networking among State and local governments, their agencies, and educational 3
institutions in the State; 4
(2) there is a need to improve access, especially in rural areas, to efficient 5
telecommunication and computer network connections; 6
(3) improvement of telecommunication and computer networking for State 7
and local governments and educational institutions promotes economic development, 8
educational resource use and development, and efficiency in State and local administration; 9
(4) rates for the intrastate inter–LATA telephone communications needed 10
for effective integration of telecommunication and computer resources are prohibitive for 11
many smaller governments, agencies, and institutions; and 12
(5) the use of improved State telecommunication and computer networking 13
under this section is intended not to compete with commercial access to advanced network 14
technology, but rather to foster fundamental efficiencies in government and education for 15
the public good. 16
(b) (1) The Department shall establish a telecommunication and computer 17
network in the State. 18
(2) The network shall consist of: 19
(i) one or more connection facilities for telecommunication and 20
computer connection in each local access transport area (LATA) in the State; and 21
(ii) facilities, auxiliary equipment, and services required to support 22
the network in a reliable and secure manner. 23
(c) The network shall be accessible through direct connection and through local 24
intra–LATA telecommunications to State and local governments and public and private 25
educational institutions in the State. 26
(D) ON OR BEFORE DECEMBER 1 EACH YEAR IN A MANNER AND FREQUENCY 27
ESTABLISHED IN REGUL ATIONS ADOPTED BY TH E DEPARTMENT , EACH UNIT OF THE 28
LEGISLATIVE OR JUDICIAL BRANCH OF STATE GOVERNMENT , EACH UNIT OF LOCAL 29
GOVERNMENT , AND ANY LOCAL AGENCI ES THAT USE THE NETW ORK ESTABLISHED 30
UNDER SUBSECTION (B) OF THIS SECTION SHALL CERTIF Y TO THE DEPARTMENT 31
THAT THE UNIT IS IN COMPLIANCE WITH THE DEPARTMENT ’S MINIMUM SECURITY 32
STANDARDS. 33
3.5–405. 34 22 SENATE BILL 754
(A) THIS SECTION DOES NOT APPLY TO MUNICIPAL G OVERNMENTS . 1
(B) ON OR BEFORE DECEMBER 1 EACH YEAR IN A MANNER AND FREQUENCY 2
ESTABLISHED IN REGUL ATIONS ADOPTED BY TH E DEPARTMENT , EACH COUNTY 3
GOVERNMENT , LOCAL SCHOOL SYSTEM , AND LOCAL HEALTH DEP ARTMENT SHALL : 4
(1) IN CONSULTATION WITH THE LOCAL EMERGENCY MANAGER, 5
CREATE OR UPDATE A C YBERSECURITY PREPARE DNESS AND RESP ONSE PLAN AND 6
SUBMIT THE PLAN TO T HE OFFICE OF SECURITY MANAGEMENT FOR APPROV AL; 7
(2) COMPLETE A CYBERSECU RITY PREPAREDNESS AS SESSMENT AND 8
REPORT THE RESULTS T O THE OFFICE IN ACCORDANCE WITH GUIDELINES 9
DEVELOPED BY THE OFFICE; AND 10
(3) REPORT TO THE OFFICE: 11
(I) THE NUMBER OF INFORM ATION TECHNOLOGY STA FF 12
POSITIONS, INCLUDING VACANCIES ; 13
(II) THE ENTITY’S CYBERSECURITY BUDG ET AND OVERALL 14
INFORMATION TECHNOLO GY BUDGET; 15
(III) THE NUMBER OF EMPLOY EES WHO HAVE RECEIVE D 16
CYBERSECURITY TRAINI NG; AND 17
(IV) THE TOTAL NUMBER OF EMPLOYEES WITH ACCES S TO THE 18
ENTITY’S COMPUTER SYSTEMS A ND DATABASES . 19
4–308. 20
(A) THE DEPARTMENT MAY ESTABL ISH A PROGRAM THAT L EVERAGES 21
STATE PURCHASING POWE R TO OFFER FAVORABLE RATES TO UNITS OF LO CAL 22
GOVERNMENT TO PROCU RE INFORMATION TECHN OLOGY OR CYBERSECURI TY 23
SERVICES FROM CONTRA CTORS. 24
(B) A UNIT OF LOCAL GOVERN MENT MAY NOT BE REQU IRED TO 25
PARTICIPATE IN A PRO GRAM ESTABLISHED UND ER SUBSECTION (A) OF THIS 26
SECTION. 27
6–226. 28
(a) (2) (i) Notwithstanding any other provision of law, and unless 29
inconsistent with a federal law, grant agreement, or other federal requirement or with the 30 SENATE BILL 754 23
terms of a gift or settlement agreement, net interest on all State money allocated by the 1
State Treasurer under this section to special funds or accounts, and otherwise entitled to 2
receive interest earnings, as accounted for by the Comptroller, shall accrue to the General 3
Fund of the State. 4
(ii) The provisions of subparagraph (i) of this paragraph do not apply 5
to the following funds: 6
144. the Health Equity Resource Community Reserve Fund; 7
[and] 8
145. the Access to Counsel in Evictions Special Fund; AND 9
146. THE LOCAL CYBERSECURITY SUPPORT FUND. 10
12–107. 11
(b) Subject to the authority of the Board, jurisdiction over procurement is as 12
follows: 13
(2) the Department of General Services may: 14
(i) engage in or control procurement of: 15
10. information processing equipment and associated 16
services, as provided in Title [3A] 3.5, Subtitle 3 of this article; and 17
11. telecommunication equipment, systems, or services, as 18
provided in Title [3A] 3.5, Subtitle 4 of this article; 19
Article – State Government 20
2–1224. 21
(f) [After] EXCEPT AS PROVIDED IN SUBSECTION (I) OF THIS SECTION , 22
AFTER the expiration of any period that the Joint Audit and Evaluation Committee 23
specifies, a report of the Legislative Auditor is available to the public under Title 4, 24
Subtitles 1 through 5 of the General Provisions Article. 25
(I) A REPORT AUDITING A UN IT OF STATE OR LOCAL GOVERN MENT SHALL 26
HAVE ANY CYBERSECURI TY FINDINGS REDACTED IN A MANNER CONSISTE NT WITH 27
AUDITING BEST PRACTI CES BEFORE THE REPORT IS MADE AVAILABLE TO TH E 28
PUBLIC. 29
24 SENATE BILL 754
SECTION 3. AND BE IT FURTHER ENACTED, That, on or before December 1, 1
2022, the State Chief Information Security Officer and the Secretary of Emergency 2
Management shall: 3
(1) review the State budget for efficiency and effectiveness of funding and 4
resources to ensure that the State is equipped to respond to a cybersecurity attack; 5
(2) make recommendations for any changes to the budget needed to 6
accomplish the goals under item (1) of this section; 7
(3) establish guidance for units of State government on use and access to 8
State funding related to cybersecurity preparedness; and 9
(4) report any recommendations and guidance to the Governor and, in 10
accordance with § 2–1257 of the State Government Article, the General Assembly. 11
SECTION 4. AND BE IT FURTHER ENACTED, That: 12
(a) On or before December 1, 2023, the State Chief Information Security Officer 13
shall: 14
(1) commission a feasibility study on expanding the operations of the State 15
Security Operations Center operated by the Department of Information Technology to 16
include cybersecurity monitoring and alert services for units of local government; and 17
(2) report any recommendations to the Governor and, in accordance with § 18
2–1257 of the State Government Article, the General Assembly. 19
(b) For fiscal year 2024, the Governor shall include an appropriation in the 20
annual budget to cover the cost of the feasibility study required under subsection (a) of this 21
section. 22
SECTION 5. AND BE IT FURTHER ENACTED, That this Act shall take effect July 23
1, 2022. 24
SECTION 5. AND BE IT FURTHER ENACTED, That: 25
(a) (1) On or before June 30, 2023, each unit of local government shall certify 26
to the Office of Security Management compliance with State minimum cybersecurity 27
standards established by the Department of Information Technology. 28
(2) Certification shall be reviewed by independent auditors, and any 29
findings must be remediated. 30
(b) If a unit of local government has not remediated any findings pertaining to 31
State cybersecurity standards found by the independent audit required under subsection 32
(1) of this section by July 1, 2024, the Office of Security Management shall assume 33 SENATE BILL 754 25
responsibility for a unit’s cybersecurity through a shared service agreement, administrative 1
privileges, or access to Network Maryland notwithstanding any federal law or regulation 2
that forbids the Office of Security Management from managing a specific system provide 3
guidance for the unit to achieve compliance with the cybersecurity standards. 4
SECTION 6. AND BE IT FURTHER ENACTED, That for fiscal year 2023, funds 5
from the Dedicated Purpose Account may be transferred by budget amendment in 6
accordance with § 7–310 of the State Finance and Procurement Article to implement this 7
Act. 8
SECTION 7. AND BE IT FURTHER ENACTED, That: 9
(a) On or before June October 1, 2022, the State Chief Information Security 10
Officer shall establish guidelines to determine when a cybersecurity incident shall be 11
disclosed to the public. 12
(b) On or before November 1, 2022, the State Chief Information Security Officer 13
shall submit a report on the guidelines established under subsection (a) of this section to 14
the Governor and, in accordance with § 2–1257 of the State Government Article, the House 15
Health and Government Operations Committee and the Senate Education, Health, and 16
Environmental Affairs Committee. 17
SECTION 8. AND BE IT FURTHER ENACTED, That this Act is an emergency 18
measure, is necessary for the immediate preservation of the public health or safety, has 19
been passed by a yea and nay vote supported by three–fifths of all the members elected to 20
each of the two Houses of the General Assembly, and shall take effect from the date it is 21
enacted. 22
Approved:
________________________________________________________________________________
Governor.
________________________________________________________________________________
President of the Senate.
________________________________________________________________________________
Speaker of the House of Delegates.