Maryland 2022 Regular Session

Maryland Senate Bill SB754 Compare Versions

1- LAWRENCE J. HOGAN, JR., Governor Ch. 241
21
3-– 1 –
4-Chapter 241
5-(Senate Bill 754)
62
7-AN ACT concerning
3+EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW.
4+ [Brackets] indicate matter deleted from existing law.
5+ Underlining indicates amendments to bill.
6+ Strike out indicates matter stricken from the bill by amendment or deleted from the law by
7+amendment.
8+ Italics indicate opposite chamber/conference committee amendments.
9+ *sb0754*
810
9-Local Government Cybersecurity – Coordination and Operations
10-(Local Cybersecurity Support Act of 2022)
11+SENATE BILL 754
12+S2, E4, P1 EMERGENCY BILL (2lr1504)
13+ENROLLED BILL
14+— Education, Health, and Environmental Affairs/Health and Government
15+Operations —
16+Introduced by Senator Hester Senators Hester, Hershey, Jennings, Jackson,
17+Rosapepe, Lee, and Watson
1118
12-FOR the purpose of establishing the Cyber Preparedness Unit in the Maryland Department
13-of Emergency Management; establishing certain responsibilities of the Unit;
14-requiring certain local entities local governments to report certain cybersecurity
15-incidents in a certain manner and under certain circumstances; requiring the
16-Maryland Joint Operations Center State Security Operations Center to notify
17-appropriate agencies of a cybersecurity incident in a certain manner; establishing
18-the Cybersecurity Fusion Center in the Maryland Department of Emergency
19-Management; establishing certain responsibilities of the Fusion Center; establishing
20-the Local Cybersecurity Support Fund, the purposes of the Fund, and certain
21-eligibility requirements to receive assistance from the Fund; establishing the Office
22-of Security Management within the Department of Information Technology and
23-certain Office positions; establishing certain responsibilities and authority of the
24-Office; requiring each unit of the Legislative or Judicial Branch of State government,
25-each unit of local government, and any local agencies that use a certain network to
26-certify certain compliance to the Department of Information Technology on or before
27-a certain date each year; requiring certain local entities to submit a certain report to
28-the Office on or before a certain date each year; in a certain manner; requiring the
29-Office to submit a certain report to the Governor and certain committees of the
30-General Assembly on or before a certain date each year; requiring the Office to
31-submit a certain report to the Governor and certain committees of the General
32-Assembly on or before a certain date each year; establishing the Information Sharing
33-and Analysis Center in the Department of Information Technology; establishing
34-certain responsibilities for the Center; requiring the State Chief Information
35-Security Officer and the Secretary of Emergency Management to conduct a certain
36-review, make recommendations, establish certain guidance, and submit a certain
37-report on or before a certain date; requiring the State Chief Information Security
38-Officer to commission a certain feasibility study and report recommendations on or
39-before a certain date; requiring the Governor to include an appropriation in a certain
40-annual budget to cover the cost of the feasibility study; authorizing funds to be
41-transferred by budget amendment from the Dedicated Purpose Account in a certain
42-fiscal year to implement the Act; and generally relating to local government
43-cybersecurity coordination and operations.
19+Read and Examined by Proofreaders:
4420
45-BY renumbering
46- Article – State Finance and Procurement
47-Section 3A–101 through 3A–702, respectively, and the title “Title 3A. Department of
48-Information Technology” Ch. 241 2022 LAWS OF MARYLAND
21+_______________________________________________
22+Proofreader.
23+_______________________________________________
24+Proofreader.
4925
50-– 2 –
51-to be Section 3.5–101 through 3.5–702, respectively, and the title “Title 3.5.
52-Department of Information Technology”
53- Annotated Code of Maryland
54- (2021 Replacement Volume)
26+Sealed with the Great Seal and presented to the Governor, for his approval this
5527
56-BY repealing and reenacting, with amendments,
57- Article – Criminal Procedure
58- Section 10–221(b)
59- Annotated Code of Maryland
60- (2018 Replacement Volume and 2021 Supplement)
28+_______ day of _______________ at ________________________ o’clock, ________M.
6129
62-BY repealing and reenacting, with amendments,
63- Article – Health – General
64- Section 21–2C–03(h)(2)(i)
65- Annotated Code of Maryland
66- (2019 Replacement Volume and 2021 Supplement)
30+______________________________________________
31+President.
6732
68-BY repealing and reenacting, with amendments,
69- Article – Human Services
70- Section 7–806(a), (b)(1), (c)(1), (d)(1) and (2)(i), and (g)(1)
71- Annotated Code of Maryland
72- (2019 Replacement Volume and 2021 Supplement)
33+CHAPTER ______
7334
74-BY repealing and reenacting, with amendments,
75- Article – Insurance
76- Section 31–103(a)(2)(i) and (b)(2)
77- Annotated Code of Maryland
78- (2017 Replacement Volume and 2021 Supplement)
35+AN ACT concerning 1
7936
80-BY repealing and reenacting, with amendments,
81- Article – Natural Resources
82- Section 1–403(c)
83- Annotated Code of Maryland
84- (2018 Replacement Volume and 2021 Supplement)
37+Local Government Cybersecurity – Coordination and Operations 2
38+(Local Cybersecurity Support Act of 2022) 3
8539
86-BY repealing and reenacting, without amendments,
87- Article – Public Safety
88- Section 14–103
89- Annotated Code of Maryland
90- (2018 Replacement Volume and 2021 Supplement)
40+FOR the purpose of establishing the Cyber Preparedness Unit in the Maryland Department 4
41+of Emergency Management; establishing certain responsibilities of the Unit; 5
42+requiring certain local entities local governments to report certain cybersecurity 6
43+incidents in a certain manner and under certain circumstances; requiring the 7
44+Maryland Joint Operations Center State Security Operations Center to notify 8
45+appropriate agencies of a cybersecurity incident in a certain manner; establishing 9
46+the Cybersecurity Fusion Center in the Maryland Department of Emergency 10
47+Management; establishing certain responsibilities of the Fusion Center; establishing 11
48+the Local Cybersecurity Support Fund, the purposes of the Fund, and certain 12
49+eligibility requirements to receive assistance from the Fund; establishing the Office 13 2 SENATE BILL 754
9150
92-BY adding to
93- Article – Public Safety
94- Section 14–104.1
95- Annotated Code of Maryland
96- (2018 Replacement Volume and 2021 Supplement) LAWRENCE J. HOGAN, JR., Governor Ch. 241
9751
98-– 3 –
52+of Security Management within the Department of Information Technology and 1
53+certain Office positions; establishing certain responsibilities and authority of the 2
54+Office; requiring each unit of the Legislative or Judicial Branch of State government, 3
55+each unit of local government, and any local agencies that use a certain network to 4
56+certify certain compliance to the Department of Information Technology on or before 5
57+a certain date each year; requiring certain local entities to submit a certain report to 6
58+the Office on or before a certain date each year; in a certain manner; requiring the 7
59+Office to submit a certain report to the Governor and certain committees of the 8
60+General Assembly on or before a certain date each year; requiring the Office to 9
61+submit a certain report to the Governor and certain committees of the General 10
62+Assembly on or before a certain date each year; establishing the Information Sharing 11
63+and Analysis Center in the Department of Information Technology; establishing 12
64+certain responsibilities for the Center; requiring the State Chief Information 13
65+Security Officer and the Secretary of Emergency Management to conduct a certain 14
66+review, make recommendations, establish certain guidance, and submit a certain 15
67+report on or before a certain date; requiring the State Chief Information Security 16
68+Officer to commission a certain feasibility study and report recommendations on or 17
69+before a certain date; requiring the Governor to include an appropriation in a certain 18
70+annual budget to cover the cost of the feasibility study; authorizing funds to be 19
71+transferred by budget amendment from the Dedicated Purpose Account in a certain 20
72+fiscal year to implement the Act; and generally relating to local government 21
73+cybersecurity coordination and operations. 22
9974
100-BY repealing and reenacting, without amendments,
101- Article – State Finance and Procurement
102- Section 3.5–101(a) and (e) and 3.5–301(a)
103- Annotated Code of Maryland
104- (2021 Replacement Volume)
105- (As enacted by Section 1 of this Act)
75+BY renumbering 23
76+ Article – State Finance and Procurement 24
77+Section 3A–101 through 3A–702, respectively, and the title “Title 3A. Department of 25
78+Information Technology” 26
79+to be Section 3.5–101 through 3.5–702, respectively, and the title “Title 3.5. 27
80+Department of Information Technology” 28
81+ Annotated Code of Maryland 29
82+ (2021 Replacement Volume) 30
10683
107-BY adding to
108- Article – State Finance and Procurement
109-Section 3.5–2A–01 through 3.5–2A–04 to be under the new subtitle “Subtitle 2A.
110-Office of Security Management”; and 3.5–315, 3.5–405, and 4–308 and
111-6–226(a)(2)(ii)146.
112- Annotated Code of Maryland
113- (2021 Replacement Volume)
84+BY repealing and reenacting, with amendments, 31
85+ Article – Criminal Procedure 32
86+ Section 10–221(b) 33
87+ Annotated Code of Maryland 34
88+ (2018 Replacement Volume and 2021 Supplement) 35
11489
115-BY repealing and reenacting, with amendments,
116- Article – State Finance and Procurement
117-Section 3.5–301(j), 3.5–302(c), 3.5–303(c)(2)(ii)2., 3.5–307(a)(2), 3.5–309(c)(2), (i)(3),
118-and (l)(1)(i), 3.5–311(a)(2)(i), and 3.5–404
119- Annotated Code of Maryland
120- (2021 Replacement Volume)
121- (As enacted by Section 1 of this Act)
90+BY repealing and reenacting, with amendments, 36
91+ Article – Health – General 37
92+ Section 21–2C–03(h)(2)(i) 38
93+ Annotated Code of Maryland 39
94+ (2019 Replacement Volume and 2021 Supplement) 40
12295
123-BY repealing and reenacting, without amendments,
124- Article – State Finance and Procurement
125-Section 6–226(a)(2)(i)
126- Annotated Code of Maryland
127- (2021 Replacement Volume)
96+BY repealing and reenacting, with amendments, 41
97+ Article – Human Services 42
98+ Section 7–806(a), (b)(1), (c)(1), (d)(1) and (2)(i), and (g)(1) 43 SENATE BILL 754 3
12899
129-BY repealing and reenacting, with amendments,
130- Article – State Finance and Procurement
131- Section 6–226(a)(2)(ii)144. and 145. and 12–107(b)(2)(i)10. and 11.
132- Annotated Code of Maryland
133- (2021 Replacement Volume)
134100
135-BY repealing and reenacting, with amendments,
136- Article – State Government
137-Section 2–1224(f)
138- Annotated Code of Maryland
139- (2021 Replacement Volume)
101+ Annotated Code of Maryland 1
102+ (2019 Replacement Volume and 2021 Supplement) 2
140103
141-BY adding to
142- Article – State Government
143-Section 2–1224(i)
144- Annotated Code of Maryland Ch. 241 2022 LAWS OF MARYLAND
104+BY repealing and reenacting, with amendments, 3
105+ Article – Insurance 4
106+ Section 31–103(a)(2)(i) and (b)(2) 5
107+ Annotated Code of Maryland 6
108+ (2017 Replacement Volume and 2021 Supplement) 7
145109
146-– 4 –
147- (2021 Replacement Volume)
110+BY repealing and reenacting, with amendments, 8
111+ Article – Natural Resources 9
112+ Section 1–403(c) 10
113+ Annotated Code of Maryland 11
114+ (2018 Replacement Volume and 2021 Supplement) 12
148115
149- SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND,
150-That Section(s) 3A101 through 3A–702, respectively, and the title “Title 3A. Department
151-of Information Technology” of Article – State Finance and Procurement of the Annotated
152-Code of Maryland be renumbered to be Section(s) 3.5–101 through 3.5–702, respectively,
153-and the title “Title 3.5. Department of Information Technology”.
116+BY repealing and reenacting, without amendments, 13
117+ Article Public Safety 14
118+ Section 14–103 15
119+ Annotated Code of Maryland 16
120+ (2018 Replacement Volume and 2021 Supplement) 17
154121
155- SECTION 2. AND BE IT FURTHER ENACTED, That the Laws of Maryland read
156-as follows:
122+BY adding to 18
123+ Article – Public Safety 19
124+ Section 14–104.1 20
125+ Annotated Code of Maryland 21
126+ (2018 Replacement Volume and 2021 Supplement) 22
157127
158-Article – Criminal Procedure
128+BY repealing and reenacting, without amendments, 23
129+ Article – State Finance and Procurement 24
130+ Section 3.5–101(a) and (e) and 3.5–301(a) 25
131+ Annotated Code of Maryland 26
132+ (2021 Replacement Volume) 27
133+ (As enacted by Section 1 of this Act) 28
159134
160-10–221.
135+BY adding to 29
136+ Article – State Finance and Procurement 30
137+Section 3.5–2A–01 through 3.5–2A–04 to be under the new subtitle “Subtitle 2A. 31
138+Office of Security Management”; and 3.5–315, 3.5–405, and 4–308 and 32
139+6–226(a)(2)(ii)146. 33
140+ Annotated Code of Maryland 34
141+ (2021 Replacement Volume) 35
161142
162- (b) Subject to Title [3A] 3.5, Subtitle 3 of the State Finance and Procurement
163-Article, the regulations adopted by the Secretary under subsection (a)(1) of this section and
164-the rules adopted by the Court of Appeals under subsection (a)(2) of this section shall:
143+BY repealing and reenacting, with amendments, 36
144+ Article – State Finance and Procurement 37
145+Section 3.5–301(j), 3.5–302(c), 3.5–303(c)(2)(ii)2., 3.5–307(a)(2), 3.5–309(c)(2), (i)(3), 38
146+and (l)(1)(i), 3.5–311(a)(2)(i), and 3.5–404 39
147+ Annotated Code of Maryland 40 4 SENATE BILL 754
165148
166- (1) regulate the collection, reporting, and dissemination of criminal history
167-record information by a court and criminal justice units;
168149
169- (2) ensure the security of the criminal justice information system and
170-criminal history record information reported to and collected from it;
150+ (2021 Replacement Volume) 1
151+ (As enacted by Section 1 of this Act) 2
171152
172- (3) regulate the dissemination of criminal history record information in
173-accordance with Subtitle 1 of this title and this subtitle;
153+BY repealing and reenacting, without amendments, 3
154+ Article – State Finance and Procurement 4
155+Section 6–226(a)(2)(i) 5
156+ Annotated Code of Maryland 6
157+ (2021 Replacement Volume) 7
174158
175- (4) regulate the procedures for inspecting and challenging criminal history
176-record information;
159+BY repealing and reenacting, with amendments, 8
160+ Article – State Finance and Procurement 9
161+ Section 6–226(a)(2)(ii)144. and 145. and 12–107(b)(2)(i)10. and 11. 10
162+ Annotated Code of Maryland 11
163+ (2021 Replacement Volume) 12
177164
178- (5) regulate the auditing of criminal justice units to ensure that criminal
179-history record information is:
165+BY repealing and reenacting, with amendments, 13
166+ Article – State Government 14
167+Section 2–1224(f) 15
168+ Annotated Code of Maryland 16
169+ (2021 Replacement Volume) 17
180170
181- (i) accurate and complete; and
171+BY adding to 18
172+ Article – State Government 19
173+Section 2–1224(i) 20
174+ Annotated Code of Maryland 21
175+ (2021 Replacement Volume) 22
182176
183- (ii) collected, reported, and disseminated in accordance with Subtitle
184-1 of this title and this subtitle;
177+ SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 23
178+That Section(s) 3A–101 through 3A–702, respectively, and the title “Title 3A. Department 24
179+of Information Technology” of Article – State Finance and Procurement of the Annotated 25
180+Code of Maryland be renumbered to be Section(s) 3.5–101 through 3.5–702, respectively, 26
181+and the title “Title 3.5. Department of Information Technology”. 27
185182
186- (6) regulate the development and content of agreements between the
187-Central Repository and criminal justice units and noncriminal justice units; and
183+ SECTION 2. AND BE IT FURTHER ENACTED, That the Laws of Maryland read 28
184+as follows: 29
188185
189- (7) regulate the development of a fee schedule and provide for the collection
190-of the fees for obtaining criminal history record information for other than criminal justice
191-purposes.
192- LAWRENCE J. HOGAN, JR., Governor Ch. 241
186+Article – Criminal Procedure 30
193187
194-– 5 –
195-Article – Health – General
188+10–221. 31
196189
197-21–2C–03.
190+ (b) Subject to Title [3A] 3.5, Subtitle 3 of the State Finance and Procurement 32
191+Article, the regulations adopted by the Secretary under subsection (a)(1) of this section and 33
192+the rules adopted by the Court of Appeals under subsection (a)(2) of this section shall: 34
198193
199- (h) (2) The Board is subject to the following provisions of the State Finance
200-and Procurement Article:
194+ (1) regulate the collection, reporting, and dissemination of criminal history 35
195+record information by a court and criminal justice units; 36
196+ SENATE BILL 754 5
201197
202- (i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent
203-that the Secretary of Information Technology determines that an information technology
204-project of the Board is a major information technology development project;
205198
206-Article – Human Services
199+ (2) ensure the security of the criminal justice information system and 1
200+criminal history record information reported to and collected from it; 2
207201
208-7–806.
202+ (3) regulate the dissemination of criminal history record information in 3
203+accordance with Subtitle 1 of this title and this subtitle; 4
209204
210- (a) (1) Subject to paragraph (2) of this subsection, the programs under §
211-7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State
212-Finance and Procurement Article shall be funded as provided in the State budget.
205+ (4) regulate the procedures for inspecting and challenging criminal history 5
206+record information; 6
213207
214- (2) For fiscal year 2019 and each fiscal year thereafter, the program under
215-[§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall be funded at an
216-amount that:
208+ (5) regulate the auditing of criminal justice units to ensure that criminal 7
209+history record information is: 8
217210
218- (i) is equal to the cost that the Department of Aging is expected to
219-incur for the upcoming fiscal year to provide the service and administer the program; and
211+ (i) accurate and complete; and 9
220212
221- (ii) does not exceed 5 cents per month for each account out of the
222-surcharge amount authorized under subsection (c) of this section.
213+ (ii) collected, reported, and disseminated in accordance with Subtitle 10
214+1 of this title and this subtitle; 11
223215
224- (b) (1) There is a Universal Service Trust Fund created for the purpose of
225-paying the costs of maintaining and operating the programs under:
216+ (6) regulate the development and content of agreements between the 12
217+Central Repository and criminal justice units and noncriminal justice units; and 13
226218
227- (i) § 7–804(a) of this subtitle, subject to the limitations and controls
228-provided in this subtitle;
219+ (7) regulate the development of a fee schedule and provide for the collection 14
220+of the fees for obtaining criminal history record information for other than criminal justice 15
221+purposes. 16
229222
230- (ii) § 7–902(a) of this title, subject to the limitations and controls
231-provided in Subtitle 9 of this title; and
223+Article – Health – General 17
232224
233- (iii) [§ 3A–702] § 3.5–702 of the State Finance and Procurement
234-Article, subject to the limitations and controls provided in Title [3A] 3.5, Subtitle 7 of the
235-State Finance and Procurement Article.
225+21–2C–03. 18
236226
237- (c) (1) The costs of the programs under § 7–804(a) of this subtitle, § 7–902(a)
238-of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall
239-be funded by revenues generated by:
240- Ch. 241 2022 LAWS OF MARYLAND
227+ (h) (2) The Board is subject to the following provisions of the State Finance 19
228+and Procurement Article: 20
241229
242-– 6 –
243- (i) a surcharge to be paid by the subscribers to a communications
244-service; and
230+ (i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent 21
231+that the Secretary of Information Technology determines that an information technology 22
232+project of the Board is a major information technology development project; 23
245233
246- (ii) other funds as provided in the State budget.
234+Article – Human Services 24
247235
248- (d) (1) The Secretary shall annually certify to the Public Service Commission
249-the costs of the programs under § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§
250-3A–702] § 3.5–702 of the State Finance and Procurement Article to be paid by the
251-Universal Service Trust Fund for the following fiscal year.
236+7–806. 25
252237
253- (2) (i) The Public Service Commission shall determine the surcharge
254-for the following fiscal year necessary to fund the programs under § 7–804(a) of this subtitle,
255-§ 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement
256-Article.
238+ (a) (1) Subject to paragraph (2) of this subsection, the programs under § 26
239+7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State 27
240+Finance and Procurement Article shall be funded as provided in the State budget. 28
257241
258- (g) (1) The Legislative Auditor may conduct postaudits of a fiscal and
259-compliance nature of the Universal Service Trust Fund and the expenditures made for
260-purposes of § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of
261-the State Finance and Procurement Article.
242+ (2) For fiscal year 2019 and each fiscal year thereafter, the program under 29
243+[§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall be funded at an 30
244+amount that: 31 6 SENATE BILL 754
262245
263-Article – Insurance
264246
265-31–103.
266247
267- (a) The Exchange is subject to:
248+ (i) is equal to the cost that the Department of Aging is expected to 1
249+incur for the upcoming fiscal year to provide the service and administer the program; and 2
268250
269- (2) the following provisions of the State Finance and Procurement Article:
251+ (ii) does not exceed 5 cents per month for each account out of the 3
252+surcharge amount authorized under subsection (c) of this section. 4
270253
271- (i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent
272-that the Secretary of Information Technology determines that an information technology
273-project of the Exchange is a major information technology development project;
254+ (b) (1) There is a Universal Service Trust Fund created for the purpose of 5
255+paying the costs of maintaining and operating the programs under: 6
274256
275- (b) The Exchange is not subject to:
257+ (i) § 7–804(a) of this subtitle, subject to the limitations and controls 7
258+provided in this subtitle; 8
276259
277- (2) Title [3A] 3.5, Subtitle 3 (Information Processing) of the State Finance
278-and Procurement Article, except to the extent determined by the Secretary of Information
279-Technology under subsection (a)(2)(i) of this section;
260+ (ii) § 7–902(a) of this title, subject to the limitations and controls 9
261+provided in Subtitle 9 of this title; and 10
280262
281-Article – Natural Resources
263+ (iii) [§ 3A–702] § 3.5–702 of the State Finance and Procurement 11
264+Article, subject to the limitations and controls provided in Title [3A] 3.5, Subtitle 7 of the 12
265+State Finance and Procurement Article. 13
282266
283-1–403.
267+ (c) (1) The costs of the programs under § 7–804(a) of this subtitle, § 7–902(a) 14
268+of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall 15
269+be funded by revenues generated by: 16
284270
285- (c) The Department shall develop the electronic system consistent with the
286-statewide information technology master plan developed under Title [3A] 3.5, Subtitle 3 of
287-the State Finance and Procurement Article. LAWRENCE J. HOGAN, JR., Governor Ch. 241
271+ (i) a surcharge to be paid by the subscribers to a communications 17
272+service; and 18
288273
289-– 7 –
274+ (ii) other funds as provided in the State budget. 19
290275
291-Article – Public Safety
276+ (d) (1) The Secretary shall annually certify to the Public Service Commission 20
277+the costs of the programs under § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 21
278+3A–702] § 3.5–702 of the State Finance and Procurement Article to be paid by the 22
279+Universal Service Trust Fund for the following fiscal year. 23
292280
293-14–103.
281+ (2) (i) The Public Service Commission shall determine the surcharge 24
282+for the following fiscal year necessary to fund the programs under § 7–804(a) of this subtitle, 25
283+§ 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement 26
284+Article. 27
294285
295- (a) There is a Maryland Department of Emergency Management established as a
296-principal department of the Executive Branch of State government.
286+ (g) (1) The Legislative Auditor may conduct postaudits of a fiscal and 28
287+compliance nature of the Universal Service Trust Fund and the expenditures made for 29
288+purposes of § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of 30
289+the State Finance and Procurement Article. 31
297290
298- (b) The Department has primary responsibility and authority for developing
299-emergency management policies and is responsible for coordinating disaster risk reduction,
300-consequence management, and disaster recovery activities.
291+Article – Insurance 32
292+ SENATE BILL 754 7
301293
302- (c) The Department may act to:
303294
304- (1) reduce the disaster risk and vulnerability of persons and property
305-located in the State;
295+31–103. 1
306296
307- (2) develop and coordinate emergency planning and preparedness; and
297+ (a) The Exchange is subject to: 2
308298
309- (3) coordinate emergency management activities and operations:
299+ (2) the following provisions of the State Finance and Procurement Article: 3
310300
311- (i) relating to an emergency that involves two or more State
312-agencies;
301+ (i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent 4
302+that the Secretary of Information Technology determines that an information technology 5
303+project of the Exchange is a major information technology development project; 6
313304
314- (ii) between State agencies and political subdivisions;
305+ (b) The Exchange is not subject to: 7
315306
316- (iii) with local governments;
307+ (2) Title [3A] 3.5, Subtitle 3 (Information Processing) of the State Finance 8
308+and Procurement Article, except to the extent determined by the Secretary of Information 9
309+Technology under subsection (a)(2)(i) of this section; 10
317310
318- (iv) with agencies of the federal government and other states; and
311+Article – Natural Resources 11
319312
320- (v) with private and nonprofit entities.
313+1–403. 12
321314
322-14–104.1.
315+ (c) The Department shall develop the electronic system consistent with the 13
316+statewide information technology master plan developed under Title [3A] 3.5, Subtitle 3 of 14
317+the State Finance and Procurement Article. 15
323318
324- (A) (1) IN THIS SECTION THE F OLLOWING WORDS HAVE THE MEANINGS
325-INDICATED.
319+Article – Public Safety 16
326320
327- (2) “FUND” MEANS THE LOCAL CYBERSECURITY SUPPORT FUND.
321+14–103. 17
328322
329- (3) “FUSION CENTER” MEANS THE CYBERSECURITY FUSION
330-CENTER.
323+ (a) There is a Maryland Department of Emergency Management established as a 18
324+principal department of the Executive Branch of State government. 19
331325
332- (4) (2) “LOCAL GOVERNMENT ” INCLUDES LOCAL SCHOO L
333-SYSTEMS, LOCAL SCHOOL BOARDS , AND LOCAL HEALTH DEP ARTMENTS.
326+ (b) The Department has primary responsibility and authority for developing 20
327+emergency management policies and is responsible for coordinating disaster risk reduction, 21
328+consequence management, and disaster recovery activities. 22
334329
335- (5) (3) “UNIT” MEANS THE CYBER PREPAREDNESS UNIT. Ch. 241 2022 LAWS OF MARYLAND
330+ (c) The Department may act to: 23
336331
337-– 8 –
332+ (1) reduce the disaster risk and vulnerability of persons and property 24
333+located in the State; 25
338334
339- (B) (1) THERE IS A CYBER PREPAREDNESS UNIT IN THE DEPARTMENT .
335+ (2) develop and coordinate emergency planning and preparedness; and 26
340336
341- (2) IN COORDINATION WITH THE STATE CHIEF INFORMATION
342-SECURITY OFFICER, THE UNIT SHALL:
337+ (3) coordinate emergency management activities and operations: 27
343338
344- (I) SUPPORT LOCAL GOVERN MENTS IN DEVELOPING A
345-VULNERABILITY ASSESS MENT AND CYBER ASSES SMENT THROUGH THE MARYLAND
346-NATIONAL GUARD’S INNOVATIVE READINESS TRAINING PROGRAM OR THE U.S.
347-DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AND INFRASTRUCTURE
348-SECURITY AGENCY, INCLUDING PROVIDING LOCAL GOVERNMENTS WI TH THE
349-RESOURCES AND INFORM ATION ON BEST PRACTI CES TO COMPLETE THE
350-ASSESSMENTS ;
339+ (i) relating to an emergency that involves two or more State 28
340+agencies; 29 8 SENATE BILL 754
351341
352- (II) DEVELOP AND REGULARL Y UPDATE AN ONLINE D ATABASE
353-OF CYBERSECURITY TRA INING RESOURCES FOR LOCAL GOVERNMENT PER SONNEL,
354-INCLUDING TECHNICAL TRAINING RESOURCES, CYBERSECURITY CONTIN UITY OF
355-OPERATIONS TEMPLATES , CONSEQUENCE MANAGEME NT PLANS, AND TRAININGS ON
356-MALWARE AND RANSOMWA RE DETECTION ;
357342
358- (III) ESTABLISH AND PROVID E STAFF FOR A STATEW IDE
359-HELPLINE TO PROVIDE REAL–TIME EMERGENC Y ASSISTANCE AND RES OURCE
360-INFORMATION TO ANY L OCAL GOVERNMENT THAT HAS EXPERIENCED A CY BER
361-INCIDENT OR ATTACK ;
362343
363- (IV) (III) ASSIST LOCAL GOVERNM ENTS IN:
344+ (ii) between State agencies and political subdivisions; 1
364345
365- 1. THE DEVELOPMENT OF C YBERSECURITY
366-PREPAREDNESS AND RES PONSE PLANS; AND
346+ (iii) with local governments; 2
367347
368- 2. IMPLEMENTING BEST PRACTICES AND G UIDANCE
369-DEVELOPED BY THE STATE CHIEF INFORMATION SECURITY OFFICER; AND
348+ (iv) with agencies of the federal government and other states; and 3
370349
371- 3. IDENTIFYING AND ACQU IRING RESOURCES TO
372-COMPLETE APPROPRIATE CYBERSECURITY VULNER ABILITY ASSESSMENTS ;
350+ (v) with private and nonprofit entities. 4
373351
374- (V) (IV) CONNECT LOCAL GOVERN MENTS TO APPROPRIATE
375-RESOURCES FOR ANY OT HER PURPOSE RELATED TO CYBERSECURITY
376-PREPAREDNESS AND RES PONSE;
352+14–104.1. 5
377353
378- (VI) DEVELOP APPROPRIATE REPORTS ON LOCAL
379-CYBERSECURITY PREPAR EDNESS;
380- LAWRENCE J. HOGAN, JR., Governor Ch. 241
354+ (A) (1) IN THIS SECTION THE F OLLOWING WORDS HAVE THE MEANINGS 6
355+INDICATED. 7
381356
382-– 9 –
383- (VII) (V) AS NECESSARY AND IN COORDINATION WITH TH E
384-NATIONAL GUARD, LOCAL EMERGENCY MANAGERS, AND OTHER STATE AND LOCAL
385-ENTITIES, CONDUCT REGIONAL CYB ERSECURITY PREPAREDN ESS EXERCISES; AND
357+ (2) “FUND” MEANS THE LOCAL CYBERSECURITY SUPPORT FUND. 8
386358
387- (VIII) (VI) ESTABLISH REGIONAL A SSISTANCE GROUPS TO
388-DELIVER AND COORDINA TE SUPPORT SERVICES TO LOCAL GOVERNMENTS ,
389-AGENCIES, OR REGIONS.
359+ (3) “FUSION CENTER” MEANS THE CYBERSECURITY FUSION 9
360+CENTER. 10
390361
391- (3) THE UNIT SHALL SUPPORT TH E OFFICE OF SECURITY
392-MANAGEMENT IN THE DEPARTMENT OF INFORMATION TECHNOLOGY DURING
393-EMERGENCY RESPONSE E FFORTS.
362+ (4) (2) “LOCAL GOVERNMENT ” INCLUDES LOCAL SCHOO L 11
363+SYSTEMS, LOCAL SCHOOL BOARDS , AND LOCAL HEALTH DEP ARTMENTS. 12
394364
395- (C) (1) EACH LOCAL GOVERNMENT SHALL REPORT A CYBER SECURITY
396-INCIDENT, INCLUDING AN ATTACK ON A STATE SYSTEM BEING US ED BY THE LOCAL
397-GOVERNMENT , TO THE APPROPRIATE L OCAL EMERGENCY MANAG ER AND THE
398-STATE SECURITY OPERATIONS CENTER IN THE DEPARTMENT OF INFORMATION
399-TECHNOLOGY TO THE MARYLAND JOINT OPERATIONS CENTER IN THE
400-DEPARTMENT IN ACCORDA NCE WITH PARAGRAPH (2) OF THIS SUBSEC TION.
365+ (5) (3) “UNIT” MEANS THE CYBER PREPAREDNESS UNIT. 13
401366
402- (2) FOR THE REPORTING OF CYBERSECURITY INCIDE NTS UNDER
403-PARAGRAPH (1) OF THIS SUBSECTION , THE DEPARTMENT STATE CHIEF
404-INFORMATION SECURITY OFFICER SHALL DETERMINE :
367+ (B) (1) THERE IS A CYBER PREPAREDNESS UNIT IN THE DEPARTMENT . 14
405368
406- (I) THE CRITERIA FOR DET ERMINING WHEN AN INC IDENT MUST
407-BE REPORTED ;
369+ (2) IN COORDINATION WITH THE STATE CHIEF INFORMATION 15
370+SECURITY OFFICER, THE UNIT SHALL: 16
408371
409- (II) THE MANNER IN WHICH TO REPORT; AND
372+ (I) SUPPORT LOCAL GOVERN MENTS IN DEVELOPING A 17
373+VULNERABILITY ASSESS MENT AND CYBER ASSES SMENT THROUGH THE MARYLAND 18
374+NATIONAL GUARD’S INNOVATIVE READINESS TRAINING PROGRAM OR THE U.S. 19
375+DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AND INFRASTRUCTURE 20
376+SECURITY AGENCY, INCLUDING PROVIDING LOCAL GOVERNMENTS WI TH THE 21
377+RESOURCES AND INFORM ATION ON BEST PRACTI CES TO COMPLETE THE 22
378+ASSESSMENTS ; 23
410379
411- (III) THE TIME PERIOD WITH IN WHICH A REPORT MU ST BE MADE.
380+ (II) DEVELOP AND REGULARL Y UPDATE AN ONLINE DATABASE 24
381+OF CYBERSECURITY TRA INING RESOURCES FOR LOCAL GOVERNMENT PER SONNEL, 25
382+INCLUDING TECHNICAL TRAINING RESOURCES , CYBERSECURITY CONTIN UITY OF 26
383+OPERATIONS TEMPLATES , CONSEQUENCE MANAGEME NT PLANS, AND TRAININGS ON 27
384+MALWARE AND RANSOMWA RE DETECTION ; 28
412385
413- (3) THE MARYLAND JOINT OPERATIONS CENTER STATE SECURITY
414-OPERATIONS CENTER SHALL IMMEDIATELY NOTIFY APPROPRIATE A GENCIES OF A
415-CYBERSECURITY INCIDE NT REPORTE D UNDER THIS SUBSECT ION THROUGH THE
416-STATE SECURITY OPERATIONS CENTER.
386+ (III) ESTABLISH AND PROVID E STAFF FOR A STATEW IDE 29
387+HELPLINE TO PROVIDE REAL–TIME EMERGENCY ASSIS TANCE AND RESOURCE 30 SENATE BILL 754 9
417388
418- (D) (1) FIVE POSITION IDENTIFICATION NUMBERS (PINS) SHALL BE
419-CREATED FOR THE PURP OSE OF HIRING STAFF TO CONDUCT THE DUTIE S OF THE
420-MARYLAND DEPARTMENT OF EMERGENCY MANAGEMENT CYBERSECU RITY
421-PREPAREDNESS UNIT.
422389
423- (2) FOR FISCAL YEAR 2024 AND EACH FISCAL YEAR THEREAFTER ,
424-THE GOVERNOR SHALL INCLUD E IN THE ANNUAL BUDG ET BILL AN APPROPRIA TION
425-OF AT LEAST:
426- Ch. 241 2022 LAWS OF MARYLAND
390+INFORMATION TO ANY L OCAL GOVERNMENT THAT HAS EXPERIENCED A CY BER 1
391+INCIDENT OR ATTACK ; 2
427392
428-– 10 –
429- (I) $220,335 FOR 3 PINS FOR ADMINISTRATOR III POSITIONS;
430-AND
393+ (IV) (III) ASSIST LOCAL GOVERNM ENTS IN: 3
431394
432- (II) $137,643 FOR 2 PINS FOR ADMINISTRATOR II POSITIONS.
395+ 1. THE DEVELOPMENT OF C YBERSECURITY 4
396+PREPAREDNESS AND RES PONSE PLANS; AND 5
433397
434- (D) (1) THERE IS A CYBERSECURITY FUSION CENTER IN THE
435-DEPARTMENT .
398+ 2. IMPLEMENTING BEST PR ACTICES AND GUIDANCE 6
399+DEVELOPED BY THE STATE CHIEF INFORMATION SECURITY OFFICER; AND 7
436400
437- (2) THE FUSION CENTER SHALL:
401+ 3. IDENTIFYING AND ACQU IRING RESOURCES TO 8
402+COMPLETE APPROPRIATE CYBERSECURITY VULNERABILI TY ASSESSMENTS ; 9
438403
439- (I) COORDINATE INFORMATI ON ON CYBERSECURITY BY
440-SERVING AS A CENTRAL LOCATION FOR INFORMA TION SHARING ACROSS STATE AND
441-LOCAL GOVERNMENT , FEDERAL GOVERNMENT P ARTNERS, AND PRIVATE ENTITIES ;
404+ (V) (IV) CONNECT LOCAL GOVERN MENTS TO APPROPRIATE 10
405+RESOURCES FOR ANY OT HER PURPOSE RELATED TO CYBERSECURITY 11
406+PREPAREDNESS AND RES PONSE; 12
442407
443- (II) WITH THE OFFICE OF SECURITY MANAGEMENT IN THE
444-DEPARTMENT OF INFORMATION TECHNOLOGY , SUPPORT CYBERSECURIT Y
445-COORDINATION BETWEEN LOCAL UNITS OF GOVER NMENT THROUGH EXISTI NG
446-LOCAL GOVERNMENT STAKE HOLDER ORGANIZATIONS ;
408+ (VI) DEVELOP APPROPRIATE REPORTS ON LOCAL 13
409+CYBERSECURITY PREPAR EDNESS; 14
447410
448- (III) PROVIDE SUPPORT TO T HE STATE CHIEF INFORMATION
449-SECURITY OFFICER AND THE UNIT DURING CYBERSECU RITY INCIDENTS THAT
450-AFFECT STATE AND LOCAL GOVER NMENTS;
411+ (VII) (V) AS NECESSARY AND IN COORDINATION WITH TH E 15
412+NATIONAL GUARD, LOCAL EMERGENCY MANA GERS, AND OTHER STATE AND LOCAL 16
413+ENTITIES, CONDUCT REGIONAL CYB ERSECURITY PREPAREDN ESS EXERCISES; AND 17
451414
452- (IV) SUPPORT RISK –BASED PLANNING FOR T HE USE OF
453-FEDERAL RESOURCES ; AND
415+ (VIII) (VI) ESTABLISH REGIONAL A SSISTANCE GROUPS TO 18
416+DELIVER AND COORDINA TE SUPPORT SERVICES TO LOCAL GOVERNMENTS , 19
417+AGENCIES, OR REGIONS. 20
454418
455- (V) CONDUCT ANALYSIS OF CYBERSECURITY INCIDE NTS.
419+ (3) THE UNIT SHALL SUPPORT TH E OFFICE OF SECURITY 21
420+MANAGEMENT IN THE DEPARTMENT OF INFORMATION TECHNOLOGY DURING 22
421+EMERGENCY RESPON SE EFFORTS. 23
456422
457- (E) (1) THERE IS A LOCAL CYBERSECURITY SUPPORT FUND.
423+ (C) (1) EACH LOCAL GOVERNMENT SHALL REPORT A CYBER SECURITY 24
424+INCIDENT, INCLUDING AN ATTACK ON A STATE SYSTEM BEING US ED BY THE LOCAL 25
425+GOVERNMENT , TO THE APPROPRIATE L OCAL EMERGENCY MANAG ER AND THE 26
426+STATE SECURITY OPERATIONS CENTER IN THE DEPARTMENT OF INFORMATION 27
427+TECHNOLOGY TO THE MARYLAND JOINT OPERATIONS CENTER IN THE 28
428+DEPARTMENT IN ACCORDA NCE WITH PARAGRAPH (2) OF THIS SUBSECTION . 29
458429
459- (2) THE PURPOSE OF THE FUND IS TO:
430+ (2) FOR THE REPORTING OF CYBERSECURITY INCIDE NTS UNDER 30
431+PARAGRAPH (1) OF THIS SUBSECTION , THE DEPARTMENT STATE CHIEF 31
432+INFORMATION SECURITY OFFICER SHALL DETERMINE : 32
433+ 10 SENATE BILL 754
460434
461- (I) PROVIDE FINANCIAL AS SISTANCE TO LOCAL GO VERNMENTS
462-TO IMPROVE CYBERSECU RITY PREPAREDNESS, INCLUDING:
463435
464- 1. UPDATING CURRENT DEV ICES AND NETWORKS WI TH
465-THE MOST UP–TO–DATE CYBERSECURITY P ROTECTIONS;
436+ (I) THE CRITERIA FOR DET ERMINING WHEN AN INC IDENT MUST 1
437+BE REPORTED ; 2
466438
467- 2. SUPPORTING THE PURCH ASE OF NEW HARDWARE ,
468-SOFTWARE, DEVICES, AND FIREWALLS TO IMP ROVE CYBERSECURITY
469-PREPAREDNESS ;
439+ (II) THE MANNER IN WHICH TO REPORT; AND 3
470440
471- 3. RECRUITING AND HIRIN G INFORMATION
472-TECHNOLOGY STAFF FOC USED ON CYBERSECURIT Y; AND LAWRENCE J. HOGAN, JR., Governor Ch. 241
441+ (III) THE TIME PERIOD WITH IN WHICH A REPORT MU ST BE MADE. 4
473442
474-– 11 –
443+ (3) THE MARYLAND JOINT OPERATIONS CENTER STATE SECURITY 5
444+OPERATIONS CENTER SHALL IMMEDIATELY NOTIFY APPROPRIATE A GENCIES OF A 6
445+CYBERSECURITY INCIDE NT REPORTED UNDER TH IS SUBSECTION THROUG H THE 7
446+STATE SECURITY OPERATIONS CENTER. 8
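Review bot: In (C)(1) and (C)(3) the body that receives a local government's incident report reads as two recipients run together ("THE STATE SECURITY OPERATIONS CENTER IN THE DEPARTMENT OF INFORMATION TECHNOLOGY TO THE MARYLAND JOINT OPERATIONS CENTER IN THE DEPARTMENT"), because the strike-out and underlining that the bill's legend relies on are not visible in this comparison. Read these paragraphs against a marked-up copy before writing the reporting destination into a local incident response plan. Note also that (C)(2) leaves the reporting criteria, the manner of reporting and the time period to be determined, so none of those can be taken from the lines shown here.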
475447
476- 4. PAYING OUTSIDE VENDO RS FOR CYBERSECURITY
477-STAFF TRAINING ; AND
448+ (D) (1) FIVE POSITION IDENTIFICATION NUMBERS (PINS) SHALL BE 9
449+CREATED FOR THE PURP OSE OF HIRING STAFF TO CONDUCT THE DUTIE S OF THE 10
450+MARYLAND DEPARTMENT OF EMERGENCY MANAGEMENT CYBERSECURITY 11
451+PREPAREDNESS UNIT. 12
478452
479- (II) ASSIST LOCAL GOVERNM ENTS APPLYING FOR FE DERAL
480-CYBERSECURITY PREPAR EDNESS GRANTS .
453+ (2) FOR FISCAL YEAR 2024 AND EACH FISCAL YEAR THEREAFTER , 13
454+THE GOVERNOR SHALL INCLUD E IN THE ANNUAL BUDGET BILL AN AP PROPRIATION 14
455+OF AT LEAST: 15
481456
482- (3) THE SECRETARY SHALL ADMIN ISTER THE FUND.
457+ (I) $220,335 FOR 3 PINS FOR ADMINISTRATOR III POSITIONS; 16
458+AND 17
483459
484- (4) (I) THE FUND IS A SPECIAL, NONLAPSING FUND THAT IS NOT
485-SUBJECT TO § 7–302 OF THE STATE FINANCE AND PROCUREMENT ARTICLE.
460+ (II) $137,643 FOR 2 PINS FOR ADMINISTRATOR II POSITIONS. 18
486461
487- (II) THE STATE TREASURER SHALL HOLD THE FUND
488-SEPARATELY, AND THE COMPTROLLER SHALL ACCOUNT FOR THE FUND.
462+ (D) (1) THERE IS A CYBERSECURITY FUSION CENTER IN THE 19
463+DEPARTMENT . 20
489464
490- (5) THE FUND CONSISTS OF :
465+ (2) THE FUSION CENTER SHALL: 21
491466
492- (I) MONEY APPROPRIATED I N THE STATE BUDGET TO THE
493-FUND;
467+ (I) COORDINATE INFORMATI ON ON CYBERSECURITY BY 22
468+SERVING AS A CENTRAL LOCATION FOR INFORMA TION SHARING ACROSS STATE AND 23
469+LOCAL GOVERNMENT , FEDERAL GOVERNMENT P ARTNERS, AND PRIVATE ENTITIES ; 24
494470
495- (II) INTEREST EARNINGS ; AND
471+ (II) WITH THE OFFICE OF SECURITY MANAGEMENT IN THE 25
472+DEPARTMENT OF INFORMATION TECHNOLOGY , SUPPORT CYBERSECURIT Y 26
473+COORDINATION BETWEEN LOCAL UNITS OF GOVER NMENT THROUGH EXISTI NG 27
474+LOCAL GOVERNMENT STA KEHOLDER ORGANIZATIO NS; 28
496475
497- (III) ANY OTHER MONEY FROM ANY OTHER SOURCE ACC EPTED
498-FOR THE BENEFIT OF T HE FUND.
476+ (III) PROVIDE SUPPORT TO T HE STATE CHIEF INFORMATION 29
477+SECURITY OFFICER AND THE UNIT DURING CYBERSECU RITY INCIDENTS THAT 30
478+AFFECT STATE AND LOCAL GOVER NMENTS; 31
479+ SENATE BILL 754 11
499480
500- (6) THE FUND MAY BE US ED ONLY:
501481
502- (I) TO PROVIDE FINANCIAL ASSISTANCE TO LOCAL
503-GOVERNMENTS TO IMPRO VE CYBERSECURITY PRE PAREDNESS, INCLUDING:
482+ (IV) SUPPORT RISK –BASED PLANNING FOR T HE USE OF 1
483+FEDERAL RESOURCES ; AND 2
504484
505- 1. UPDATING CURRENT DEV ICES AND NETWORKS WI TH
506-THE MOST UP–TO–DATE CYBERSECURITY P ROTECTIONS;
485+ (V) CONDUCT ANALYSIS OF CYBERSECURITY INCIDE NTS. 3
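Review bot: Two subsections of 14–104.1 carry the letter (D) in these lines, "(D) (1) FIVE POSITION IDENTIFICATION NUMBERS (PINS) SHALL BE CREATED" and "(D) (1) THERE IS A CYBERSECURITY FUSION CENTER IN THE DEPARTMENT", and several item headings show two numerals side by side, such as "(IV) (III)" and "(VII) (V)". Without the amendment markup the lines do not show which lettering and which subsection survive, so cite these provisions by their text rather than by letter until that is checked against a marked-up copy.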
507486
508- 2. SUPPORTING THE PURCH ASE OF NEW HARDWARE ,
509-SOFTWARE, DEVICES, AND FIREWALLS TO IMP ROVE CYBERSECURITY
510-PREPAREDNESS ;
487+ (E) (1) THERE IS A LOCAL CYBERSECURITY SUPPORT FUND. 4
511488
512- 3. RECRUITING AND HIRIN G INFORMATION
513-TECHNOLOGY STAFF FOC USED ON CYBERSECURIT Y; AND
489+ (2) THE PURPOSE OF THE FUND IS TO: 5
514490
515- 4. PAYING OUTSIDE VENDO RS FOR CYBERSECURITY
516-STAFF TRAINING ;
517- Ch. 241 2022 LAWS OF MARYLAND
491+ (I) PROVIDE FINANCIAL AS SISTANCE TO LOCAL GO VERNMENTS 6
492+TO IMPROVE CYBERSECU RITY PREPAREDNESS , INCLUDING: 7
518493
519-– 12 –
520- (II) TO ASSIST LOCAL GOVERNMEN TS APPLYING FOR FEDE RAL
521-CYBERSECURITY PREPAR EDNESS GRANTS ; AND
494+ 1. UPDATING CURRENT DEV ICES AND NETWORKS WI TH 8
495+THE MOST UP–TO–DATE CYBERSECUR ITY PROTECTIONS ; 9
522496
523- (III) FOR ADMINISTRATIVE E XPENSES ASSOCIATED W ITH
524-PROVIDING THE ASSIST ANCE DESCRIBED UNDER ITEM (I) OF THIS PARAGRAPH .
497+ 2. SUPPORTING THE PURCH ASE OF NEW HARDWARE , 10
498+SOFTWARE, DEVICES, AND FIREWALLS TO IMP ROVE CYBERSECURITY 11
499+PREPAREDNESS ; 12
525500
526- (7) (I) THE STATE TREASURER SHALL INVES T THE MONEY OF THE
527-FUND IN THE SAME MANN ER AS OTHER STATE MONEY MAY BE IN VESTED.
501+ 3. RECRUITING AND HIRIN G INFORMATION 13
502+TECHNOLOGY STAFF FOC USED ON CYBERSECURIT Y; AND 14
528503
529- (II) ANY INTEREST EARNINGS OF THE FUND SHALL BE
530-CREDITED TO THE FUND.
504+ 4. PAYING OUTSIDE VEND ORS FOR CYBERSECURIT Y 15
505+STAFF TRAINING ; AND 16
531506
532- (8) EXPENDITURES FROM THE FUND MAY BE MADE ONLY IN
533-ACCORDANCE WITH THE STATE BUDGET .
507+ (II) ASSIST LOCAL GOVERNM ENTS APPLYING FOR FE DERAL 17
508+CYBERSECURITY PREPAR EDNESS GRANTS . 18
534509
535- (F) TO BE ELIGIBLE TO RECEIVE ASSISTANCE FROM THE FUND, EACH
536-LOCAL GOVERNMENT THA T USES THE NETWORK E STABLISHED IN ACCORD ANCE
537-WITH § 3.5–404 OF THE STATE FINANCE AND PROCUREMENT ARTICLE SHALL MEET
538-THE REQUIREMENTS OF §§ 3.5–404(D) AND 3.5–405 OF THE STATE FINANCE AND
539-PROCUREMENT ARTICLE.
510+ (3) THE SECRETARY SHALL ADMIN ISTER THE FUND. 19
540511
541-Article – State Finance and Procurement
512+ (4) (I) THE FUND IS A SPECIAL, NONLAPSING FUND THAT IS NOT 20
513+SUBJECT TO § 7–302 OF THE STATE FINANCE AND PROCUREMENT ARTICLE. 21
542514
543-3.5–101.
515+ (II) THE STATE TREASURER SHALL HOLD THE FUND 22
516+SEPARATELY, AND THE COMPTROLLER SHALL ACC OUNT FOR THE FUND. 23
544517
545- (a) In this title the following words have the meanings indicated.
518+ (5) THE FUND CONSISTS OF : 24
546519
547- (e) “Unit of State government” means an agency or unit of the Executive Branch
548-of State government.
520+ (I) MONEY APPROPRIATED I N THE STATE BUDGET TO THE 25
521+FUND; 26
549522
550-SUBTITLE 2A. OFFICE OF SECURITY MANAGEMENT .
523+ (II) INTEREST EARNINGS ; AND 27
524+ 12 SENATE BILL 754
551525
552-3.5–2A–01.
553526
554- IN THIS SUBTITLE , “OFFICE” MEANS THE OFFICE OF SECURITY
555-MANAGEMENT .
527+ (III) ANY OTHER MONEY FROM ANY OTHER SOURCE ACC EPTED 1
528+FOR THE BENEFIT OF T HE FUND. 2
556529
557-3.5–2A–02.
530+ (6) THE FUND MAY BE USED ONLY : 3
558531
559- THERE IS AN OFFICE OF SECURITY MANAGEMENT WITHIN THE DEPARTMENT .
532+ (I) TO PROVIDE FINANCIAL ASSISTANCE TO LOCAL 4
533+GOVERNMENTS TO IMPRO VE CYBERSECURITY PRE PAREDNESS, INCLUDING: 5
560534
561-3.5–2A–03.
562- LAWRENCE J. HOGAN, JR., Governor Ch. 241
535+ 1. UPDATING CURRENT DEV ICES AND NETWORKS WI TH 6
536+THE MOST UP–TO–DATE CYBERSECURITY P ROTECTIONS; 7
563537
564-– 13 –
565- (A) THE HEAD OF THE OFFICE IS THE STATE CHIEF INFORMATION
566-SECURITY OFFICER.
538+ 2. SUPPORTING THE PURCH ASE OF NEW HARDWARE , 8
539+SOFTWARE, DEVICES, AND FIREWALLS TO IMP ROVE C YBERSECURITY 9
540+PREPAREDNESS ; 10
567541
568- (B) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL:
542+ 3. RECRUITING AND HIRIN G INFORMATION 11
543+TECHNOLOGY STAFF FOC USED ON CYBERSECURIT Y; AND 12
569544
570- (1) BE APPOINTED BY THE GOVERNOR WITH THE ADV ICE AND
571-CONSENT OF THE SENATE;
545+ 4. PAYING OUTSIDE VENDO RS FOR CYBERSECURITY 13
546+STAFF TRAINING ; 14
572547
573- (2) SERVE AT THE PLEASUR E OF THE GOVERNOR;
548+ (II) TO ASSIST LOCAL GOVE RNMENTS APPLYING FOR FEDERAL 15
549+CYBERSECURITY P REPAREDNESS GRANTS ; AND 16
574550
575- (3) BE SUPERVISED BY THE SECRETARY; AND
551+ (III) FOR ADMINISTRATIVE E XPENSES ASSOCIATED W ITH 17
552+PROVIDING THE ASSIST ANCE DESCRIBED UNDER ITEM (I) OF THIS PARAGRAPH . 18
576553
577- (4) SERVE AS THE CHIEF I NFORMATION SECURITY OFFICER OF THE
578-DEPARTMENT .
554+ (7) (I) THE STATE TREASURER SHALL INVES T THE MONEY OF THE 19
555+FUND IN THE SAME MANN ER AS OTHER STATE MONEY MAY BE INVESTED . 20
579556
580- (C) AN INDIVIDUAL APPOINT ED AS THE STATE CHIEF INFORMATION
581-SECURITY OFFICER UNDER SUBSECT ION (B) OF THIS SECTION SHAL L:
557+ (II) ANY INTEREST EARNINGS OF THE FUND SHALL BE 21
558+CREDITED TO THE FUND. 22
582559
583- (1) AT A MINIMUM, HOLD A BACHELOR ’S DEGREE;
560+ (8) EXPENDITURES FROM THE FUND MAY BE MADE ONLY IN 23
561+ACCORDANCE WITH THE STATE BUDGET . 24
584562
585- (2) HOLD APPROPRIATE INF ORMATION TECHNOLOGY OR
586-CYBERSECURITY CERTIF ICATIONS;
563+ (F) TO BE ELIGIBLE TO REC EIVE ASSISTANCE FROM THE FUND, EACH 25
564+LOCAL GOVERNMENT THAT USES THE NETWORK ESTABLIS HED IN ACCORDANCE 26
565+WITH § 3.5–404 OF THE STATE FINANCE AND PROCUREMENT ARTICLE SHALL MEET 27
566+THE REQUIREMENTS OF §§ 3.5–404(D) AND 3.5–405 OF THE STATE FINANCE AND 28
567+PROCUREMENT ARTICLE. 29
587568
588- (3) HAVE EXPERIENCE :
569+Article – State Finance and Procurement 30
570+ SENATE BILL 754 13
589571
590- (I) IDENTIFYING, IMPLEMENTING , AND OR ASSESSING
591-SECURITY CONTROLS ;
592572
593- (II) IN INFRASTRUCTURE , SYSTEMS ENGINEERING , AND OR
594-CYBERSECURITY ;
573+3.5–101. 1
595574
596- (III) MANAGING HIGHLY TECHNIC AL SECURITY , SECURITY
597-OPERATIONS CENTERS , AND INCIDENT RESPONS E TEAMS IN A COMPLEX CLOUD
598-ENVIRONMENT AND SUPP ORTING MULTIPLE SITE S; AND
575+ (a) In this title the following words have the meanings indicated. 2
599576
600- (IV) WORKING WITH COMMON INFORMATION SECURITY
601-MANAGEMENT FRAMEWORK S;
577+ (e) “Unit of State government” means an agency or unit of the Executive Branch 3
578+of State government. 4
602579
603- (4) HAVE EXTENSIVE KNOW LEDGE OF INFORMATION TECHNOLOGY
604-AND CYBERSECURITY FI ELD CONCEPTS , BEST PRACTICES , AND PROCEDURES , WITH
605-AN UNDERSTANDING OF EXISTING ENTERPRISE CAPABILITIES AND LIM ITATIONS TO
606-ENSURE THE SECURE IN TEGRATION AND OPERAT ION OF SECURITY NETW ORKS AND
607-SYSTEMS; AND
608- Ch. 241 2022 LAWS OF MARYLAND
580+SUBTITLE 2A. OFFICE OF SECURITY MANAGEMENT . 5
609581
610-– 14 –
611- (5) HAVE KNOWLEDGE OF CU RRENT SECURITY REGUL ATIONS.
582+3.5–2A–01. 6
612583
613- (C) (D) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL
614-PROVIDE CYBERSECURIT Y ADVICE AND RECOMME NDATIONS TO THE GOVERNOR ON
615-REQUEST.
584+ IN THIS SUBTITLE, “OFFICE” MEANS THE OFFICE OF SECURITY 7
585+MANAGEMENT . 8
616586
617- (D) (E) (1) (I) THERE IS A DIRECTOR OF LOCAL CYBERSECURITY ,
618-WHO SHALL BE APPOINT ED BY THE STATE CHIEF INFORMATION SECURITY
619-OFFICER.
587+3.5–2A–02. 9
620588
621- (II) THE DIRECTOR OF LOCAL CYBERSECURITY SHALL W ORK
622-IN COORDINATION WITH THE MARYLAND DEPARTMENT OF EMERGENCY
623-MANAGEMENT TO PROVIDE TECHNICAL ASSISTANCE , COORDINATE RESOURCES ,
624-AND IMPROVE CYBERSECURIT Y PREPAREDNESS FOR U NITS OF LOCAL
625-GOVERNMENT .
589+ THERE IS AN OFFICE OF SECURITY MANAGEMENT WITHIN THE DEPARTMENT . 10
626590
627- (2) (I) THERE IS A DIRECTOR OF STATE CYBERSECURITY , WHO
628-SHALL BE APPOINTED B Y THE STATE CHIEF INFORMATION SECURITY OFFICER.
591+3.5–2A–03. 11
629592
630- (II) THE DIRECTOR OF STATE CYBERSECURITY IS
631-RESPONSIBLE FOR IMPLEMENTATION OF TH IS SECTION WITH RESP ECT TO UNITS OF
632-STATE GOVERNMENT .
593+ (A) THE HEAD OF THE OFFICE IS THE STATE CHIEF INFORMATION 12
594+SECURITY OFFICER. 13
633595
634- (E) (F) THE DEPARTMENT SHALL PROV IDE THE OFFICE WITH
635-SUFFICIENT STAFF TO PERFORM THE FUNCTION S OF THIS SUBTITLE.
596+ (B) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL: 14
636597
637- (F) THE OFFICE MAY PROCURE RE SOURCES, INCLUDING REGIONAL
638-COORDINATORS, NECESSARY TO FULFILL THE REQUIREMENTS OF THIS SUBTITLE.
598+ (1) BE APPOINTED BY THE GOVERNOR WITH THE ADV ICE AND 15
599+CONSENT OF THE SENATE; 16
639600
640-3.5–2A–04.
601+ (2) SERVE AT THE PLEASUR E OF THE GOVERNOR; 17
641602
642- (A) (1) THE OFFICE IS RESPONSIBLE FOR:
603+ (3) BE SUPERVISED BY THE SECRETARY; AND 18
643604
644- (1) (I) THE DIRECTION , COORDINATION , AND IMPLEMENTATION
645-OF THE OVERALL CYBER SECURITY STRATEGY AN D POLICY FOR UNITS O F STATE
646-GOVERNMENT ; AND
605+ (4) SERVE AS THE CHIEF I NFORMATION SECURITY OFFICER OF THE 19
606+DEPARTMENT . 20
647607
648- (2) THE COORDINATION OF RESOURCES AND EFFORT S TO
649-IMPLEMENT CYBERSECUR ITY BEST PRACTICES A ND IMPROVE OVERALL
650-CYBERSECURITY PREPAR EDNESS AND RESPONSE FOR UNITS OF LOCAL
651-GOVERNMENT , LOCAL SCHOOL BOARDS , LOCAL SCHOOL SYSTEMS , AND LOCAL
652-HEALTH DEPARTMENT S.; AND
653- LAWRENCE J. HOGAN, JR., Governor Ch. 241
608+ (C) AN INDIVIDUAL APPOINT ED AS THE STATE CHIEF INFORMATION 21
609+SECURITY OFFICER UNDER SUBSECT ION (B) OF THIS SECTION SHAL L: 22
654610
655-– 15 –
656- (II) SUPPORTING THE MARYLAND DEPARTMENT OF
657-EMERGENCY MANAGEMENT CYBER PREPAREDNESS UNIT DURING EMERGENCY
658-RESPONSE EFFORTS .
611+ (1) AT A MINIMUM, HOLD A BACHELOR ’S DEGREE; 23
659612
660- (2) THE OFFICE IS NOT RESPONS IBLE FOR THE INFORMA TION
661-TECHNOLOGY INSTALLAT ION AND MAINTENANCE OPERATIONS NORMALLY
662-CONDUCTED BY A UNIT OF STATE GOVERNMENT , A UNIT OF LOCAL GOVE RNMENT, A
663-LOCAL SCHOOL BOARD , A LOCAL SCHOOL SYSTE M, OR A LOCAL HEALTH
664-DEPARTMENT .
613+ (2) HOLD APPROPRIATE INF ORMATION TECHNOLOGY OR 24
614+CYBERSECURITY CERTIF ICATIONS; 25
665615
666- (B) THE OFFICE SHALL:
616+ (3) HAVE EXPERIENCE : 26
617+ 14 SENATE BILL 754
667618
668- (1) ESTABLISH STANDARDS TO CATEGORIZE ALL IN FORMATION
669-COLLECTED OR MAINTAI NED BY OR ON BEHALF OF EACH UNIT OF STATE
670-GOVERNMENT ;
671619
672- (2) ESTABLISH STANDARDS TO CATEGORIZE ALL IN FORMATION
673-SYSTEMS MAINTAINED B Y OR ON BEHALF OF EA CH UNIT OF STATE GOVERNMENT ;
620+ (I) IDENTIFYING, IMPLEMENTING , AND OR ASSESSING 1
621+SECURITY CONTROLS ; 2
674622
675- (3) DEVELOP GUIDELINES G OVERNING THE TYPES O F INFORMATION
676-AND INFORMATION SYST EMS TO BE INCLUDED IN EACH C ATEGORY;
623+ (II) IN INFRASTRUCTURE , SYSTEMS ENGINEERING , AND OR 3
624+CYBERSECURITY ; 4
677625
678- (4) ESTABLISH SECURITY R EQUIREMENTS FOR INFO RMATION AND
679-INFORMATION SYSTEMS IN EACH CATEGORY ;
626+ (III) MANAGING HIGHLY TECH NICAL SECURITY , SECURITY 5
627+OPERATIONS CENTERS , AND INCIDENT RESPONS E TEAMS IN A COMPLEX CLOUD 6
628+ENVIRONMENT AND SUPP ORTING MULTIPLE SITE S; AND 7
680629
681- (5) ASSESS THE CATEGORIZ ATION OF INFORMATION AND
682-INFORMATION SYSTEMS AND THE ASSOCIATED I MPLEMENTATION OF THE SECURITY
683-REQUIREMENTS ESTABLI SHED UNDER ITEM (4) OF THIS SUBSECTION ;
630+ (IV) WORKING WITH COMMON INFORMATION SECURITY 8
631+MANAGEMENT FRAMEWORK S; 9
684632
685- (6) IF THE STATE CHIEF INFORMATION SECURITY OFFICER
686-DETERMINES THAT THER E ARE SECURITY VULNE RABILITIES OR DEFICI ENCIES IN
687-THE IMPLEMENTATION O F THE SECURITY REQUI REMENTS ESTABLISHED UNDER
688-ITEM (4) OF THIS SUBSECTION , DETERMINE WHETHER AN INFORMATION SYSTEM
689-SHOULD BE ALLOWED TO CONTINUE TO OPERATE OR BE CONNECTED TO T HE
690-NETWORK ESTABLISHED IN ACCORDANCE WITH § 3.5–404 OF THIS TITLE; ANY
691-INFORMATION SYSTEMS , DETERMINE AND DIRECT OR TAKE ACTIONS NE CESSARY TO
692-CORRECT OR REMEDIATE THE VULNERABILITIES OR DEFICIENCIES , WHICH MAY
693-INCLUDE REQUIRING TH E INFORMATION SYSTEM TO BE DISCONNECTED ;
633+ (4) HAVE EXTENSIVE K NOWLEDGE OF INFORMAT ION TECHNOLOGY 10
634+AND CYBERSECURITY FI ELD CONCEPTS , BEST PRACTICES , AND PROCEDURES , WITH 11
635+AN UNDERSTANDING OF EXISTING ENTERPRISE CAPABILITIES AND LIM ITATIONS TO 12
636+ENSURE THE SECURE IN TEGRATION AND OPERAT ION OF SECURITY NETW ORKS AND 13
637+SYSTEMS; AND 14
694638
695- (7) IF THE STATE CHIEF INFORMATION SECURITY OFFICER
696-DETERMINES THAT THER E IS A CYBERSECURITY THREAT CAUSED BY AN ENTITY
697-CONNECTED TO THE NET WORK ESTABLISHED UND ER § 3.5–404 OF THIS TITLE THAT
698-INTRODUCES A SERIOUS RISK TO ENTITIES CON NECTED TO THE NETWOR K OR TO
699-THE STATE, TAKE OR DIRECT ACTIO NS REQUIRED TO MITIG ATE THE THREAT ; Ch. 241 2022 LAWS OF MARYLAND
639+ (5) HAVE KNOWLEDGE OF CU RRENT SECURITY REGUL ATIONS. 15
700640
701-– 16 –
641+ (C) (D) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL 16
642+PROVIDE CYBERSECURIT Y ADVICE AND RECOMME NDATIONS TO THE GOVERNOR ON 17
643+REQUEST. 18
702644
703- (7) (8) MANAGE SECURITY AWAR ENESS TR AINING FOR ALL
704-APPROPRIATE EMPLOYEE S OF UNITS OF STATE GOVERNMENT ;
645+ (D) (E) (1) (I) THERE IS A DIRECTOR OF LOCAL CYBERSECURITY , 19
646+WHO SHALL BE APPOINT ED BY THE STATE CHIEF INFORMATION SECURITY 20
647+OFFICER. 21
705648
706- (8) (9) ASSIST IN THE DEVELO PMENT OF DATA MANAGE MENT,
707-DATA GOVERNANCE , AND DATA SPECIFICATI ON STANDARDS TO PROM OTE
708-STANDARDIZATION AND REDUCE RISK;
649+ (II) THE DIRECTOR OF LOCAL CYBERSECURITY SHALL W ORK 22
650+IN COORDINATION WITH THE MARYLAND DEPARTMENT OF EMERGENCY 23
651+MANAGEMENT TO PROVIDE TECHNICAL ASSISTANCE , COORDINATE RESOURCES, 24
652+AND IMPROVE CYBERSEC URITY PREPAREDNESS F OR UNITS OF LOCAL 25
653+GOVERNMENT . 26
709654
710- (9) (10) ASSIST IN THE DEVELO PMENT OF A DIGITAL IDENTIT Y
711-STANDARD AND SPECIFI CATION APPLICABLE TO ALL PARTIES COMMUNIC ATING,
712-INTERACTING, OR CONDUCTING BUSINE SS WITH OR ON BEHALF OF A UNIT OF STATE
713-GOVERNMENT ;
655+ (2) (I) THERE IS A DIRECTOR OF STATE CYBERSECURITY , WHO 27
656+SHALL BE APPOINTED B Y THE STATE CHIEF INFORMATION SECURITY OFFICER. 28
714657
715- (10) (11) DEVELOP AND MAINTAIN INFORMATION TECHNOLO GY
716-SECURITY POLICY , STANDARDS, AND GUIDANCE DOCUMEN TS, CONSISTENT WITH
717-BEST PRACTICES DEVEL OPED BY THE NATIONAL INSTITUTE OF STANDARDS AND
718-TECHNOLOGY ;
658+ (II) THE DIRECTOR OF STATE CYBERSECURITY IS 29
659+RESPONSIBLE FOR IMPL EMENTATION OF THIS S ECTION WITH RESPECT TO UNITS OF 30
660+STATE GOVERNMENT . 31
719661
720- (11) (12) TO THE EXTENT PRACTI CABLE, SEEK, IDENTIFY, AND
721-INFORM RELEVANT STAK EHOLDERS OF ANY AVAI LABLE FINANCIAL ASSI STANCE
722-PROVIDED BY THE FEDERA L GOVERNMENT OR NON –STATE ENTITIES TO SUP PORT
723-THE WORK OF THE OFFICE;
662+ (E) (F) THE DEPARTMENT SHALL PROV IDE THE OFFICE WITH 32
663+SUFFICIENT STAFF TO PERFORM THE FUNCTION S OF THIS SUBTITLE. 33 SENATE BILL 754 15
724664
725- (12) REVIEW AND CERTIFY L OCAL CYBERSECURITY P REPAREDNESS
726-AND RESPONSE PLANS ;
727665
728- (13) PROVIDE TECHNICAL AS SISTANCE TO LOCALITI ES IN MITIGATING
729-AND RECOVERING FROM CYBERSECURITY INCIDE NTS; AND
730666
731- (14) PROVIDE TECHNICAL SE RVICES, ADVICE, AND GUIDANCE TO
732-UNITS OF LOCAL GOVER NMENT TO IMPROVE CYB ERSECURITY PREPAREDN ESS,
733-PREVENTION , RESPONSE, AND RECOVERY PRACTIC ES.
667+ (F) THE OFFICE MAY PROCURE RE SOURCES, INCLUDING R EGIONAL 1
668+COORDINATORS , NECESSARY TO FULFILL THE REQUIREMENTS OF THIS SUBTITLE. 2
734669
735- (C) THE OFFICE, IN COORDINATION WITH THE MARYLAND DEPARTMENT
736-OF EMERGENCY MANAGEMENT , SHALL:
670+3.5–2A–04. 3
737671
738- (1) ASSIST LOCAL POLITIC AL SUBDIVISIONS , INCLUDING COUNTIES ,
739-SCHOOL SYSTEMS , SCHOOL BOARDS , AND LOCAL HEALTH DEP ARTMENTS, IN:
672+ (A) (1) THE OFFICE IS RESPONSIBLE FOR: 4
740673
741- (I) THE DEVELOPMENT OF C YBERSECURITY PREPARE DNESS
742-AND RESPONSE PLANS ; AND
743- LAWRENCE J. HOGAN, JR., Governor Ch. 241
674+ (1) (I) THE DIRECTION , COORDINATION , AND IMPLEMENTATION 5
675+OF THE OVERALL CYBER SECURITY STRATEGY AN D POLICY FOR UNITS O F STATE 6
676+GOVERNMENT ; AND 7
744677
745-– 17 –
746- (II) IMPLEMENTING BEST PR ACTICES AND GUIDANCE
747-DEVELOPED BY THE DEPARTMENT ; AND
678+ (2) THE COORDINATION OF RESOURCES AND EFFORT S TO 8
679+IMPLEMENT CYBERSECUR ITY BEST PRACTICES A ND IMPROVE OVERALL 9
680+CYBERSECURITY PREPAR EDNESS AND RESPONSE FOR UNITS OF LOCAL 10
681+GOVERNMENT , LOCAL SCHOOL BOARDS , LOCAL SCHOOL SYSTEMS , AND LOCAL 11
682+HEALTH DEPARTMENTS .; AND 12
748683
749- (2) CONNECT LOCAL ENTITI ES TO APPROPRIATE RE SOURCES FOR
750-ANY OTHER PURPOSE RE LATED TO CYBERSECURI TY PREPAREDNESS AND
751-RESPONSE.
684+ (II) SUPPORTING THE MARYLAND DEPARTMENT OF 13
685+EMERGENCY MANAGEMENT CYBER PREPAREDNESS UNIT DURING EMERGENCY 14
686+RESPONSE EFFORTS . 15
752687
753- (D) THE OFFICE, IN COORDINATION WITH THE MARYLAND DEPARTMENT
754-OF EMERGENCY MANAGEMENT , MAY:
688+ (2) THE OFFICE IS NOT RESPONS IBLE FOR THE INFORMA TION 16
689+TECHNOLOGY INSTALLAT ION AND MAINTENANCE OPERATIONS NORMALLY 17
690+CONDUCTED BY A UNIT OF STATE GOVERNMENT , A UNIT OF LOCAL GOVE RNMENT, A 18
691+LOCAL SCHOOL BOARD , A LOCAL SCHOOL SYSTE M, OR A LOCAL HEALTH 19
692+DEPARTMENT . 20
755693
756- (1) CONDUCT REGIONAL EXE RCISES, AS NECESSARY , IN
757-COORDINATION WITH TH E NATIONAL GUARD, LOCAL EMERGENCY MANA GERS, AND
758-OTHER STATE AND LOCAL ENTIT IES; AND
694+ (B) THE OFFICE SHALL: 21
759695
760- (2) ESTABLISH REGIONAL A SSISTANCE GROUPS TO DELIVER OR
761-COORDINATE SUPPORT S ERVICES TO LOCAL POL ITICAL SUBDIVISIONS , AGENCIES,
762-OR REGIONS.
696+ (1) ESTABLISH STANDARDS TO CATEGORIZE ALL IN FORMATION 22
697+COLLECTED OR MAINTAINED BY OR ON BEHALF OF EACH UNIT OF STATE 23
698+GOVERNMENT ; 24
763699
764- (C) (E) (1) ON OR BEFORE DECEMBER 31 EACH YEAR, THE OFFICE
765-SHALL REPORT TO THE GOVERNOR AND , IN ACCORDANCE WITH § 2–1257 OF THE
766-STATE GOVERNMENT ARTICLE, THE SENATE BUDGET AND TAXATION COMMITTEE,
767-THE SENATE EDUCATION, HEALTH, AND ENVIRONMENTAL AFFAIRS COMMITTEE,
768-THE HOUSE APPROPRIATIONS COMMITTEE, THE HOUSE HEALTH AND
769-GOVERNMENT OPERATIONS COMMITTEE, AND THE JOINT COMMITTEE ON
770-CYBERSECURITY , INFORMATION TECHNOLO GY, AND BIOTECHNOLOGY ON THE
771-ACTIVITIES OF THE OFFICE AND THE STATE OF CYBERSECURITY PRE PAREDNESS IN
772-MARYLAND, INCLUDING:
700+ (2) ESTABLISH STANDARDS TO CATEGORIZE ALL IN FORMATION 25
701+SYSTEMS MAINTAINED B Y OR ON BEHALF OF EA CH UNIT OF STATE GOVERNMENT ; 26
773702
774- (1) (I) THE ACTIVITIES AND A CCOMPLISHMENTS OF TH E OFFICE
775-DURING THE PREVIOUS 12 MONTHS AT THE STATE AND LOCAL LEVEL S; AND
703+ (3) DEVELOP GUIDELINES G OVERNING THE TYPES O F INFORMATION 27
704+AND INFORMATION SYSTEMS TO B E INCLUDED IN EACH C ATEGORY; 28
776705
777- (2) (II) A COMPILATION AND AN ALYSIS OF THE DATA F ROM THE
778-INFORMATION CONTAINE D IN THE REPORTS REC EIVED BY THE OFFICE UNDER §
779-3.5–405 OF THIS TITLE, INCLUDING:
706+ (4) ESTABLISH SECURITY R EQUIREMENTS FOR INFO RMATION AND 29
707+INFORMATION SYSTEMS IN EACH CATEGORY ; 30
708+ 16 SENATE BILL 754
780709
781- (I) 1. A SUMMARY OF THE ISS UES IDENTIFIED BY TH E
782-CYBERSECURITY PREPAR EDNESS ASSESSMENTS C ONDUCTED THAT YEAR;
783710
784- (II) 2. THE STATUS OF VULNER ABILITY ASSESSMENTS OF
785-ALL UNITS OF STATE GOVERNMENT AND A TIMELINE FOR COMPL ETION AND COST
786-TO REMEDIATE ANY VUL NERABILITIES EXPOSED ;
787- Ch. 241 2022 LAWS OF MARYLAND
711+ (5) ASSESS THE CATEGORIZ ATION OF INFORMATION AND 1
712+INFORMATION SYSTEMS AND THE ASSOCIATED I MPLEMENTATION OF T HE SECURITY 2
713+REQUIREMENTS ESTABLI SHED UNDER ITEM (4) OF THIS SUBSECTION ; 3
788714
789-– 18 –
790- (III) 3. RECENT AUDIT FINDING S OF ALL UNITS OF STATE
791-GOVERNMENT AND OPTIO NS TO IMPROVE FINDIN GS IN FUTURE AUDITS , INCLUDING
792-RECOMMENDATIONS FOR STAFF, BUDGET, AND TIMING;
715+ (6) IF THE STATE CHIEF INFORMATION SECURITY OFFICER 4
716+DETERMINES THAT THER E ARE SECURITY VULNE RABILITIES OR DEFICI ENCIES IN 5
717+THE IMPLEMENTATION O F THE SECURITY REQUI REMENTS ESTABLISHED UNDER 6
718+ITEM (4) OF THIS SUBSECTION , DETERMINE WHETHER AN INFORMATION SYSTEM 7
719+SHOULD BE ALLOWED TO CONTINUE TO OPERATE OR BE CONNECTED TO T HE 8
720+NETWORK ESTABLISHED IN ACCORDANCE WITH § 3.5–404 OF THIS TITLE; ANY 9
721+INFORMATION SYSTEMS , DETERMINE AND DIRECT OR TAKE ACTIONS NECESSARY TO 10
722+CORRECT OR REMEDIATE THE VULNERABILITIES OR DEFICIENCIES , WHICH MAY 11
723+INCLUDE REQUIRING TH E INFORMATION SYSTEM TO BE DISCONNECTED ; 12
793724
794- (IV) 4. ANALYSIS OF THE STATE’S EXPENDITURE ON
795-CYBERSECURITY RELATI VE TO OVERALL INFORM ATION TECHNOLOGY SPEND ING
796-FOR THE PRIOR 3 YEARS AND RECOMMENDA TIONS FOR CHANGES TO THE BUDGET,
797-INCLUDING AMOUNT , PURPOSE, AND TIMING TO IMPROV E STATE AND LOCAL
798-CYBERSECURITY PREPAR EDNESS;
725+ (7) IF THE STATE CHIEF INFORMATION SECURITY OFFICER 13
726+DETERMINES THAT THER E IS A CYBERSECURITY THREAT CAUSED BY AN ENTITY 14
727+CONNECTED TO THE NET WORK ESTABLISHED UND ER § 3.5–404 OF THIS TITLE THAT 15
728+INTRODUCES A SERIOUS RISK TO ENTITIES CON NECTED TO THE NETWOR K OR TO 16
729+THE STATE, TAKE OR DIRECT ACTIO NS REQUIRED TO MITIG ATE THE THREAT ; 17
799730
800- (V) 5. EFFORTS TO SECURE FI NANCIAL SUPPORT FOR
801-CYBER RISK MITIGATION FROM FEDE RAL OR OTHER NON –STATE RESOURCES ;
731+ (7) (8) MANAGE SECURITY AWARENESS TRAINING F OR ALL 18
732+APPROPRIATE EMPLOYEE S OF UNITS OF STATE GOVERNMENT ; 19
802733
803- (VI) 6. KEY PERFORMANCE INDI CATORS ON THE
804-CYBERSECURITY STRATE GIES IN THE DEPARTMENT ’S INFORMATION TECHNO LOGY
805-MASTER PLAN , INCLUDING TIME , BUDGET, AND STAFF REQUIRED F OR
806-IMPLEMENTATION ; AND
734+ (8) (9) ASSIST IN THE DEVELO PMENT OF DATA MANAGE MENT, 20
735+DATA GOVERNANCE , AND DATA SPECIFICATI ON STANDARDS TO PROM OTE 21
736+STANDARDIZATION AND REDUCE RISK; 22
807737
808- (VII) 7. ANY ADDITIONAL RECOM MENDATIONS FOR
809-IMPROVING STATE AND LOCAL CYBER SECURITY PREPAREDNES S.
738+ (9) (10) ASSIST IN THE DEVELO PMENT OF A DIGITAL I DENTITY 23
739+STANDARD AND SPECIFI CATION APPLICABLE TO ALL PARTIES COMMUNIC ATING, 24
740+INTERACTING, OR CONDUCTING BUSINE SS WITH OR ON BEHALF OF A UNIT OF STATE 25
741+GOVERNMENT ; 26
810742
811- (2) A REPORT SUBMITTED UND ER THIS SUBSECTION M AY NOT
812-CONTAIN INFORMATION THAT REVEALS CYBERSE CURITY VULNERABILITI ES AND
813-RISKS IN THE STATE.
743+ (10) (11) DEVELOP AND MAINTAIN INFORMATION TECHNOLO GY 27
744+SECURITY POLICY , STANDARDS, AND GUIDANCE DOCUMEN TS, CONSISTENT WITH 28
745+BEST PRACTICES DEVEL OPED BY THE NATIONAL INSTITUTE OF STANDARDS AND 29
746+TECHNOLOGY ; 30
814747
815-3.5–301.
748+ (11) (12) TO THE EXTENT PRACTI CABLE, SEEK, IDENTIFY, AND 31
749+INFORM RELEVANT STAK EHOLDERS OF ANY AVAI LABLE FINANCIAL ASSISTAN CE 32
750+PROVIDED BY THE FEDE RAL GOVERNMENT OR NO N–STATE ENTITIES TO SUP PORT 33
751+THE WORK OF THE OFFICE; 34
816752
817- (a) In this subtitle the following words have the meanings indicated.
753+ (12) REVIEW AND CERTIFY L OCAL CYBERSECURITY P REPAREDNESS 35
754+AND RESPONSE PLANS ; 36 SENATE BILL 754 17
818755
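Review bot: Two items read as paragraph (12) in the added list. The renumbered item at new line 748 is marked "(11) (12)", and new line 753 then opens a second "(12) REVIEW AND CERTIFY", followed by (13) and (14). As rendered here, nothing shows which of the colliding numbers is operative. The comparison should mark the superseded numbering or items so that cross-references to paragraph (12) resolve to a single provision.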
819- (j) “Nonvisual access” means the ability, through keyboard control, synthesized
820-speech, Braille, or other methods not requiring sight to receive, use, and manipulate
821-information and operate controls necessary to access information technology in accordance
822-with standards adopted under [§ 3A–303(b)] § 3.5–303(B) of this subtitle.
823756
824-3.5–302.
825757
826- (c) Notwithstanding any other provision of law, except as provided in subsection
827-(a) of this section and [§§ 3A–307(a)(2), 3A–308, and 3A–309] §§ 3.5–307(A)(2), 3.5–308,
828-AND 3.5–309 of this subtitle, this subtitle applies to all units of the Executive Branch of
829-State government including public institutions of higher education other than Morgan
830-State University, the University System of Maryland, St. Mary’s College of Maryland, and
831-Baltimore City Community College.
758+ (13) PROVIDE TECHNICAL AS SISTANCE TO LOCALITI ES IN MITIGATING 1
759+AND RECOVERING FROM CYBERSECURITY INCIDE NTS; AND 2
832760
833-3.5–303. LAWRENCE J. HOGAN, JR., Governor Ch. 241
761+ (14) PROVIDE TECHNICAL SE RVICES, ADVICE, AND GUIDANCE TO 3
762+UNITS OF LOCAL GOVER NMENT TO IMPROVE CYB ERSECURITY PREPAREDN ESS, 4
763+PREVENTION , RESPONSE, AND RECOVERY PRACTIC ES. 5
834764
835-– 19 –
765+ (C) THE OFFICE, IN COORDINATION WITH THE MARYLAND DEPARTMENT 6
766+OF EMERGENCY MANAGEMENT , SHALL: 7
836767
837- (c) On or before January 1, 2020, the Secretary, or the Secretary’s designee, shall:
768+ (1) ASSIST LOCAL POLITIC AL SUBDIVISIONS , INCLUDING COUNTIES , 8
769+SCHOOL SYSTEMS , SCHOOL BOARDS , AND LOCAL HEALTH DEP ARTMENTS, IN: 9
838770
839- (2) establish a process for the Secretary or the Secretary’s designee to:
771+ (I) THE DEVELOPMENT OF C YBERSECURITY PREPARE DNESS 10
772+AND RESPONSE PLANS ; AND 11
840773
841- (ii) 2. for information technology procured by a State unit on or
842-after January 1, 2020, enforce the nonvisual access clause developed under [§ 3A–311] §
843-3.5–311 of this subtitle, including the enforcement of the civil penalty described in [§
844-3A–311(a)(2)(iii)1] § 3.5–311(A)(2)(III)1 of this subtitle.
774+ (II) IMPLEMENTING BEST PR ACTICES AND GUIDANCE 12
775+DEVELOPED BY THE DEPARTMENT ; AND 13
845776
846-3.5–307.
777+ (2) CONNECT LOCAL ENTITI ES TO APPROPRIATE RE SOURCES FOR 14
778+ANY OTHER PURPOSE RE LATED TO CYBERSECURI TY PREPAREDNESS AND 15
779+RESPONSE. 16
847780
848- (a) (2) A unit of State government other than a public institution of higher
849-education may not make expenditures for major information technology development
850-projects OR CYBERSECURITY PRO JECTS except as provided in [§ 3A–308] § 3.5–308 of
851-this subtitle.
781+ (D) THE OFFICE, IN COORDINATION WITH TH E MARYLAND DEPARTMENT 17
782+OF EMERGENCY MANAGEMENT , MAY: 18
852783
853-3.5–309.
784+ (1) CONDUCT REGIONAL EXE RCISES, AS NECESSARY , IN 19
785+COORDINATION WITH TH E NATIONAL GUARD, LOCAL EMERGENCY MANA GERS, AND 20
786+OTHER STATE AND LOCAL ENTIT IES; AND 21
854787
855- (c) The Secretary:
788+ (2) ESTABLISH REGIONAL ASSISTANCE GROUPS TO DELIVER OR 22
789+COORDINATE SUPPORT S ERVICES TO LOCAL POL ITICAL SUBDIVISIONS , AGENCIES, 23
790+OR REGIONS. 24
856791
857- (2) subject to the provisions of § 2–201 of this article and [§ 3A–307] §
858-3.5–307 of this subtitle, may receive and accept contributions, grants, or gifts of money or
859-property.
792+ (C) (E) (1) ON OR BEFORE DECEMBER 31 EACH YEAR, THE OFFICE 25
793+SHALL REPORT TO THE GOVERNOR AND , IN ACCORDANCE WITH § 2–1257 OF THE 26
794+STATE GOVERNMENT ARTICLE, THE SENATE BUDGET AND TAXATION COMMITTEE, 27
795+THE SENATE EDUCATION, HEALTH, AND ENVIRONMENTAL AFFAIRS COMMITTEE, 28
796+THE HOUSE APPROPRIATIONS COMMITTEE, THE HOUSE HEALTH AND 29
797+GOVERNMENT OPERATIONS COMMITTEE, AND THE JOINT COMMITTEE ON 30
798+CYBERSECURITY , INFORMATION TECHNOLOGY , AND BIOTECHNOLOGY ON THE 31
799+ACTIVITIES OF THE OFFICE AND THE STATE OF CYBERSECURITY PRE PAREDNESS IN 32
800+MARYLAND, INCLUDING: 33 18 SENATE BILL 754
860801
861- (i) The Fund may be used:
862802
863- (3) notwithstanding [§ 3A–301(b)(2)] § 3.5–301(B)(2) of this subtitle, for
864-the costs of the first 12 months of operation and maintenance of a major information
865-technology development project.
866803
867- (l) (1) Notwithstanding subsection (b) of this section and in accordance with
868-paragraph (2) of this subsection, money paid into the Fund under subsection (e)(2) of this
869-section shall be used to support:
804+ (1) (I) THE ACTIVITIES AND A CCOMPLISHMENTS OF TH E OFFICE 1
805+DURING THE PREVIOUS 12 MONTHS AT THE STATE AND LOCAL LEVELS; AND 2
870806
871- (i) the State telecommunication and computer network established
872-under [§ 3A–404] § 3.5–404 of this title, including program development for these
873-activities; and
807+ (2) (II) A COMPILATION AND AN ALYSIS OF THE DATA F ROM THE 3
808+INFORMATION CONTAINE D IN THE REPORTS REC EIVED BY THE OFFICE UNDER § 4
809+3.5–405 OF THIS TITLE, INCLUDING: 5
874810
875-3.5–311.
811+ (I) 1. A SUMMARY OF THE ISS UES IDENTIFIED BY TH E 6
812+CYBERSECURITY PREPAR EDNESS ASSESSMENTS CONDUCTE D THAT YEAR; 7
876813
877- (a) (2) On or after January 1, 2020, the nonvisual access clause developed in
878-accordance with paragraph (1) of this subsection shall include a statement that:
814+ (II) 2. THE STATUS OF VULNER ABILITY ASSESSMENTS OF 8
815+ALL UNITS OF STATE GOVERNMENT AND A TIMELINE FOR COMPL ETION AND COST 9
816+TO REMEDIATE ANY VUL NERABILITIES EXPOSED ; 10
879817
880- (i) within 18 months after the award of the procurement, the
881-Secretary, or the Secretary’s designee, will determine whether the information technology Ch. 241 2022 LAWS OF MARYLAND
818+ (III) 3. RECENT AUDIT FINDING S OF ALL UNITS OF STATE 11
819+GOVERNMENT AND OPTIO NS TO IMPROVE FINDIN GS IN FUTURE AUDITS , INCLUDING 12
820+RECOMMENDATIONS FOR STAFF, BUDGET, AND TIMING; 13
882821
883-– 20 –
884-meets the nonvisual access standards adopted in accordance with [§ 3A–303(b)] §
885-3.5–303(B) of this subtitle;
822+ (IV) 4. ANALYSIS OF THE STATE’S EXPENDITURE ON 14
823+CYBERSECURITY RELATI VE TO OVERALL INFORM ATION TECHNOLOGY SPEND ING 15
824+FOR THE PRIOR 3 YEARS AND RECOMMENDA TIONS FOR CHANGES TO THE BUDGET, 16
825+INCLUDING AMOUNT , PURPOSE, AND TIMING TO IMPROV E STATE AND LOCAL 17
826+CYBERSECURITY PREPAR EDNESS; 18
886827
887-3.5–315.
828+ (V) 5. EFFORTS TO SECURE FI NANCIAL SUPPORT FOR 19
829+CYBER RISK MITIGAT ION FROM FEDERAL OR OTHER NON–STATE RESOURCES ; 20
888830
889- (A) THERE IS AN INFORMATION SHARING AND ANALYSIS CENTER IN THE
890-DEPARTMENT .
831+ (VI) 6. KEY PERFORMANCE INDI CATORS ON THE 21
832+CYBERSECURITY STRATE GIES IN THE DEPARTMENT ’S INFORMATION TECHNO LOGY 22
833+MASTER PLAN , INCLUDING TIME , BUDGET, AND STAFF REQUIRED F OR 23
834+IMPLEMENTATION ; AND 24
891835
892- (B) THE INFORMATION SHARING AND ANALYSIS CENTER SHALL:
836+ (VII) 7. ANY ADDITIONAL RECOMME NDATIONS FOR 25
837+IMPROVING STATE AND LOCAL CYBER SECURITY PREPAREDNES S. 26
893838
894- (1) COORDINATE INFORMATI ON ON CYBERSECURITY BY SERVING AS
895-A CENTRAL LOCATION F OR INFORMATION SHARI NG ACROSS STATE AND LOCAL
896-GOVERNMENT , FEDERAL GOVERNMENT PARTNERS , AND PRIVATE ENTITIES ;
839+ (2) A REPORT SUBMITTED UND ER THIS SUBSECTION M AY NOT 27
840+CONTAIN INFORMATION THAT REVEALS CYBERSE CURITY VULNERABILITI ES AND 28
841+RISKS IN THE STATE. 29
897842
898- (2) WITH THE OFFICE OF SECURITY MANAGEMENT , SUPPORT
899-CYBERSECURITY COORDI NATION BETWEEN LOCAL UNITS OF GOVERNMENT
900-THROUGH EXISTING LOC AL GOVERNMENT STAKEH OLDER ORGANIZATIONS ;
843+3.5–301. 30
901844
902- (3) PROVIDE SUPPORT TO T HE STATE CHIEF INFORMATION
903-SECURITY OFFICER AND THE CYBER PREPAREDNESS UNIT, IN THE MARYLAND
904-DEPARTMENT OF EMERGENCY MANAGEMENT , DURING CYBERSECURITY
905-INCIDENTS THAT AFFEC T STATE AND LOCAL GOVER NMENTS;
845+ (a) In this subtitle the following words have the meanings indicated. 31
846+ SENATE BILL 754 19
906847
907- (4) SUPPORT RISK –BASED PLANNING FOR T HE USE OF FEDERAL
908-RESOURCES; AND
909848
910- (5) CONDUCT ANALYSES OF CYBERSECURITY INCIDE NTS.
849+ (j) “Nonvisual access” means the ability, through keyboard control, synthesized 1
850+speech, Braille, or other methods not requiring sight to receive, use, and manipulate 2
851+information and operate controls necessary to access information technology in accordance 3
852+with standards adopted under [§ 3A–303(b)] § 3.5–303(B) of this subtitle. 4
911853
912-3.5–404.
854+3.5–302. 5
913855
914- (a) The General Assembly declares that:
856+ (c) Notwithstanding any other provision of law, except as provided in subsection 6
857+(a) of this section and [§§ 3A–307(a)(2), 3A–308, and 3A–309] §§ 3.5–307(A)(2), 3.5–308, 7
858+AND 3.5–309 of this subtitle, this subtitle applies to all units of the Executive Branch of 8
859+State government including public institutions of higher education other than Morgan 9
860+State University, the University System of Maryland, St. Mary’s College of Maryland, and 10
861+Baltimore City Community College. 11
915862
916- (1) it is the policy of the State to foster telecommunication and computer
917-networking among State and local governments, their agencies, an d educational
918-institutions in the State;
863+3.5–303. 12
919864
920- (2) there is a need to improve access, especially in rural areas, to efficient
921-telecommunication and computer network connections;
865+ (c) On or before January 1, 2020, the Secretary, or the Secretary’s designee, shall: 13
922866
923- (3) improvement of telecommunication and computer networking for State
924-and local governments and educational institutions promotes economic development,
925-educational resource use and development, and efficiency in State and local administration;
926- LAWRENCE J. HOGAN, JR., Governor Ch. 241
867+ (2) establish a process for the Secretary or the Secretary’s designee to: 14
927868
928-– 21 –
929- (4) rates for the intrastate interLATA telephone communications needed
930-for effective integration of telecommunication and computer resources are prohibitive for
931-many smaller governments, agencies, and institutions; and
869+ (ii) 2. for information technology procured by a State unit on or 15
870+after January 1, 2020, enforce the nonvisual access clause developed under [§ 3A311] § 16
871+3.5–311 of this subtitle, including the enforcement of the civil penalty described in [§ 17
872+3A–311(a)(2)(iii)1] § 3.5–311(A)(2)(III)1 of this subtitle. 18
932873
933- (5) the use of improved State telecommunication and computer networking
934-under this section is intended not to compete with commercial access to advanced network
935-technology, but rather to foster fundamental efficiencies in government and education for
936-the public good.
874+3.5–307. 19
937875
938- (b) (1) The Department shall establish a telecommunication and computer
939-network in the State.
876+ (a) (2) A unit of State government other than a public institution of higher 20
877+education may not make expenditures for major information technology development 21
878+projects OR CYBERSECURITY PROJEC TS except as provided in [§ 3A–308] § 3.5–308 of 22
879+this subtitle. 23
940880
941- (2) The network shall consist of:
881+3.5–309. 24
942882
943- (i) one or more connection facilities for telecommunication and
944-computer connection in each local access transport area (LATA) in the State; and
883+ (c) The Secretary: 25
945884
946- (ii) facilities, auxiliary equipment, and services required to support
947-the network in a reliable and secure manner.
885+ (2) subject to the provisions of § 2–201 of this article and [§ 3A–307] § 26
886+3.5–307 of this subtitle, may receive and accept contributions, grants, or gifts of money or 27
887+property. 28
948888
949- (c) The network shall be accessible through direct connection and through local
950-intra–LATA telecommunications to State and local governments and public and private
951-educational institutions in the State.
889+ (i) The Fund may be used: 29
952890
953- (D) ON OR BEFORE DECEMBER 1 EACH YEAR IN A MANNER AND FREQU ENCY
954-ESTABLISHED IN REGUL ATIONS ADOPTED BY TH E DEPARTMENT , EACH UNIT OF THE
955-LEGISLATIVE OR JUDICIAL BRANCH OF STATE GOVERNMENT , EACH UNIT OF LOCAL
956-GOVERNMENT , AND ANY LOCAL AGENCI ES THAT USE THE NETW ORK ESTABLISHED
957-UNDER SUBSECTION (B) OF THIS SECTION SHAL L CERTIFY TO THE DEPARTMENT
958-THAT THE UNIT IS IN COMPLIANCE WITH THE DEPARTMENT ’S MINIMUM SECURITY
959-STANDARDS.
891+ (3) notwithstanding [§ 3A–301(b)(2)] § 3.5–301(B)(2) of this subtitle, for 30
892+the costs of the first 12 months of operation and maintenance of a major information 31
893+technology development project. 32
894+ 20 SENATE BILL 754
960895
961-3.5–405.
962896
963- (A) THIS SECTION DOES NOT APPLY TO MUNICIPAL G OVERNMENTS .
897+ (l) (1) Notwithstanding subsection (b) of this section and in accordance with 1
898+paragraph (2) of this subsection, money paid into the Fund under subsection (e)(2) of this 2
899+section shall be used to support: 3
964900
965- (B) ON OR BEFORE DECEMBER 1 EACH YEAR IN A MANNER AND FREQU ENCY
966-ESTABLISHED IN REGUL ATIONS ADOPTED BY TH E DEPARTMENT , EACH COUNTY
967-GOVERNMENT , LOCAL SCHOOL SYSTEM , AND LOCAL HEALTH DEP ARTMENT SHALL :
901+ (i) the State telecommunication and computer network established 4
902+under [§ 3A–404] § 3.5–404 of this title, including program development for these 5
903+activities; and 6
968904
969- (1) IN CONSULTATION WITH THE LOCAL EMERGENCY MANAGER,
970-CREATE OR UPDATE A C YBERSECURITY PREPAREDNESS AND RESPONSE PLAN AN D
971-SUBMIT THE PLAN TO T HE OFFICE OF SECURITY MANAGEMENT FOR APPROV AL;
972- Ch. 241 2022 LAWS OF MARYLAND
905+3.5–311. 7
973906
974-– 22 –
975- (2) COMPLETE A CYBERSECU RITY PREPAREDNESS AS SESSMENT AND
976-REPORT THE RESULTS T O THE OFFICE IN ACCORDANCE WITH GUIDELINES
977-DEVELOPED BY THE OFFICE; AND
907+ (a) (2) On or after January 1, 2020, the nonvisual access clause developed in 8
908+accordance with paragraph (1) of this subsection shall include a statement that: 9
978909
979- (3) REPORT TO THE OFFICE:
910+ (i) within 18 months after the award of the procurement, the 10
911+Secretary, or the Secretary’s designee, will determine whether the information technology 11
912+meets the nonvisual access standards adopted in accordance with [§ 3A–303(b)] § 12
913+3.5–303(B) of this subtitle; 13
980914
981- (I) THE NUMBER OF INFORM ATION TECHNOLOGY STA FF
982-POSITIONS, INCLUDING VACANCIES ;
915+3.5–315. 14
983916
984- (II) THE ENTITY’S CYBERSECURITY BUDG ET AND OVERALL
985-INFORMATION TECHNOLO GY BUDGET;
917+ (A) THERE IS AN INFORMATION SHARING AND ANALYSIS CENTER IN THE 15
918+DEPARTMENT . 16
986919
987- (III) THE NUMBER OF EMPLOY EES WHO HAVE RECEIVED
988-CYBERSECURITY TRAINI NG; AND
920+ (B) THE INFORMATION SHARING AND ANALYSIS CENTER SHALL: 17
989921
990- (IV) THE TOTAL NUMBER OF EMPLOYEES WITH ACCES S TO THE
991-ENTITY’S COMPUTER SYSTEMS A ND DATABASES .
922+ (1) COORDINATE INFORMATI ON ON CYBERSECURITY BY SERVING AS 18
923+A CENTRAL LOCATION F OR INFORMATION SHARI NG ACROSS STATE AND LOCAL 19
924+GOVERNMENT , FEDERAL GOVERNMENT P ARTNERS, AND PRIVATE ENTITIES ; 20
992925
993-4–308.
926+ (2) WITH THE OFFICE OF SECURITY MANAGEMENT , SUPPORT 21
927+CYBERSECURITY COORDI NATION BETWEEN LOCAL UNITS OF GOVERNMENT 22
928+THROUGH EXISTING LOC AL GOVERNMENT STAKEH OLDER ORGANIZATIONS ; 23
994929
995- (A) THE DEPARTMENT MAY ESTABL ISH A PROGRAM THAT L EVERAGES
996-STATE PURCHASING POWE R TO OFFER FAVORABLE RATES TO U NITS OF LOCAL
997-GOVERNMENT TO PROCUR E INFORMATION TECHNO LOGY OR CYBERSECURIT Y
998-SERVICES FROM CONTRA CTORS.
930+ (3) PROVIDE SUPPORT TO T HE STATE CHIEF INFORMATION 24
931+SECURITY OFFICER AND THE CYBER PREPAREDNESS UNIT, IN THE MARYLAND 25
932+DEPARTMENT OF EMERGENCY MANAGEMENT , DURING CYBERSECURITY 26
933+INCIDENTS THAT AFFEC T STATE AND LOCAL GOVER NMENTS; 27
999934
1000- (B) A UNIT OF LOCAL GOVERN MENT MAY NOT BE REQU IRED TO
1001-PARTICIPATE IN A PRO GRAM ESTABLISHED UND ER SUBSECTION (A) OF THIS
1002-SECTION.
935+ (4) SUPPORT RISK –BASED PLANNING FOR T HE USE OF FEDERAL 28
936+RESOURCES; AND 29
1003937
1004-6–226.
938+ (5) CONDUCT ANALYSES OF CYBERSECURITY INCIDE NTS. 30
1005939
1006- (a) (2) (i) Notwithstanding any other provision of law, and unless
1007-inconsistent with a federal law, grant agreement, or other federal requirement or with the
1008-terms of a gift or settlement agreement, net interest on all State money allocated by the
1009-State Treasurer under this section to special funds or accounts, and otherwise entitled to
1010-receive interest earnings, as accounted for by the Comptroller, shall accrue to the General
1011-Fund of the State.
940+3.5–404. 31
941+ SENATE BILL 754 21
1012942
1013- (ii) The provisions of subparagraph (i) of this paragraph do not apply
1014-to the following funds:
1015943
1016- 144. the Health Equity Resource Community Reserve Fund;
1017-[and]
1018- LAWRENCE J. HOGAN, JR., Governor Ch. 241
944+ (a) The General Assembly declares that: 1
1019945
1020-– 23 –
1021- 145. the Access to Counsel in Evictions Special Fund; AND
946+ (1) it is the policy of the State to foster telecommunication and computer 2
947+networking among State and local governments, their agencies, and educational 3
948+institutions in the State; 4
1022949
1023- 146. THE LOCAL CYBERSECURITY SUPPORT FUND.
950+ (2) there is a need to improve access, especially in rural areas, to efficient 5
951+telecommunication and computer network connections; 6
1024952
1025-12–107.
953+ (3) improvement of telecommunication and computer networking for State 7
954+and local governments and educational institutions promotes economic development, 8
955+educational resource use and development, and efficiency in State and local administration; 9
1026956
1027- (b) Subject to the authority of the Board, jurisdiction over procurement is as
1028-follows:
957+ (4) rates for the intrastate inter–LATA telephone communications needed 10
958+for effective integration of telecommunication and computer resources are prohibitive for 11
959+many smaller governments, agencies, and institutions; and 12
1029960
1030- (2) the Department of General Services may:
961+ (5) the use of improved State telecommunication and computer networking 13
962+under this section is intended not to compete with commercial access to advanced network 14
963+technology, but rather to foster fundamental efficiencies in government and education for 15
964+the public good. 16
1031965
1032- (i) engage in or control procurement of:
966+ (b) (1) The Department shall establish a telecommunication and computer 17
967+network in the State. 18
1033968
1034- 10. information processing equipment and associated
1035-services, as provided in Title [3A] 3.5, Subtitle 3 of this article; and
969+ (2) The network shall consist of: 19
1036970
1037- 11. telecommunication equipment, systems, or services, as
1038-provided in Title [3A] 3.5, Subtitle 4 of this article;
971+ (i) one or more connection facilities for telecommunication and 20
972+computer connection in each local access transport area (LATA) in the State; and 21
1039973
1040-Article – State Government
974+ (ii) facilities, auxiliary equipment, and services required to support 22
975+the network in a reliable and secure manner. 23
1041976
1042-2–1224.
977+ (c) The network shall be accessible through direct connection and through local 24
978+intra–LATA telecommunications to State and local governments and public and private 25
979+educational institutions in the State. 26
1043980
1044- (f) [After] EXCEPT AS PROVIDED IN SUBSECTION (I) OF THIS SECTION ,
1045-AFTER the expiration of any period that the Joint Audit and Evaluation Committee
1046-specifies, a report of the Legislative Auditor is available to the public under Title 4,
1047-Subtitles 1 through 5 of the General Provisions Article.
981+ (D) ON OR BEFORE DECEMBER 1 EACH YEAR IN A MANNER AND FREQUENCY 27
982+ESTABLISHED IN REGUL ATIONS ADOPTED BY TH E DEPARTMENT , EACH UNIT OF THE 28
983+LEGISLATIVE OR JUDICIAL BRANCH OF STATE GOVERNMENT , EACH UNIT OF LOCAL 29
984+GOVERNMENT , AND ANY LOCAL AGENCI ES THAT USE THE NETW ORK ESTABLISHED 30
985+UNDER SUBSECTION (B) OF THIS SECTION SHALL CERTIF Y TO THE DEPARTMENT 31
986+THAT THE UNIT IS IN COMPLIANCE WITH THE DEPARTMENT ’S MINIMUM SECURITY 32
987+STANDARDS. 33
1048988
1049- (I) A REPORT AUDITING A UN IT OF STATE OR LOCAL GOVERN MENT SHALL
1050-HAVE ANY CYBERSECURI TY FINDINGS REDACTED IN A MANNER CONSISTE NT WITH
1051-AUDITING BEST PRACTI CES BEFORE THE REPORT IS MADE AVAILABLE TO TH E
1052-PUBLIC.
989+3.5–405. 34 22 SENATE BILL 754
1053990
1054- SECTION 3. AND BE IT FURTHER ENACTED, That, on or before December 1,
1055-2022, the State Chief Information Security Officer and the Secretary of Emergency
1056-Management shall:
1057991
1058- (1) review the State budget for efficiency and effectiveness of funding and
1059-resources to ensure that the State is equipped to respond to a cybersecurity attack;
1060992
1061- (2) make recommendations for any changes to the budget needed to
1062-accomplish the goals under item (1) of this section;
993+ (A) THIS SECTION DOES NOT APPLY TO MUNICIPAL G OVERNMENTS . 1
1063994
1064- (3) establish guidance for units of State government on use and access to
1065-State funding related to cybersecurity preparedness; and
1066- Ch. 241 2022 LAWS OF MARYLAND
995+ (B) ON OR BEFORE DECEMBER 1 EACH YEAR IN A MANNER AND FREQUENCY 2
996+ESTABLISHED IN REGUL ATIONS ADOPTED BY TH E DEPARTMENT , EACH COUNTY 3
997+GOVERNMENT , LOCAL SCHOOL SYSTEM , AND LOCAL HEALTH DEP ARTMENT SHALL : 4
1067998
1068-– 24 –
1069- (4) report any recommendations and guidance to the Governor and, in
1070-accordance with § 2–1257 of the State Government Article, the General Assembly.
999+ (1) IN CONSULTATION WITH THE LOCAL EMERGENCY MANAGER, 5
1000+CREATE OR UPDATE A C YBERSECURITY PREPARE DNESS AND RESP ONSE PLAN AND 6
1001+SUBMIT THE PLAN TO T HE OFFICE OF SECURITY MANAGEMENT FOR APPROV AL; 7
10711002
1072- SECTION 4. AND BE IT FURTHER ENACTED, That:
1003+ (2) COMPLETE A CYBERSECU RITY PREPAREDNESS AS SESSMENT AND 8
1004+REPORT THE RESULTS T O THE OFFICE IN ACCORDANCE WITH GUIDELINES 9
1005+DEVELOPED BY THE OFFICE; AND 10
10731006
1074- (a) On or before December 1, 2023, the State Chief Information Security Officer
1075-shall:
1007+ (3) REPORT TO THE OFFICE: 11
10761008
1077- (1) commission a feasibility study on expanding the operations of the State
1078-Security Operations Center operated by the Department of Information Technology to
1079-include cybersecurity monitoring and alert services for units of local government; and
1009+ (I) THE NUMBER OF INFORM ATION TECHNOLOGY STA FF 12
1010+POSITIONS, INCLUDING VACANCIES ; 13
10801011
1081- (2) report any recommendations to the Governor and, in accordance with §
1082-2–1257 of the State Government Article, the General Assembly.
1012+ (II) THE ENTITY’S CYBERSECURITY BUDG ET AND OVERALL 14
1013+INFORMATION TECHNOLO GY BUDGET; 15
10831014
1084- (b) For fiscal year 2024, the Governor shall include an appropriation in the
1085-annual budget to cover the cost of the feasibility study required under subsection (a) of this
1086-section.
1015+ (III) THE NUMBER OF EMPLOY EES WHO HAVE RECEIVE D 16
1016+CYBERSECURITY TRAINI NG; AND 17
10871017
1088- SECTION 5. AND BE IT FURTHER ENACTED, That this Act shall take effect July
1089-1, 2022.
1018+ (IV) THE TOTAL NUMBER OF EMPLOYEES WITH ACCES S TO THE 18
1019+ENTITY’S COMPUTER SYSTEMS A ND DATABASES . 19
10901020
1091- SECTION 5. AND BE IT FURTHER ENACTED, That:
1021+4–308. 20
10921022
1093- (a) (1) On or before June 30, 2023, each unit of local government shall certify
1094-to the Office of Security Management compliance with State minimum cybersecurity
1095-standards established by the Department of Information Technology.
1023+ (A) THE DEPARTMENT MAY ESTABL ISH A PROGRAM THAT L EVERAGES 21
1024+STATE PURCHASING POWE R TO OFFER FAVORABLE RATES TO UNITS OF LO CAL 22
1025+GOVERNMENT TO PROCU RE INFORMATION TECHN OLOGY OR CYBERSECURI TY 23
1026+SERVICES FROM CONTRA CTORS. 24
10961027
1097- (2) Certification shall be reviewed by independent auditors, and any
1098-findings must be remediated.
1028+ (B) A UNIT OF LOCAL GOVERN MENT MAY NOT BE REQU IRED TO 25
1029+PARTICIPATE IN A PRO GRAM ESTABLISHED UND ER SUBSECTION (A) OF THIS 26
1030+SECTION. 27
10991031
1100- (b) If a unit of local government has not remediated any findings pertaining to
1101-State cybersecurity standards found by the independent audit required under subsection
1102-(1) of this section by July 1, 2024, the Office of Security Management shall assume
1103-responsibility for a unit’s cybersecurity through a shared service agreement, administrative
1104-privileges, or access to Network Maryland notwithstanding any federal law or regulation
1105-that forbids the Office of Security Management from managing a specific system provide
1106-guidance for the unit to achieve compliance with the cybersecurity standards.
1032+6–226. 28
11071033
1108- SECTION 6. AND BE IT FURTHER ENACTED, That for fiscal year 2023, funds
1109-from the Dedicated Purpose Account may be transfe rred by budget amendment in
1110-accordance with § 7–310 of the State Finance and Procurement Article to implement this
1111-Act.
1034+ (a) (2) (i) Notwithstanding any other provision of law, and unless 29
1035+inconsistent with a federal law, grant agreement, or other federal requirement or with the 30 SENATE BILL 754 23
11121036
1113- SECTION 7. AND BE IT FURTHER ENACTED, That:
1114- LAWRENCE J. HOGAN, JR., Governor Ch. 241
11151037
1116-– 25 –
1117- (a) On or before June October 1, 2022, the State Chief Information Security
1118-Officer shall establish guidelines to determine when a cybersecurity incident shall be
1119-disclosed to the public.
1038+terms of a gift or settlement agreement, net interest on all State money allocated by the 1
1039+State Treasurer under this section to special funds or accounts, and otherwise entitled to 2
1040+receive interest earnings, as accounted for by the Comptroller, shall accrue to the General 3
1041+Fund of the State. 4
11201042
1121- (b) On or before November 1, 2022, the State Chief Information Security Officer
1122-shall submit a report on the guidelines established under subsection (a) of this section to
1123-the Governor and, in accordance with § 2–1257 of the State Government Article, the House
1124-Health and Government Operations Committee and the Senate Education, Health, and
1125-Environmental Affairs Committee.
1043+ (ii) The provisions of subparagraph (i) of this paragraph do not apply 5
1044+to the following funds: 6
11261045
1127- SECTION 8. AND BE IT FURTHER ENACTED, That this Act is an emergency
1128-measure, is necessary for the immediate preservation of the public health or safety, has
1129-been passed by a yea and nay vote supported by three–fifths of all the members elected to
1130-each of the two Houses of the General Assembly, and shall take effect from the date it is
1131-enacted.
1046+ 144. the Health Equity Resource Community Reserve Fund; 7
1047+[and] 8
11321048
1133-Approved by the Governor, May 12, 2022.
1049+ 145. the Access to Counsel in Evictions Special Fund; AND 9
1050+
1051+ 146. THE LOCAL CYBERSECURITY SUPPORT FUND. 10
1052+
1053+12–107. 11
1054+
1055+ (b) Subject to the authority of the Board, jurisdiction over procurement is as 12
1056+follows: 13
1057+
1058+ (2) the Department of General Services may: 14
1059+
1060+ (i) engage in or control procurement of: 15
1061+
1062+ 10. information processing equipment and associated 16
1063+services, as provided in Title [3A] 3.5, Subtitle 3 of this article; and 17
1064+
1065+ 11. telecommunication equipment, systems, or services, as 18
1066+provided in Title [3A] 3.5, Subtitle 4 of this article; 19
1067+
1068+Article – State Government 20
1069+
1070+2–1224. 21
1071+
1072+ (f) [After] EXCEPT AS PROVIDED IN SUBSECTION (I) OF THIS SECTION , 22
1073+AFTER the expiration of any period that the Joint Audit and Evaluation Committee 23
1074+specifies, a report of the Legislative Auditor is available to the public under Title 4, 24
1075+Subtitles 1 through 5 of the General Provisions Article. 25
1076+
1077+ (I) A REPORT AUDITING A UN IT OF STATE OR LOCAL GOVERN MENT SHALL 26
1078+HAVE ANY CYBERSECURI TY FINDINGS REDACTED IN A MANNER CONSISTE NT WITH 27
1079+AUDITING BEST PRACTI CES BEFORE THE REPORT IS MADE AVAILABLE TO TH E 28
1080+PUBLIC. 29
1081+ 24 SENATE BILL 754
1082+
1083+
1084+ SECTION 3. AND BE IT FURTHER ENACTED, That, on or before December 1, 1
1085+2022, the State Chief Information Security Officer and the Secretary of Emergency 2
1086+Management shall: 3
1087+
1088+ (1) review the State budget for efficiency and effectiveness of funding and 4
1089+resources to ensure that the State is equipped to respond to a cybersecurity attack; 5
1090+
1091+ (2) make recommendations for any changes to the budget needed to 6
1092+accomplish the goals under item (1) of this section; 7
1093+
1094+ (3) establish guidance for units of State government on use and access to 8
1095+State funding related to cybersecurity preparedness; and 9
1096+
1097+ (4) report any recommendations and guidance to the Governor and, in 10
1098+accordance with § 2–1257 of the State Government Article, the General Assembly. 11
1099+
1100+ SECTION 4. AND BE IT FURTHER ENACTED, That: 12
1101+
1102+ (a) On or before December 1, 2023, the State Chief Information Security Officer 13
1103+shall: 14
1104+
1105+ (1) commission a feasibility study on expanding the operations of the State 15
1106+Security Operations Center operated by the Department of Information Technology to 16
1107+include cybersecurity monitoring and alert services for units of local government; and 17
1108+
1109+ (2) report any recommendations to the Governor and, in accordance with § 18
1110+2–1257 of the State Government Article, the General Assembly. 19
1111+
1112+ (b) For fiscal year 2024, the Governor shall include an appropriation in the 20
1113+annual budget to cover the cost of the feasibility study required under subsection (a) of this 21
1114+section. 22
1115+
1116+ SECTION 5. AND BE IT FURTHER ENACTED, That this Act shall take effect July 23
1117+1, 2022. 24
1118+
1119+ SECTION 5. AND BE IT FURTHER ENACTED, That: 25
1120+
1121+ (a) (1) On or before June 30, 2023, each unit of local government shall certify 26
1122+to the Office of Security Management compliance with State minimum cybersecurity 27
1123+standards established by the Department of Information Technology. 28
1124+
1125+ (2) Certification shall be reviewed by independent auditors, and any 29
1126+findings must be remediated. 30
1127+
1128+ (b) If a unit of local government has not remediated any findings pertaining to 31
1129+State cybersecurity standards found by the independent audit required under subsection 32
1130+(1) of this section by July 1, 2024, the Office of Security Management shall assume 33 SENATE BILL 754 25
1131+
1132+
1133+responsibility for a unit’s cybersecurity through a shared service agreement, administrative 1
1134+privileges, or access to Network Maryland notwithstanding any federal law or regulation 2
1135+that forbids the Office of Security Management from managing a specific system provide 3
1136+guidance for the unit to achieve compliance with the cybersecurity standards. 4
1137+
1138+ SECTION 6. AND BE IT FURTHER ENACTED, That for fiscal year 2023, funds 5
1139+from the Dedicated Purpose Account may be transferred by budget amendment in 6
1140+accordance with § 7–310 of the State Finance and Procurement Article to implement this 7
1141+Act. 8
1142+
1143+ SECTION 7. AND BE IT FURTHER ENACTED, That: 9
1144+
1145+ (a) On or before June October 1, 2022, the State Chief Information Security 10
1146+Officer shall establish guidelines to determine when a cybersecurity incident shall be 11
1147+disclosed to the public. 12
1148+
1149+ (b) On or before November 1, 2022, the State Chief Information Security Officer 13
1150+shall submit a report on the guidelines established under subsection (a) of this section to 14
1151+the Governor and, in accordance with § 2–1257 of the State Government Article, the House 15
1152+Health and Government Operations Committee and the Senate Education, Health, and 16
1153+Environmental Affairs Committee. 17
1154+
1155+ SECTION 8. AND BE IT FURTHER ENACTED, That this Act is an emergency 18
1156+measure, is necessary for the immediate preservation of the public health or safety, has 19
1157+been passed by a yea and nay vote supported by three–fifths of all the members elected to 20
1158+each of the two Houses of the General Assembly, and shall take effect from the date it is 21
1159+enacted. 22
1160+
1161+
1162+
1163+
1164+
1165+
1166+
1167+Approved:
1168+________________________________________________________________________________
1169+ Governor.
1170+________________________________________________________________________________
1171+ President of the Senate.
1172+________________________________________________________________________________
1173+ Speaker of the House of Delegates.
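Review bot: In SECTION 5(b) (new lines 1128 to 1136) one subject carries two predicates, "shall assume responsibility for a unit's cybersecurity through a shared service agreement, administrative privileges, or access to Network Maryland ..." and "provide guidance for the unit to achieve compliance with the cybersecurity standards". These describe very different levels of State authority over a local unit's systems, and the text as rendered does not show which one is operative. The same sentence cites "subsection (1) of this section" for the independent audit, while the audit requirement is lettered (a)(2). Two further spots are ambiguous in the same way: the two consecutive "SECTION 5" clauses at new lines 1116 and 1119, and "On or before June October 1, 2022" in SECTION 7(a). Each should display only the surviving wording, or visibly mark the stricken text.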