LAWRENCE J. HOGAN, JR., Governor Ch. 241
– 1 –
Chapter 241
(Senate Bill 754)
AN ACT concerning
Local Government Cybersecurity – Coordination and Operations
(Local Cybersecurity Support Act of 2022)
FOR the purpose of establishing the Cyber Preparedness Unit in the Maryland Department
of Emergency Management; establishing certain responsibilities of the Unit;
requiring certain local entities local governments to report certain cybersecurity
incidents in a certain manner and under certain circumstances; requiring the
Maryland Joint Operations Center State Security Operations Center to notify
appropriate agencies of a cybersecurity incident in a certain manner; establishing
the Cybersecurity Fusion Center in the Maryland Department of Emergency
Management; establishing certain responsibilities of the Fusion Center; establishing
the Local Cybersecurity Support Fund, the purposes of the Fund, and certain
eligibility requirements to receive assistance from the Fund; establishing the Office
of Security Management within the Department of Information Technology and
certain Office positions; establishing certain responsibilities and authority of the
Office; requiring each unit of the Legislative or Judicial Branch of State government,
each unit of local government, and any local agencies that use a certain network to
certify certain compliance to the Department of Information Technology on or before
a certain date each year; requiring certain local entities to submit a certain report to
the Office on or before a certain date each year; in a certain manner; requiring the
Office to submit a certain report to the Governor and certain committees of the
General Assembly on or before a certain date each year; requiring the Office to
submit a certain report to the Governor and certain committees of the General
Assembly on or before a certain date each year; establishing the Information Sharing
and Analysis Center in the Department of Information Technology; establishing
certain responsibilities for the Center; requiring the State Chief Information
Security Officer and the Secretary of Emergency Management to conduct a certain
review, make recommendations, establish certain guidance, and submit a certain
report on or before a certain date; requiring the State Chief Information Security
Officer to commission a certain feasibility study and report recommendations on or
before a certain date; requiring the Governor to include an appropriation in a certain
annual budget to cover the cost of the feasibility study; authorizing funds to be
transferred by budget amendment from the Dedicated Purpose Account in a certain
fiscal year to implement the Act; and generally relating to local government
cybersecurity coordination and operations.
BY renumbering
Article – State Finance and Procurement
Section 3A–101 through 3A–702, respectively, and the title “Title 3A. Department of
Information Technology” Ch. 241 2022 LAWS OF MARYLAND
– 2 –
to be Section 3.5–101 through 3.5–702, respectively, and the title “Title 3.5.
Department of Information Technology”
Annotated Code of Maryland
(2021 Replacement Volume)
BY repealing and reenacting, with amendments,
Article – Criminal Procedure
Section 10–221(b)
Annotated Code of Maryland
(2018 Replacement Volume and 2021 Supplement)
BY repealing and reenacting, with amendments,
Article – Health – General
Section 21–2C–03(h)(2)(i)
Annotated Code of Maryland
(2019 Replacement Volume and 2021 Supplement)
BY repealing and reenacting, with amendments,
Article – Human Services
Section 7–806(a), (b)(1), (c)(1), (d)(1) and (2)(i), and (g)(1)
Annotated Code of Maryland
(2019 Replacement Volume and 2021 Supplement)
BY repealing and reenacting, with amendments,
Article – Insurance
Section 31–103(a)(2)(i) and (b)(2)
Annotated Code of Maryland
(2017 Replacement Volume and 2021 Supplement)
BY repealing and reenacting, with amendments,
Article – Natural Resources
Section 1–403(c)
Annotated Code of Maryland
(2018 Replacement Volume and 2021 Supplement)
BY repealing and reenacting, without amendments,
Article – Public Safety
Section 14–103
Annotated Code of Maryland
(2018 Replacement Volume and 2021 Supplement)
BY adding to
Article – Public Safety
Section 14–104.1
Annotated Code of Maryland
(2018 Replacement Volume and 2021 Supplement) LAWRENCE J. HOGAN, JR., Governor Ch. 241
– 3 –
BY repealing and reenacting, without amendments,
Article – State Finance and Procurement
Section 3.5–101(a) and (e) and 3.5–301(a)
Annotated Code of Maryland
(2021 Replacement Volume)
(As enacted by Section 1 of this Act)
BY adding to
Article – State Finance and Procurement
Section 3.5–2A–01 through 3.5–2A–04 to be under the new subtitle “Subtitle 2A.
Office of Security Management”; and 3.5–315, 3.5–405, and 4–308 and
6–226(a)(2)(ii)146.
Annotated Code of Maryland
(2021 Replacement Volume)
BY repealing and reenacting, with amendments,
Article – State Finance and Procurement
Section 3.5–301(j), 3.5–302(c), 3.5–303(c)(2)(ii)2., 3.5–307(a)(2), 3.5–309(c)(2), (i)(3),
and (l)(1)(i), 3.5–311(a)(2)(i), and 3.5–404
Annotated Code of Maryland
(2021 Replacement Volume)
(As enacted by Section 1 of this Act)
BY repealing and reenacting, without amendments,
Article – State Finance and Procurement
Section 6–226(a)(2)(i)
Annotated Code of Maryland
(2021 Replacement Volume)
BY repealing and reenacting, with amendments,
Article – State Finance and Procurement
Section 6–226(a)(2)(ii)144. and 145. and 12–107(b)(2)(i)10. and 11.
Annotated Code of Maryland
(2021 Replacement Volume)
BY repealing and reenacting, with amendments,
Article – State Government
Section 2–1224(f)
Annotated Code of Maryland
(2021 Replacement Volume)
BY adding to
Article – State Government
Section 2–1224(i)
Annotated Code of Maryland Ch. 241 2022 LAWS OF MARYLAND
– 4 –
(2021 Replacement Volume)
SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND,
That Section(s) 3A–101 through 3A–702, respectively, and the title “Title 3A. Department
of Information Technology” of Article – State Finance and Procurement of the Annotated
Code of Maryland be renumbered to be Section(s) 3.5–101 through 3.5–702, respectively,
and the title “Title 3.5. Department of Information Technology”.
SECTION 2. AND BE IT FURTHER ENACTED, That the Laws of Maryland read
as follows:
Article – Criminal Procedure
10–221.
(b) Subject to Title [3A] 3.5, Subtitle 3 of the State Finance and Procurement
Article, the regulations adopted by the Secretary under subsection (a)(1) of this section and
the rules adopted by the Court of Appeals under subsection (a)(2) of this section shall:
(1) regulate the collection, reporting, and dissemination of criminal history
record information by a court and criminal justice units;
(2) ensure the security of the criminal justice information system and
criminal history record information reported to and collected from it;
(3) regulate the dissemination of criminal history record information in
accordance with Subtitle 1 of this title and this subtitle;
(4) regulate the procedures for inspecting and challenging criminal history
record information;
(5) regulate the auditing of criminal justice units to ensure that criminal
history record information is:
(i) accurate and complete; and
(ii) collected, reported, and disseminated in accordance with Subtitle
1 of this title and this subtitle;
(6) regulate the development and content of agreements between the
Central Repository and criminal justice units and noncriminal justice units; and
(7) regulate the development of a fee schedule and provide for the collection
of the fees for obtaining criminal history record information for other than criminal justice
purposes.
LAWRENCE J. HOGAN, JR., Governor Ch. 241
– 5 –
Article – Health – General
21–2C–03.
(h) (2) The Board is subject to the following provisions of the State Finance
and Procurement Article:
(i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent
that the Secretary of Information Technology determines that an information technology
project of the Board is a major information technology development project;
Article – Human Services
7–806.
(a) (1) Subject to paragraph (2) of this subsection, the programs under §
7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State
Finance and Procurement Article shall be funded as provided in the State budget.
(2) For fiscal year 2019 and each fiscal year thereafter, the program under
[§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall be funded at an
amount that:
(i) is equal to the cost that the Department of Aging is expected to
incur for the upcoming fiscal year to provide the service and administer the program; and
(ii) does not exceed 5 cents per month for each account out of the
surcharge amount authorized under subsection (c) of this section.
(b) (1) There is a Universal Service Trust Fund created for the purpose of
paying the costs of maintaining and operating the programs under:
(i) § 7–804(a) of this subtitle, subject to the limitations and controls
provided in this subtitle;
(ii) § 7–902(a) of this title, subject to the limitations and controls
provided in Subtitle 9 of this title; and
(iii) [§ 3A–702] § 3.5–702 of the State Finance and Procurement
Article, subject to the limitations and controls provided in Title [3A] 3.5, Subtitle 7 of the
State Finance and Procurement Article.
(c) (1) The costs of the programs under § 7–804(a) of this subtitle, § 7–902(a)
of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall
be funded by revenues generated by:
Ch. 241 2022 LAWS OF MARYLAND
– 6 –
(i) a surcharge to be paid by the subscribers to a communications
service; and
(ii) other funds as provided in the State budget.
(d) (1) The Secretary shall annually certify to the Public Service Commission
the costs of the programs under § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§
3A–702] § 3.5–702 of the State Finance and Procurement Article to be paid by the
Universal Service Trust Fund for the following fiscal year.
(2) (i) The Public Service Commission shall determine the surcharge
for the following fiscal year necessary to fund the programs under § 7–804(a) of this subtitle,
§ 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement
Article.
(g) (1) The Legislative Auditor may conduct postaudits of a fiscal and
compliance nature of the Universal Service Trust Fund and the expenditures made for
purposes of § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of
the State Finance and Procurement Article.
Article – Insurance
31–103.
(a) The Exchange is subject to:
(2) the following provisions of the State Finance and Procurement Article:
(i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent
that the Secretary of Information Technology determines that an information technology
project of the Exchange is a major information technology development project;
(b) The Exchange is not subject to:
(2) Title [3A] 3.5, Subtitle 3 (Information Processing) of the State Finance
and Procurement Article, except to the extent determined by the Secretary of Information
Technology under subsection (a)(2)(i) of this section;
Article – Natural Resources
1–403.
(c) The Department shall develop the electronic system consistent with the
statewide information technology master plan developed under Title [3A] 3.5, Subtitle 3 of
the State Finance and Procurement Article. LAWRENCE J. HOGAN, JR., Governor Ch. 241
– 7 –
Article – Public Safety
14–103.
(a) There is a Maryland Department of Emergency Management established as a
principal department of the Executive Branch of State government.
(b) The Department has primary responsibility and authority for developing
emergency management policies and is responsible for coordinating disaster risk reduction,
consequence management, and disaster recovery activities.
(c) The Department may act to:
(1) reduce the disaster risk and vulnerability of persons and property
located in the State;
(2) develop and coordinate emergency planning and preparedness; and
(3) coordinate emergency management activities and operations:
(i) relating to an emergency that involves two or more State
agencies;
(ii) between State agencies and political subdivisions;
(iii) with local governments;
(iv) with agencies of the federal government and other states; and
(v) with private and nonprofit entities.
14–104.1.
(A) (1) IN THIS SECTION THE F OLLOWING WORDS HAVE THE MEANINGS
INDICATED.
(2) “FUND” MEANS THE LOCAL CYBERSECURITY SUPPORT FUND.
(3) “FUSION CENTER” MEANS THE CYBERSECURITY FUSION
CENTER.
(4) (2) “LOCAL GOVERNMENT ” INCLUDES LOCAL SCHOO L
SYSTEMS, LOCAL SCHOOL BOARDS , AND LOCAL HEALTH DEP ARTMENTS.
(5) (3) “UNIT” MEANS THE CYBER PREPAREDNESS UNIT. Ch. 241 2022 LAWS OF MARYLAND
– 8 –
(B) (1) THERE IS A CYBER PREPAREDNESS UNIT IN THE DEPARTMENT .
(2) IN COORDINATION WITH THE STATE CHIEF INFORMATION
SECURITY OFFICER, THE UNIT SHALL:
(I) SUPPORT LOCAL GOVERN MENTS IN DEVELOPING A
VULNERABILITY ASSESS MENT AND CYBER ASSES SMENT THROUGH THE MARYLAND
NATIONAL GUARD’S INNOVATIVE READINESS TRAINING PROGRAM OR THE U.S.
DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AND INFRASTRUCTURE
SECURITY AGENCY, INCLUDING PROVIDING LOCAL GOVERNMENTS WI TH THE
RESOURCES AND INFORM ATION ON BEST PRACTI CES TO COMPLETE THE
ASSESSMENTS ;
(II) DEVELOP AND REGULARL Y UPDATE AN ONLINE D ATABASE
OF CYBERSECURITY TRA INING RESOURCES FOR LOCAL GOVERNMENT PER SONNEL,
INCLUDING TECHNICAL TRAINING RESOURCES, CYBERSECURITY CONTIN UITY OF
OPERATIONS TEMPLATES , CONSEQUENCE MANAGEME NT PLANS, AND TRAININGS ON
MALWARE AND RANSOMWA RE DETECTION ;
(III) ESTABLISH AND PROVID E STAFF FOR A STATEW IDE
HELPLINE TO PROVIDE REAL–TIME EMERGENC Y ASSISTANCE AND RES OURCE
INFORMATION TO ANY L OCAL GOVERNMENT THAT HAS EXPERIENCED A CY BER
INCIDENT OR ATTACK ;
(IV) (III) ASSIST LOCAL GOVERNM ENTS IN:
1. THE DEVELOPMENT OF C YBERSECURITY
PREPAREDNESS AND RES PONSE PLANS; AND
2. IMPLEMENTING BEST PRACTICES AND G UIDANCE
DEVELOPED BY THE STATE CHIEF INFORMATION SECURITY OFFICER; AND
3. IDENTIFYING AND ACQU IRING RESOURCES TO
COMPLETE APPROPRIATE CYBERSECURITY VULNER ABILITY ASSESSMENTS ;
(V) (IV) CONNECT LOCAL GOVERN MENTS TO APPROPRIATE
RESOURCES FOR ANY OT HER PURPOSE RELATED TO CYBERSECURITY
PREPAREDNESS AND RES PONSE;
(VI) DEVELOP APPROPRIATE REPORTS ON LOCAL
CYBERSECURITY PREPAR EDNESS;
LAWRENCE J. HOGAN, JR., Governor Ch. 241
– 9 –
(VII) (V) AS NECESSARY AND IN COORDINATION WITH TH E
NATIONAL GUARD, LOCAL EMERGENCY MANAGERS, AND OTHER STATE AND LOCAL
ENTITIES, CONDUCT REGIONAL CYB ERSECURITY PREPAREDN ESS EXERCISES; AND
(VIII) (VI) ESTABLISH REGIONAL A SSISTANCE GROUPS TO
DELIVER AND COORDINA TE SUPPORT SERVICES TO LOCAL GOVERNMENTS ,
AGENCIES, OR REGIONS.
(3) THE UNIT SHALL SUPPORT TH E OFFICE OF SECURITY
MANAGEMENT IN THE DEPARTMENT OF INFORMATION TECHNOLOGY DURING
EMERGENCY RESPONSE E FFORTS.
(C) (1) EACH LOCAL GOVERNMENT SHALL REPORT A CYBER SECURITY
INCIDENT, INCLUDING AN ATTACK ON A STATE SYSTEM BEING US ED BY THE LOCAL
GOVERNMENT , TO THE APPROPRIATE L OCAL EMERGENCY MANAG ER AND THE
STATE SECURITY OPERATIONS CENTER IN THE DEPARTMENT OF INFORMATION
TECHNOLOGY TO THE MARYLAND JOINT OPERATIONS CENTER IN THE
DEPARTMENT IN ACCORDA NCE WITH PARAGRAPH (2) OF THIS SUBSEC TION.
(2) FOR THE REPORTING OF CYBERSECURITY INCIDE NTS UNDER
PARAGRAPH (1) OF THIS SUBSECTION , THE DEPARTMENT STATE CHIEF
INFORMATION SECURITY OFFICER SHALL DETERMINE :
(I) THE CRITERIA FOR DET ERMINING WHEN AN INC IDENT MUST
BE REPORTED ;
(II) THE MANNER IN WHICH TO REPORT; AND
(III) THE TIME PERIOD WITH IN WHICH A REPORT MU ST BE MADE.
(3) THE MARYLAND JOINT OPERATIONS CENTER STATE SECURITY
OPERATIONS CENTER SHALL IMMEDIATELY NOTIFY APPROPRIATE A GENCIES OF A
CYBERSECURITY INCIDE NT REPORTE D UNDER THIS SUBSECT ION THROUGH THE
STATE SECURITY OPERATIONS CENTER.
(D) (1) FIVE POSITION IDENTIFICATION NUMBERS (PINS) SHALL BE
CREATED FOR THE PURP OSE OF HIRING STAFF TO CONDUCT THE DUTIE S OF THE
MARYLAND DEPARTMENT OF EMERGENCY MANAGEMENT CYBERSECU RITY
PREPAREDNESS UNIT.
(2) FOR FISCAL YEAR 2024 AND EACH FISCAL YEAR THEREAFTER ,
THE GOVERNOR SHALL INCLUD E IN THE ANNUAL BUDG ET BILL AN APPROPRIA TION
OF AT LEAST:
Ch. 241 2022 LAWS OF MARYLAND
– 10 –
(I) $220,335 FOR 3 PINS FOR ADMINISTRATOR III POSITIONS;
AND
(II) $137,643 FOR 2 PINS FOR ADMINISTRATOR II POSITIONS.
(D) (1) THERE IS A CYBERSECURITY FUSION CENTER IN THE
DEPARTMENT .
(2) THE FUSION CENTER SHALL:
(I) COORDINATE INFORMATI ON ON CYBERSECURITY BY
SERVING AS A CENTRAL LOCATION FOR INFORMA TION SHARING ACROSS STATE AND
LOCAL GOVERNMENT , FEDERAL GOVERNMENT P ARTNERS, AND PRIVATE ENTITIES ;
(II) WITH THE OFFICE OF SECURITY MANAGEMENT IN THE
DEPARTMENT OF INFORMATION TECHNOLOGY , SUPPORT CYBERSECURIT Y
COORDINATION BETWEEN LOCAL UNITS OF GOVER NMENT THROUGH EXISTI NG
LOCAL GOVERNMENT STAKE HOLDER ORGANIZATIONS ;
(III) PROVIDE SUPPORT TO T HE STATE CHIEF INFORMATION
SECURITY OFFICER AND THE UNIT DURING CYBERSECU RITY INCIDENTS THAT
AFFECT STATE AND LOCAL GOVER NMENTS;
(IV) SUPPORT RISK –BASED PLANNING FOR T HE USE OF
FEDERAL RESOURCES ; AND
(V) CONDUCT ANALYSIS OF CYBERSECURITY INCIDE NTS.
(E) (1) THERE IS A LOCAL CYBERSECURITY SUPPORT FUND.
(2) THE PURPOSE OF THE FUND IS TO:
(I) PROVIDE FINANCIAL AS SISTANCE TO LOCAL GO VERNMENTS
TO IMPROVE CYBERSECU RITY PREPAREDNESS, INCLUDING:
1. UPDATING CURRENT DEV ICES AND NETWORKS WI TH
THE MOST UP–TO–DATE CYBERSECURITY P ROTECTIONS;
2. SUPPORTING THE PURCH ASE OF NEW HARDWARE ,
SOFTWARE, DEVICES, AND FIREWALLS TO IMP ROVE CYBERSECURITY
PREPAREDNESS ;
3. RECRUITING AND HIRIN G INFORMATION
TECHNOLOGY STAFF FOC USED ON CYBERSECURIT Y; AND LAWRENCE J. HOGAN, JR., Governor Ch. 241
– 11 –
4. PAYING OUTSIDE VENDO RS FOR CYBERSECURITY
STAFF TRAINING ; AND
(II) ASSIST LOCAL GOVERNM ENTS APPLYING FOR FE DERAL
CYBERSECURITY PREPAR EDNESS GRANTS .
(3) THE SECRETARY SHALL ADMIN ISTER THE FUND.
(4) (I) THE FUND IS A SPECIAL, NONLAPSING FUND THAT IS NOT
SUBJECT TO § 7–302 OF THE STATE FINANCE AND PROCUREMENT ARTICLE.
(II) THE STATE TREASURER SHALL HOLD THE FUND
SEPARATELY, AND THE COMPTROLLER SHALL ACCOUNT FOR THE FUND.
(5) THE FUND CONSISTS OF :
(I) MONEY APPROPRIATED I N THE STATE BUDGET TO THE
FUND;
(II) INTEREST EARNINGS ; AND
(III) ANY OTHER MONEY FROM ANY OTHER SOURCE ACC EPTED
FOR THE BENEFIT OF T HE FUND.
(6) THE FUND MAY BE US ED ONLY:
(I) TO PROVIDE FINANCIAL ASSISTANCE TO LOCAL
GOVERNMENTS TO IMPRO VE CYBERSECURITY PRE PAREDNESS, INCLUDING:
1. UPDATING CURRENT DEV ICES AND NETWORKS WI TH
THE MOST UP–TO–DATE CYBERSECURITY P ROTECTIONS;
2. SUPPORTING THE PURCH ASE OF NEW HARDWARE ,
SOFTWARE, DEVICES, AND FIREWALLS TO IMP ROVE CYBERSECURITY
PREPAREDNESS ;
3. RECRUITING AND HIRIN G INFORMATION
TECHNOLOGY STAFF FOC USED ON CYBERSECURIT Y; AND
4. PAYING OUTSIDE VENDO RS FOR CYBERSECURITY
STAFF TRAINING ;
Ch. 241 2022 LAWS OF MARYLAND
– 12 –
(II) TO ASSIST LOCAL GOVERNMEN TS APPLYING FOR FEDE RAL
CYBERSECURITY PREPAR EDNESS GRANTS ; AND
(III) FOR ADMINISTRATIVE E XPENSES ASSOCIATED W ITH
PROVIDING THE ASSIST ANCE DESCRIBED UNDER ITEM (I) OF THIS PARAGRAPH .
(7) (I) THE STATE TREASURER SHALL INVES T THE MONEY OF THE
FUND IN THE SAME MANN ER AS OTHER STATE MONEY MAY BE IN VESTED.
(II) ANY INTEREST EARNINGS OF THE FUND SHALL BE
CREDITED TO THE FUND.
(8) EXPENDITURES FROM THE FUND MAY BE MADE ONLY IN
ACCORDANCE WITH THE STATE BUDGET .
(F) TO BE ELIGIBLE TO RECEIVE ASSISTANCE FROM THE FUND, EACH
LOCAL GOVERNMENT THA T USES THE NETWORK E STABLISHED IN ACCORD ANCE
WITH § 3.5–404 OF THE STATE FINANCE AND PROCUREMENT ARTICLE SHALL MEET
THE REQUIREMENTS OF §§ 3.5–404(D) AND 3.5–405 OF THE STATE FINANCE AND
PROCUREMENT ARTICLE.
Article – State Finance and Procurement
3.5–101.
(a) In this title the following words have the meanings indicated.
(e) “Unit of State government” means an agency or unit of the Executive Branch
of State government.
SUBTITLE 2A. OFFICE OF SECURITY MANAGEMENT .
3.5–2A–01.
IN THIS SUBTITLE , “OFFICE” MEANS THE OFFICE OF SECURITY
MANAGEMENT .
3.5–2A–02.
THERE IS AN OFFICE OF SECURITY MANAGEMENT WITHIN THE DEPARTMENT .
3.5–2A–03.
LAWRENCE J. HOGAN, JR., Governor Ch. 241
– 13 –
(A) THE HEAD OF THE OFFICE IS THE STATE CHIEF INFORMATION
SECURITY OFFICER.
(B) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL:
(1) BE APPOINTED BY THE GOVERNOR WITH THE ADV ICE AND
CONSENT OF THE SENATE;
(2) SERVE AT THE PLEASUR E OF THE GOVERNOR;
(3) BE SUPERVISED BY THE SECRETARY; AND
(4) SERVE AS THE CHIEF I NFORMATION SECURITY OFFICER OF THE
DEPARTMENT .
(C) AN INDIVIDUAL APPOINT ED AS THE STATE CHIEF INFORMATION
SECURITY OFFICER UNDER SUBSECT ION (B) OF THIS SECTION SHAL L:
(1) AT A MINIMUM, HOLD A BACHELOR ’S DEGREE;
(2) HOLD APPROPRIATE INF ORMATION TECHNOLOGY OR
CYBERSECURITY CERTIF ICATIONS;
(3) HAVE EXPERIENCE :
(I) IDENTIFYING, IMPLEMENTING , AND OR ASSESSING
SECURITY CONTROLS ;
(II) IN INFRASTRUCTURE , SYSTEMS ENGINEERING , AND OR
CYBERSECURITY ;
(III) MANAGING HIGHLY TECHNIC AL SECURITY , SECURITY
OPERATIONS CENTERS , AND INCIDENT RESPONS E TEAMS IN A COMPLEX CLOUD
ENVIRONMENT AND SUPP ORTING MULTIPLE SITE S; AND
(IV) WORKING WITH COMMON INFORMATION SECURITY
MANAGEMENT FRAMEWORK S;
(4) HAVE EXTENSIVE KNOW LEDGE OF INFORMATION TECHNOLOGY
AND CYBERSECURITY FI ELD CONCEPTS , BEST PRACTICES , AND PROCEDURES , WITH
AN UNDERSTANDING OF EXISTING ENTERPRISE CAPABILITIES AND LIM ITATIONS TO
ENSURE THE SECURE IN TEGRATION AND OPERAT ION OF SECURITY NETW ORKS AND
SYSTEMS; AND
Ch. 241 2022 LAWS OF MARYLAND
– 14 –
(5) HAVE KNOWLEDGE OF CU RRENT SECURITY REGUL ATIONS.
(C) (D) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL
PROVIDE CYBERSECURIT Y ADVICE AND RECOMME NDATIONS TO THE GOVERNOR ON
REQUEST.
(D) (E) (1) (I) THERE IS A DIRECTOR OF LOCAL CYBERSECURITY ,
WHO SHALL BE APPOINT ED BY THE STATE CHIEF INFORMATION SECURITY
OFFICER.
(II) THE DIRECTOR OF LOCAL CYBERSECURITY SHALL W ORK
IN COORDINATION WITH THE MARYLAND DEPARTMENT OF EMERGENCY
MANAGEMENT TO PROVIDE TECHNICAL ASSISTANCE , COORDINATE RESOURCES ,
AND IMPROVE CYBERSECURIT Y PREPAREDNESS FOR U NITS OF LOCAL
GOVERNMENT .
(2) (I) THERE IS A DIRECTOR OF STATE CYBERSECURITY , WHO
SHALL BE APPOINTED B Y THE STATE CHIEF INFORMATION SECURITY OFFICER.
(II) THE DIRECTOR OF STATE CYBERSECURITY IS
RESPONSIBLE FOR IMPLEMENTATION OF TH IS SECTION WITH RESP ECT TO UNITS OF
STATE GOVERNMENT .
(E) (F) THE DEPARTMENT SHALL PROV IDE THE OFFICE WITH
SUFFICIENT STAFF TO PERFORM THE FUNCTION S OF THIS SUBTITLE.
(F) THE OFFICE MAY PROCURE RE SOURCES, INCLUDING REGIONAL
COORDINATORS, NECESSARY TO FULFILL THE REQUIREMENTS OF THIS SUBTITLE.
3.5–2A–04.
(A) (1) THE OFFICE IS RESPONSIBLE FOR:
(1) (I) THE DIRECTION , COORDINATION , AND IMPLEMENTATION
OF THE OVERALL CYBER SECURITY STRATEGY AN D POLICY FOR UNITS O F STATE
GOVERNMENT ; AND
(2) THE COORDINATION OF RESOURCES AND EFFORT S TO
IMPLEMENT CYBERSECUR ITY BEST PRACTICES A ND IMPROVE OVERALL
CYBERSECURITY PREPAR EDNESS AND RESPONSE FOR UNITS OF LOCAL
GOVERNMENT , LOCAL SCHOOL BOARDS , LOCAL SCHOOL SYSTEMS , AND LOCAL
HEALTH DEPARTMENT S.; AND
LAWRENCE J. HOGAN, JR., Governor Ch. 241
– 15 –
(II) SUPPORTING THE MARYLAND DEPARTMENT OF
EMERGENCY MANAGEMENT CYBER PREPAREDNESS UNIT DURING EMERGENCY
RESPONSE EFFORTS .
(2) THE OFFICE IS NOT RESPONS IBLE FOR THE INFORMA TION
TECHNOLOGY INSTALLAT ION AND MAINTENANCE OPERATIONS NORMALLY
CONDUCTED BY A UNIT OF STATE GOVERNMENT , A UNIT OF LOCAL GOVE RNMENT, A
LOCAL SCHOOL BOARD , A LOCAL SCHOOL SYSTE M, OR A LOCAL HEALTH
DEPARTMENT .
(B) THE OFFICE SHALL:
(1) ESTABLISH STANDARDS TO CATEGORIZE ALL IN FORMATION
COLLECTED OR MAINTAI NED BY OR ON BEHALF OF EACH UNIT OF STATE
GOVERNMENT ;
(2) ESTABLISH STANDARDS TO CATEGORIZE ALL IN FORMATION
SYSTEMS MAINTAINED B Y OR ON BEHALF OF EA CH UNIT OF STATE GOVERNMENT ;
(3) DEVELOP GUIDELINES G OVERNING THE TYPES O F INFORMATION
AND INFORMATION SYST EMS TO BE INCLUDED IN EACH C ATEGORY;
(4) ESTABLISH SECURITY R EQUIREMENTS FOR INFO RMATION AND
INFORMATION SYSTEMS IN EACH CATEGORY ;
(5) ASSESS THE CATEGORIZ ATION OF INFORMATION AND
INFORMATION SYSTEMS AND THE ASSOCIATED I MPLEMENTATION OF THE SECURITY
REQUIREMENTS ESTABLI SHED UNDER ITEM (4) OF THIS SUBSECTION ;
(6) IF THE STATE CHIEF INFORMATION SECURITY OFFICER
DETERMINES THAT THER E ARE SECURITY VULNE RABILITIES OR DEFICI ENCIES IN
THE IMPLEMENTATION O F THE SECURITY REQUI REMENTS ESTABLISHED UNDER
ITEM (4) OF THIS SUBSECTION , DETERMINE WHETHER AN INFORMATION SYSTEM
SHOULD BE ALLOWED TO CONTINUE TO OPERATE OR BE CONNECTED TO T HE
NETWORK ESTABLISHED IN ACCORDANCE WITH § 3.5–404 OF THIS TITLE; ANY
INFORMATION SYSTEMS , DETERMINE AND DIRECT OR TAKE ACTIONS NE CESSARY TO
CORRECT OR REMEDIATE THE VULNERABILITIES OR DEFICIENCIES , WHICH MAY
INCLUDE REQUIRING TH E INFORMATION SYSTEM TO BE DISCONNECTED ;
(7) IF THE STATE CHIEF INFORMATION SECURITY OFFICER
DETERMINES THAT THER E IS A CYBERSECURITY THREAT CAUSED BY AN ENTITY
CONNECTED TO THE NET WORK ESTABLISHED UND ER § 3.5–404 OF THIS TITLE THAT
INTRODUCES A SERIOUS RISK TO ENTITIES CON NECTED TO THE NETWOR K OR TO
THE STATE, TAKE OR DIRECT ACTIO NS REQUIRED TO MITIG ATE THE THREAT ; Ch. 241 2022 LAWS OF MARYLAND
– 16 –
(7) (8) MANAGE SECURITY AWAR ENESS TR AINING FOR ALL
APPROPRIATE EMPLOYEE S OF UNITS OF STATE GOVERNMENT ;
(8) (9) ASSIST IN THE DEVELO PMENT OF DATA MANAGE MENT,
DATA GOVERNANCE , AND DATA SPECIFICATI ON STANDARDS TO PROM OTE
STANDARDIZATION AND REDUCE RISK;
(9) (10) ASSIST IN THE DEVELO PMENT OF A DIGITAL IDENTIT Y
STANDARD AND SPECIFI CATION APPLICABLE TO ALL PARTIES COMMUNIC ATING,
INTERACTING, OR CONDUCTING BUSINE SS WITH OR ON BEHALF OF A UNIT OF STATE
GOVERNMENT ;
(10) (11) DEVELOP AND MAINTAIN INFORMATION TECHNOLO GY
SECURITY POLICY , STANDARDS, AND GUIDANCE DOCUMEN TS, CONSISTENT WITH
BEST PRACTICES DEVEL OPED BY THE NATIONAL INSTITUTE OF STANDARDS AND
TECHNOLOGY ;
(11) (12) TO THE EXTENT PRACTI CABLE, SEEK, IDENTIFY, AND
INFORM RELEVANT STAK EHOLDERS OF ANY AVAI LABLE FINANCIAL ASSI STANCE
PROVIDED BY THE FEDERA L GOVERNMENT OR NON –STATE ENTITIES TO SUP PORT
THE WORK OF THE OFFICE;
(12) REVIEW AND CERTIFY L OCAL CYBERSECURITY P REPAREDNESS
AND RESPONSE PLANS ;
(13) PROVIDE TECHNICAL AS SISTANCE TO LOCALITI ES IN MITIGATING
AND RECOVERING FROM CYBERSECURITY INCIDE NTS; AND
(14) PROVIDE TECHNICAL SE RVICES, ADVICE, AND GUIDANCE TO
UNITS OF LOCAL GOVER NMENT TO IMPROVE CYB ERSECURITY PREPAREDN ESS,
PREVENTION , RESPONSE, AND RECOVERY PRACTIC ES.
(C) THE OFFICE, IN COORDINATION WITH THE MARYLAND DEPARTMENT
OF EMERGENCY MANAGEMENT , SHALL:
(1) ASSIST LOCAL POLITIC AL SUBDIVISIONS , INCLUDING COUNTIES ,
SCHOOL SYSTEMS , SCHOOL BOARDS , AND LOCAL HEALTH DEP ARTMENTS, IN:
(I) THE DEVELOPMENT OF C YBERSECURITY PREPARE DNESS
AND RESPONSE PLANS ; AND
LAWRENCE J. HOGAN, JR., Governor Ch. 241
– 17 –
(II) IMPLEMENTING BEST PR ACTICES AND GUIDANCE
DEVELOPED BY THE DEPARTMENT ; AND
(2) CONNECT LOCAL ENTITI ES TO APPROPRIATE RE SOURCES FOR
ANY OTHER PURPOSE RE LATED TO CYBERSECURI TY PREPAREDNESS AND
RESPONSE.
(D) THE OFFICE, IN COORDINATION WITH THE MARYLAND DEPARTMENT
OF EMERGENCY MANAGEMENT , MAY:
(1) CONDUCT REGIONAL EXE RCISES, AS NECESSARY , IN
COORDINATION WITH TH E NATIONAL GUARD, LOCAL EMERGENCY MANA GERS, AND
OTHER STATE AND LOCAL ENTIT IES; AND
(2) ESTABLISH REGIONAL A SSISTANCE GROUPS TO DELIVER OR
COORDINATE SUPPORT S ERVICES TO LOCAL POL ITICAL SUBDIVISIONS , AGENCIES,
OR REGIONS.
(C) (E) (1) ON OR BEFORE DECEMBER 31 EACH YEAR, THE OFFICE
SHALL REPORT TO THE GOVERNOR AND , IN ACCORDANCE WITH § 2–1257 OF THE
STATE GOVERNMENT ARTICLE, THE SENATE BUDGET AND TAXATION COMMITTEE,
THE SENATE EDUCATION, HEALTH, AND ENVIRONMENTAL AFFAIRS COMMITTEE,
THE HOUSE APPROPRIATIONS COMMITTEE, THE HOUSE HEALTH AND
GOVERNMENT OPERATIONS COMMITTEE, AND THE JOINT COMMITTEE ON
CYBERSECURITY , INFORMATION TECHNOLO GY, AND BIOTECHNOLOGY ON THE
ACTIVITIES OF THE OFFICE AND THE STATE OF CYBERSECURITY PRE PAREDNESS IN
MARYLAND, INCLUDING:
(1) (I) THE ACTIVITIES AND A CCOMPLISHMENTS OF TH E OFFICE
DURING THE PREVIOUS 12 MONTHS AT THE STATE AND LOCAL LEVEL S; AND
(2) (II) A COMPILATION AND AN ALYSIS OF THE DATA F ROM THE
INFORMATION CONTAINE D IN THE REPORTS REC EIVED BY THE OFFICE UNDER §
3.5–405 OF THIS TITLE, INCLUDING:
(I) 1. A SUMMARY OF THE ISS UES IDENTIFIED BY TH E
CYBERSECURITY PREPAR EDNESS ASSESSMENTS C ONDUCTED THAT YEAR;
(II) 2. THE STATUS OF VULNER ABILITY ASSESSMENTS OF
ALL UNITS OF STATE GOVERNMENT AND A TIMELINE FOR COMPL ETION AND COST
TO REMEDIATE ANY VUL NERABILITIES EXPOSED ;
Ch. 241 2022 LAWS OF MARYLAND
– 18 –
(III) 3. RECENT AUDIT FINDING S OF ALL UNITS OF STATE
GOVERNMENT AND OPTIO NS TO IMPROVE FINDIN GS IN FUTURE AUDITS , INCLUDING
RECOMMENDATIONS FOR STAFF, BUDGET, AND TIMING;
(IV) 4. ANALYSIS OF THE STATE’S EXPENDITURE ON
CYBERSECURITY RELATI VE TO OVERALL INFORM ATION TECHNOLOGY SPEND ING
FOR THE PRIOR 3 YEARS AND RECOMMENDA TIONS FOR CHANGES TO THE BUDGET,
INCLUDING AMOUNT , PURPOSE, AND TIMING TO IMPROV E STATE AND LOCAL
CYBERSECURITY PREPAR EDNESS;
(V) 5. EFFORTS TO SECURE FI NANCIAL SUPPORT FOR
CYBER RISK MITIGATION FROM FEDE RAL OR OTHER NON –STATE RESOURCES ;
(VI) 6. KEY PERFORMANCE INDI CATORS ON THE
CYBERSECURITY STRATE GIES IN THE DEPARTMENT ’S INFORMATION TECHNO LOGY
MASTER PLAN , INCLUDING TIME , BUDGET, AND STAFF REQUIRED F OR
IMPLEMENTATION ; AND
(VII) 7. ANY ADDITIONAL RECOM MENDATIONS FOR
IMPROVING STATE AND LOCAL CYBER SECURITY PREPAREDNES S.
(2) A REPORT SUBMITTED UND ER THIS SUBSECTION M AY NOT
CONTAIN INFORMATION THAT REVEALS CYBERSE CURITY VULNERABILITI ES AND
RISKS IN THE STATE.
3.5–301.
(a) In this subtitle the following words have the meanings indicated.
(j) “Nonvisual access” means the ability, through keyboard control, synthesized
speech, Braille, or other methods not requiring sight to receive, use, and manipulate
information and operate controls necessary to access information technology in accordance
with standards adopted under [§ 3A–303(b)] § 3.5–303(B) of this subtitle.
3.5–302.
(c) Notwithstanding any other provision of law, except as provided in subsection
(a) of this section and [§§ 3A–307(a)(2), 3A–308, and 3A–309] §§ 3.5–307(A)(2), 3.5–308,
AND 3.5–309 of this subtitle, this subtitle applies to all units of the Executive Branch of
State government including public institutions of higher education other than Morgan
State University, the University System of Maryland, St. Mary’s College of Maryland, and
Baltimore City Community College.
3.5–303. LAWRENCE J. HOGAN, JR., Governor Ch. 241
– 19 –
(c) On or before January 1, 2020, the Secretary, or the Secretary’s designee, shall:
(2) establish a process for the Secretary or the Secretary’s designee to:
(ii) 2. for information technology procured by a State unit on or
after January 1, 2020, enforce the nonvisual access clause developed under [§ 3A–311] §
3.5–311 of this subtitle, including the enforcement of the civil penalty described in [§
3A–311(a)(2)(iii)1] § 3.5–311(A)(2)(III)1 of this subtitle.
3.5–307.
(a) (2) A unit of State government other than a public institution of higher
education may not make expenditures for major information technology development
projects OR CYBERSECURITY PRO JECTS except as provided in [§ 3A–308] § 3.5–308 of
this subtitle.
3.5–309.
(c) The Secretary:
(2) subject to the provisions of § 2–201 of this article and [§ 3A–307] §
3.5–307 of this subtitle, may receive and accept contributions, grants, or gifts of money or
property.
(i) The Fund may be used:
(3) notwithstanding [§ 3A–301(b)(2)] § 3.5–301(B)(2) of this subtitle, for
the costs of the first 12 months of operation and maintenance of a major information
technology development project.
(l) (1) Notwithstanding subsection (b) of this section and in accordance with
paragraph (2) of this subsection, money paid into the Fund under subsection (e)(2) of this
section shall be used to support:
(i) the State telecommunication and computer network established
under [§ 3A–404] § 3.5–404 of this title, including program development for these
activities; and
3.5–311.
(a) (2) On or after January 1, 2020, the nonvisual access clause developed in
accordance with paragraph (1) of this subsection shall include a statement that:
(i) within 18 months after the award of the procurement, the
Secretary, or the Secretary’s designee, will determine whether the information technology Ch. 241 2022 LAWS OF MARYLAND
– 20 –
meets the nonvisual access standards adopted in accordance with [§ 3A–303(b)] §
3.5–303(B) of this subtitle;
3.5–315.
(A) THERE IS AN INFORMATION SHARING AND ANALYSIS CENTER IN THE
DEPARTMENT .
(B) THE INFORMATION SHARING AND ANALYSIS CENTER SHALL:
(1) COORDINATE INFORMATI ON ON CYBERSECURITY BY SERVING AS
A CENTRAL LOCATION F OR INFORMATION SHARI NG ACROSS STATE AND LOCAL
GOVERNMENT , FEDERAL GOVERNMENT PARTNERS , AND PRIVATE ENTITIES ;
(2) WITH THE OFFICE OF SECURITY MANAGEMENT , SUPPORT
CYBERSECURITY COORDI NATION BETWEEN LOCAL UNITS OF GOVERNMENT
THROUGH EXISTING LOC AL GOVERNMENT STAKEH OLDER ORGANIZATIONS ;
(3) PROVIDE SUPPORT TO T HE STATE CHIEF INFORMATION
SECURITY OFFICER AND THE CYBER PREPAREDNESS UNIT, IN THE MARYLAND
DEPARTMENT OF EMERGENCY MANAGEMENT , DURING CYBERSECURITY
INCIDENTS THAT AFFEC T STATE AND LOCAL GOVER NMENTS;
(4) SUPPORT RISK –BASED PLANNING FOR T HE USE OF FEDERAL
RESOURCES; AND
(5) CONDUCT ANALYSES OF CYBERSECURITY INCIDE NTS.
3.5–404.
(a) The General Assembly declares that:
(1) it is the policy of the State to foster telecommunication and computer
networking among State and local governments, their agencies, an d educational
institutions in the State;
(2) there is a need to improve access, especially in rural areas, to efficient
telecommunication and computer network connections;
(3) improvement of telecommunication and computer networking for State
and local governments and educational institutions promotes economic development,
educational resource use and development, and efficiency in State and local administration;
LAWRENCE J. HOGAN, JR., Governor Ch. 241
– 21 –
(4) rates for the intrastate inter–LATA telephone communications needed
for effective integration of telecommunication and computer resources are prohibitive for
many smaller governments, agencies, and institutions; and
(5) the use of improved State telecommunication and computer networking
under this section is intended not to compete with commercial access to advanced network
technology, but rather to foster fundamental efficiencies in government and education for
the public good.
(b) (1) The Department shall establish a telecommunication and computer
network in the State.
(2) The network shall consist of:
(i) one or more connection facilities for telecommunication and
computer connection in each local access transport area (LATA) in the State; and
(ii) facilities, auxiliary equipment, and services required to support
the network in a reliable and secure manner.
(c) The network shall be accessible through direct connection and through local
intra–LATA telecommunications to State and local governments and public and private
educational institutions in the State.
(D) ON OR BEFORE DECEMBER 1 EACH YEAR IN A MANNER AND FREQU ENCY
ESTABLISHED IN REGUL ATIONS ADOPTED BY TH E DEPARTMENT , EACH UNIT OF THE
LEGISLATIVE OR JUDICIAL BRANCH OF STATE GOVERNMENT , EACH UNIT OF LOCAL
GOVERNMENT , AND ANY LOCAL AGENCI ES THAT USE THE NETW ORK ESTABLISHED
UNDER SUBSECTION (B) OF THIS SECTION SHAL L CERTIFY TO THE DEPARTMENT
THAT THE UNIT IS IN COMPLIANCE WITH THE DEPARTMENT ’S MINIMUM SECURITY
STANDARDS.
3.5–405.
(A) THIS SECTION DOES NOT APPLY TO MUNICIPAL G OVERNMENTS .
(B) ON OR BEFORE DECEMBER 1 EACH YEAR IN A MANNER AND FREQU ENCY
ESTABLISHED IN REGUL ATIONS ADOPTED BY TH E DEPARTMENT , EACH COUNTY
GOVERNMENT , LOCAL SCHOOL SYSTEM , AND LOCAL HEALTH DEP ARTMENT SHALL :
(1) IN CONSULTATION WITH THE LOCAL EMERGENCY MANAGER,
CREATE OR UPDATE A C YBERSECURITY PREPAREDNESS AND RESPONSE PLAN AN D
SUBMIT THE PLAN TO T HE OFFICE OF SECURITY MANAGEMENT FOR APPROV AL;
Ch. 241 2022 LAWS OF MARYLAND
– 22 –
(2) COMPLETE A CYBERSECU RITY PREPAREDNESS AS SESSMENT AND
REPORT THE RESULTS T O THE OFFICE IN ACCORDANCE WITH GUIDELINES
DEVELOPED BY THE OFFICE; AND
(3) REPORT TO THE OFFICE:
(I) THE NUMBER OF INFORM ATION TECHNOLOGY STA FF
POSITIONS, INCLUDING VACANCIES ;
(II) THE ENTITY’S CYBERSECURITY BUDG ET AND OVERALL
INFORMATION TECHNOLO GY BUDGET;
(III) THE NUMBER OF EMPLOY EES WHO HAVE RECEIVED
CYBERSECURITY TRAINI NG; AND
(IV) THE TOTAL NUMBER OF EMPLOYEES WITH ACCES S TO THE
ENTITY’S COMPUTER SYSTEMS A ND DATABASES .
4–308.
(A) THE DEPARTMENT MAY ESTABL ISH A PROGRAM THAT L EVERAGES
STATE PURCHASING POWE R TO OFFER FAVORABLE RATES TO U NITS OF LOCAL
GOVERNMENT TO PROCUR E INFORMATION TECHNO LOGY OR CYBERSECURIT Y
SERVICES FROM CONTRA CTORS.
(B) A UNIT OF LOCAL GOVERN MENT MAY NOT BE REQU IRED TO
PARTICIPATE IN A PRO GRAM ESTABLISHED UND ER SUBSECTION (A) OF THIS
SECTION.
6–226.
(a) (2) (i) Notwithstanding any other provision of law, and unless
inconsistent with a federal law, grant agreement, or other federal requirement or with the
terms of a gift or settlement agreement, net interest on all State money allocated by the
State Treasurer under this section to special funds or accounts, and otherwise entitled to
receive interest earnings, as accounted for by the Comptroller, shall accrue to the General
Fund of the State.
(ii) The provisions of subparagraph (i) of this paragraph do not apply
to the following funds:
144. the Health Equity Resource Community Reserve Fund;
[and]
LAWRENCE J. HOGAN, JR., Governor Ch. 241
– 23 –
145. the Access to Counsel in Evictions Special Fund; AND
146. THE LOCAL CYBERSECURITY SUPPORT FUND.
12–107.
(b) Subject to the authority of the Board, jurisdiction over procurement is as
follows:
(2) the Department of General Services may:
(i) engage in or control procurement of:
10. information processing equipment and associated
services, as provided in Title [3A] 3.5, Subtitle 3 of this article; and
11. telecommunication equipment, systems, or services, as
provided in Title [3A] 3.5, Subtitle 4 of this article;
Article – State Government
2–1224.
(f) [After] EXCEPT AS PROVIDED IN SUBSECTION (I) OF THIS SECTION ,
AFTER the expiration of any period that the Joint Audit and Evaluation Committee
specifies, a report of the Legislative Auditor is available to the public under Title 4,
Subtitles 1 through 5 of the General Provisions Article.
(I) A REPORT AUDITING A UN IT OF STATE OR LOCAL GOVERN MENT SHALL
HAVE ANY CYBERSECURI TY FINDINGS REDACTED IN A MANNER CONSISTE NT WITH
AUDITING BEST PRACTI CES BEFORE THE REPORT IS MADE AVAILABLE TO TH E
PUBLIC.
SECTION 3. AND BE IT FURTHER ENACTED, That, on or before December 1,
2022, the State Chief Information Security Officer and the Secretary of Emergency
Management shall:
(1) review the State budget for efficiency and effectiveness of funding and
resources to ensure that the State is equipped to respond to a cybersecurity attack;
(2) make recommendations for any changes to the budget needed to
accomplish the goals under item (1) of this section;
(3) establish guidance for units of State government on use and access to
State funding related to cybersecurity preparedness; and
Ch. 241 2022 LAWS OF MARYLAND
– 24 –
(4) report any recommendations and guidance to the Governor and, in
accordance with § 2–1257 of the State Government Article, the General Assembly.
SECTION 4. AND BE IT FURTHER ENACTED, That:
(a) On or before December 1, 2023, the State Chief Information Security Officer
shall:
(1) commission a feasibility study on expanding the operations of the State
Security Operations Center operated by the Department of Information Technology to
include cybersecurity monitoring and alert services for units of local government; and
(2) report any recommendations to the Governor and, in accordance with §
2–1257 of the State Government Article, the General Assembly.
(b) For fiscal year 2024, the Governor shall include an appropriation in the
annual budget to cover the cost of the feasibility study required under subsection (a) of this
section.
SECTION 5. AND BE IT FURTHER ENACTED, That this Act shall take effect July
1, 2022.
SECTION 5. AND BE IT FURTHER ENACTED, That:
(a) (1) On or before June 30, 2023, each unit of local government shall certify
to the Office of Security Management compliance with State minimum cybersecurity
standards established by the Department of Information Technology.
(2) Certification shall be reviewed by independent auditors, and any
findings must be remediated.
(b) If a unit of local government has not remediated any findings pertaining to
State cybersecurity standards found by the independent audit required under subsection
(1) of this section by July 1, 2024, the Office of Security Management shall assume
responsibility for a unit’s cybersecurity through a shared service agreement, administrative
privileges, or access to Network Maryland notwithstanding any federal law or regulation
that forbids the Office of Security Management from managing a specific system provide
guidance for the unit to achieve compliance with the cybersecurity standards.
SECTION 6. AND BE IT FURTHER ENACTED, That for fiscal year 2023, funds
from the Dedicated Purpose Account may be transfe rred by budget amendment in
accordance with § 7–310 of the State Finance and Procurement Article to implement this
Act.
SECTION 7. AND BE IT FURTHER ENACTED, That:
LAWRENCE J. HOGAN, JR., Governor Ch. 241
– 25 –
(a) On or before June October 1, 2022, the State Chief Information Security
Officer shall establish guidelines to determine when a cybersecurity incident shall be
disclosed to the public.
(b) On or before November 1, 2022, the State Chief Information Security Officer
shall submit a report on the guidelines established under subsection (a) of this section to
the Governor and, in accordance with § 2–1257 of the State Government Article, the House
Health and Government Operations Committee and the Senate Education, Health, and
Environmental Affairs Committee.
SECTION 8. AND BE IT FURTHER ENACTED, That this Act is an emergency
measure, is necessary for the immediate preservation of the public health or safety, has
been passed by a yea and nay vote supported by three–fifths of all the members elected to
each of the two Houses of the General Assembly, and shall take effect from the date it is
enacted.
Approved by the Governor, May 12, 2022.