EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW. [Brackets] indicate matter deleted from existing law. Underlining indicates amendments to bill. Strike out indicates matter stricken from the bill by amendment or deleted from the law by amendment.

*sb0812*

SENATE BILL 812
S2, P1, P2 2lr1779
CF HB 1346

By: Senator Hester Senators Hester, Hershey, Jennings, Jackson, Rosapepe, Lee, and Watson
Introduced and read first time: February 7, 2022
Assigned to: Education, Health, and Environmental Affairs
Committee Report: Favorable with amendments
Senate action: Adopted with floor amendments
Read second time: March 27, 2022

CHAPTER ______

AN ACT concerning

State Government – Cybersecurity – Coordination and Governance

FOR the purpose of establishing the Cybersecurity Coordination and Operations Office in the Maryland Department of Emergency Management; requiring the Secretary of Emergency Management to appoint an Executive Director as head of the Cybersecurity Coordination and Operations Office; requiring the Office of Security Management to be provided with staff for the Cybersecurity Coordination and Operations Office; requiring the Cybersecurity Coordination and Operations Office to establish regional assistance groups to deliver or coordinate support services to political subdivisions, agencies, or regions in accordance with certain requirements; requiring the Cybersecurity Coordination and Operations Office to offer certain training opportunities for counties and municipalities; establishing the Office of Security Management within the Department of Information Technology (DoIT); establishing certain responsibilities and authority of the Office of Security Management; centralizing authority and control of the procurement of all information technology for the Executive Branch of State government in DoIT; establishing the Maryland Cybersecurity Coordinating Council; requiring the Secretary of Information Technology to develop and maintain a statewide cybersecurity master plan strategy; requiring DoIT to develop and require basic security requirements to be included in certain contracts; requiring each unit of the Legislative or Judicial Branch of State government and any division of the University System of Maryland that uses a certain network to certify certain compliance to DoIT on or before a certain date each year; requiring certain IT units to certify compliance with certain cybersecurity standards; requiring each unit of the Executive Branch of State government and certain local entities to report certain cybersecurity incidents in a certain manner and under certain circumstances; requiring the State Security Operations Center to notify certain agencies of a cybersecurity incident reported in a certain manner; establishing the Maryland Cybersecurity Coordinating Council; exempting meetings of the Council from the Open Meetings Act; requiring the Council to study aspects of the State’s cybersecurity vulnerabilities and procurement potential, including partnerships with other states; requiring the Council to promote certain education and training opportunities; requiring the Department of General Services to study the security and financial implications of executing partnerships with other states to procure information technology and cybersecurity products and services; requiring the Department of General Services to establish certain basic security requirements to be included in certain contracts; requiring DoIT to complete implementation of a certain governance, risk, and compliance module on or before a certain date; requiring the Office to prepare a transition strategy towards cybersecurity centralization; requiring each agency in the Executive Branch of State government to certify to the Office that the agency is in compliance with certain standards; requiring the Office to assume responsibility for a certain agency’s cybersecurity except under certain circumstances; requiring DoIT to hire a contractor to conduct a performance and capacity assessment of DoIT; authorizing funds to be transferred by budget amendment from the Dedicated Purpose Account in a certain fiscal year to implement the Act; transferring certain appropriations, books and records, and employees to DoIT; and generally relating to State cybersecurity coordination.

BY renumbering
Article – State Finance and Procurement
Section 3A–101 through 3A–702, respectively, and the title “Title 3A. Department of Information Technology”
to be Section 3.5–101 through 3.5–702, respectively, and the title “Title 3.5. Department of Information Technology”
Annotated Code of Maryland
(2021 Replacement Volume)

BY repealing and reenacting, with amendments,
Article – Criminal Procedure
Section 10–221(b)
Annotated Code of Maryland
(2018 Replacement Volume and 2021 Supplement)

BY repealing and reenacting, with amendments,
Article – Health – General
Section 21–2C–03(h)(2)(i)
Annotated Code of Maryland
(2019 Replacement Volume and 2021 Supplement)

BY repealing and reenacting, with amendments,
Article – Human Services
Section 7–806(a), (b)(1), (c)(1), (d)(1) and (2)(i), and (g)(1)
Annotated Code of Maryland
(2019 Replacement Volume and 2021 Supplement)

BY repealing and reenacting, with amendments,
Article – Insurance
Section 31–103(a)(2)(i) and (b)(2)
Annotated Code of Maryland
(2017 Replacement Volume and 2021 Supplement)

BY repealing and reenacting, with amendments,
Article – Natural Resources
Section 1–403(c)
Annotated Code of Maryland
(2018 Replacement Volume and 2021 Supplement)

BY adding to
Article – Public Safety
Section 14–104.1
Annotated Code of Maryland
(2018 Replacement Volume and 2021 Supplement)

BY repealing and reenacting, without amendments,
Article – State Finance and Procurement
Section 3.5–101(a) and (e) and 3.5–301(a)
Annotated Code of Maryland
(2021 Replacement Volume)
(As enacted by Section 1 of this Act)

BY adding to
Article – State Finance and Procurement
Section 3.5–2A–01 through 3.5–2A–07 3.5–2A–06 to be under the new subtitle “Subtitle 2A. Office of Security Management”; and 3.5–404(d) and (e), 3.5–405 and 12–107(b)(2)(i)12., 3.5–406, 4–316.1, and 13–115
Annotated Code of Maryland
(2021 Replacement Volume)

BY repealing and reenacting, with amendments,
Article – State Finance and Procurement
Section 3.5–301(j), 3.5–302(c), 3.5–303, 3.5–305, 3.5–307 through 3.5–314, 3.5–401, and 3.5–404 Section 3.5–301(i) and (j), 3.5–302, 3.5–303, 3.5–307, 3.5–309(c), (i), and (l), and 3.5–311(a)(2)(i)
Annotated Code of Maryland
(2021 Replacement Volume)
(As enacted by Section 1 of this Act)

BY repealing
Article – State Finance and Procurement
Section 3.5–306
Annotated Code of Maryland
(2021 Replacement Volume)
(As enacted by Section 1 of this Act)

BY repealing and reenacting, with amendments,
Article – State Finance and Procurement
Section 12–107(b)(2)(i)10. and 11.
Annotated Code of Maryland
(2021 Replacement Volume)

SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, That Section(s) 3A–101 through 3A–702, respectively, and the title “Title 3A. Department of Information Technology” of Article – State Finance and Procurement of the Annotated Code of Maryland be renumbered to be Section(s) 3.5–101 through 3.5–702, respectively, and the title “Title 3.5. Department of Information Technology”.

SECTION 2. AND BE IT FURTHER ENACTED, That the Laws of Maryland read as follows:

Article – Criminal Procedure

10–221.
(b) Subject to Title [3A] 3.5, Subtitle 3 of the State Finance and Procurement Article, the regulations adopted by the Secretary under subsection (a)(1) of this section and the rules adopted by the Court of Appeals under subsection (a)(2) of this section shall:
(1) regulate the collection, reporting, and dissemination of criminal history record information by a court and criminal justice units;
(2) ensure the security of the criminal justice information system and criminal history record information reported to and collected from it;
(3) regulate the dissemination of criminal history record information in accordance with Subtitle 1 of this title and this subtitle;
(4) regulate the procedures for inspecting and challenging criminal history record information;
(5) regulate the auditing of criminal justice units to ensure that criminal history record information is:
(i) accurate and complete; and
(ii) collected, reported, and disseminated in accordance with Subtitle 1 of this title and this subtitle;
(6) regulate the development and content of agreements between the Central Repository and criminal justice units and noncriminal justice units; and
(7) regulate the development of a fee schedule and provide for the collection of the fees for obtaining criminal history record information for other than criminal justice purposes.

Article – Health – General

21–2C–03.
(h) (2) The Board is subject to the following provisions of the State Finance and Procurement Article:
(i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent that the Secretary of Information Technology determines that an information technology project of the Board is a major information technology development project;

Article – Human Services

7–806.
(a) (1) Subject to paragraph (2) of this subsection, the programs under § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall be funded as provided in the State budget.
(2) For fiscal year 2019 and each fiscal year thereafter, the program under [§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall be funded at an amount that:
(i) is equal to the cost that the Department of Aging is expected to incur for the upcoming fiscal year to provide the service and administer the program; and
(ii) does not exceed 5 cents per month for each account out of the surcharge amount authorized under subsection (c) of this section.
(b) (1) There is a Universal Service Trust Fund created for the purpose of paying the costs of maintaining and operating the programs under:
(i) § 7–804(a) of this subtitle, subject to the limitations and controls provided in this subtitle;
(ii) § 7–902(a) of this title, subject to the limitations and controls provided in Subtitle 9 of this title; and
(iii) [§ 3A–702] § 3.5–702 of the State Finance and Procurement Article, subject to the limitations and controls provided in Title [3A] 3.5, Subtitle 7 of the State Finance and Procurement Article.
(c) (1) The costs of the programs under § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall be funded by revenues generated by:
(i) a surcharge to be paid by the subscribers to a communications service; and
(ii) other funds as provided in the State budget.
(d) (1) The Secretary shall annually certify to the Public Service Commission the costs of the programs under § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement Article to be paid by the Universal Service Trust Fund for the following fiscal year.
(2) (i) The Public Service Commission shall determine the surcharge for the following fiscal year necessary to fund the programs under § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement Article.
(g) (1) The Legislative Auditor may conduct postaudits of a fiscal and compliance nature of the Universal Service Trust Fund and the expenditures made for purposes of § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement Article.

Article – Insurance

31–103.
(a) The Exchange is subject to:
(2) the following provisions of the State Finance and Procurement Article:
(i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent that the Secretary of Information Technology determines that an information technology project of the Exchange is a major information technology development project;
(b) The Exchange is not subject to:
(2) Title [3A] 3.5, Subtitle 3 (Information Processing) of the State Finance and Procurement Article, except to the extent determined by the Secretary of Information Technology under subsection (a)(2)(i) of this section;

Article – Natural Resources

1–403.
(c) The Department shall develop the electronic system consistent with the statewide information technology master plan developed under Title [3A] 3.5, Subtitle 3 of the State Finance and Procurement Article.

Article – Public Safety

14–104.1.
(A) (1) IN THIS SECTION THE FOLLOWING WORDS HAVE THE MEANINGS INDICATED.
(2) “OFFICE” MEANS THE CYBERSECURITY COORDINATION AND OPERATIONS OFFICE ESTABLISHED WITHIN THE DEPARTMENT.
(3) “REGION” MEANS A COLLECTION OF POLITICAL SUBDIVISIONS.
(B) THERE IS A CYBERSECURITY COORDINATION AND OPERATIONS OFFICE WITHIN THE DEPARTMENT.
(C) THE PURPOSE OF THE OFFICE IS TO:
(1) IMPROVE LOCAL, REGIONAL, AND STATEWIDE CYBERSECURITY READINESS AND RESPONSE;
(2) ASSIST POLITICAL SUBDIVISIONS, SCHOOL BOARDS, AND AGENCIES IN THE DEVELOPMENT OF CYBERSECURITY DISRUPTION PLANS;
(3) IN CONSULTATION WITH THE DEPARTMENT OF INFORMATION TECHNOLOGY, COORDINATE WITH POLITICAL SUBDIVISIONS, LOCAL AGENCIES, AND STATE AGENCIES ON THE IMPLEMENTATION OF CYBERSECURITY BEST PRACTICES;
(4) COORDINATE WITH POLITICAL SUBDIVISIONS AND AGENCIES ON THE IMPLEMENTATION OF THE STATEWIDE MASTER PLAN DEVELOPED BY THE DEPARTMENT OF INFORMATION TECHNOLOGY UNDER TITLE 3.5, SUBTITLE 3 OF THE STATE FINANCE AND PROCUREMENT ARTICLE; AND
(5) CONSULT WITH THE STATE CHIEF INFORMATION SECURITY OFFICER AND THE SECRETARY OF INFORMATION TECHNOLOGY TO CONNECT POLITICAL SUBDIVISIONS AND AGENCIES TO THE APPROPRIATE RESOURCES FOR ANY OTHER PURPOSE RELATED TO CYBERSECURITY READINESS AND RESPONSE.
(D) (1) THE HEAD OF THE OFFICE IS THE EXECUTIVE DIRECTOR, WHO SHALL BE APPOINTED BY THE DIRECTOR.
(2) THE OFFICE OF SECURITY MANAGEMENT SHALL PROVIDE STAFF FOR THE OFFICE.
(E) (1) THE OFFICE SHALL ESTABLISH REGIONAL ASSISTANCE GROUPS TO DELIVER OR COORDINATE SUPPORT SERVICES TO POLITICAL SUBDIVISIONS, AGENCIES, OR REGIONS.
(2) THE OFFICE MAY HIRE OR PROCURE REGIONAL COORDINATORS TO DELIVER OR COORDINATE THE SERVICES UNDER PARAGRAPH (1) OF THIS SUBSECTION.
(3) THE OFFICE SHALL PROVIDE OR COORDINATE SUPPORT SERVICES UNDER PARAGRAPH (1) OF THIS SUBSECTION THAT INCLUDE:
(I) CONNECTING MULTIPLE POLITICAL SUBDIVISIONS AND AGENCIES WITH EACH OTHER TO SHARE BEST PRACTICES OR OTHER INFORMATION TO INCREASE READINESS OR RESPONSE EFFECTIVENESS;
(II) PROVIDING TECHNICAL SERVICES FOR THE IMPLEMENTATION OF CYBERSECURITY BEST PRACTICES IN ACCORDANCE WITH SUBSECTION (C)(3) OF THIS SECTION;
(III) COMPLETING CYBERSECURITY RISK ASSESSMENTS;
(IV) DEVELOPING CYBER SCORECARDS AND REPORTS ON REGIONAL READINESS;
(V) CREATING AND UPDATING CYBERSECURITY DISRUPTION PLANS IN ACCORDANCE WITH SUBSECTION (C)(2) OF THIS SECTION; AND
(VI) CONDUCTING REGIONAL EXERCISES IN COORDINATION WITH THE NATIONAL GUARD, THE DEPARTMENT, THE DEPARTMENT OF INFORMATION TECHNOLOGY, LOCAL EMERGENCY MANAGERS, AND OTHER STATE AND LOCAL ENTITIES.
(F) (1) THE OFFICE SHALL PROVIDE REGULAR TRAINING OPPORTUNITIES FOR COUNTIES AND MUNICIPAL CORPORATIONS IN THE STATE.
(2) TRAINING OPPORTUNITIES OFFERED BY THE OFFICE SHALL:
(I) BE DESIGNED TO ENSURE STAFF FOR COUNTIES AND MUNICIPAL CORPORATIONS ARE CAPABLE OF COOPERATING EFFECTIVELY WITH THE DEPARTMENT IN THE EVENT OF A CYBERSECURITY EMERGENCY; AND
(II) INCORPORATE BEST PRACTICES AND GUIDELINES FOR STATE AND LOCAL GOVERNMENTS PROVIDED BY THE MULTI–STATE INFORMATION SHARING AND ANALYSIS CENTER AND THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY.
(G) ON OR BEFORE DECEMBER 1 EACH YEAR, THE OFFICE SHALL REPORT TO THE GOVERNOR AND, IN ACCORDANCE WITH § 2–1257 OF THE STATE GOVERNMENT ARTICLE, THE GENERAL ASSEMBLY ON THE ACTIVITIES OF THE OFFICE.

Article – State Finance and Procurement

3.5–101.
(a) In this title the following words have the meanings indicated.
(e) “Unit of State government” means an agency or unit of the Executive Branch of State government.

SUBTITLE 2A.
OFFICE OF SECURITY MANAGEMENT.

3.5–2A–01.
(A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS INDICATED.
(B) “COUNCIL” MEANS THE MARYLAND CYBERSECURITY COORDINATING COUNCIL.
(C) “OFFICE” MEANS THE OFFICE OF SECURITY MANAGEMENT.

3.5–2A–02.
THERE IS AN OFFICE OF SECURITY MANAGEMENT WITHIN THE DEPARTMENT.

3.5–2A–03.
(A) THE HEAD OF THE OFFICE IS THE STATE CHIEF INFORMATION SECURITY OFFICER.
(B) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL:
(1) BE APPOINTED BY THE GOVERNOR WITH THE ADVICE AND CONSENT OF THE SENATE;
(2) SERVE AT THE PLEASURE OF THE GOVERNOR;
(3) BE SUPERVISED BY THE SECRETARY; AND
(4) SERVE AS THE CHIEF INFORMATION SECURITY OFFICER OF THE DEPARTMENT.
(C) AN INDIVIDUAL APPOINTED AS THE STATE CHIEF INFORMATION SECURITY OFFICER UNDER SUBSECTION (B) OF THIS SECTION SHALL:
(1) AT A MINIMUM, HOLD A BACHELOR’S DEGREE;
(2) HOLD APPROPRIATE INFORMATION TECHNOLOGY OR CYBERSECURITY CERTIFICATIONS;
(3) HAVE EXPERIENCE:
(I) IDENTIFYING, IMPLEMENTING, AND OR ASSESSING SECURITY CONTROLS;
(II) IN INFRASTRUCTURE, SYSTEMS ENGINEERING, AND OR CYBERSECURITY;
(III) MANAGING HIGHLY TECHNICAL SECURITY, SECURITY OPERATIONS CENTERS, AND INCIDENT RESPONSE TEAMS IN A COMPLEX CLOUD ENVIRONMENT AND SUPPORTING MULTIPLE SITES; AND
(IV) WORKING WITH COMMON INFORMATION SECURITY MANAGEMENT FRAMEWORKS;
(4) HAVE EXTENSIVE KNOWLEDGE OF INFORMATION TECHNOLOGY AND CYBERSECURITY FIELD CONCEPTS, BEST PRACTICES, AND PROCEDURES, WITH AN UNDERSTANDING OF EXISTING ENTERPRISE CAPABILITIES AND LIMITATIONS TO ENSURE THE SECURE INTEGRATION AND OPERATION OF SECURITY NETWORKS AND SYSTEMS; AND
(5) HAVE KNOWLEDGE OF CURRENT SECURITY REGULATIONS.
(C) (D) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL PROVIDE CYBERSECURITY ADVICE AND RECOMMENDATIONS TO THE GOVERNOR ON REQUEST.
(D) (E) (1) (I) THERE IS A DIRECTOR OF LOCAL CYBERSECURITY WHO SHALL BE APPOINTED BY THE STATE CHIEF INFORMATION SECURITY OFFICER.
(II) THE DIRECTOR OF LOCAL CYBERSECURITY SHALL WORK IN COORDINATION WITH THE MARYLAND DEPARTMENT OF EMERGENCY MANAGEMENT TO PROVIDE TECHNICAL ASSISTANCE, COORDINATE RESOURCES, AND IMPROVE CYBERSECURITY PREPAREDNESS FOR UNITS OF LOCAL GOVERNMENT.
(2) (I) THERE IS A DIRECTOR OF STATE CYBERSECURITY WHO SHALL BE APPOINTED BY THE STATE CHIEF INFORMATION SECURITY OFFICER.
(II) THE DIRECTOR OF STATE CYBERSECURITY IS RESPONSIBLE FOR IMPLEMENTATION OF THIS SECTION WITH RESPECT TO UNITS OF STATE GOVERNMENT.
(E) (F) THE DEPARTMENT SHALL PROVIDE THE OFFICE WITH SUFFICIENT STAFF TO PERFORM THE FUNCTIONS OF THIS SUBTITLE.
(F) THE OFFICE MAY PROCURE RESOURCES, INCLUDING REGIONAL COORDINATORS, NECESSARY TO FULFILL THE REQUIREMENTS OF THIS SUBTITLE.

3.5–2A–04.
(A) (1) THE OFFICE IS RESPONSIBLE FOR:
(1) (I) THE DIRECTION, COORDINATION, AND IMPLEMENTATION OF THE OVERALL CYBERSECURITY STRATEGY AND POLICY FOR UNITS OF STATE GOVERNMENT; AND
(2) THE COORDINATION OF RESOURCES AND EFFORTS TO IMPLEMENT CYBERSECURITY BEST PRACTICES AND IMPROVE OVERALL CYBERSECURITY PREPAREDNESS AND RESPONSE FOR UNITS OF LOCAL GOVERNMENT, LOCAL SCHOOL BOARDS, LOCAL SCHOOL SYSTEMS, AND LOCAL HEALTH DEPARTMENTS.
(II) COORDINATING WITH THE MARYLAND DEPARTMENT OF EMERGENCY MANAGEMENT CYBER PREPAREDNESS UNIT DURING EMERGENCY RESPONSE EFFORTS.
(2) THE OFFICE IS NOT RESPONSIBLE FOR THE INFORMATION TECHNOLOGY INSTALLATION AND MAINTENANCE OPERATIONS NORMALLY CONDUCTED BY A UNIT OF STATE GOVERNMENT, A UNIT OF LOCAL GOVERNMENT, A LOCAL SCHOOL BOARD, A LOCAL SCHOOL SYSTEM, OR A LOCAL HEALTH DEPARTMENT.
(B) THE OFFICE SHALL:
(1) ESTABLISH STANDARDS TO CATEGORIZE ALL INFORMATION COLLECTED OR MAINTAINED BY OR ON BEHALF OF EACH UNIT OF STATE GOVERNMENT;
(2) ESTABLISH STANDARDS TO CATEGORIZE ALL INFORMATION SYSTEMS MAINTAINED BY OR ON BEHALF OF EACH UNIT OF STATE GOVERNMENT;
(3) DEVELOP GUIDELINES GOVERNING THE TYPES OF INFORMATION AND INFORMATION SYSTEMS TO BE INCLUDED IN EACH CATEGORY;
(4) ESTABLISH SECURITY REQUIREMENTS FOR INFORMATION AND INFORMATION SYSTEMS IN EACH CATEGORY;
(5) ASSESS THE CATEGORIZATION OF INFORMATION AND INFORMATION SYSTEMS AND THE ASSOCIATED IMPLEMENTATION OF THE SECURITY REQUIREMENTS ESTABLISHED UNDER ITEM (4) OF THIS SUBSECTION;
(6) IF THE STATE CHIEF INFORMATION SECURITY OFFICER DETERMINES THAT THERE ARE SECURITY VULNERABILITIES OR DEFICIENCIES IN THE IMPLEMENTATION OF THE SECURITY REQUIREMENTS ESTABLISHED UNDER ITEM (4) OF THIS SUBSECTION, DETERMINE WHETHER AN INFORMATION SYSTEM SHOULD BE ALLOWED TO CONTINUE TO OPERATE OR BE CONNECTED TO THE NETWORK ESTABLISHED IN ACCORDANCE WITH § 3.5–404 OF THIS TITLE; ANY INFORMATION SYSTEMS, DETERMINE AND DIRECT OR TAKE ACTIONS NECESSARY TO CORRECT OR REMEDIATE THE VULNERABILITIES OR DEFICIENCIES, WHICH MAY INCLUDE REQUIRING THE INFORMATION SYSTEM TO BE DISCONNECTED;
(7) IF THE STATE CHIEF INFORMATION SECURITY OFFICER DETERMINES THAT THERE IS A CYBERSECURITY THREAT CAUSED BY AN ENTITY CONNECTED TO THE NETWORK ESTABLISHED UNDER § 3.5–404 OF THIS TITLE THAT INTRODUCES A SERIOUS RISK TO ENTITIES CONNECTED TO THE NETWORK OR TO THE STATE, TAKE OR DIRECT ACTIONS REQUIRED TO MITIGATE THE THREAT;
(7) (8) MANAGE SECURITY AWARENESS TRAINING FOR ALL APPROPRIATE EMPLOYEES OF UNITS OF STATE GOVERNMENT;
(8) (9) ASSIST IN THE DEVELOPMENT OF DATA MANAGEMENT, DATA GOVERNANCE, AND DATA SPECIFICATION STANDARDS TO PROMOTE STANDARDIZATION AND REDUCE RISK;
(9) (10) ASSIST IN THE DEVELOPMENT OF A DIGITAL IDENTITY STANDARD AND SPECIFICATION APPLICABLE TO ALL PARTIES COMMUNICATING, INTERACTING, OR CONDUCTING BUSINESS WITH OR ON BEHALF OF A UNIT OF STATE GOVERNMENT;
(10) (11) DEVELOP AND MAINTAIN INFORMATION TECHNOLOGY SECURITY POLICY, STANDARDS, AND GUIDANCE DOCUMENTS, CONSISTENT WITH BEST PRACTICES DEVELOPED BY THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY;
(11) (12) TO THE EXTENT PRACTICABLE, SEEK, IDENTIFY, AND INFORM RELEVANT STAKEHOLDERS OF ANY AVAILABLE FINANCIAL ASSISTANCE PROVIDED BY THE FEDERAL GOVERNMENT OR NON–STATE ENTITIES TO SUPPORT THE WORK OF THE OFFICE;
(12) REVIEW AND CERTIFY LOCAL CYBERSECURITY PREPAREDNESS AND RESPONSE PLANS;
(13) PROVIDE TECHNICAL ASSISTANCE TO LOCALITIES IN MITIGATING AND RECOVERING FROM CYBERSECURITY INCIDENTS; AND
(14) PROVIDE TECHNICAL SERVICES, ADVICE, AND GUIDANCE TO UNITS OF LOCAL GOVERNMENT TO IMPROVE CYBERSECURITY PREPAREDNESS, PREVENTION, RESPONSE, AND RECOVERY PRACTICES.
(C) THE OFFICE, IN COORDINATION WITH THE MARYLAND DEPARTMENT OF EMERGENCY MANAGEMENT, SHALL:
(1) ASSIST LOCAL POLITICAL SUBDIVISIONS, INCLUDING COUNTIES, SCHOOL SYSTEMS, SCHOOL BOARDS, AND LOCAL HEALTH DEPARTMENTS, IN:
(I) THE DEVELOPMENT OF CYBERSECURITY PREPAREDNESS AND RESPONSE PLANS; AND
(II) IMPLEMENTING BEST PRACTICES AND GUIDANCE DEVELOPED BY THE DEPARTMENT; AND
(2) CONNECT LOCAL ENTITIES TO APPROPRIATE RESOURCES FOR ANY OTHER PURPOSE RELATED TO CYBERSECURITY PREPAREDNESS AND RESPONSE; AND
(3) DEVELOP APPROPRIATE REPORTS ON LOCAL CYBERSECURITY PREPAREDNESS.
(D) THE OFFICE, IN COORDINATION WITH THE MARYLAND DEPARTMENT OF EMERGENCY MANAGEMENT, MAY:
(1) CONDUCT REGIONAL EXERCISES, AS NECESSARY, IN COORDINATION WITH THE NATIONAL GUARD, LOCAL EMERGENCY MANAGERS, AND OTHER STATE AND LOCAL ENTITIES; AND
(2) ESTABLISH REGIONAL ASSISTANCE GROUPS TO DELIVER OR COORDINATE SUPPORT SERVICES TO LOCAL POLITICAL SUBDIVISIONS, AGENCIES, OR REGIONS.
(E) (1) ON OR BEFORE DECEMBER 31 EACH YEAR, THE OFFICE SHALL REPORT TO THE GOVERNOR AND, IN ACCORDANCE WITH § 2–1257 OF THE STATE GOVERNMENT ARTICLE, THE SENATE BUDGET AND TAXATION COMMITTEE, THE SENATE EDUCATION, HEALTH, AND ENVIRONMENTAL AFFAIRS COMMITTEE, THE HOUSE APPROPRIATIONS COMMITTEE, THE HOUSE HEALTH AND GOVERNMENT OPERATIONS COMMITTEE, AND THE JOINT COMMITTEE ON CYBERSECURITY, INFORMATION TECHNOLOGY, AND BIOTECHNOLOGY ON THE ACTIVITIES OF THE OFFICE AND THE STATE OF CYBERSECURITY PREPAREDNESS IN MARYLAND, INCLUDING:
(1) (I) THE ACTIVITIES AND ACCOMPLISHMENTS OF THE OFFICE DURING THE PREVIOUS 12 MONTHS AT THE STATE AND LOCAL LEVELS; AND
(2) (II) A COMPILATION AND ANALYSIS OF THE DATA FROM THE INFORMATION CONTAINED IN THE REPORTS RECEIVED BY THE OFFICE UNDER § 3.5–405 OF THIS TITLE, INCLUDING:
(I) 1. A SUMMARY OF THE ISSUES IDENTIFIED BY THE CYBERSECURITY PREPAREDNESS ASSESSMENTS CONDUCTED THAT YEAR;
(II) 2. THE STATUS OF VULNERABILITY ASSESSMENTS OF ALL UNITS OF STATE GOVERNMENT AND A TIMELINE FOR COMPLETION AND COST TO REMEDIATE ANY VULNERABILITIES EXPOSED;
(III) 3. RECENT AUDIT FINDINGS OF ALL UNITS OF STATE GOVERNMENT AND OPTIONS TO IMPROVE FINDINGS IN FUTURE AUDITS, INCLUDING RECOMMENDATIONS FOR STAFF, BUDGET, AND TIMING;
(IV) 4.
ANALYSIS OF THE STATE’S EXPENDITURE ON CYBERSECURITY RELATIVE TO OVERALL INFORMATION TECHNOLOGY SPENDING FOR THE PRIOR 3 YEARS AND RECOMMENDATIONS FOR CHANGES TO THE BUDGET, INCLUDING AMOUNT, PURPOSE, AND TIMING TO IMPROVE STATE AND LOCAL CYBERSECURITY PREPAREDNESS;
(V) 5. EFFORTS TO SECURE FINANCIAL SUPPORT FOR CYBER RISK MITIGATION FROM FEDERAL OR OTHER NON–STATE RESOURCES;
(VI) 6. KEY PERFORMANCE INDICATORS ON THE CYBERSECURITY STRATEGIES IN THE DEPARTMENT’S INFORMATION TECHNOLOGY MASTER PLAN, INCLUDING TIME, BUDGET, AND STAFF REQUIRED FOR IMPLEMENTATION; AND
(VII) 7. ANY ADDITIONAL RECOMMENDATIONS FOR IMPROVING STATE AND LOCAL CYBERSECURITY PREPAREDNESS.
(2) A REPORT SUBMITTED UNDER THIS SUBSECTION MAY NOT CONTAIN INFORMATION THAT REVEALS CYBERSECURITY VULNERABILITIES AND RISKS IN THE STATE.

3.5–2A–05.
(A) THERE IS A MARYLAND CYBERSECURITY COORDINATING COUNCIL.
(B) (1) THE COUNCIL CONSISTS OF THE FOLLOWING MEMBERS:
(1) THE SECRETARY OF BUDGET AND MANAGEMENT, OR THE SECRETARY’S DESIGNEE;
(2) THE SECRETARY OF GENERAL SERVICES, OR THE SECRETARY’S DESIGNEE;
(3) THE SECRETARY OF HEALTH, OR THE SECRETARY’S DESIGNEE;
(4) THE SECRETARY OF HUMAN SERVICES, OR THE SECRETARY’S DESIGNEE;
(5) THE SECRETARY OF PUBLIC SAFETY AND CORRECTIONAL SERVICES, OR THE SECRETARY’S DESIGNEE;
(6) THE SECRETARY OF TRANSPORTATION, OR THE SECRETARY’S DESIGNEE;
(7) THE SECRETARY OF DISABILITIES, OR THE SECRETARY’S DESIGNEE;
(I) THE SECRETARY OF EACH OF THE PRINCIPAL DEPARTMENTS LISTED IN § 8–201 OF THE STATE GOVERNMENT ARTICLE, OR A SECRETARY’S DESIGNEE;
(8) (II) THE STATE CHIEF INFORMATION SECURITY OFFICER;
(9) (III) THE ADJUTANT GENERAL OF THE MARYLAND NATIONAL GUARD, OR THE ADJUTANT GENERAL’S DESIGNEE;
(10) THE SECRETARY OF EMERGENCY MANAGEMENT, OR THE SECRETARY’S DESIGNEE;
(11) (IV) THE SUPERINTENDENT OF STATE POLICE, OR THE SUPERINTENDENT’S DESIGNEE;
(12) (V) THE DIRECTOR OF THE GOVERNOR’S OFFICE OF HOMELAND SECURITY, OR THE DIRECTOR’S DESIGNEE;
(13) (VI) THE EXECUTIVE DIRECTOR OF THE DEPARTMENT OF LEGISLATIVE SERVICES, OR THE EXECUTIVE DIRECTOR’S DESIGNEE;
(14) (VII) ONE REPRESENTATIVE OF THE ADMINISTRATIVE OFFICE OF THE COURTS;
(15) (VIII) THE CHANCELLOR OF THE UNIVERSITY SYSTEM OF MARYLAND, OR THE CHANCELLOR’S DESIGNEE; AND
(16) (IX) ANY OTHER STAKEHOLDER THAT THE STATE CHIEF INFORMATION SECURITY OFFICER DEEMS APPROPRIATE.
(2) IF A DESIGNEE SERVES ON THE COUNCIL IN PLACE OF AN OFFICIAL LISTED IN PARAGRAPH (1) OF THIS SUBSECTION, THE DESIGNEE SHALL REPORT INFORMATION FROM THE COUNCIL MEETINGS AND OTHER COMMUNICATIONS TO THE OFFICIAL.
(C) IN ADDITION TO THE MEMBERS LISTED UNDER SUBSECTION (B) OF THIS SECTION, THE FOLLOWING REPRESENTATIVES MAY SERVE AS NONVOTING MEMBERS OF THE COUNCIL:
(1) ONE MEMBER OF THE SENATE OF MARYLAND, APPOINTED BY THE PRESIDENT OF THE SENATE;
(2) ONE MEMBER OF THE HOUSE OF DELEGATES, APPOINTED BY THE SPEAKER OF THE HOUSE; AND
(3) ONE REPRESENTATIVE OF THE JUDICIARY, APPOINTED BY THE CHIEF JUDGE OF THE COURT OF APPEALS.
(C) (D) THE CHAIR OF THE COUNCIL IS THE STATE CHIEF INFORMATION SECURITY OFFICER.
(D) (E) (1) THE COUNCIL SHALL MEET AT LEAST QUARTERLY AT THE REQUEST OF THE CHAIR.
(2) MEETINGS OF THE COUNCIL SHALL BE CLOSED TO THE PUBLIC AND NOT SUBJECT TO TITLE 3 OF THE GENERAL PROVISIONS ARTICLE.
(E) (F) THE COUNCIL SHALL:
(1) PROVIDE ADVICE AND RECOMMENDATIONS TO THE STATE CHIEF INFORMATION SECURITY OFFICER REGARDING:
(I) THE STRATEGY AND IMPLEMENTATION OF CYBERSECURITY INITIATIVES AND RECOMMENDATIONS; AND
(II) BUILDING AND SUSTAINING THE CAPABILITY OF THE STATE TO IDENTIFY AND MITIGATE CYBERSECURITY RISK AND RESPOND TO AND RECOVER FROM CYBERSECURITY–RELATED INCIDENTS.
(2) USE THE ANALYSIS COMPILED BY THE OFFICE UNDER § 3.5–2A–04(E)(2) OF THIS SUBTITLE TO PRIORITIZE CYBERSECURITY RISK ACROSS THE EXECUTIVE BRANCH OF STATE GOVERNMENT AND MAKE CORRESPONDING RECOMMENDATIONS FOR SECURITY INVESTMENTS IN THE GOVERNOR’S ANNUAL BUDGET.
(F) (G) IN CARRYING OUT THE DUTIES OF THE COUNCIL, THE COUNCIL MAY SHALL CONSULT WITH OUTSIDE EXPERTS, INCLUDING EXPERTS IN THE PRIVATE SECTOR, GOVERNMENT AGENCIES, AND INSTITUTIONS OF HIGHER EDUCATION.

3.5–2A–06.
THE COUNCIL SHALL STUDY THE SECURITY AND FINANCIAL IMPLICATIONS OF EXECUTING PARTNERSHIPS WITH OTHER STATES TO PROCURE INFORMATION TECHNOLOGY AND CYBERSECURITY PRODUCTS AND SERVICES, INCLUDING THE IMPLICATIONS FOR POLITICAL SUBDIVISIONS OF THE STATE.

3.5–2A–07.
THE COUNCIL SHALL:
(1) PROMOTE CYBERSECURITY EDUCATION AND TRAINING OPPORTUNITIES TO STRENGTHEN THE STATE’S CYBERSECURITY CAPABILITIES BY EXPANDING EXISTING AGREEMENTS WITH EDUCATIONAL INSTITUTIONS;
(2) UTILIZE RELATIONSHIPS WITH INSTITUTIONS OF HIGHER EDUCATION TO ADVERTISE CYBERSECURITY CAREERS AND JOB POSITIONS AVAILABLE IN STATE OR LOCAL GOVERNMENT, INCLUDING THE MARYLAND TECHNOLOGY INTERNSHIP PROGRAM ESTABLISHED UNDER TITLE 18, SUBTITLE 30 OF THE EDUCATION ARTICLE; AND.
(3) ASSIST INTERESTED CANDIDATES WITH APPLYING FOR CYBERSECURITY POSITIONS IN STATE OR LOCAL GOVERNMENT.

3.5–301.
(a) In this subtitle the following words have the meanings indicated.
(i) “Master plan” means the statewide information technology master plan AND STATEWIDE CYBERSECURITY STRATEGY.
(j) “Nonvisual access” means the ability, through keyboard control, synthesized speech, Braille, or other methods not requiring sight to receive, use, and manipulate information and operate controls necessary to access information technology in accordance with standards adopted under [§ 3A–303(b)] § 3.5–303(B) of this subtitle.

3.5–302.
(a) This subtitle does not apply to changes relating to or the purchase, lease, or rental of information technology by:
(1) public institutions of higher education solely for academic or research purposes;
(2) the Maryland Port Administration;
(3) the University System of Maryland;
(4) St. Mary’s College of Maryland;
(5) Morgan State University;
(6) the Maryland Stadium Authority; [or]
(7) Baltimore City Community College;
(8) THE LEGISLATIVE BRANCH OF STATE GOVERNMENT; OR
(9) THE JUDICIAL BRANCH OF STATE GOVERNMENT.
(b) Except as provided in subsection (a) of this section, this subtitle applies to any project of a unit of the Executive Branch of State government that involves an agreement with a public institution of higher education for a portion of the development of the project, whether the work on the development is done directly or indirectly by the public institution of higher education.
(c) Notwithstanding any other provision of law, except as provided in subsection (a) of this section and [§§ 3A–307(a)(2), 3A–308, and 3A–309] §§ 3.5–306(A)(2), 3.5–307, 3.5–307(A)(2), 3.5–308 AND 3.5–308 3.5–309 of this subtitle, this subtitle applies to all units of the Executive Branch of State government including public institutions of higher education other than Morgan State University, the University System of Maryland, St. Mary’s College of Maryland, and Baltimore City Community College.
3.5–303.
(a) The Secretary is responsible for carrying out the following duties:
(1) developing, maintaining, revising, and enforcing information technology policies, procedures, and standards;
(2) providing technical assistance, advice, and recommendations to the Governor and any unit of State government concerning information technology matters;
(3) reviewing the annual project plan for each unit of State government to make information and services available to the public over the Internet;
(4) developing and maintaining a statewide information technology master plan that will:
(i) [be the basis for] CENTRALIZE the management and direction of information technology POLICY within the Executive Branch of State government UNDER THE CONTROL OF THE DEPARTMENT;
(ii) include all aspects of State information technology including telecommunications, security, data processing, and information management;
(iii) consider interstate transfers as a result of federal legislation and regulation;
(iv) [work jointly with the Secretary of Budget and Management to ensure that information technology plans and budgets are consistent;
(v)] ensure that THE State information technology [plans, policies,] PLAN AND RELATED POLICIES and standards are consistent with State goals, objectives, and resources, and represent a long–range vision for using information technology to improve the overall effectiveness of State government; and
[(vi)] (V) include standards to assure nonvisual access to the information and services made available to the public over the Internet; AND
(VI) ALLOWS A STATE AGENCY TO MAINTAIN THE AGENCY’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adopting by regulation and enforcing nonvisual access standards to be used in the procurement of information technology services by or on behalf of units of State government in accordance with subsection (b) of this section;
[(6)] (8) (7) in consultation with the [Attorney General,] MARYLAND CYBERSECURITY COORDINATING COUNCIL, advising and overseeing a consistent cybersecurity strategy for units of State government, including institutions under the control of the governing boards of the public institutions of higher education;
[(7)] (9) (8) advising and consulting with the Legislative and Judicial branches of State government regarding a cybersecurity strategy; and
[(8)] (10) (9) in consultation with the [Attorney General,] MARYLAND CYBERSECURITY COORDINATING COUNCIL, developing guidance on consistent cybersecurity strategies for counties, municipal corporations, school systems, and all other political subdivisions of the State.
(b) Nothing in subsection (a) of this section may be construed as establishing a mandate for any entity listed in subsection [(a)(8)] (A)(10) of this section.
(c) On or before January 1, 2020, the Secretary, or the Secretary’s designee, shall:
(1) adopt new nonvisual access procurement standards that:
(i) provide an individual with disabilities with nonvisual access in a way that is fully and equally accessible to and independently usable by the individual with disabilities so that the individual is able to acquire the same information, engage in the same interactions, and enjoy the same services as users without disabilities, with substantially equivalent ease of use; and
(ii) are consistent with the standards of § 508 of the federal Rehabilitation Act of 1973; and
(2) establish a process for the Secretary or the Secretary’s designee to:
(i) determine whether information technology meets the nonvisual access standards adopted under item (1) of this subsection; and
(ii) 1. for information technology procured by a State unit before January 1, 2020, and still used by the State unit on or after January 1, 2020, work with the vendor to modify the information technology to meet the nonvisual access standards, if practicable; or
2. for information technology procured by a State unit on or after January 1, 2020, enforce the nonvisual access clause developed under [§ 3A–311] § 3.5–310 3.5–311 of this subtitle, including the enforcement of the civil penalty described in [§ 3A–311(a)(2)(iii)1] § 3.5–310(A)(2)(III)1 3.5–311(A)(2)(III)1 of this subtitle.
(D) (1) THE GOVERNOR SHALL INCLUDE AN APPROPRIATION IN THE ANNUAL BUDGET BILL IN AN AMOUNT NECESSARY TO COVER THE COSTS OF IMPLEMENTING THE STATEWIDE CYBERSECURITY MASTER PLAN DEVELOPED UNDER SUBSECTION (A) OF THIS SECTION WITHOUT THE NEED FOR THE DEPARTMENT TO OPERATE A CHARGE–BACK MODEL FOR CYBERSECURITY SERVICES PROVIDED TO OTHER UNITS OF STATE GOVERNMENT OR UNITS OF LOCAL GOVERNMENT.
(2) ON OR BEFORE JANUARY 31 EACH YEAR, IN A SEPARATE REPORT OR INCLUDED WITHIN A GENERAL BUDGET REPORT, THE GOVERNOR SHALL SUBMIT A REPORT IN ACCORDANCE WITH § 2–1257 OF THE STATE GOVERNMENT ARTICLE TO THE SENATE BUDGET AND TAXATION COMMITTEE AND THE HOUSE APPROPRIATIONS COMMITTEE THAT INCLUDES:
(I) SPECIFIC INFORMATION ON THE INFORMATION TECHNOLOGY BUDGET AND CYBERSECURITY BUDGET THAT THE GOVERNOR HAS SUBMITTED TO THE GENERAL ASSEMBLY FOR THE UPCOMING FISCAL YEAR; AND
(II) HOW THE BUDGETS LISTED UNDER ITEM (I) OF THIS PARAGRAPH COMPARE TO THE ANNUAL OVERVIEW OF THE U.S. PRESIDENT’S BUDGET SUBMISSION ON INFORMATION TECHNOLOGY AND CYBERSECURITY TO CONGRESS CONDUCTED BY THE U.S. OFFICE OF MANAGEMENT AND BUDGET.
3.5–305.
(a) [Except as provided in subsection (b) of this section, in accordance with guidelines established by the Secretary, each unit of State government shall develop and submit to the Secretary:
(1) information technology policies and standards;
(2) an information technology plan; and
(3) an annual project plan outlining the status of efforts to make information and services available to the public over the Internet.
(b) (1)] The governing boards of the public institutions of higher education shall develop and submit information technology policies and standards and an information technology plan for their respective institutions or systems to the Secretary.
[(2)] (B) If the Secretary finds that the submissions required under this [subsection] SECTION are consistent with the master plan, the Secretary shall incorporate those submissions into the master plan.
[(3)] (C) If the Secretary finds that the submissions required under this [subsection] SECTION are not consistent with the master plan:
(i) the Secretary shall return the submissions to the governing boards; and
(ii) the governing boards shall revise the submissions as appropriate and submit the revised policies, standards, and plans to the Secretary.
[3.5–306.
Information technology of each unit of State government shall be consistent with the master plan.]
[3.5–307.] 3.5–306.
(a) (1) [A unit of State government] THE DEPARTMENT may not purchase, lease, or rent information technology ON BEHALF OF A UNIT OF STATE GOVERNMENT unless consistent with the master plan STRATEGY.
(2) A unit of State government other than a public institution of higher education [may not make] SHALL SUBMIT REQUESTS FOR expenditures for major information technology development projects OR CYBERSECURITY PROJECTS except as provided in [§ 3A–308] § 3.5–307 3.5–308 of this subtitle.
(b) [(1)] The Secretary may review any information technology project OR CYBERSECURITY PROJECT for consistency with the master plan STRATEGY.
[(2) Any information technology project selected for review may not be implemented without the approval of the Secretary.]
(c) (1) A unit of State government shall advise the Secretary of any information technology proposal involving resource sharing, the exchange of goods or services, or a gift, contribution, or grant of real or personal property.
(2) The Secretary shall determine if the value of the resources, services, and property to be obtained by the State under the terms of any proposal submitted in accordance with the provisions of paragraph (1) of this subsection equals or exceeds $100,000.
(3) If the value of any proposal submitted in accordance with this subsection equals or exceeds $100,000 and the Secretary and unit agree to proceed with the proposal, information on the proposal shall be:
(i) advertised for a period of at least 30 days in the eMaryland Marketplace; and
(ii) submitted, simultaneously with the advertisement, to the Legislative Policy Committee for a 60–day review and comment period, during which time the Committee may recommend that the proposal be treated as a procurement contract under Division II of this article.
(4) Following the period for review and comment by the Legislative Policy Committee under paragraph (3) of this subsection, the proposal is subject to approval by the Board of Public Works.
(5) This subsection may not be construed as authorizing an exception from the requirements of Division II of this article for any contract that otherwise would be subject to the State procurement process.
[3.5–308.] 3.5–307.
(a) This section does not apply to a public institution of higher education.
(b) In submitting its information technology project requests, a unit of State government shall designate projects which are major information technology development projects.
(c) In reviewing information technology project requests, the Secretary may change a unit’s designation of a major information technology development project.
(d) The Secretary shall review and, with the advice of the Secretary of Budget and Management, approve major information technology development projects and specifications for consistency with all statewide plans, policies, and standards, including a systems development life cycle plan.
(e) The Secretary shall be responsible for overseeing the implementation of major information technology development projects[, regardless of fund source].
(f) With the advice of the Secretary of Budget and Management, expenditures for major information technology development projects shall be subject to the approval of the Secretary who shall approve expenditures only when those projects are consistent with statewide plans, policies, and standards.
(g) (1) The Secretary shall approve funding for major information technology development projects only when those projects are supported by an approved systems development life cycle plan.
(2) An approved systems development life cycle plan shall include submission of:
(i) a project planning request that details initial planning for the project, including:
1. the project title, appropriation code, and summary;
2. a description of:
A. the needs addressed by the project;
B. the potential risks associated with the project;
C. possible alternatives; and
D. the scope and complexity of the project; and
3. an estimate of:
A. the total costs required to complete through planning; and
B. the fund sources available to support planning costs; and
(ii) a project implementation request to begin full design, development, and implementation of the project after the completion of planning, including:
1. the project title, appropriation code, and summary;
2. a description of:
A. the needs addressed by the project;
B. the potential risks associated with the project;
C. possible alternatives;
D. the scope and complexity of the project; and
E. how the project meets the goals of the statewide master plan; and
3. an estimate of:
A. the total project cost; and
B. the fund sources available.
(3) The Secretary may approve funding incrementally, consistent with the systems development life cycle plan.
[3.5–309.] 3.5–308.
(a) There is a Major Information Technology Development Project Fund.
(b) The purpose of the Fund is to support major information technology development projects.
(c) The Secretary:
(1) shall administer the Fund in accordance with this section; and
(2) subject to the provisions of § 2–201 of this article and [§ 3A–307] § 3.5–306 3.5–307 of this subtitle, may receive and accept contributions, grants, or gifts of money or property.
(d) (1) The Fund is a special, nonlapsing fund that is not subject to § 7–302 of this article.
(2) The State Treasurer shall hold the Fund separately and the Comptroller shall account for the Fund.
(3) The State Treasurer shall invest and reinvest the money of the Fund in the same manner as other State money may be invested.
(4) Any investment earnings of the Fund shall be paid into the Fund.
(e) Except as provided in subsection (f) of this section, the Fund consists of:
(1) money appropriated in the State budget to the Fund;
(2) as approved by the Secretary, money received from:
(i) the sale, lease, or exchange of communication sites, communication facilities, or communication frequencies for information technology purposes; or
(ii) an information technology agreement involving resource sharing;
(3) that portion of money earned from pay phone commissions to the extent that the commission rates exceed those in effect in December 1993;
(4) money received and accepted as contributions, grants, or gifts as authorized under subsection (c) of this section;
(5) general funds appropriated for major information technology development projects of any unit of State government other than a public institution of higher education that:
(i) are unencumbered and unexpended at the end of a fiscal year;
(ii) have been abandoned; or
(iii) have been withheld by the General Assembly or the Secretary;
(6) any investment earnings; and
(7) any other money from any source accepted for the benefit of the Fund.
(f) The Fund does not include any money:
(1) received by the Department of Transportation, the Maryland Transportation Authority, Baltimore City Community College, or the Maryland Public Broadcasting Commission;
(2) received by the Judicial or Legislative branches of State government; or
(3) generated from pay phone commissions that are credited to other accounts or funds in accordance with other provisions of law or are authorized for other purposes in the State budget or through an approved budget amendment.
(g) The Governor shall submit with the State budget:
(1) a summary showing the unencumbered balance in the Fund as of the close of the prior fiscal year and a listing of any encumbrances;
(2) an estimate of projected revenue from each of the sources specified in subsection (e) of this section for the fiscal year for which the State budget is submitted; and
(3) a descriptive listing of projects reflecting projected costs for the fiscal year for which the State budget is submitted and any estimated future year costs.
(h) Expenditures from the Fund shall be made only:
(1) in accordance with an appropriation approved by the General Assembly in the annual State budget; or
(2) through an approved State budget amendment under Title 7, Subtitle 2, Part II of this article, provided that a State budget amendment for any project not requested as part of the State budget submission or for any project for which the scope or cost has increased by more than 5% or $250,000 shall be submitted to the budget committees allowing a 30–day period for their review and comment.
(i) The Fund may be used:
(1) for major information technology development projects;
(2) as provided in subsections (j) and (l) of this section; or
(3) notwithstanding [§ 3A–301(b)(2)] § 3.5–301(B)(2) of this subtitle, for the costs of the first 12 months of operation and maintenance of a major information technology development project.
(j) Notwithstanding subsection (b) of this section and except for the cost incurred in administering the Fund, each fiscal year up to $1,000,000 of this Fund may be used for:
(1) educationally related information technology projects;
(2) application service provider initiatives as provided for in Title 9, Subtitle 22 of the State Government Article; or
(3) information technology projects, including:
(i) pilots; and
(ii) prototypes.
(k) A unit of State government or local government may submit a request to the Secretary to support the cost of an information technology project with money under subsection (j) of this section.
(l) (1) Notwithstanding subsection (b) of this section and in accordance with paragraph (2) of this subsection, money paid into the Fund under subsection (e)(2) of this section shall be used to support:
(i) the State telecommunication and computer network established under [§ 3A–404] § 3.5–404 of this title, including program development for these activities; and
(ii) the Statewide Public Safety Interoperability Radio System, also known as Maryland First (first responder interoperable radio system team), under Title 1, Subtitle 5 of the Public Safety Article.
(2) The Secretary may determine the portion of the money paid into the Fund that shall be allocated to each program described in paragraph (1) of this subsection.
(m) (1) On or before November 1 of each year, the Secretary shall report to the Governor, the Secretary of Budget and Management, and to the budget committees of the General Assembly and submit a copy of the report to the General Assembly, in accordance with § 2–1257 of the State Government Article.
(2) The report shall include:
(i) the financial status of the Fund and a summary of its operations for the preceding fiscal year;
(ii) an accounting for the preceding fiscal year of all money from each of the revenue sources specified in subsection (e) of this section, including any expenditures made from the Fund; and
(iii) for each project receiving money from the Fund in the preceding fiscal year and for each major information technology development project receiving funding from any source other than the Fund in the preceding fiscal year:
1. the status of the project;
2. a comparison of estimated and actual costs of the project;
3. any known or anticipated changes in scope or costs of the project;
4. an evaluation of whether the project is using best practices; and
5. a summary of any monitoring and oversight of the project from outside the agency in which the project is being developed, including a description of any problems identified by any external review and any corrective actions taken.
(n) On or before January 15 of each year, for each major information technology development project currently in development or for which operations and maintenance funding is being provided in accordance with subsection (i)(3) of this section, subject to § 2–1257 of the State Government Article, the Secretary shall provide a summary report to the Department of Legislative Services with the most up–to–date project information including:
(1) project status;
(2) any schedule, cost, and scope changes since the last annual report;
(3) a risk assessment including any problems identified by any internal or external review and any corrective actions taken; and
(4) any change in the monitoring or oversight status.
[3A–310.] 3.5–309.
This subtitle may not be construed to give the Secretary authority over:
(1) the content of educational applications or curriculum at the State or local level; or
(2) the entities that may participate in such educational programs.
[3.5–311.] 3.5–310.
(a) (1) The Secretary or the Secretary’s designee, in consultation with other units of State government, and after public comment, shall develop a nonvisual access clause for use in the procurement of information technology and information technology services that specifies that the technology and services:
(i) must provide equivalent access for effective use by both visual and nonvisual means;
(ii) will present information, including prompts used for interactive communications, in formats intended for both visual and nonvisual use;
(iii) can be integrated into networks for obtaining, retrieving, and disseminating information used by individuals who are not blind or visually impaired; and
(iv) shall be obtained, whenever possible, without modification for compatibility with software and hardware for nonvisual access.
(2) On or after January 1, 2020, the nonvisual access clause developed in accordance with paragraph (1) of this subsection shall include a statement that:
(i) within 18 months after the award of the procurement, the Secretary, or the Secretary’s designee, will determine whether the information technology meets the nonvisual access standards adopted in accordance with [§ 3A–303(b)] § 3.5–303(B) of this subtitle;
(ii) if the information technology does not meet the nonvisual access standards, the Secretary, or the Secretary’s designee, will notify the vendor in writing that the vendor, at the vendor’s own expense, has 12 months after the date of the notification to modify the information technology in order to meet the nonvisual access standards; and
(iii) if the vendor fails to modify the information technology to meet the nonvisual access standards within 12 months after the date of the notification, the vendor:
1. may be subject to a civil penalty of:
A. for a first offense, a fine not exceeding $5,000; and
B. for a subsequent offense, a fine not exceeding $10,000; and
2. shall indemnify the State for liability resulting from the use of information technology that does not meet the nonvisual access standards.
(b) (1) Except as provided in paragraph (2) of this subsection, the nonvisual access clause required under subsection (a) of this section shall be included in each invitation for bids or request for proposals and in each procurement contract or modification or renewal of a contract issued under Title 13 of this article, without regard to the method chosen under Title 13, Subtitle 1 of this article for the purchase of new or upgraded information technology and information technology services.
(2) Except as provided in subsection (a)(4) of this section, the nonvisual access clause required under paragraph (1) of this subsection is not required if:
(i) the information technology is not available with nonvisual access because the essential elements of the information technology are visual and nonvisual equivalence cannot be developed; or
(ii) the cost of modifying the information technology for compatibility with software and hardware for nonvisual access would increase the price of the procurement by more than 15%.
[3.5–312.] 3.5–311.
The Secretary may delegate the duties set forth in this subtitle to carry out its purposes.
[3.5–313.] 3.5–312.
(a) (1) In this section the following words have the meanings indicated.
(2) “Agency” includes a unit of State government that receives funds that are not appropriated in the annual budget bill.
(3) (i) “Payee” means any party who receives from the State an aggregate payment of $25,000 in a fiscal year.
(ii) “Payee” does not include:
1. a State employee with respect to the employee’s compensation; or
2. a State retiree with respect to the retiree’s retirement allowance.
(4) “Searchable website” means a website created in accordance with this section that displays and searches State payment data.
(b) (1) The Department shall develop and operate a single searchable website, accessible to the public at no cost through the Internet.
(2) On or before the 15th day of the month that follows the month in which an agency makes a payment to a payee, the Department shall update the payment data on the searchable website.
(c) The searchable website shall contain State payment data, including:
(1) the name of a payee receiving a payment;
(2) the location of a payee by postal zip code;
(3) the amount of a payment; and
(4) the name of an agency making a payment.
(d) The searchable website shall allow the user to:
(1) search data for fiscal year 2008 and each year thereafter; and
(2) search by the following data fields:
(i) a payee receiving a payment;
(ii) an agency making a payment; and
(iii) the zip code of a payee receiving a payment.
(e) State agencies shall provide appropriate assistance to the Secretary to ensure the existence and ongoing operation of the single website.
(f) This section may not be construed to require the disclosure of information that is confidential under State or federal law.
(g) This section shall be known and may be cited as the “Maryland Funding Accountability and Transparency Act”.
[3.5–314.] 3.5–313.
(a) In this section, “security–sensitive data” means information that is protected against unwarranted disclosure.
(b) In accordance with guidelines established by the Secretary, each unit of State government shall develop a plan to:
(1) identify unit personnel who handle security–sensitive data; and
(2) establish annual security overview training or refresher security training for each employee who handles security–sensitive data as part of the employee’s duties.
3.5–401.
(a) The Department shall:
(1) coordinate the development, procurement, management, and operation of telecommunication equipment, systems, and services by State government;
(2) TO ADDRESS PREPAREDNESS AND RESPONSE CAPABILITIES OF LOCAL JURISDICTIONS, COORDINATE THE PROCUREMENT OF MANAGED CYBERSECURITY SERVICES PROCURED BY LOCAL GOVERNMENTS WITH STATE FUNDING;
[(2)] (3) acquire and manage common user telecommunication equipment, systems, or services and charge units of State government for their proportionate share of the costs of installation, maintenance, and operation of the common user telecommunication equipment, systems, or services;
[(3)] (4) promote compatibility of telecommunication systems by developing policies, procedures, and standards for the [acquisition and] use of telecommunication equipment, systems, and services by units of State government;
[(4)] (5) coordinate State government telecommunication systems and services by reviewing requests by units of State government for, AND ACQUIRING ON BEHALF OF UNITS OF STATE GOVERNMENT, telecommunication equipment, systems, or services;
[(5)] (6) advise units of State government about [planning, acquisition,] PLANNING and operation of telecommunication equipment, systems, or services; and
[(6)] (7) provide radio frequency coordination for State and local governments in accordance with regulations of the Federal Communications Commission.
(b) The Department may make arrangement for a user other than a unit of State government to have access to and use of State telecommunication equipment, systems, and services and shall charge the user any appropriate amount to cover the cost of installation, maintenance, and operation of the telecommunication equipment, system, or service provided.
(C) (1) THE DEPARTMENT SHALL DEVELOP AND REQUIRE BASIC SECURITY REQUIREMENTS TO BE INCLUDED IN A CONTRACT:
(I) IN WHICH A THIRD–PARTY CONTRACTOR WILL HAVE ACCESS TO AND USE STATE TELECOMMUNICATION EQUIPMENT, SYSTEMS, OR SERVICES; OR
(II) BY A UNIT OF STATE GOVERNMENT THAT IS LESS THAN $50,000 FOR SYSTEMS OR DEVICES THAT WILL CONNECT TO STATE TELECOMMUNICATION EQUIPMENT, SYSTEMS, OR SERVICES.
(2) THE SECURITY REQUIREMENTS DEVELOPED UNDER PARAGRAPH (1) OF THIS SUBSECTION SHALL BE CONSISTENT WITH A WIDELY RECOGNIZED SECURITY STANDARD, INCLUDING NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY SP 800–171, ISO27001, OR CYBERSECURITY MATURITY MODEL CERTIFICATION.
3.5–404.
(a) The General Assembly declares that:
(1) it is the policy of the State to foster telecommunication and computer networking among State and local governments, their agencies, and educational institutions in the State;
(2) there is a need to improve access, especially in rural areas, to efficient telecommunication and computer network connections;
(3) improvement of telecommunication and computer networking for State and local governments and educational institutions promotes economic development, educational resource use and development, and efficiency in State and local administration;
(4) rates for the intrastate inter–LATA telephone communications needed for effective integration of telecommunication and computer resources are prohibitive for many smaller governments, agencies, and institutions; and
(5) the use of improved State telecommunication and computer networking under this section is intended not to compete with commercial access to advanced network technology, but rather to foster fundamental efficiencies in government and education for the public good.
(b) (1) The Department shall establish a telecommunication and computer network in the State.
(2) The network shall consist of:
(i) one or more connection facilities for telecommunication and computer connection in each local access transport area (LATA) in the State; and
(ii) facilities, auxiliary equipment, and services required to support the network in a reliable and secure manner.
(c) The network shall be accessible through direct connection and through local intra–LATA telecommunications to State and local governments and public and private educational institutions in the State.
(D) ON OR BEFORE DECEMBER 1 EACH YEAR, EACH UNIT OF THE LEGISLATIVE OR JUDICIAL BRANCH OF STATE GOVERNMENT AND ANY DIVISION OF THE UNIVERSITY SYSTEM OF MARYLAND THAT USE THE NETWORK ESTABLISHED UNDER SUBSECTION (B) OF THIS SECTION SHALL CERTIFY TO THE DEPARTMENT THAT THE UNIT OR DIVISION IS IN COMPLIANCE WITH THE DEPARTMENT’S MINIMUM SECURITY STANDARDS.
3.5–404.
(D) (1) THE OFFICE SHALL ENSURE THAT AT LEAST ONCE EVERY 2 YEARS, OR MORE OFTEN IF REQUIRED BY REGULATIONS ADOPTED BY THE DEPARTMENT, EACH UNIT OF STATE GOVERNMENT SHALL COMPLETE AN EXTERNAL ASSESSMENT.
(2) THE OFFICE SHALL ASSIST EACH UNIT TO REMEDIATE ANY SECURITY VULNERABILITIES OR HIGH–RISK CONFIGURATIONS IDENTIFIED IN THE ASSESSMENT REQUIRED UNDER PARAGRAPH (1) OF THIS SUBSECTION.
(E) (1) IN THIS SUBSECTION, “IT UNIT” MEANS A UNIT OF THE LEGISLATIVE BRANCH OR JUDICIAL BRANCH OF STATE GOVERNMENT THAT PROVIDES INFORMATION TECHNOLOGY SERVICES FOR ANOTHER UNIT OF GOVERNMENT.
(2) EACH IT UNIT SHALL:
(I) BE EVALUATED BY AN INDEPENDENT AUDITOR WITH CYBERSECURITY EXPERTISE TO DETERMINE WHETHER THE IT UNIT, AND THE UNITS IT PROVIDES INFORMATION TECHNOLOGY SERVICES FOR, MEET RELEVANT CYBERSECURITY STANDARDS RECOMMENDED BY THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY; AND
(II) CERTIFY COMPLIANCE WITH THE RECOMMENDED NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY CYBERSECURITY STANDARDS TO:
1. IF THE IT UNIT IS PART OF THE LEGISLATIVE BRANCH, THE PRESIDENT OF THE SENATE AND THE SPEAKER OF THE HOUSE; AND
2. IF THE IT UNIT IS PART OF THE JUDICIAL BRANCH OF STATE GOVERNMENT, THE CHIEF JUDGE.
3.5–405.
(A) ON OR BEFORE DECEMBER 1 EACH YEAR, EACH UNIT OF STATE GOVERNMENT SHALL:
(1) COMPLETE A CYBERSECURITY PREPAREDNESS ASSESSMENT AND REPORT THE RESULTS OF ANY CYBERSECURITY PREPAREDNESS ASSESSMENTS PERFORMED IN THE PRIOR YEAR TO THE OFFICE OF SECURITY MANAGEMENT IN ACCORDANCE WITH GUIDELINES DEVELOPED BY THE OFFICE; AND
(2) SUBMIT A REPORT TO THE GOVERNOR AND THE OFFICE OF SECURITY MANAGEMENT THAT INCLUDES:
(I) AN INVENTORY OF ALL INFORMATION SYSTEMS AND APPLICATIONS USED OR MAINTAINED BY THE UNIT;
(II) A FULL DATA INVENTORY OF THE UNIT;
(III) A LIST OF ALL CLOUD OR STATISTICAL ANALYSIS SYSTEM SOLUTIONS USED BY THE UNIT;
(IV) A LIST OF ALL PERMANENT AND TRANSIENT VENDOR INTERCONNECTIONS THAT ARE IN PLACE;
(V) THE NUMBER OF UNIT EMPLOYEES WHO HAVE RECEIVED CYBERSECURITY TRAINING;
(VI) THE TOTAL NUMBER OF UNIT EMPLOYEES WHO USE THE NETWORK;
(VII) THE NUMBER OF INFORMATION TECHNOLOGY STAFF POSITIONS, INCLUDING VACANCIES;
(VIII) THE NUMBER OF NONINFORMATION TECHNOLOGY STAFF POSITIONS, INCLUDING VACANCIES;
(IX) THE UNIT’S INFORMATION TECHNOLOGY BUDGET, ITEMIZED TO INCLUDE THE FOLLOWING CATEGORIES:
1. SERVICES;
2. EQUIPMENT;
3. APPLICATIONS;
4. PERSONNEL;
5. SOFTWARE LICENSING;
6. DEVELOPMENT;
7. NETWORK PROJECTS;
8. MAINTENANCE; AND
9. CYBERSECURITY;
(X) ANY MAJOR INFORMATION TECHNOLOGY INITIATIVES TO MODERNIZE THE UNIT’S INFORMATION TECHNOLOGY SYSTEMS OR IMPROVE CUSTOMER ACCESS TO STATE AND LOCAL SERVICES;
(XI) THE UNIT’S PLANS FOR FUTURE FISCAL YEARS TO IMPLEMENT THE UNIT’S INFORMATION TECHNOLOGY GOALS;
(XII) COMPLIANCE WITH TIMELINES AND METRICS PROVIDED IN THE DEPARTMENT’S MASTER PLAN; AND
(XIII) ANY OTHER KEY PERFORMANCE INDICATORS REQUIRED BY THE OFFICE OF SECURITY MANAGEMENT TO TRACK COMPLIANCE OR CONSISTENCY WITH THE DEPARTMENT’S STATEWIDE INFORMATION TECHNOLOGY MASTER PLAN.
(B) (1) EACH UNIT OF STATE GOVERNMENT SHALL REPORT A CYBERSECURITY INCIDENT IN ACCORDANCE WITH PARAGRAPH (2) OF THIS SUBSECTION TO THE STATE CHIEF INFORMATION SECURITY OFFICER.
(2) FOR THE REPORTING OF CYBERSECURITY INCIDENTS UNDER PARAGRAPH (1) OF THIS SUBSECTION, THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL DETERMINE:
(I) THE CRITERIA FOR DETERMINING WHEN AN INCIDENT MUST BE REPORTED;
(II) THE MANNER IN WHICH TO REPORT; AND
(III) THE TIME PERIOD WITHIN WHICH A REPORT MUST BE MADE.
3.5–406.
(C) (1) (A) THIS SUBSECTION DOES NOT APPLY TO MUNICIPAL GOVERNMENTS.
(2) (B) ON OR BEFORE DECEMBER 1 EACH YEAR IN A MANNER AND FREQUENCY ESTABLISHED IN REGULATIONS ADOPTED BY THE DEPARTMENT, EACH COUNTY GOVERNMENT, LOCAL SCHOOL SYSTEM, AND LOCAL HEALTH DEPARTMENT SHALL:
(I) (1) IN CONSULTATION WITH THE LOCAL EMERGENCY MANAGER, CREATE OR UPDATE A CYBERSECURITY PREPAREDNESS AND RESPONSE PLAN AND SUBMIT THE PLAN TO THE OFFICE OF SECURITY MANAGEMENT FOR APPROVAL; AND
(II) (2) COMPLETE A CYBERSECURITY PREPAREDNESS ASSESSMENT AND REPORT THE RESULTS TO THE OFFICE OF SECURITY MANAGEMENT IN ACCORDANCE WITH GUIDELINES DEVELOPED BY THE OFFICE; AND
(III) REPORT TO THE OFFICE OF SECURITY MANAGEMENT:
1. THE NUMBER OF INFORMATION TECHNOLOGY STAFF POSITIONS, INCLUDING VACANCIES;
2. THE ENTITY’S CYBERSECURITY BUDGET AND OVERALL INFORMATION TECHNOLOGY BUDGET;
3. THE NUMBER OF EMPLOYEES WHO HAVE RECEIVED CYBERSECURITY TRAINING; AND
4. THE TOTAL NUMBER OF EMPLOYEES WITH ACCESS TO THE ENTITY’S COMPUTER SYSTEMS AND DATABASES.
(C) THE ASSESSMENT REQUIRED UNDER PARAGRAPH (B)(2) OF THIS SECTION MAY, IN ACCORDANCE WITH THE PREFERENCE OF EACH COUNTY GOVERNMENT, BE PERFORMED BY THE DEPARTMENT OR BY A VENDOR AUTHORIZED BY THE DEPARTMENT.
(3) (I) (D) (1) EACH COUNTY LOCAL GOVERNMENT, LOCAL SCHOOL SYSTEM, AND LOCAL HEALTH DEPARTMENT SHALL REPORT A CYBERSECURITY INCIDENT, INCLUDING AN ATTACK ON A STATE SYSTEM BEING USED BY THE LOCAL GOVERNMENT, TO THE APPROPRIATE LOCAL EMERGENCY MANAGER AND THE STATE SECURITY OPERATIONS CENTER IN THE DEPARTMENT IN ACCORDANCE WITH SUBPARAGRAPH (II) PARAGRAPH (2) OF THIS PARAGRAPH SUBSECTION TO THE APPROPRIATE LOCAL EMERGENCY MANAGER.
(II) (2) FOR THE REPORTING OF CYBERSECURITY INCIDENTS TO LOCAL EMERGENCY MANAGERS UNDER SUBPARAGRAPH (I) OF THIS PARAGRAPH, THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL DETERMINE:
1. (I) THE CRITERIA FOR DETERMINING WHEN AN INCIDENT MUST BE REPORTED;
2. (II) THE MANNER IN WHICH TO REPORT; AND
3. (III) THE TIME PERIOD WITHIN WHICH A REPORT MUST BE MADE.
(3) THE STATE SECURITY OPERATIONS CENTER SHALL IMMEDIATELY NOTIFY THE APPROPRIATE AGENCIES OF A CYBERSECURITY INCIDENT REPORTED UNDER THIS SUBSECTION THROUGH THE STATE SECURITY OPERATIONS CENTER.
4–316.1.
THE DEPARTMENT, IN CONSULTATION WITH THE MARYLAND CYBERSECURITY COORDINATING COUNCIL ESTABLISHED IN § 3.5–2A–05 OF THIS ARTICLE, SHALL STUDY THE SECURITY AND FINANCIAL IMPLICATIONS OF EXECUTING PARTNERSHIPS WITH OTHER STATES TO PROCURE INFORMATION TECHNOLOGY AND CYBERSECURITY PRODUCTS AND SERVICES, INCLUDING THE IMPLICATIONS FOR POLITICAL SUBDIVISIONS OF THE STATE.
13–115.
(A) THE DEPARTMENT SHALL REQUIRE BASIC SECURITY REQUIREMENTS TO BE INCLUDED IN A CONTRACT:
(1) IN WHICH A THIRD–PARTY CONTRACTOR WILL HAVE ACCESS TO AND USE STATE TELECOMMUNICATION EQUIPMENT, SYSTEMS, OR SERVICES; OR
(2) FOR SYSTEMS OR DEVICES THAT WILL CONNECT TO STATE TELECOMMUNICATION EQUIPMENT, SYSTEMS, OR SERVICES.
(B) THE SECURITY REQUIREMENTS DEVELOPED UNDER SUBSECTION (A) OF THIS SECTION SHALL BE CONSISTENT WITH A WIDELY RECOGNIZED SECURITY STANDARD, INCLUDING NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY SP 800–171, ISO27001, OR CYBERSECURITY MATURITY MODEL CERTIFICATION.
12–107.
(b) Subject to the authority of the Board, jurisdiction over procurement is as follows:
(2) the Department of General Services may:
(i) engage in or control procurement of:
10. information processing equipment and associated services, as provided in Title [3A] 3.5, Subtitle 3 of this article; [and]
11. telecommunication equipment, systems, or services, as provided in Title [3A] 3.5, Subtitle 4 of this article; AND
12. MANAGED CYBERSECURITY SERVICES, AS PROVIDED IN TITLE 3.5, SUBTITLE 3 OF THIS ARTICLE;
SECTION 3. AND BE IT FURTHER ENACTED, That, as a key enabler of the Department of Information Technology’s cybersecurity risk management strategy, on or before December 31, 2022, the Department shall complete the implementation of a governance, risk, and compliance module across the Executive Branch of State government that:
(1) has industry–standard capabilities;
(2) is based on NIST, ISO, or other recognized security frameworks or standards; and
(3) enables the Department to identify, monitor, and manage cybersecurity risk on a continuous basis.
SECTION 4. AND BE IT FURTHER ENACTED, That, on or before June 30, 2023, the Office of Security Management, in consultation with the Maryland Cybersecurity Coordinating Council, shall prepare a transition strategy toward cybersecurity centralization, including recommendations for:
(1) consistent incident response training;
(2) implementing security improvement dashboards to inform budgetary appropriations;
(3) operations logs transition to the Maryland Security Operations Center;
(4) establishing consistent performance accountability metrics for information technology and cybersecurity staff; and
(5) whether the Office needs additional staff or contractors to carry out its duties.
SECTION 5. AND BE IT FURTHER ENACTED, That:
(a) (1) On or before June 30, 2023, each agency in the Executive Branch of State government shall certify to the Office of Security Management compliance with State minimum cybersecurity standards established by the Department of Information Security Technology.
(2) Except as provided in paragraph (3) of this subsection, certification shall be reviewed by independent auditors, and any findings must be remediated.
(3) Certification for the Department of Public Safety and Correctional Services and any State criminal justice agency shall be reviewed by the Office of Legislative Audits, and any findings must be remediated.
(b) If an agency has not remediated any findings pertaining to State cybersecurity standards found by the independent audit required under subsection (a) of this section by July 1, 2024, the Office of Security Management shall assume responsibility for an agency’s cybersecurity through a shared service agreement, administrative privileges, or access to Network Maryland notwithstanding any federal law or regulation that forbids the Office of Security Management from managing a specific system.
SECTION 6. AND BE IT FURTHER ENACTED, That:
(a) The Department of Information Technology shall hire a contractor to conduct a performance and capacity assessment of the Department to:
(1) evaluate the Department’s capacity to implement provisions of this Act; and
(2) recommend additional resources necessary for the Department to implement provisions of this title and meet future needs, including additional budget appropriations, additional staff, altered contracting authority, and pay increases for staff.
(b) The contractor hired by the Department to complete the assessment and report required by this section shall:
(1) on or before December 1, 2023, submit an interim report of its findings and recommendations to the Governor and, in accordance with § 2–1257 of the State Government Article, the General Assembly; and
(2) on or before December 1, 2024, submit a final report of its findings and recommendations to the Governor and, in accordance with § 2–1257 of the State Government Article, the General Assembly.
SECTION 7. AND BE IT FURTHER ENACTED, That for fiscal year 2023, funds from the Dedicated Purpose Account may be transferred by budget amendment in accordance with § 7–310 of the State Finance and Procurement Article to implement this Act.
SECTION 8. AND BE IT FURTHER ENACTED, That:
(a) On or before June October 1, 2022, the State Chief Information Security Officer shall establish guidelines to determine when a cybersecurity incident shall be disclosed to the public.
(b) On or before November 1, 2022, the State Chief Information Security Officer shall submit a report on the guidelines established under subsection (a) of this section to the Governor and, in accordance with § 2–1257 of the State Government Article, the House Health and Government Operations Committee and the Senate Education, Health, and Environmental Affairs Committee.
SECTION 4. AND BE IT FURTHER ENACTED, That, on the effective date of this Act, the following shall be transferred to the Department of Information Technology:
(1) all appropriations, including State and federal funds, held by a unit of the Executive Branch of State government for the purpose of information technology operations or cybersecurity for the unit on the effective date of this Act; and
(2) all books and records (including electronic records), real and personal property, equipment, fixtures, assets, liabilities, obligations, credits, rights, and privileges held by a unit of the Executive Branch of State government for the purpose of information technology operations or cybersecurity for the unit on the effective date of this Act.
SECTION 5. AND BE IT FURTHER ENACTED, That all employees of a unit of the Executive Branch of State government who are assigned more than 50% of the time to a function related to information technology operations or cybersecurity for the unit on the effective date of this Act shall, on the effective date of this Act, report to the Secretary of Information Technology or the Secretary’s designee.
SECTION 6. AND BE IT FURTHER ENACTED, That any transaction affected by the transfer of oversight of information technology operations or cybersecurity of a unit of the Executive Branch of State government and validly entered into before the effective date of this Act, and every right, duty, or interest flowing from it, remains valid after the effective date of this Act and may be terminated, completed, consummated, or enforced under the law.
SECTION 7. AND BE IT FURTHER ENACTED, That all existing laws, regulations, proposed regulations, standards and guidelines, policies, orders and other directives, forms, plans, memberships, contracts, property, investigations, administrative and judicial responsibilities, rights to sue and be sued, and all other duties and responsibilities associated with information technology operations or cybersecurity of a unit of the Executive Branch of State government prior to the effective date of this Act shall continue and, as appropriate, be legal and binding on the Department of Information Technology until completed, withdrawn, canceled, modified, or otherwise changed under the law.
SECTION 8. 9. AND BE IT FURTHER ENACTED, That this Act shall take effect October July 1, 2022.
Approved:
________________________________________________________________________________ Governor.
________________________________________________________________________________ President of the Senate.
________________________________________________________________________________ Speaker of the House of Delegates.