Maryland 2022 2022 Regular Session

Maryland Senate Bill SB812 Enrolled / Bill

Filed 04/13/2022

                     
 
EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW. 
        [Brackets] indicate matter deleted from existing law. 
         Underlining indicates amendments to bill. 
         Strike out indicates matter stricken from the bill by amendment or deleted from the law by 
amendment. 
         Italics indicate opposite chamber/conference committee amendments. 
  
SENATE BILL 812 
S2, P1, P2   	(2lr1779) 
ENROLLED BILL 
— Education, Health, and Environmental Affairs/Health and Government  
Operations — 
Introduced by Senator Hester Senators Hester, Hershey, Jennings, Jackson, 
Rosapepe, Lee, and Watson 
 
Read and Examined by Proofreaders: 
 
_______________________________________________ 
Proofreader. 
_______________________________________________ 
Proofreader. 
 
Sealed with the Great Seal and presented to the Governor, for his approval this 
  
_______ day of _______________ at ________________________ o’clock, ________M. 
  
______________________________________________ 
President.  
 
CHAPTER ______ 
 
AN ACT concerning 1 
 
State Government – Cybersecurity – Coordination and Governance 2 
 
FOR the purpose of establishing the Cybersecurity Coordination and Operations Office in 3 
the Maryland Department of Emergency Management; requiring the Secretary of 4 
Emergency Management to appoint an Executive Director as head of the 5 
Cybersecurity Coordination and Operations Office; requiring the Office of Security 6 
Management to be provided with staff for the Cybersecurity Coordination and 7 
Operations Office; requiring the Cybersecurity Coordination and Operations Office 8 
to establish regional assistance groups to deliver or coordinate support services to 9 
political subdivisions, agencies, or regions in accordance with certain requirements; 10 
requiring the Cybersecurity Coordination and Operations Office to offer certain 11 
training opportunities for counties and municipalities; establishing the Office of 12 
Security Management within the Department of Information Technology (DoIT); 13
establishing certain responsibilities and authority of the Office of Security 1 
Management; centralizing authority and control of the procurement of all 2 
information technology for the Executive Branch of State government in DoIT; 3 
establishing the Maryland Cybersecurity Coordinating Council; requiring the 4 
Secretary of Information Technology to develop and maintain a statewide 5 
cybersecurity master plan strategy; requiring DoIT to develop and require basic 6 
security requirements to be included in certain contracts; requiring each unit of the 7 
Legislative or Judicial Branch of State government and any division of the 8 
University System of Maryland that uses a certain network to certify certain 9 
compliance to DoIT on or before a certain date each year; requiring certain IT units 10 
to certify compliance with certain cybersecurity standards; requiring each unit of the 11 
Executive Branch of State government and certain local entities to report certain 12 
cybersecurity incidents in a certain manner and under certain circumstances; 13 
requiring the State Security Operations Center to notify certain agencies of a 14 
cybersecurity incident reported in a certain manner; establishing the Maryland 15 
Cybersecurity Coordinating Council; exempting meetings of the Council from the 16 
Open Meetings Act; requiring the Council to study aspects of the State’s 17 
cybersecurity vulnerabilities and procurement potential, including partnerships 18 
with other states; requiring the Council to promote certain education and training 19 
opportunities; requiring the Department of General Services to study the security 20 
and financial implications of executing partnerships with other states to procure 21 
information technology and cybersecurity products and services; requiring the 22 
Department of General Services to establish certain basic security requirements to 23 
be included in certain contracts; requiring DoIT to complete implementation of a 24 
certain governance, risk, and compliance module on or before a certain date; 25 
requiring the Office to prepare a transition strategy towards cybersecurity 26 
centralization; requiring each agency in the Executive Branch of State government 27 
to certify to the Office that the agency is in compliance with certain standards; 28 
requiring the Office to assume responsibility for a certain agency’s cybersecurity 29 
except under certain circumstances; requiring DoIT to hire a contractor to conduct a 30 
performance and capacity assessment of DoIT; authorizing funds to be transferred 31 
by budget amendment from the Dedicated Purpose Account in a certain fiscal year 32 
to implement the Act; transferring certain appropriations, books and records, and 33 
employees to DoIT; and generally relating to State cybersecurity coordination. 34 
 
BY renumbering 35 
 Article – State Finance and Procurement 36 
Section 3A–101 through 3A–702, respectively, and the title “Title 3A. Department of 37 
Information Technology” 38 
to be Section 3.5–101 through 3.5–702, respectively, and the title “Title 3.5. 39 
Department of Information Technology” 40 
 Annotated Code of Maryland 41 
 (2021 Replacement Volume) 42 
 
BY repealing and reenacting, with amendments, 43 
 Article – Criminal Procedure 44 
 Section 10–221(b) 45
 Annotated Code of Maryland 1 
 (2018 Replacement Volume and 2021 Supplement) 2 
 
BY repealing and reenacting, with amendments, 3 
 Article – Health – General 4 
 Section 21–2C–03(h)(2)(i) 5 
 Annotated Code of Maryland 6 
 (2019 Replacement Volume and 2021 Supplement) 7 
 
BY repealing and reenacting, with amendments, 8 
 Article – Human Services 9 
 Section 7–806(a), (b)(1), (c)(1), (d)(1) and (2)(i), and (g)(1) 10 
 Annotated Code of Maryland 11 
 (2019 Replacement Volume and 2021 Supplement) 12 
 
BY repealing and reenacting, with amendments, 13 
 Article – Insurance 14 
 Section 31–103(a)(2)(i) and (b)(2) 15 
 Annotated Code of Maryland 16 
 (2017 Replacement Volume and 2021 Supplement) 17 
 
BY repealing and reenacting, with amendments, 18 
 Article – Natural Resources 19 
 Section 1–403(c) 20 
 Annotated Code of Maryland 21 
 (2018 Replacement Volume and 2021 Supplement) 22 
 
BY adding to 23 
 Article – Public Safety 24 
Section 14–104.1 25 
 Annotated Code of Maryland 26 
 (2018 Replacement Volume and 2021 Supplement) 27 
 
BY repealing and reenacting, without amendments, 28 
 Article – State Finance and Procurement 29 
 Section 3.5–101(a) and (e) and 3.5–301(a) 30 
 Annotated Code of Maryland 31 
 (2021 Replacement Volume) 32 
 (As enacted by Section 1 of this Act) 33 
 
BY adding to 34 
 Article – State Finance and Procurement 35 
Section 3.5–2A–01 through 3.5–2A–07 3.5–2A–06 to be under the new subtitle 36 
“Subtitle 2A. Office of Security Management”; and 3.5–404(d) and (e), 3.5–405 37 
and 12–107(b)(2)(i)12., 3.5–406, 4–316.1, and 13–115 38 
 Annotated Code of Maryland 39 
 (2021 Replacement Volume) 40
 
BY repealing and reenacting, with amendments, 1 
 Article – State Finance and Procurement 2 
Section 3.5–301(j), 3.5–302(c), 3.5–303, 3.5–305, 3.5–307 through 3.5–314, 3.5–401, 3 
and 3.5–404 Section 3.5–301(i) and (j), 3.5–302, 3.5–303, 3.5–307, 3.5–309(c), 4 
(i), and (l), and 3.5–311(a)(2)(i) 5 
 Annotated Code of Maryland 6 
 (2021 Replacement Volume) 7 
 (As enacted by Section 1 of this Act) 8 
 
BY repealing 9 
 Article – State Finance and Procurement 10 
Section 3.5–306 11 
 Annotated Code of Maryland 12 
 (2021 Replacement Volume) 13 
 (As enacted by Section 1 of this Act)  14 
 
BY repealing and reenacting, with amendments, 15 
 Article – State Finance and Procurement 16 
 Section 12–107(b)(2)(i)10. and 11. 17 
 Annotated Code of Maryland 18 
 (2021 Replacement Volume) 19 
 
 SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 20 
That Section(s) 3A–101 through 3A–702, respectively, and the title “Title 3A. Department 21 
of Information Technology” of Article – State Finance and Procurement of the Annotated 22 
Code of Maryland be renumbered to be Section(s) 3.5–101 through 3.5–702, respectively, 23 
and the title “Title 3.5. Department of Information Technology”.  24 
 
 SECTION 2. AND BE IT FURTHER ENACTED, That the Laws of Maryland read 25 
as follows: 26 
 
Article – Criminal Procedure 27 
 
10–221. 28 
 
 (b) Subject to Title [3A] 3.5, Subtitle 3 of the State Finance and Procurement 29 
Article, the regulations adopted by the Secretary under subsection (a)(1) of this section and 30 
the rules adopted by the Court of Appeals under subsection (a)(2) of this section shall: 31 
 
 (1) regulate the collection, reporting, and dissemination of criminal history 32 
record information by a court and criminal justice units; 33 
 
 (2) ensure the security of the criminal justice information system and 34 
criminal history record information reported to and collected from it; 35 
 
 (3) regulate the dissemination of criminal history record information in 1 
accordance with Subtitle 1 of this title and this subtitle; 2 
 
 (4) regulate the procedures for inspecting and challenging criminal history 3 
record information; 4 
 
 (5) regulate the auditing of criminal justice units to ensure that criminal 5 
history record information is: 6 
 
 (i) accurate and complete; and 7 
 
 (ii) collected, reported, and disseminated in accordance with Subtitle 8 
1 of this title and this subtitle; 9 
 
 (6) regulate the development and content of agreements between the 10 
Central Repository and criminal justice units and noncriminal justice units; and 11 
 
 (7) regulate the development of a fee schedule and provide for the collection 12 
of the fees for obtaining criminal history record information for other than criminal justice 13 
purposes. 14 
 
Article – Health – General 15 
 
21–2C–03. 16 
 
 (h) (2) The Board is subject to the following provisions of the State Finance 17 
and Procurement Article: 18 
 
 (i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent 19 
that the Secretary of Information Technology determines that an information technology 20 
project of the Board is a major information technology development project; 21 
 
Article – Human Services 22 
 
7–806. 23 
 
 (a) (1) Subject to paragraph (2) of this subsection, the programs under §  24 
7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State 25 
Finance and Procurement Article shall be funded as provided in the State budget. 26 
 
 (2) For fiscal year 2019 and each fiscal year thereafter, the program under 27 
[§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall be funded at an 28 
amount that: 29 
 
 (i) is equal to the cost that the Department of Aging is expected to 30 
incur for the upcoming fiscal year to provide the service and administer the program; and 31
 
 (ii) does not exceed 5 cents per month for each account out of the 1 
surcharge amount authorized under subsection (c) of this section. 2 
 
 (b) (1) There is a Universal Service Trust Fund created for the purpose of 3 
paying the costs of maintaining and operating the programs under: 4 
 
 (i) § 7–804(a) of this subtitle, subject to the limitations and controls 5 
provided in this subtitle; 6 
 
 (ii) § 7–902(a) of this title, subject to the limitations and controls 7 
provided in Subtitle 9 of this title; and 8 
 
 (iii) [§ 3A–702] § 3.5–702 of the State Finance and Procurement 9 
Article, subject to the limitations and controls provided in Title [3A] 3.5, Subtitle 7 of the 10 
State Finance and Procurement Article. 11 
 
 (c) (1) The costs of the programs under § 7–804(a) of this subtitle, § 7–902(a) 12 
of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall 13 
be funded by revenues generated by: 14 
 
 (i) a surcharge to be paid by the subscribers to a communications 15 
service; and 16 
 
 (ii) other funds as provided in the State budget. 17 
 
 (d) (1) The Secretary shall annually certify to the Public Service Commission 18 
the costs of the programs under § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 19 
3A–702] § 3.5–702 of the State Finance and Procurement Article to be paid by the 20 
Universal Service Trust Fund for the following fiscal year. 21 
 
 (2) (i) The Public Service Commission shall determine the surcharge 22 
for the following fiscal year necessary to fund the programs under § 7–804(a) of this subtitle, 23 
§ 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement 24 
Article. 25 
 
 (g) (1) The Legislative Auditor may conduct postaudits of a fiscal and 26 
compliance nature of the Universal Service Trust Fund and the expenditures made for 27 
purposes of § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of 28 
the State Finance and Procurement Article. 29 
 
Article – Insurance 30 
 
31–103. 31 
 
 (a) The Exchange is subject to: 32
 
 (2) the following provisions of the State Finance and Procurement Article: 1 
 
 (i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent 2 
that the Secretary of Information Technology determines that an information technology 3 
project of the Exchange is a major information technology development project; 4 
 
 (b) The Exchange is not subject to: 5 
 
 (2) Title [3A] 3.5, Subtitle 3 (Information Processing) of the State Finance 6 
and Procurement Article, except to the extent determined by the Secretary of Information 7 
Technology under subsection (a)(2)(i) of this section; 8 
 
Article – Natural Resources 9 
 
1–403. 10 
 
 (c) The Department shall develop the electronic system consistent with the 11 
statewide information technology master plan developed under Title [3A] 3.5, Subtitle 3 of 12 
the State Finance and Procurement Article. 13 
 
Article – Public Safety 14 
 
14–104.1. 15 
 
 (A) (1) IN THIS SECTION THE FOLLOWING WORDS HAVE THE MEANINGS 16
INDICATED. 17

 (2) “OFFICE” MEANS THE CYBERSECURITY COORDINATION AND 18
OPERATIONS OFFICE ESTABLISHED WITHIN THE DEPARTMENT. 19

 (3) “REGION” MEANS A COLLECTION OF POLITICAL SUBDIVISIONS. 20

 (B) THERE IS A CYBERSECURITY COORDINATION AND OPERATIONS 21
OFFICE WITHIN THE DEPARTMENT. 22

 (C) THE PURPOSE OF THE OFFICE IS TO: 23

 (1) IMPROVE LOCAL, REGIONAL, AND STATEWIDE CYBERSECURITY 24
READINESS AND RESPONSE; 25

 (2) ASSIST POLITICAL SUBDIVISIONS, SCHOOL BOARDS, AND 26
AGENCIES IN THE DEVELOPMENT OF CYBERSECURITY DISRUPTION PLANS; 27
 
 (3) IN CONSULTATION WITH THE DEPARTMENT OF INFORMATION 1
TECHNOLOGY, COORDINATE WITH POLITICAL SUBDIVISIONS, LOCAL AGENCIES, 2
AND STATE AGENCIES ON THE IMPLEMENTATION OF CYBERSECURITY BEST 3
PRACTICES; 4

 (4) COORDINATE WITH POLITICAL SUBDIVISIONS AND AGENCIES ON 5
THE IMPLEMENTATION OF THE STATEWIDE MASTER PLAN DEVELOPED BY THE 6
DEPARTMENT OF INFORMATION TECHNOLOGY UNDER TITLE 3.5, SUBTITLE 3 OF 7
THE STATE FINANCE AND PROCUREMENT ARTICLE; AND 8

 (5) CONSULT WITH THE STATE CHIEF INFORMATION SECURITY 9
OFFICER AND THE SECRETARY OF INFORMATION TECHNOLOGY TO CONNECT 10
POLITICAL SUBDIVISIONS AND AGENCIES TO THE APPROPRIATE RESOURCES FOR 11
ANY OTHER PURPOSE RELATED TO CYBERSECURITY READINESS AND RESPONSE. 12
 
 (D) (1) THE HEAD OF THE OFFICE IS THE EXECUTIVE DIRECTOR, WHO 13
SHALL BE APPOINTED BY THE DIRECTOR. 14

 (2) THE OFFICE OF SECURITY MANAGEMENT SHALL PROVIDE STAFF 15
FOR THE OFFICE. 16

 (E) (1) THE OFFICE SHALL ESTABLISH REGIONAL ASSISTANCE GROUPS 17
TO DELIVER OR COORDINATE SUPPORT SERVICES TO POLITICAL SUBDIVISIONS, 18
AGENCIES, OR REGIONS. 19

 (2) THE OFFICE MAY HIRE OR PROCURE REGIONAL COORDINATORS 20
TO DELIVER OR COORDINATE THE SERVICES UNDER PARAGRAPH (1) OF THIS 21
SUBSECTION. 22

 (3) THE OFFICE SHALL PROVIDE OR COORDINATE SUPPORT 23
SERVICES UNDER PARAGRAPH (1) OF THIS SUBSECTION THAT INCLUDE: 24

 (I) CONNECTING MULTIPLE POLITICAL SUBDIVISIONS AND 25
AGENCIES WITH EACH OTHER TO SHARE BEST PRACTICES OR OTHER INFORMATION 26
TO INCREASE READINESS OR RESPONSE EFFECTIVENESS; 27

 (II) PROVIDING TECHNICAL SERVICES FOR THE 28
IMPLEMENTATION OF CYBERSECURITY BEST PRACTICES IN ACCORDANCE WITH 29
SUBSECTION (C)(3) OF THIS SECTION; 30

 (III) COMPLETING CYBERSECURITY RISK ASSESSMENTS; 31

 (IV) DEVELOPING CYBER SCORECARDS AND REPORTS ON 32
REGIONAL READINESS; 33
 
 (V) CREATING AND UPDATING CYBERSECURITY DISRUPTION 1
PLANS IN ACCORDANCE WITH SUBSECTION (C)(2) OF THIS SECTION; AND 2

 (VI) CONDUCTING REGIONAL EXERCISES IN COORDINATION 3
WITH THE NATIONAL GUARD, THE DEPARTMENT, THE DEPARTMENT OF 4
INFORMATION TECHNOLOGY, LOCAL EMERGENCY MANAGERS, AND OTHER STATE 5
AND LOCAL ENTITIES. 6

 (F) (1) THE OFFICE SHALL PROVIDE REGULAR TRAINING 7
OPPORTUNITIES FOR COUNTIES AND MUNICIPAL CORPORATIONS IN THE STATE. 8

 (2) TRAINING OPPORTUNITIES OFFERED BY THE OFFICE SHALL: 9

 (I) BE DESIGNED TO ENSURE STAFF FOR COUNTIES AND 10
MUNICIPAL CORPORATIONS ARE CAPABLE OF COOPERATING EFFECTIVELY WITH 11
THE DEPARTMENT IN THE EVENT OF A CYBERSECURITY EMERGENCY; AND 12

 (II) INCORPORATE BEST PRACTICES AND GUIDELINES FOR 13
STATE AND LOCAL GOVERNMENTS PROVIDED BY THE MULTI–STATE INFORMATION 14
SHARING AND ANALYSIS CENTER AND THE CYBERSECURITY AND 15
INFRASTRUCTURE SECURITY AGENCY. 16

 (G) ON OR BEFORE DECEMBER 1 EACH YEAR, THE OFFICE SHALL REPORT 17
TO THE GOVERNOR AND, IN ACCORDANCE WITH § 2–1257 OF THE STATE 18
GOVERNMENT ARTICLE, THE GENERAL ASSEMBLY ON THE ACTIVITIES OF THE 19
OFFICE. 20
 
Article – State Finance and Procurement 21 
 
3.5–101. 22 
 
 (a) In this title the following words have the meanings indicated. 23 
 
 (e) “Unit of State government” means an agency or unit of the Executive Branch 24 
of State government. 25 
 
SUBTITLE 2A. OFFICE OF SECURITY MANAGEMENT. 26
 
3.5–2A–01. 27 
 
 (A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS 28 
INDICATED. 29 
 
 (B) “COUNCIL” MEANS THE MARYLAND CYBERSECURITY COORDINATING 1 
COUNCIL. 2 
 
 (C) “OFFICE” MEANS THE OFFICE OF SECURITY MANAGEMENT. 3

3.5–2A–02. 4

 THERE IS AN OFFICE OF SECURITY MANAGEMENT WITHIN THE DEPARTMENT. 5
 
3.5–2A–03. 6 
 
 (A) THE HEAD OF THE OFFICE IS THE STATE CHIEF INFORMATION 7 
SECURITY OFFICER. 8 
 
 (B) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL: 9 
 
 (1) BE APPOINTED BY THE GOVERNOR WITH THE ADVICE AND 10 
CONSENT OF THE SENATE; 11 
 
 (2) SERVE AT THE PLEASURE OF THE GOVERNOR; 12

 (3) BE SUPERVISED BY THE SECRETARY; AND 13

 (4) SERVE AS THE CHIEF INFORMATION SECURITY OFFICER OF THE 14
DEPARTMENT. 15

 (C) AN INDIVIDUAL APPOINTED AS THE STATE CHIEF INFORMATION 16
SECURITY OFFICER UNDER SUBSECTION (B) OF THIS SECTION SHALL: 17

 (1) AT A MINIMUM, HOLD A BACHELOR’S DEGREE; 18

 (2) HOLD APPROPRIATE INFORMATION TECHNOLOGY OR 19
CYBERSECURITY CERTIFICATIONS; 20

 (3) HAVE EXPERIENCE: 21

 (I) IDENTIFYING, IMPLEMENTING, AND OR ASSESSING 22
SECURITY CONTROLS; 23

 (II) IN INFRASTRUCTURE, SYSTEMS ENGINEERING, AND OR 24
CYBERSECURITY; 25
 
 (III) MANAGING HIGHLY TECHNICAL SECURITY, SECURITY 1
OPERATIONS CENTERS, AND INCIDENT RESPONSE TEAMS IN A COMPLEX CLOUD 2
ENVIRONMENT AND SUPPORTING MULTIPLE SITES; AND 3

 (IV) WORKING WITH COMMON INFORMATION SECURITY 4
MANAGEMENT FRAMEWORKS; 5

 (4) HAVE EXTENSIVE KNOWLEDGE OF INFORMATION TECHNOLOGY 6
AND CYBERSECURITY FIELD CONCEPTS, BEST PRACTICES, AND PROCEDURES, WITH 7
AN UNDERSTANDING OF EXISTING ENTERPRISE CAPABILITIES AND LIMITATIONS TO 8
ENSURE THE SECURE INTEGRATION AND OPERATION OF SECURITY NETWORKS AND 9
SYSTEMS; AND 10

 (5) HAVE KNOWLEDGE OF CURRENT SECURITY REGULATIONS. 11
 
 (C) (D) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL 12 
PROVIDE CYBERSECURITY ADVICE AND RECOMMENDATIONS TO THE GOVERNOR ON 13 
REQUEST. 14 
 
 (D) (E) (1) (I) THERE IS A DIRECTOR OF LOCAL CYBERSECURITY 15
WHO SHALL BE APPOINTED BY THE STATE CHIEF INFORMATION SECURITY 16
OFFICER. 17

 (II) THE DIRECTOR OF LOCAL CYBERSECURITY SHALL WORK 18
IN COORDINATION WITH THE MARYLAND DEPARTMENT OF EMERGENCY 19
MANAGEMENT TO PROVIDE TECHNICAL ASSISTANCE, COORDINATE RESOURCES, 20
AND IMPROVE CYBERSECURITY PREPAREDNESS FOR UNITS OF LOCAL 21
GOVERNMENT. 22

 (2) (I) THERE IS A DIRECTOR OF STATE CYBERSECURITY WHO 23
SHALL BE APPOINTED BY THE STATE CHIEF INFORMATION SECURITY OFFICER. 24

 (II) THE DIRECTOR OF STATE CYBERSECURITY IS 25
RESPONSIBLE FOR IMPLEMENTATION OF THIS SECTION WITH RESPECT TO UNITS OF 26
STATE GOVERNMENT. 27

 (E) (F) THE DEPARTMENT SHALL PROVIDE THE OFFICE WITH 28
SUFFICIENT STAFF TO PERFORM THE FUNCTIONS OF THIS SUBTITLE. 29

 (F) THE OFFICE MAY PROCURE RESOURCES, INCLUDING REGIONAL 30
COORDINATORS, NECESSARY TO FULFILL THE REQUIREMENTS OF THIS SUBTITLE. 31
 
3.5–2A–04. 32 
 
 (A) (1) THE OFFICE IS RESPONSIBLE FOR: 1 
 
 (1) (I) THE DIRECTION, COORDINATION, AND IMPLEMENTATION 2
OF THE OVERALL CYBERSECURITY STRATEGY AND POLICY FOR UNITS OF STATE 3
GOVERNMENT; AND 4

 (2) THE COORDINATION OF RESOURCES AND EFFORTS TO 5
IMPLEMENT CYBERSECURITY BEST PRACTICES AND IMPROVE OVERALL 6
CYBERSECURITY PREPAREDNESS AND RESPONSE FOR UNITS OF LOCAL 7
GOVERNMENT, LOCAL SCHOOL BOARDS, LOCAL SCHOOL SYSTEMS, AND LOCAL 8
HEALTH DEPARTMENTS. 9

 (II) COORDINATING WITH THE MARYLAND DEPARTMENT OF 10
EMERGENCY MANAGEMENT CYBER PREPAREDNESS UNIT DURING EMERGENCY 11
RESPONSE EFFORTS. 12

 (2) THE OFFICE IS NOT RESPONSIBLE FOR THE INFORMATION 13
TECHNOLOGY INSTALLATION AND MAINTENANCE OPERATIONS NORMALLY 14
CONDUCTED BY A UNIT OF STATE GOVERNMENT, A UNIT OF LOCAL GOVERNMENT, A 15
LOCAL SCHOOL BOARD, A LOCAL SCHOOL SYSTEM, OR A LOCAL HEALTH 16
DEPARTMENT. 17
 
 (B) THE OFFICE SHALL: 18 
 
 (1) ESTABLISH STANDARDS TO CATEGORIZE ALL INFORMATION 19
COLLECTED OR MAINTAINED BY OR ON BEHALF OF EACH UNIT OF STATE 20
GOVERNMENT; 21

 (2) ESTABLISH STANDARDS TO CATEGORIZE ALL INFORMATION 22
SYSTEMS MAINTAINED BY OR ON BEHALF OF EACH UNIT OF STATE GOVERNMENT; 23

 (3) DEVELOP GUIDELINES GOVERNING THE TYPES OF INFORMATION 24
AND INFORMATION SYSTEMS TO BE INCLUDED IN EACH CATEGORY; 25

 (4) ESTABLISH SECURITY REQUIREMENTS FOR INFORMATION AND 26
INFORMATION SYSTEMS IN EACH CATEGORY; 27

 (5) ASSESS THE CATEGORIZATION OF INFORMATION AND 28
INFORMATION SYSTEMS AND THE ASSOCIATED IMPLEMENTATION OF THE SECURITY 29
REQUIREMENTS ESTABLISHED UNDER ITEM (4) OF THIS SUBSECTION; 30

 (6) IF THE STATE CHIEF INFORMATION SECURITY OFFICER 31
DETERMINES THAT THERE ARE SECURITY VULNERABILITIES OR DEFICIENCIES IN 32
THE IMPLEMENTATION OF THE SECURITY REQUIREMENTS ESTABLISHED UNDER 33
ITEM (4) OF THIS SUBSECTION, DETERMINE WHETHER AN INFORMATION SYSTEM 1
SHOULD BE ALLOWED TO CONTINUE TO OPERATE OR BE CONNECTED TO THE 2
NETWORK ESTABLISHED IN ACCORDANCE WITH § 3.5–404 OF THIS TITLE; ANY 3
INFORMATION SYSTEMS, DETERMINE AND DIRECT OR TAKE ACTIONS NECESSARY TO 4
CORRECT OR REMEDIATE THE VULNERABILITIES OR DEFICIENCIES, WHICH MAY 5
INCLUDE REQUIRING THE INFORMATION SYSTEM TO BE DISCONNECTED; 6
 
 (7) IF THE STATE CHIEF INFORMATION SECURITY OFFICER 7
DETERMINES THAT THERE IS A CYBERSECURITY THREAT CAUSED BY AN ENTITY 8
CONNECTED TO THE NETWORK ESTABLISHED UNDER § 3.5–404 OF THIS TITLE THAT 9
INTRODUCES A SERIOUS RISK TO ENTITIES CONNECTED TO THE NETWORK OR TO 10
THE STATE, TAKE OR DIRECT ACTIONS REQUIRED TO MITIGATE THE THREAT; 11

 (7) (8) MANAGE SECURITY AWARENESS TRAINING FOR ALL 12
APPROPRIATE EMPLOYEES OF UNITS OF STATE GOVERNMENT; 13

 (8) (9) ASSIST IN THE DEVELOPMENT OF DATA MANAGEMENT, 14
DATA GOVERNANCE, AND DATA SPECIFICATION STANDARDS TO PROMOTE 15
STANDARDIZATION AND REDUCE RISK; 16

 (9) (10) ASSIST IN THE DEVELOPMENT OF A DIGITAL IDENTITY 17
STANDARD AND SPECIFICATION APPLICABLE TO ALL PARTIES COMMUNICATING, 18
INTERACTING, OR CONDUCTING BUSINESS WITH OR ON BEHALF OF A UNIT OF STATE 19
GOVERNMENT; 20

 (10) (11) DEVELOP AND MAINTAIN INFORMATION TECHNOLOGY 21
SECURITY POLICY, STANDARDS, AND GUIDANCE DOCUMENTS, CONSISTENT WITH 22
BEST PRACTICES DEVELOPED BY THE NATIONAL INSTITUTE OF STANDARDS AND 23
TECHNOLOGY; 24

 (11) (12) TO THE EXTENT PRACTICABLE, SEEK, IDENTIFY, AND 25
INFORM RELEVANT STAKEHOLDERS OF ANY AVAILABLE FINANCIAL ASSISTANCE 26
PROVIDED BY THE FEDERAL GOVERNMENT OR NON–STATE ENTITIES TO SUPPORT 27
THE WORK OF THE OFFICE; 28

 (12) REVIEW AND CERTIFY LOCAL CYBERSECURITY PREPAREDNESS 29
AND RESPONSE PLANS; 30

 (13) PROVIDE TECHNICAL ASSISTANCE TO LOCALITIES IN MITIGATING 31
AND RECOVERING FROM CYBERSECURITY INCIDENTS; AND 32

 (14) PROVIDE TECHNICAL SERVICES, ADVICE, AND GUIDANCE TO 33
UNITS OF LOCAL GOVERNMENT TO IMPROVE CYBERSECURITY PREPAREDNESS, 34
PREVENTION, RESPONSE, AND RECOVERY PRACTICES. 35
 
 (C) THE OFFICE, IN COORDINATION WITH THE MARYLAND DEPARTMENT 1 
OF EMERGENCY MANAGEMENT, SHALL: 2

 (1) ASSIST LOCAL POLITICAL SUBDIVISIONS, INCLUDING COUNTIES, 3
SCHOOL SYSTEMS, SCHOOL BOARDS, AND LOCAL HEALTH DEPARTMENTS, IN: 4

 (I) THE DEVELOPMENT OF CYBERSECURITY PREPAREDNESS 5
AND RESPONSE PLANS; AND 6

 (II) IMPLEMENTING BEST PRACTICES AND GUIDANCE 7
DEVELOPED BY THE DEPARTMENT; AND 8

 (2) CONNECT LOCAL ENTITIES TO APPROPRIATE RESOURCES FOR 9
ANY OTHER PURPOSE RELATED TO CYBERSECURITY PREPAREDNESS AND 10
RESPONSE; AND 11

 (3) DEVELOP APPROPRIATE REPORTS ON LOCAL CYBERSECURITY 12
PREPAREDNESS. 13

 (D) THE OFFICE, IN COORDINATION WITH THE MARYLAND DEPARTMENT 14
OF EMERGENCY MANAGEMENT, MAY: 15

 (1) CONDUCT REGIONAL EXERCISES, AS NECESSARY, IN 16
COORDINATION WITH THE NATIONAL GUARD, LOCAL EMERGENCY MANAGERS, AND 17
OTHER STATE AND LOCAL ENTITIES; AND 18

 (2) ESTABLISH REGIONAL ASSISTANCE GROUPS TO DELIVER OR 19
COORDINATE SUPPORT SERVICES TO LOCAL POLITICAL SUBDIVISIONS, AGENCIES, 20
OR REGIONS. 21
 
 (E) (1) ON OR BEFORE DECEMBER 31 EACH YEAR, THE OFFICE SHALL 22 
REPORT TO THE GOVERNOR AND, IN ACCORDANCE WITH § 2–1257 OF THE STATE 23
GOVERNMENT ARTICLE, THE SENATE BUDGET AND TAXATION COMMITTEE, THE 24
SENATE EDUCATION, HEALTH, AND ENVIRONMENTAL AFFAIRS COMMITTEE, THE 25
HOUSE APPROPRIATIONS COMMITTEE, THE HOUSE HEALTH AND GOVERNMENT 26
OPERATIONS COMMITTEE, AND THE JOINT COMMITTEE ON CYBERSECURITY, 27
INFORMATION TECHNOLOGY, AND BIOTECHNOLOGY ON THE ACTIVITIES OF THE 28
OFFICE AND THE STATE OF CYBERSECURITY PREPAREDNESS IN MARYLAND, 29
INCLUDING: 30

 (1) (I) THE ACTIVITIES AND ACCOMPLISHMENTS OF THE OFFICE 31
DURING THE PREVIOUS 12 MONTHS AT THE STATE AND LOCAL LEVELS; AND 32
 
 (2) (II) A COMPILATION AND ANALYSIS OF THE DATA FROM THE 1
INFORMATION CONTAINED IN THE REPORTS RECEIVED BY THE OFFICE UNDER § 2
3.5–405 OF THIS TITLE, INCLUDING: 3

 (I) 1. A SUMMARY OF THE ISSUES IDENTIFIED BY THE 4
CYBERSECURITY PREPAREDNESS ASSESSMENTS CONDUCTED THAT YEAR; 5

 (II) 2. THE STATUS OF VULNERABILITY ASSESSMENTS OF 6
ALL UNITS OF STATE GOVERNMENT AND A TIMELINE FOR COMPLETION AND COST 7
TO REMEDIATE ANY VULNERABILITIES EXPOSED; 8

 (III) 3. RECENT AUDIT FINDINGS OF ALL UNITS OF STATE 9
GOVERNMENT AND OPTIONS TO IMPROVE FINDINGS IN FUTURE AUDITS, INCLUDING 10
RECOMMENDATIONS FOR STAFF, BUDGET, AND TIMING; 11

 (IV) 4. ANALYSIS OF THE STATE’S EXPENDITURE ON 12
CYBERSECURITY RELATIVE TO OVERALL INFORMATION TECHNOLOGY SPENDING 13
FOR THE PRIOR 3 YEARS AND RECOMMENDATIONS FOR CHANGES TO THE BUDGET, 14
INCLUDING AMOUNT, PURPOSE, AND TIMING TO IMPROVE STATE AND LOCAL 15
CYBERSECURITY PREPAREDNESS; 16

 (V) 5. EFFORTS TO SECURE FINANCIAL SUPPORT FOR 17
CYBER RISK MITIGATION FROM FEDERAL OR OTHER NON–STATE RESOURCES; 18

 (VI) 6. KEY PERFORMANCE INDICATORS ON THE 19
CYBERSECURITY STRATEGIES IN THE DEPARTMENT’S INFORMATION TECHNOLOGY 20
MASTER PLAN, INCLUDING TIME, BUDGET, AND STAFF REQUIRED FOR 21
IMPLEMENTATION; AND 22

 (VII) 7. ANY ADDITIONAL RECOMMENDATIONS FOR 23
IMPROVING STATE AND LOCAL CYBERSECURITY PREPAREDNESS. 24

 (2) A REPORT SUBMITTED UNDER THIS SUBSECTION MAY NOT 25
CONTAIN INFORMATION THAT REVEALS CYBERSECURITY VULNERABILITIES AND 26
RISKS IN THE STATE. 27
 
3.5–2A–05. 28 
 
 (A) THERE IS A MARYLAND CYBERSECURITY COORDINATING COUNCIL. 29 
 
 (B) (1) THE COUNCIL CONSISTS OF THE FOLLOWING MEMBERS: 30

 (1) THE SECRETARY OF BUDGET AND MANAGEMENT, OR THE 31
SECRETARY’S DESIGNEE; 32
 
 (2) THE SECRETARY OF GENERAL SERVICES, OR THE SECRETARY’S 1 
DESIGNEE; 2 
 
 (3) THE SECRETARY OF HEALTH, OR THE SECRETARY’S DESIGNEE; 3 
 
 (4) THE SECRETARY OF HUMAN SERVICES, OR THE SECRETARY’S 4 
DESIGNEE; 5 
 
 (5) THE SECRETARY OF PUBLIC SAFETY AND CORRECTIONAL 6 
SERVICES, OR THE SECRETARY’S DESIGNEE; 7 
 
 (6) THE SECRETARY OF TRANSPORTATION, OR THE SECRETARY’S 8
DESIGNEE; 9

 (7) THE SECRETARY OF DISABILITIES, OR THE SECRETARY’S 10
DESIGNEE; 11

 (I) THE SECRETARY OF EACH OF THE PRINCIPAL 12
DEPARTMENTS LISTED IN § 8–201 OF THE STATE GOVERNMENT ARTICLE, OR A 13
SECRETARY’S DESIGNEE; 14

 (8) (II) THE STATE CHIEF INFORMATION SECURITY OFFICER; 15

 (9) (III) THE ADJUTANT GENERAL OF THE MARYLAND NATIONAL 16
GUARD, OR THE ADJUTANT GENERAL’S DESIGNEE; 17

 (10) THE SECRETARY OF EMERGENCY MANAGEMENT, OR THE 18
SECRETARY’S DESIGNEE; 19

 (11) (IV) THE SUPERINTENDENT OF STATE POLICE, OR THE 20
SUPERINTENDENT’S DESIGNEE; 21

 (12) (V) THE DIRECTOR OF THE GOVERNOR’S OFFICE OF 22
HOMELAND SECURITY, OR THE DIRECTOR’S DESIGNEE; 23

 (13) (VI) THE EXECUTIVE DIRECTOR OF THE DEPARTMENT OF 24
LEGISLATIVE SERVICES, OR THE EXECUTIVE DIRECTOR’S DESIGNEE; 25

 (14) (VII) ONE REPRESENTATIVE OF THE ADMINISTRATIVE OFFICE 26
OF THE COURTS; 27

 (15) (VIII) THE CHANCELLOR OF THE UNIVERSITY SYSTEM OF 28
MARYLAND, OR THE CHANCELLOR’S DESIGNEE; AND 29
 
 (16) (IX) ANY OTHER STAKEHOLDER THAT THE STATE CHIEF 1
INFORMATION SECURITY OFFICER DEEMS APPROPRIATE. 2

 (2) IF A DESIGNEE SERVES ON THE COUNCIL IN PLACE OF AN 3
OFFICIAL LISTED IN PARAGRAPH (1) OF THIS SUBSECTION, THE DESIGNEE SHALL 4
REPORT INFORMATION FROM THE COUNCIL MEETINGS AND OTHER 5
COMMUNICATIONS TO THE OFFICIAL. 6

 (C) IN ADDITION TO THE MEMBERS LISTED UNDER SUBSECTION (B) OF THIS 7
SECTION, THE FOLLOWING REPRESENTATIVES MAY SERVE AS NONVOTING 8
MEMBERS OF THE COUNCIL: 9

 (1) ONE MEMBER OF THE SENATE OF MARYLAND, APPOINTED BY THE 10
PRESIDENT OF THE SENATE; 11

 (2) ONE MEMBER OF THE HOUSE OF DELEGATES, APPOINTED BY THE 12
SPEAKER OF THE HOUSE; AND 13

 (3) ONE REPRESENTATIVE OF THE JUDICIARY, APPOINTED BY THE 14
CHIEF JUDGE OF THE COURT OF APPEALS. 15
 
 (C) (D) THE CHAIR OF THE COUNCIL IS THE STATE CHIEF INFORMATION 16 
SECURITY OFFICER. 17 
 
 (D) (E) (1) THE COUNCIL SHALL MEET AT LEAST QUARTERLY AT THE 18
REQUEST OF THE CHAIR. 19

 (2) MEETINGS OF THE COUNCIL SHALL BE CLOSED TO THE PUBLIC 20
AND NOT SUBJECT TO TITLE 3 OF THE GENERAL PROVISIONS ARTICLE. 21

 (E) (F) THE COUNCIL SHALL: 22

 (1) PROVIDE ADVICE AND RECOMMENDATIONS TO THE STATE CHIEF 23
INFORMATION SECURITY OFFICER REGARDING: 24

 (I) THE STRATEGY AND IMPLEMENTATION OF CYBERSECURITY 25
INITIATIVES AND RECOMMENDATIONS; AND 26

 (II) BUILDING AND SUSTAINING THE CAPABILITY OF THE STATE 27
TO IDENTIFY AND MITIGATE CYBERSECURITY RISK AND RESPOND TO AND RECOVER 28
FROM CYBERSECURITY–RELATED INCIDENTS. 29
  18 	SENATE BILL 812  
 
 
 (2) USE THE ANALYSIS COMPILED BY THE OFFICE UNDER § 1
3.5–2A–04(E)(2) OF THIS SUBTITLE TO PRIORITIZE CYBERSECURITY RISK ACROSS 2
THE EXECUTIVE BRANCH OF STATE GOVERNMENT AND MAKE CORRESPONDING 3
RECOMMENDATIONS FOR SECURITY INVESTMENTS IN THE GOVERNOR’S ANNUAL 4 
BUDGET. 5 
 
 (F) (G) IN CARRYING OUT THE DUTIES OF THE COUNCIL, THE COUNCIL 6
MAY SHALL CONSULT WITH OUTSIDE EXPERTS, INCLUDING EXPERTS IN THE 7
PRIVATE SECTOR, GOVERNMENT AGENCIES, AND INSTITUTIONS OF HIGHER 8
EDUCATION. 9 
 
3.5–2A–06. 10 
 
 THE COUNCIL SHALL STUDY THE SECURITY AND FINANCIAL IMPLICATIONS OF 11
EXECUTING PARTNERSHIPS WITH OTHER STATES TO PROCURE INFORMATION 12
TECHNOLOGY AND CYBERSECURITY PRODUCTS AND SERVICES, INCLUDING THE 13
IMPLICATIONS FOR POLITICAL SUBDIVISIONS OF THE STATE. 14
 
3.5–2A–07. 15 
 
 THE COUNCIL SHALL: 16 
 
 (1) PROMOTE CYBERSECURITY EDUCATION AND TRAINING 17
OPPORTUNITIES TO STRENGTHEN THE STATE’S CYBERSECURITY CAPABILITIES BY 18
EXPANDING EXISTING AGREEMENTS WITH EDUCATIONAL INSTITUTIONS; 19

 (2) UTILIZE RELATIONSHIPS WITH INSTITUTIONS OF HIGHER 20
EDUCATION TO ADVERTISE CYBERSECURITY CAREERS AND JOB POSITIONS 21
AVAILABLE IN STATE OR LOCAL GOVERNMENT, INCLUDING THE MARYLAND 22
TECHNOLOGY INTERNSHIP PROGRAM ESTABLISHED UNDER TITLE 18, SUBTITLE 30 23
OF THE EDUCATION ARTICLE; AND. 24

 (3) ASSIST INTERESTED CANDIDATES WITH APPLYING FOR 25
CYBERSECURITY POSITIONS IN STATE OR LOCAL GOVERNMENT. 26
 
3.5–301. 27 
 
 (a) In this subtitle the following words have the meanings indicated. 28 
 
 (i) “Master plan” means the statewide information technology master plan AND 29 
STATEWIDE CYBERSECURITY STRATEGY. 30
 
 (j) “Nonvisual access” means the ability, through keyboard control, synthesized 31 
speech, Braille, or other methods not requiring sight to receive, use, and manipulate 32
information and operate controls necessary to access information technology in accordance 1 
with standards adopted under [§ 3A–303(b)] § 3.5–303(B) of this subtitle. 2 
 
3.5–302. 3 
 
 (a) This subtitle does not apply to changes relating to or the purchase, lease, or 4 
rental of information technology by: 5 
 
 (1) public institutions of higher education solely for academic or research 6 
purposes; 7 
 
 (2) the Maryland Port Administration; 8 
 
 (3) the University System of Maryland; 9 
 
 (4) St. Mary’s College of Maryland; 10 
 
 (5) Morgan State University; 11 
 
 (6) the Maryland Stadium Authority; [or] 12 
 
 (7) Baltimore City Community College; 13 
 
 (8) THE LEGISLATIVE BRANCH OF STATE GOVERNMENT; OR 14

 (9) THE JUDICIAL BRANCH OF STATE GOVERNMENT.; 15

 (10) THE OFFICE OF THE ATTORNEY GENERAL; 16

 (11) THE COMPTROLLER; OR 17
 
 (12) THE STATE TREASURER.  18 
 
 (b) Except as provided in subsection (a) of this section, this subtitle applies to any 19 
project of a unit of the Executive Branch of State government that involves an agreement 20 
with a public institution of higher education for a portion of the development of the project, 21 
whether the work on the development is done directly or indirectly by the public institution 22 
of higher education.  23 
 
 (c) Notwithstanding any other provision of law, except as provided in subsection 24 
(a) of this section and [§§ 3A–307(a)(2), 3A–308, and 3A–309] §§ 3.5–306(A)(2), 3.5–307, 25 
3.5–307(A)(2), 3.5–308 AND 3.5–308 3.5–309 of this subtitle, this subtitle applies to all 26 
units of the Executive Branch of State government including public institutions of higher 27 
education other than Morgan State University, the University System of Maryland, St. 28 
Mary’s College of Maryland, and Baltimore City Community College. 29 
 
3.5–303. 1 
 
 (a) The Secretary is responsible for carrying out the following duties: 2 
 
 (1) developing, maintaining, revising, and enforcing information 3 
technology policies, procedures, and standards; 4 
 
 (2) providing technical assistance, advice, and recommendations to the 5 
Governor and any unit of State government concerning information technology matters; 6 
 
 (3) reviewing the annual project plan for each unit of State government to 7 
make information and services available to the public over the Internet; 8 
 
 (4) developing and maintaining a statewide information technology master 9 
plan that will: 10 
 
 (i) [be the basis for] CENTRALIZE the management and direction of 11 
information technology POLICY within the Executive Branch of State government UNDER 12 
THE CONTROL OF THE DEPARTMENT; 13
 
 (ii) include all aspects of State information technology including 14 
telecommunications, security, data processing, and information management; 15 
 
 (iii) consider interstate transfers as a result of federal legislation and 16 
regulation; 17 
 
 (iv) [work jointly with the Secretary of Budget and Management to 18 
ensure that information technology plans and budgets are consistent; 19 
 
 (v)] ensure that THE State information technology [plans, policies,] 20 
PLAN AND RELATED POLICIES and standards are consistent with State goals, objectives, 21
and resources, and represent a long–range vision for using information technology to 22 
improve the overall effectiveness of State government; and 23 
 
 [(vi)] (V) include standards to assure nonvisual access to the 24 
information and services made available to the public over the Internet; AND 25 
 
 (VI) ALLOWS A STATE AGENCY TO MAINTAIN THE AGENCY’S OWN 26
INFORMATION TECHNOLOGY UNIT THAT PROVIDES FOR INFORMATION 27
TECHNOLOGY SERVICES TO SUPPORT THE MISSION OF THE AGENCY.; 28

 (5) PROVIDING OR COORDINATING THE PROCUREMENT OF MANAGED 29
CYBERSECURITY SERVICES THAT ARE PAID FOR BY THE STATE AND USED BY LOCAL 30
GOVERNMENTS; 31
 
 
 (6) (5) DEVELOPING AND MAINTAINING A STATEWIDE 1
CYBERSECURITY MASTER PLAN STRATEGY THAT WILL: 2

 (I) CENTRALIZE THE MANAGEMENT AND DIRECTION OF 3
CYBERSECURITY STRATEGY WITHIN THE EXECUTIVE BRANCH OF STATE 4
GOVERNMENT UNDER THE CONTROL OF THE DEPARTMENT; AND 5

 (II) SERVE AS THE BASIS FOR BUDGET ALLOCATIONS FOR 6
CYBERSECURITY PREPAREDNESS FOR THE EXECUTIVE BRANCH OF STATE 7
GOVERNMENT; 8
 
 [(5)] (7) (6) adopting by regulation and enforcing nonvisual access standards 9 
to be used in the procurement of information technology services by or on behalf of units of 10 
State government in accordance with subsection (b) of this section; 11 
 
 [(6)] (8) (7) in consultation with the [Attorney General,] MARYLAND 12 
CYBERSECURITY COORDINATING COUNCIL, advising and overseeing a consistent 13 
cybersecurity strategy for units of State government, including institutions under the 14 
control of the governing boards of the public institutions of higher education; 15 
 
 [(7)] (9) (8) advising and consulting with the Legislative and Judicial 16 
branches of State government regarding a cybersecurity strategy; and 17 
 
 [(8)] (10) (9) in consultation with the [Attorney General,] MARYLAND 18 
CYBERSECURITY COORDINATING COUNCIL, developing guidance on consistent 19 
cybersecurity strategies for counties, municipal corporations, school systems, and all other 20 
political subdivisions of the State. 21 
 
 (b) Nothing in subsection (a) of this section may be construed as establishing a 22 
mandate for any entity listed in subsection [(a)(8)] (A)(10) of this section. 23 
 
 (c) On or before January 1, 2020, the Secretary, or the Secretary’s designee, shall: 24 
 
 (1) adopt new nonvisual access procurement standards that: 25 
 
 (i) provide an individual with disabilities with nonvisual access in a 26 
way that is fully and equally accessible to and independently usable by the individual with 27 
disabilities so that the individual is able to acquire the same information, engage in the 28 
same interactions, and enjoy the same services as users without disabilities, with 29 
substantially equivalent ease of use; and 30 
 
 (ii) are consistent with the standards of § 508 of the federal 31 
Rehabilitation Act of 1973; and 32 
 
 (2) establish a process for the Secretary or the Secretary’s designee to: 33
 
 (i) determine whether information technology meets the nonvisual 1 
access standards adopted under item (1) of this subsection; and 2 
 
 (ii) 1. for information technology procured by a State unit before 3 
January 1, 2020, and still used by the State unit on or after January 1, 2020, work with the 4 
vendor to modify the information technology to meet the nonvisual access standards, if 5 
practicable; or 6 
 
 2. for information technology procured by a State unit on or 7 
after January 1, 2020, enforce the nonvisual access clause developed under [§ 3A–311] § 8 
3.5–310 3.5–311 of this subtitle, including the enforcement of the civil penalty described 9 
in [§ 3A–311(a)(2)(iii)1] § 3.5–310(A)(2)(III)1 3.5–311(A)(2)(III)1 of this subtitle. 10 
 
 (D) (1) THE GOVERNOR SHALL INCLUDE AN APPROPRIATION IN THE 11
ANNUAL BUDGET BILL IN AN AMOUNT NECESSARY TO COVER THE COSTS OF 12
IMPLEMENTING THE STATEWIDE CYBERSECURITY MASTER PLAN DEVELOPED 13
UNDER SUBSECTION (A) OF THIS SECTION WITHOUT THE NEED FOR THE 14
DEPARTMENT TO OPERATE A CHARGE–BACK MODEL FOR CYBERSECURITY 15
SERVICES PROVIDED TO OTHER UNITS OF STATE GOVERNMENT OR UNITS OF LOCAL 16
GOVERNMENT. 17

 (2) ON OR BEFORE JANUARY 31 EACH YEAR, IN A SEPARATE REPORT 18
OR INCLUDED WITHIN A GENERAL BUDGET REPORT, THE GOVERNOR SHALL SUBMIT 19
A REPORT IN ACCORDANCE WITH § 2–1257 OF THE STATE GOVERNMENT ARTICLE 20
TO THE SENATE BUDGET AND TAXATION COMMITTEE AND THE HOUSE 21
APPROPRIATIONS COMMITTEE THAT INCLUDES: 22

 (I) SPECIFIC INFORMATION ON THE INFORMATION 23
TECHNOLOGY BUDGET AND CYBERSECURITY BUDGET THAT THE GOVERNOR HAS 24
SUBMITTED TO THE GENERAL ASSEMBLY FOR THE UPCOMING FISCAL YEAR; AND 25

 (II) HOW THE BUDGETS LISTED UNDER ITEM (I) OF THIS 26
PARAGRAPH COMPARE TO THE ANNUAL OVERVIEW OF THE U.S. PRESIDENT’S 27
BUDGET SUBMISSION ON INFORMATION TECHNOLOGY AND CYBERSECURITY TO 28
CONGRESS CONDUCTED BY THE U.S. OFFICE OF MANAGEMENT AND BUDGET. 29
 
3.5–305.  30 
 
 (a) [Except as provided in subsection (b) of this section, in accordance with 31 
guidelines established by the Secretary, each unit of State government shall develop and 32 
submit to the Secretary: 33 
 
 (1) information technology policies and standards; 34 
 
 (2) an information technology plan; and 1 
 
 (3) an annual project plan outlining the status of efforts to make 2 
information and services available to the public over the Internet. 3 
 
 (b) (1)] The governing boards of the public institutions of higher education shall 4 
develop and submit information technology policies and standards and an information 5 
technology plan for their respective institutions or systems to the Secretary. 6 
 
 [(2)] (B) If the Secretary finds that the submissions required under this 7 
[subsection] SECTION are consistent with the master plan, the Secretary shall incorporate 8 
those submissions into the master plan. 9 
 
 [(3)] (C) If the Secretary finds that the submissions required under this 10 
[subsection] SECTION are not consistent with the master plan: 11 
 
 (i) the Secretary shall return the submissions to the governing 12 
boards; and 13 
 
 (ii) the governing boards shall revise the submissions as appropriate 14 
and submit the revised policies, standards, and plans to the Secretary. 15 
 
[3.5–306. 16 
 
 Information technology of each unit of State government shall be consistent with the 17 
master plan.] 18 
 
[3.5–307.] 3.5–306. 19 
 
 (a) (1) [A unit of State government] THE DEPARTMENT may not purchase, 20 
lease, or rent information technology ON BEHALF OF A UNIT OF STATE GOVERNMENT 21 
unless consistent with the master plan STRATEGY. 22 
 
 (2) A unit of State government other than a public institution of higher 23 
education [may not make] SHALL SUBMIT REQUESTS FOR expenditures for major 24
information technology development projects OR CYBERSECURITY PROJECTS except as 25
provided in [§ 3A–308] § 3.5–307 3.5–308 of this subtitle. 26 
 
 (b) [(1)] The Secretary may review any information technology project OR 27 
CYBERSECURITY PROJECT for consistency with the master plan STRATEGY. 28
 
 [(2) Any information technology project selected for review may not be 29 
implemented without the approval of the Secretary.] 30 
 
 (c) (1) A unit of State government shall advise the Secretary of any 1 
information technology proposal involving resource sharing, the exchange of goods or 2 
services, or a gift, contribution, or grant of real or personal property. 3 
 
 (2) The Secretary shall determine if the value of the resources, services, 4 
and property to be obtained by the State under the terms of any proposal submitted in 5 
accordance with the provisions of paragraph (1) of this subsection equals or exceeds 6 
$100,000. 7 
 
 (3) If the value of any proposal submitted in accordance with this 8 
subsection equals or exceeds $100,000 and the Secretary and unit agree to proceed with the 9 
proposal, information on the proposal shall be: 10 
 
 (i) advertised for a period of at least 30 days in the eMaryland 11 
Marketplace; and 12 
 
 (ii) submitted, simultaneously with the advertisement, to the 13 
Legislative Policy Committee for a 60–day review and comment period, during which time 14 
the Committee may recommend that the proposal be treated as a procurement contract 15 
under Division II of this article. 16 
 
 (4) Following the period for review and comment by the Legislative Policy 17 
Committee under paragraph (3) of this subsection, the proposal is subject to approval by 18 
the Board of Public Works. 19 
 
 (5) This subsection may not be construed as authorizing an exception from 20 
the requirements of Division II of this article for any contract that otherwise would be 21 
subject to the State procurement process. 22 
 
[3.5–308.] 3.5–307. 23 
 
 (a) This section does not apply to a public institution of higher education. 24 
 
 (b) In submitting its information technology project requests, a unit of State 25 
government shall designate projects which are major information technology development 26 
projects. 27 
 
 (c) In reviewing information technology project requests, the Secretary may 28 
change a unit’s designation of a major information technology development project. 29 
 
 (d) The Secretary shall review and, with the advice of the Secretary of Budget and 30 
Management, approve major information technology development projects and 31
specifications for consistency with all statewide plans, policies, and standards, including a 32 
systems development life cycle plan. 33 
 
 (e) The Secretary shall be responsible for overseeing the implementation of major 34 
information technology development projects[, regardless of fund source]. 35
 
 (f) With the advice of the Secretary of Budget and Management, expenditures for 1 
major information technology development projects shall be subject to the approval of the 2 
Secretary who shall approve expenditures only when those projects are consistent with 3 
statewide plans, policies, and standards. 4 
 
 (g) (1) The Secretary shall approve funding for major information technology 5 
development projects only when those projects are supported by an approved systems 6 
development life cycle plan. 7 
 
 (2) An approved systems development life cycle plan shall include 8 
submission of: 9 
 
 (i) a project planning request that details initial planning for the 10 
project, including: 11 
 
 1. the project title, appropriation code, and summary; 12 
 
 2. a description of: 13 
 
 A. the needs addressed by the project; 14 
 
 B. the potential risks associated with the project; 15 
 
 C. possible alternatives; and 16 
 
 D. the scope and complexity of the project; and 17 
 
 3. an estimate of: 18 
 
 A. the total costs required to complete through planning; and 19 
 
 B. the fund sources available to support planning costs; and 20 
 
 (ii) a project implementation request to begin full design, 21 
development, and implementation of the project after the completion of planning, including: 22 
 
 1. the project title, appropriation code, and summary; 23 
 
 2. a description of: 24 
 
 A. the needs addressed by the project; 25 
 
 B. the potential risks associated with the project; 26 
 
 C. possible alternatives; 27 
 
 D. the scope and complexity of the project; and 1 
 
 E. how the project meets the goals of the statewide master 2 
plan; and 3 
 
 3. an estimate of: 4 
 
 A. the total project cost; and 5 
 
 B. the fund sources available. 6 
 
 (3) The Secretary may approve funding incrementally, consistent with the 7 
systems development life cycle plan. 8 
 
[3.5–309.] 3.5–308. 9 
 
 (a) There is a Major Information Technology Development Project Fund. 10 
 
 (b) The purpose of the Fund is to support major information technology 11 
development projects. 12 
 
 (c) The Secretary: 13 
 
 (1) shall administer the Fund in accordance with this section; and 14 
 
 (2) subject to the provisions of § 2–201 of this article and [§ 3A–307] §  15 
3.5–306 3.5–307 of this subtitle, may receive and accept contributions, grants, or gifts of 16 
money or property. 17 
 
 (d) (1) The Fund is a special, nonlapsing fund that is not subject to § 7–302 of 18 
this article. 19 
 
 (2) The State Treasurer shall hold the Fund separately and the 20 
Comptroller shall account for the Fund. 21 
 
 (3) The State Treasurer shall invest and reinvest the money of the Fund in 22 
the same manner as other State money may be invested. 23 
 
 (4) Any investment earnings of the Fund shall be paid into the Fund. 24 
 
 (e) Except as provided in subsection (f) of this section, the Fund consists of: 25 
 
 (1) money appropriated in the State budget to the Fund; 26 
 
 (2) as approved by the Secretary, money received from: 27 
 
 (i) the sale, lease, or exchange of communication sites, 1 
communication facilities, or communication frequencies for information technology 2 
purposes; or 3 
 
 (ii) an information technology agreement involving resource 4 
sharing; 5 
 
 (3) that portion of money earned from pay phone commissions to the extent 6 
that the commission rates exceed those in effect in December 1993; 7 
 
 (4) money received and accepted as contributions, grants, or gifts as 8 
authorized under subsection (c) of this section; 9 
 
 (5) general funds appropriated for major information technology 10 
development projects of any unit of State government other than a public institution of 11 
higher education that: 12 
 
 (i) are unencumbered and unexpended at the end of a fiscal year; 13 
 
 (ii) have been abandoned; or 14 
 
 (iii) have been withheld by the General Assembly or the Secretary; 15 
 
 (6) any investment earnings; and 16 
 
 (7) any other money from any source accepted for the benefit of the Fund. 17 
 
 (f) The Fund does not include any money: 18 
 
 (1) received by the Department of Transportation, the Maryland 19 
Transportation Authority, Baltimore City Community College, or the Maryland Public 20 
Broadcasting Commission; 21 
 
 (2) received by the Judicial or Legislative branches of State government; or 22 
 
 (3) generated from pay phone commissions that are credited to other 23 
accounts or funds in accordance with other provisions of law or are authorized for other 24 
purposes in the State budget or through an approved budget amendment. 25 
 
 (g) The Governor shall submit with the State budget: 26 
 
 (1) a summary showing the unencumbered balance in the Fund as of the 27 
close of the prior fiscal year and a listing of any encumbrances; 28 
 
 (2) an estimate of projected revenue from each of the sources specified in 29 
subsection (e) of this section for the fiscal year for which the State budget is submitted; and 30 
 
 (3) a descriptive listing of projects reflecting projected costs for the fiscal 1 
year for which the State budget is submitted and any estimated future year costs. 2 
 
 (h) Expenditures from the Fund shall be made only: 3 
 
 (1) in accordance with an appropriation approved by the General Assembly 4 
in the annual State budget; or 5 
 
 (2) through an approved State budget amendment under Title 7, Subtitle 6 
2, Part II of this article, provided that a State budget amendment for any project not 7 
requested as part of the State budget submission or for any project for which the scope or 8 
cost has increased by more than 5% or $250,000 shall be submitted to the budget 9 
committees allowing a 30–day period for their review and comment. 10 
 
 (i) The Fund may be used: 11 
 
 (1) for major information technology development projects; 12 
 
 (2) as provided in subsections (j) and (l) of this section; or 13 
 
 (3) notwithstanding [§ 3A–301(b)(2)] § 3.5–301(B)(2) of this subtitle, for 14 
the costs of the first 12 months of operation and maintenance of a major information 15 
technology development project. 16 
 
 (j) Notwithstanding subsection (b) of this section and except for the cost incurred 17 
in administering the Fund, each fiscal year up to $1,000,000 of this Fund may be used for: 18 
 
 (1) educationally related information technology projects; 19 
 
 (2) application service provider initiatives as provided for in Title 9, 20 
Subtitle 22 of the State Government Article; or 21 
 
 (3) information technology projects, including: 22 
 
 (i) pilots; and 23 
 
 (ii) prototypes. 24 
 
 (k) A unit of State government or local government may submit a request to the 25 
Secretary to support the cost of an information technology project with money under 26 
subsection (j) of this section. 27 
 
 (l) (1) Notwithstanding subsection (b) of this section and in accordance with 28 
paragraph (2) of this subsection, money paid into the Fund under subsection (e)(2) of this 29 
section shall be used to support: 30 
 
 (i) the State telecommunication and computer network established 1 
under [§ 3A–404] § 3.5–404 of this title, including program development for these 2 
activities; and 3 
 
 (ii) the Statewide Public Safety Interoperability Radio System, also  4 
known as Maryland First (first responder interoperable radio system team), under Title 1, 5 
Subtitle 5 of the Public Safety Article. 6 
 
 (2) The Secretary may determine the portion of the money paid into the 7 
Fund that shall be allocated to each program described in paragraph (1) of this subsection. 8 
 
 (m) (1) On or before November 1 of each year, the Secretary shall report to the 9 
Governor, the Secretary of Budget and Management, and to the budget committees of the 10 
General Assembly and submit a copy of the report to the General Assembly, in accordance 11 
with § 2–1257 of the State Government Article. 12 
 
 (2) The report shall include: 13 
 
 (i) the financial status of the Fund and a summary of its operations 14 
for the preceding fiscal year; 15 
 
 (ii) an accounting for the preceding fiscal year of all money from each 16 
of the revenue sources specified in subsection (e) of this section, including any expenditures 17 
made from the Fund; and 18 
 
 (iii) for each project receiving money from the Fund in the preceding 19 
fiscal year and for each major information technology development project receiving 20 
funding from any source other than the Fund in the preceding fiscal year: 21 
 
 1. the status of the project; 22 
 
 2. a comparison of estimated and actual costs of the project; 23 
 
 3. any known or anticipated changes in scope or costs of the 24 
project; 25 
 
 4. an evaluation of whether the project is using best 26 
practices; and 27 
 
 5. a summary of any monitoring and oversight of the project 28 
from outside the agency in which the project is being developed, including a description of 29 
any problems identified by any external review and any corrective actions taken. 30 
 
 (n) On or before January 15 of each year, for each major information technology 31 
development project currently in development or for which operations and maintenance 32 
funding is being provided in accordance with subsection (i)(3) of this section, subject to §  33 
2–1257 of the State Government Article, the Secretary shall provide a summary report to 34
the Department of Legislative Services with the most up–to–date project information 1 
including: 2 
 
 (1) project status; 3 
 
 (2) any schedule, cost, and scope changes since the last annual report; 4 
 
 (3) a risk assessment including any problems identified by any internal or 5 
external review and any corrective actions taken; and 6 
 
 (4) any change in the monitoring or oversight status. 7 
 
[3A–310.] 3.5–309. 8 
 
 This subtitle may not be construed to give the Secretary authority over: 9 
 
 (1) the content of educational applications or curriculum at the State or 10 
local level; or 11 
 
 (2) the entities that may participate in such educational programs. 12 
 
[3.5–311.] 3.5–310. 13 
 
 (a) (1) The Secretary or the Secretary’s designee, in consultation with other 14 
units of State government, and after public comment, shall develop a nonvisual access 15 
clause for use in the procurement of information technology and information technology 16 
services that specifies that the technology and services: 17 
 
 (i) must provide equivalent access for effective use by both visual 18 
and nonvisual means; 19 
 
 (ii) will present information, including prompts used for interactive 20 
communications, in formats intended for both visual and nonvisual use; 21 
 
 (iii) can be integrated into networks for obtaining, retrieving, and 22 
disseminating information used by individuals who are not blind or visually impaired; and 23 
 
 (iv) shall be obtained, whenever possible, without modification for 24 
compatibility with software and hardware for nonvisual access. 25 
 
 (2) On or after January 1, 2020, the nonvisual access clause developed in 26 
accordance with paragraph (1) of this subsection shall include a statement that: 27 
 
 (i) within 18 months after the award of the procurement, the 28 
Secretary, or the Secretary’s designee, will determine whether the information technology 29
meets the nonvisual access standards adopted in accordance with [§ 3A–303(b)] §  1 
3.5–303(B) of this subtitle; 2 
 
 (ii) if the information technology does not meet the nonvisual access 3 
standards, the Secretary, or the Secretary’s designee, will notify the vendor in writing that 4 
the vendor, at the vendor’s own expense, has 12 months after the date of the notification to 5 
modify the information technology in order to meet the nonvisual access standards; and 6 
 
 (iii) if the vendor fails to modify the information technology to meet 7 
the nonvisual access standards within 12 months after the date of the notification, the 8 
vendor: 9 
 
 1. may be subject to a civil penalty of: 10 
 
 A. for a first offense, a fine not exceeding $5,000; and 11 
 
 B. for a subsequent offense, a fine not exceeding $10,000; and 12 
 
 2. shall indemnify the State for liability resulting from the 13 
use of information technology that does not meet the nonvisual access standards. 14 
 
 (b) (1) Except as provided in paragraph (2) of this subsection, the nonvisual 15 
access clause required under subsection (a) of this section shall be included in each 16 
invitation for bids or request for proposals and in each procurement contract or modification 17 
or renewal of a contract issued under Title 13 of this article, without regard to the method 18 
chosen under Title 13, Subtitle 1 of this article for the purchase of new or upgraded 19 
information technology and information technology services. 20 
 
 (2) Except as provided in subsection (a)(4) of this section, the nonvisual 21 
access clause required under paragraph (1) of this subsection is not required if: 22 
 
 (i) the information technology is not available with nonvisual access 23 
because the essential elements of the information technology are visual and nonvisual 24 
equivalence cannot be developed; or 25 
 
 (ii) the cost of modifying the information technology for compatibility 26 
with software and hardware for nonvisual access would increase the price of the 27 
procurement by more than 15%. 28 
 
[3.5–312.] 3.5–311. 29 
 
 The Secretary may delegate the duties set forth in this subtitle to carry out its 30 
purposes. 31 
 
[3.5–313.] 3.5–312. 32 
 
 (a) (1) In this section the following words have the meanings indicated. 1 
 
 (2) “Agency” includes a unit of State government that receives funds that 2 
are not appropriated in the annual budget bill. 3 
 
 (3) (i) “Payee” means any party who receives from the State an 4 
aggregate payment of $25,000 in a fiscal year. 5 
 
 (ii) “Payee” does not include: 6 
 
 1. a State employee with respect to the employee’s 7 
compensation; or 8 
 
 2. a State retiree with respect to the retiree’s retirement 9 
allowance. 10 
 
 (4) “Searchable website” means a website created in accordance with this 11 
section that displays and searches State payment data. 12 
 
 (b) (1) The Department shall develop and operate a single searchable website, 13 
accessible to the public at no cost through the Internet. 14 
 
 (2) On or before the 15th day of the month that follows the month in which 15 
an agency makes a payment to a payee, the Department shall update the payment data on 16 
the searchable website. 17 
 
 (c) The searchable website shall contain State payment data, including: 18 
 
 (1) the name of a payee receiving a payment; 19 
 
 (2) the location of a payee by postal zip code; 20 
 
 (3) the amount of a payment; and 21 
 
 (4) the name of an agency making a payment. 22 
 
 (d) The searchable website shall allow the user to: 23 
 
 (1) search data for fiscal year 2008 and each year thereafter; and 24 
 
 (2) search by the following data fields: 25 
 
 (i) a payee receiving a payment; 26 
 
 (ii) an agency making a payment; and 27 
 
 (iii) the zip code of a payee receiving a payment. 28
 
 (e) State agencies shall provide appropriate assistance to the Secretary to ensure 1 
the existence and ongoing operation of the single website. 2 
 
 (f) This section may not be construed to require the disclosure of information that 3 
is confidential under State or federal law. 4 
 
 (g) This section shall be known and may be cited as the “Maryland Funding 5 
Accountability and Transparency Act”. 6 
 
[3.5–314.] 3.5–313.  7 
 
 (a) In this section, “security–sensitive data” means information that is protected 8 
against unwarranted disclosure. 9 
 
 (b) In accordance with guidelines established by the Secretary, each unit of State 10 
government shall develop a plan to: 11 
 
 (1) identify unit personnel who handle security–sensitive data; and 12 
 
 (2) establish annual security overview training or refresher security 13 
training for each employee who handles security–sensitive data as part of the employee’s 14 
duties. 15 
 
3.5–401. 16 
 
 (a) The Department shall: 17 
 
 (1) coordinate the development, procurement, management, and operation 18 
of telecommunication equipment, systems, and services by State government; 19 
 
 (2) TO ADDRESS PREPAREDNESS AND RESPONSE CAPABILITIES OF 20
LOCAL JURISDICTIONS, COORDINATE THE PROCUREMENT OF MANAGED 21
CYBERSECURITY SERVICES PROCURED BY LOCAL GOVERNMENTS WITH STATE 22
FUNDING; 23
 
 [(2)] (3) acquire and manage common user telecommunication 24 
equipment, systems, or services and charge units of State government for their 25 
proportionate share of the costs of installation, maintenance, and operation of the common 26 
user telecommunication equipment, systems, or services; 27 
 
 [(3)] (4) promote compatibility of telecommunication systems by 28 
developing policies, procedures, and standards for the [acquisition and] use of 29 
telecommunication equipment, systems, and services by units of State government; 30 
 
 [(4)] (5) coordinate State government telecommunication systems and 1 
services by reviewing requests by units of State government for, AND ACQUIRING ON 2 
BEHALF OF UNITS OF STATE GOVERNMENT, telecommunication equipment, systems, or 3
services; 4 
 
 [(5)] (6) advise units of State government about [planning, acquisition,] 5 
PLANNING and operation of telecommunication equipment, systems, or services; and 6 
 
 [(6)] (7) provide radio frequency coordination for State and local 7 
governments in accordance with regulations of the Federal Communications Commission. 8 
 
 (b) The Department may make arrangement for a user other than a unit of State 9 
government to have access to and use of State telecommunication equipment, systems, and 10 
services and shall charge the user any appropriate amount to cover the cost of installation, 11 
maintenance, and operation of the telecommunication equipment, system, or service 12 
provided. 13 
 
 (C) (1) THE DEPARTMENT SHALL DEVELOP AND REQUIRE BASIC 14
SECURITY REQUIREMENTS TO BE INCLUDED IN A CONTRACT: 15

 (I) IN WHICH A THIRD–PARTY CONTRACTOR WILL HAVE ACCESS 16
TO AND USE STATE TELECOMMUNICATION EQUIPMENT, SYSTEMS, OR SERVICES; OR 17

 (II) BY A UNIT OF STATE GOVERNMENT THAT IS LESS THAN 18
$50,000 FOR SYSTEMS OR DEVICES THAT WILL CONNECT TO STATE 19
TELECOMMUNICATION EQUIPMENT, SYSTEMS, OR SERVICES. 20

 (2) THE SECURITY REQUIREMENTS DEVELOPED UNDER PARAGRAPH 21
(1) OF THIS SUBSECTION SHALL BE CONSISTENT WITH A WIDELY RECOGNIZED 22
SECURITY STANDARD, INCLUDING NATIONAL INSTITUTE OF STANDARDS AND 23
TECHNOLOGY SP 800–171, ISO27001, OR CYBERSECURITY MATURITY MODEL 24
CERTIFICATION. 25
 
3.5–404. 26 
 
 (a) The General Assembly declares that: 27 
 
 (1) it is the policy of the State to foster telecommunication and computer 28 
networking among State and local governments, their agencies, and educational 29
institutions in the State; 30 
 
 (2) there is a need to improve access, especially in rural areas, to efficient 31 
telecommunication and computer network connections; 32 
 
 (3) improvement of telecommunication and computer networking for State 1 
and local governments and educational institutions promotes economic development, 2 
educational resource use and development, and efficiency in State and local administration; 3 
 
 (4) rates for the intrastate inter–LATA telephone communications needed 4 
for effective integration of telecommunication and computer resources are prohibitive for 5 
many smaller governments, agencies, and institutions; and 6 
 
 (5) the use of improved State telecommunication and computer networking 7 
under this section is intended not to compete with commercial access to advanced network 8 
technology, but rather to foster fundamental efficiencies in government and education for 9 
the public good. 10 
 
 (b) (1) The Department shall establish a telecommunication and computer 11 
network in the State. 12 
 
 (2) The network shall consist of: 13 
 
 (i) one or more connection facilities for telecommunication and 14 
computer connection in each local access transport area (LATA) in the State; and 15 
 
 (ii) facilities, auxiliary equipment, and services required to support 16 
the network in a reliable and secure manner. 17 
 
 (c) The network shall be accessible through direct connection and through local 18 
intra–LATA telecommunications to State and local governments and public and private 19 
educational institutions in the State. 20 
 
 (D) ON OR BEFORE DECEMBER 1 EACH YEAR, EACH UNIT OF THE 21
LEGISLATIVE OR JUDICIAL BRANCH OF STATE GOVERNMENT AND ANY DIVISION OF 22
THE UNIVERSITY SYSTEM OF MARYLAND THAT USE THE NETWORK ESTABLISHED 23
UNDER SUBSECTION (B) OF THIS SECTION SHALL CERTIFY TO THE DEPARTMENT 24
THAT THE UNIT OR DIVISION IS IN COMPLIANCE WITH THE DEPARTMENT’S MINIMUM 25
SECURITY STANDARDS. 26
 
3.5–404. 27 
 
 (D) (1) THE OFFICE SHALL ENSURE THAT AT LEAST ONCE EVERY 2 28
YEARS, OR MORE OFTEN IF REQUIRED BY REGULATIONS ADOPTED BY THE 29
DEPARTMENT, EACH UNIT OF STATE GOVERNMENT SHALL COMPLETE AN EXTERNAL 30
ASSESSMENT. 31

 (2) THE OFFICE SHALL ASSIST EACH UNIT TO REMEDIATE ANY 32
SECURITY VULNERABILITIES OR HIGH–RISK CONFIGURATIONS IDENTIFIED IN THE 33
ASSESSMENT REQUIRED UNDER PARAGRAPH (1) OF THIS SUBSECTION. 34
 
 (E) (1) IN THIS SUBSECTION, “IT UNIT” MEANS A UNIT OF THE 1
LEGISLATIVE BRANCH OR JUDICIAL BRANCH OF STATE GOVERNMENT, THE OFFICE 2
OF THE ATTORNEY GENERAL, THE OFFICE OF THE COMPTROLLER, OR THE OFFICE 3
OF THE STATE TREASURER THAT PROVIDES INFORMATION TECHNOLOGY SERVICES 4
FOR ANOTHER UNIT OF GOVERNMENT. 5

 (2) EACH IT UNIT SHALL: 6

 (I) BE EVALUATED BY AN INDEPENDENT AUDITOR WITH 7
CYBERSECURITY EXPERTISE TO DETERMINE WHETHER THE IT UNIT, AND THE UNITS 8
IT PROVIDES INFORMATION TECHNOLOGY SERVICES FOR, MEET RELEVANT 9
CYBERSECURITY STANDARDS RECOMMENDED BY THE NATIONAL INSTITUTE OF 10
STANDARDS AND TECHNOLOGY; AND 11

 (II) CERTIFY COMPLIANCE WITH THE RECOMMENDED 12
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY CYBERSECURITY 13
STANDARDS TO: 14

 1. IF THE IT UNIT IS PART OF THE LEGISLATIVE 15
BRANCH, THE PRESIDENT OF THE SENATE AND THE SPEAKER OF THE HOUSE; AND 16

 2. IF THE IT UNIT IS PART OF THE OFFICE OF THE 17
ATTORNEY GENERAL, TO THE ATTORNEY GENERAL; 18

 3. IF THE IT UNIT IS PART OF THE COMPTROLLER’S 19
OFFICE, TO THE COMPTROLLER; 20

 4. IF THE IT UNIT IS PART OF THE STATE TREASURER’S 21
OFFICE, TO THE STATE TREASURER; AND 22

 2. 5. IF THE IT UNIT IS PART OF THE JUDICIAL BRANCH OF 23
STATE GOVERNMENT, THE CHIEF JUDGE. 24
 
3.5–405. 25 
 
 (A) ON OR BEFORE DECEMBER 1 EACH YEAR, EACH UNIT OF STATE 26
GOVERNMENT SHALL: 27

 (1) COMPLETE A CYBERSECURITY PREPAREDNESS ASSESSMENT AND 28
REPORT THE RESULTS OF ANY CYBERSECURITY PREPAREDNESS ASSESSMENTS 29
PERFORMED IN THE PRIOR YEAR TO THE OFFICE OF SECURITY MANAGEMENT IN 30
ACCORDANCE WITH GUIDELINES DEVELOPED BY THE OFFICE; AND 31
 
 (2) SUBMIT A REPORT TO THE GOVERNOR AND THE OFFICE OF 1
SECURITY MANAGEMENT THAT INCLUDES: 2

 (I) AN INVENTORY OF ALL INFORMATION SYSTEMS AND 3
APPLICATIONS USED OR MAINTAINED BY THE UNIT; 4

 (II) A FULL DATA INVENTORY OF THE UNIT; 5

 (III) A LIST OF ALL CLOUD OR STATISTICAL ANALYSIS SYSTEM 6
SOLUTIONS USED BY THE UNIT; 7

 (IV) A LIST OF ALL PERMANENT AND TRANSIENT VENDOR 8
INTERCONNECTIONS THAT ARE IN PLACE; 9

 (V) THE NUMBER OF UNIT EMPLOYEES WHO HAVE RECEIVED 10
CYBERSECURITY TRAINING; 11

 (VI) THE TOTAL NUMBER OF UNIT EMPLOYEES WHO USE THE 12
NETWORK; 13

 (VII) THE NUMBER OF INFORMATION TECHNOLOGY STAFF 14
POSITIONS, INCLUDING VACANCIES; 15

 (VIII) THE NUMBER OF NONINFORMATION TECHNOLOGY STAFF 16
POSITIONS, INCLUDING VACANCIES; 17

 (IX) THE UNIT’S INFORMATION TECHNOLOGY BUDGET, 18
ITEMIZED TO INCLUDE THE FOLLOWING CATEGORIES: 19

 1. SERVICES; 20

 2. EQUIPMENT; 21

 3. APPLICATIONS; 22

 4. PERSONNEL; 23

 5. SOFTWARE LICENSING; 24

 6. DEVELOPMENT; 25

 7. NETWORK PROJECTS; 26

 8. MAINTENANCE; AND 27
 
 
 
 9. CYBERSECURITY; 1

 (X) ANY MAJOR INFORMATION TECHNOLOGY INITIATIVES TO 2
MODERNIZE THE UNIT’S INFORMATION TECHNOLOGY SYSTEMS OR IMPROVE 3
CUSTOMER ACCESS TO STATE AND LOCAL SERVICES; 4

 (XI) THE UNIT’S PLANS FOR FUTURE FISCAL YEARS TO 5
IMPLEMENT THE UNIT’S INFORMATION TECHNOLOGY GOALS; 6

 (XII) COMPLIANCE WITH TIMELINES AND METRICS PROVIDED IN 7
THE DEPARTMENT’S MASTER PLAN; AND 8

 (XIII) ANY OTHER KEY PERFORMANCE INDICATORS REQUIRED BY 9
THE OFFICE OF SECURITY MANAGEMENT TO TRACK COMPLIANCE OR CONSISTENCY 10
WITH THE DEPARTMENT’S STATEWIDE INFORMATION TECHNOLOGY MASTER PLAN. 11

 (B) (1) EACH UNIT OF STATE GOVERNMENT SHALL REPORT A 12
CYBERSECURITY INCIDENT IN ACCORDANCE WITH PARAGRAPH (2) OF THIS 13
SUBSECTION TO THE STATE CHIEF INFORMATION SECURITY OFFICER. 14

 (2) FOR THE REPORTING OF CYBERSECURITY INCIDENTS UNDER 15
PARAGRAPH (1) OF THIS SUBSECTION, THE STATE CHIEF INFORMATION SECURITY 16
OFFICER SHALL DETERMINE: 17

 (I) THE CRITERIA FOR DETERMINING WHEN AN INCIDENT MUST 18
BE REPORTED; 19

 (II) THE MANNER IN WHICH TO REPORT; AND 20

 (III) THE TIME PERIOD WITHIN WHICH A REPORT MUST BE MADE. 21
 
3.5–406. 22 
 
 (C) (1) (A) THIS SUBSECTION SECTION DOES NOT APPLY TO 23
MUNICIPAL GOVERNMENTS. 24

 (2) (B) ON OR BEFORE DECEMBER 1 EACH YEAR IN A MANNER AND 25
FREQUENCY ESTABLISHED IN REGULATIONS ADOPTED BY THE DEPARTMENT, EACH 26
COUNTY GOVERNMENT, LOCAL SCHOOL SYSTEM, AND LOCAL HEALTH DEPARTMENT 27
SHALL: 28

 (I) (1) IN CONSULTATION WITH THE LOCAL EMERGENCY 29
MANAGER, CREATE OR UPDATE A CYBERSECURITY PREPAREDNESS AND RESPONSE 30

PLAN AND SUBMIT THE PLAN TO THE OFFICE OF SECURITY MANAGEMENT FOR 1
APPROVAL; AND 2

 (II) (2) COMPLETE A CYBERSECURITY PREPAREDNESS 3
ASSESSMENT AND REPORT THE RESULTS TO THE OFFICE OF SECURITY 4
MANAGEMENT IN ACCORDANCE WITH GUIDELINES DEVELOPED BY THE OFFICE; 5
AND 6

 (III) REPORT TO THE OFFICE OF SECURITY MANAGEMENT: 7

 1. THE NUMBER OF INFORMATION TECHNOLOGY STAFF 8
POSITIONS, INCLUDING VACANCIES; 9

 2. THE ENTITY’S CYBERSECURITY BUDGET AND 10
OVERALL INFORMATION TECHNOLOGY BUDGET; 11

 3. THE NUMBER OF EMPLOYEES WHO HAVE RECEIVED 12
CYBERSECURITY TRAINING; AND 13

 4. THE TOTAL NUMBER OF EMPLOYEES WITH ACCESS TO 14
THE ENTITY’S COMPUTER SYSTEMS AND DATABASES. 15

 (C) THE ASSESSMENT REQUIRED UNDER PARAGRAPH (B)(2) OF THIS 16
SECTION MAY, IN ACCORDANCE WITH THE PREFERENCE OF EACH COUNTY 17
GOVERNMENT, BE PERFORMED BY THE DEPARTMENT OR BY A VENDOR 18
AUTHORIZED BY THE DEPARTMENT. 19

 (3) (I) (D) (1) EACH COUNTY LOCAL GOVERNMENT, LOCAL 20
SCHOOL SYSTEM, AND LOCAL HEALTH DEPARTMENT SHALL REPORT A 21
CYBERSECURITY INCIDENT, INCLUDING AN ATTACK ON A STATE SYSTEM BEING 22
USED BY THE LOCAL GOVERNMENT, TO THE APPROPRIATE LOCAL EMERGENCY 23
MANAGER AND THE STATE SECURITY OPERATIONS CENTER IN THE DEPARTMENT 24
IN ACCORDANCE WITH SUBPARAGRAPH (II) PARAGRAPH (2) OF THIS PARAGRAPH 25
SUBSECTION TO THE APPROPRIATE LOCAL EMERGENCY MANAGER. 26

 (II) (2) FOR THE REPORTING OF CYBERSECURITY INCIDENTS 27
TO LOCAL EMERGENCY MANAGERS UNDER SUBPARAGRAPH (I) OF THIS PARAGRAPH, 28
THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL DETERMINE: 29

 1. (I) THE CRITERIA FOR DETERMINING WHEN AN INCIDENT 30
MUST BE REPORTED; 31
 
 2. (II) THE MANNER IN WHICH TO REPORT; AND 32 
 
 3. (III) THE TIME PERIOD WITHIN WHICH A REPORT 1
MUST BE MADE. 2

 (3) THE STATE SECURITY OPERATIONS CENTER SHALL 3
IMMEDIATELY NOTIFY THE APPROPRIATE AGENCIES OF A CYBERSECURITY 4
INCIDENT REPORTED UNDER THIS SUBSECTION THROUGH THE STATE SECURITY 5
OPERATIONS CENTER. 6
 
4–316.1. 7 
 
 THE DEPARTMENT, IN CONSULTATION WITH THE MARYLAND 8
CYBERSECURITY COORDINATING COUNCIL ESTABLISHED IN § 3.5–2A–05 OF THIS 9
ARTICLE, SHALL STUDY THE SECURITY AND FINANCIAL IMPLICATIONS OF 10
EXECUTING PARTNERSHIPS WITH OTHER STATES TO PROCURE INFORMATION 11
TECHNOLOGY AND CYBERSECURITY PRODUCTS AND SERVICES, INCLUDING THE 12
IMPLICATIONS FOR POLITICAL SUBDIVISIONS OF THE STATE. 13
 
13–115. 14 
 
 (A) THE DEPARTMENT OF INFORMATION TECHNOLOGY SHALL REQUIRE 15
BASIC SECURITY REQUIREMENTS TO BE INCLUDED IN A CONTRACT: 16

 (1) IN WHICH A THIRD–PARTY CONTRACTOR WILL HAVE ACCESS TO 17
AND USE STATE TELECOMMUNICATION EQUIPMENT, SYSTEMS, OR SERVICES; OR 18

 (2) FOR SYSTEMS OR DEVICES THAT WILL CONNECT TO STATE 19
TELECOMMUNICATION EQUIPMENT, SYSTEMS, OR SERVICES. 20

 (B) THE SECURITY REQUIREMENTS DEVELOPED UNDER SUBSECTION (A) OF 21
THIS SECTION SHALL BE CONSISTENT WITH A WIDELY RECOGNIZED SECURITY 22
STANDARD, INCLUDING NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 23
SP 800–171, ISO27001, OR CYBERSECURITY MATURITY MODEL CERTIFICATION. 24
 
12–107. 25 
 
 (b) Subject to the authority of the Board, jurisdiction over procurement is as 26 
follows: 27 
 
 (2) the Department of General Services may: 28 
 
 (i) engage in or control procurement of: 29 
 
 10. information processing equipment and associated 30 
services, as provided in Title [3A] 3.5, Subtitle 3 of this article; [and] 31 
 
 11. telecommunication equipment, systems, or services, as 1 
provided in Title [3A] 3.5, Subtitle 4 of this article; AND 2 
 
 12. MANAGED CYBERSECURITY SERVICES, AS PROVIDED 3
IN TITLE 3.5, SUBTITLE 3 OF THIS ARTICLE; 4
 
 SECTION 3. AND BE IT FURTHER ENACTED, That, as a key enabler of the 5 
Department of Information Technology’s cybersecurity risk management strategy, on or 6 
before December 31, 2022, the Department shall complete the implementation of a 7 
governance, risk, and compliance module across the Executive Branch of State government 8 
that: 9 
 
 (1) has industry–standard capabilities; 10 
 
 (2) is based on NIST, ISO, or other recognized security frameworks or 11 
standards; and 12 
 
 (3) enables the Department to identify, monitor, and manage cybersecurity 13 
risk on a continuous basis. 14 
 
 SECTION 4. AND BE IT FURTHER ENACTED, That, on or before June 30, 2023, 15 
the Office of Security Management, in consultation with the Maryland Cybersecurity 16 
Coordinating Council, shall: 17 
 
 (1) prepare a transition strategy toward cybersecurity centralization, 18 
including recommendations for: 19 
 
 (1) (i) consistent incident response training; 20 
 
 (2) (ii) implementing security improvement dashboards to inform 21 
budgetary appropriations; 22 
 
 (3) (iii) operations logs transition to the Maryland Security Operations 23 
Center; 24 
 
 (4) (iv) establishing consistent performance accountability metrics for 25 
information technology and cybersecurity staff; and 26 
 
 (5) (v) whether the Office needs additional staff or contractors to carry 27 
out its duties; and 28 
 
 (2) report the transition strategy and recommendations prepared under 29 
item (1) of this section to the Governor and, in accordance with § 2–1257 of the State 30 
Government Article, the Senate Education, Health, and Environmental Affairs Committee 31 
and the House Health and Government Operations Committee.  32 
 
 SECTION 5. AND BE IT FURTHER ENACTED, That: 1 
 
 (a) (1) On or before June 30, 2023, each agency in the Executive Branch of 2 
State government shall certify to the Office of Security Management compliance with State 3 
minimum cybersecurity standards established by the Department of Information Security 4 
Technology. 5 
 
 (2) Except as provided in paragraph (3) of this subsection, certification 6 
shall be reviewed by independent auditors, and any findings must be remediated. 7 
 
 (3) Certification for the Department of Public Safety and Correctional 8 
Services and any State criminal justice agency shall be reviewed by the Office of Legislative 9 
Audits, and any findings must be remediated. 10 
 
 (b) If Except as provided in subsection (c) of this section, if an agency has not 11 
remediated any findings pertaining to State cybersecurity standards found by the 12 
independent audit required under subsection (a) of this section by July 1, 2024, the Office 13 
of Security Management shall assume responsibility for an agency’s cybersecurity ensure 14 
compliance of an agency’s cybersecurity with cybersecurity standards through a shared 15 
service agreement, administrative privileges, or access to Network Maryland 16 
notwithstanding any federal law or regulation that forbids the Office of Security 17 
Management from managing a specific system. 18 
 
 (c) Subsection (b) of this section does not apply if a federal law or regulation 19 
forbids the Office of Security Management from managing a specific system.  20 
 
 SECTION 6. AND BE IT FURTHER ENACTED, That: 21 
 
 (a) The Department of Information Technology shall hire a contractor to conduct 22 
a performance and capacity assessment of the Department to: 23 
 
 (1) evaluate the Department’s capacity to implement provisions of this Act; 24 
and 25 
 
 (2) recommend additional resources necessary for the Department to 26 
implement provisions of this title and meet future needs, including additional budget 27 
appropriations, additional staff, altered contracting authority, and pay increases for staff. 28 
 
 (b) The contractor hired by the Department to complete the assessment and 29 
report required by this section shall: 30 
 
 (1) on or before December 1, 2023, submit an interim report of its findings 31 
and recommendations to the Governor and, in accordance with § 2–1257 of the State 32 
Government Article, the General Assembly; and 33 
 
 (2) on or before December 1, 2024, submit a final report of its findings and 1 
recommendations to the Governor and, in accordance with § 2–1257 of the State 2
Government Article, the General Assembly. 3 
 
 SECTION 7. AND BE IT FURTHER ENACTED, That for fiscal year 2023, funds 4 
from the Dedicated Purpose Account may be transferred by budget amendment in 5 
accordance with § 7–310 of the State Finance and Procurement Article to implement this 6 
Act. 7 
 
 SECTION 8. AND BE IT FURTHER ENACTED, That: 8 
 
 (a) On or before June October 1, 2022, the State Chief Information Security 9 
Officer shall establish guidelines to determine when a cybersecurity incident shall be 10 
disclosed to the public. 11 
 
 (b) On or before November 1, 2022, the State Chief Information Security Officer 12 
shall submit a report on the guidelines established under subsection (a) of this section to 13 
the Governor and, in accordance with § 2–1257 of the State Government Article, the House 14 
Health and Government Operations Committee and the Senate Education, Health, and 15 
Environmental Affairs Committee.  16 
 
 SECTION 4. AND BE IT FURTHER ENACTED, That, on the effective date of this 17 
Act, the following shall be transferred to the Department of Information Technology: 18 
 
 (1) all appropriations, including State and federal funds, held by a unit of 19 
the Executive Branch of State government for the purpose of information technology 20 
operations or cybersecurity for the unit on the effective date of this Act; and 21 
 
 (2) all books and records (including electronic records), real and personal 22 
property, equipment, fixtures, assets, liabilities, obligations, credits, rights, and privileges 23 
held by a unit of the Executive Branch of State government for the purpose of information 24 
technology operations or cybersecurity for the unit on the effective date of this Act. 25 
 
 SECTION 5. AND BE IT FURTHER ENACTED, That all employees of a unit of the 26 
Executive Branch of State government who are assigned more than 50% of the time to a 27 
function related to information technology operations or cybersecurity for the unit on the 28 
effective date of this Act shall, on the effective date of this Act, report to the Secretary of 29 
Information Technology or the Secretary’s designee. 30 
 
 SECTION 6. AND BE IT FURTHER ENACTED, That any transaction affected by 31 
the transfer of oversight of information technology operations or cybersecurity of a unit of 32 
the Executive Branch of State government and validly entered into before the effective date 33 
of this Act, and every right, duty, or interest flowing from it, remains valid after the 34 
effective date of this Act and may be terminated, completed, consummated, or enforced 35 
under the law. 36 
 
 SECTION 7. AND BE IT FURTHER ENACTED, That all existing laws, regulations, 1 
proposed regulations, standards and guidelines, policies, orders and other directives, forms, 2 
plans, memberships, contracts, property, investigations, administrative and judicial 3 
responsibilities, rights to sue and be sued, and all other duties and responsibilities 4 
associated with information technology operations or cybersecurity of a unit of the 5 
Executive Branch of State government prior to the effective date of this Act shall continue 6 
and, as appropriate, be legal and binding on the Department of Information Technology 7 
until completed, withdrawn, canceled, modified, or otherwise changed under the law. 8 
 
 SECTION 8. 9. AND BE IT FURTHER ENACTED, That this Act shall take effect 9 
October July 1, 2022. 10 
 
 
 
 
Approved: 
________________________________________________________________________________  
 Governor. 
________________________________________________________________________________  
         President of the Senate. 
________________________________________________________________________________  
  Speaker of the House of Delegates.