Maryland 2022 Regular Session

Maryland Senate Bill SB812 Compare Versions

1- LAWRENCE J. HOGAN, JR., Governor Ch. 242
2-
3-– 1 –
4-Chapter 242
5-(Senate Bill 812)
6-
7-AN ACT concerning
8-
9-State Government – Cybersecurity – Coordination and Governance
10-
11-FOR the purpose of establishing the Cybersecurity Coordination and Operations Office in
12-the Maryland Department of Emergency Management; requiring the Secretary of
13-Emergency Management to appoint an Executive Director as head of the
14-Cybersecurity Coordination and Operations Office; requiring the Office of Security
15-Management to be provided with staff for the Cybersecurity Coordination and
16-Operations Office; requiring the Cybersecurity Coordination and Operations Office
17-to establish regional assistance groups to deliver or coordinate support services to
18-political subdivisions, agencies, or regions in accordance with certain requirements;
19-requiring the Cybersecurity Coordination and Operations Office to offer certain
20-training opportunities for counties and municipalities; establishing the Office of
21-Security Management within the Department of Information Technology (DoIT);
22-establishing certain responsibilities and authority of the Office of Security
23-Management; centralizing authority and control of the procurement of all
24-information technology for the Executive Branch of State government in DoIT;
25-establishing the Maryland Cybersecurity Coordinating Council; requiring the
26-Secretary of Information Technology to develop and maintain a statewide
27-cybersecurity master plan strategy; requiring DoIT to develop and require basic
28-security requirements to be included in certain contracts; requiring each unit of the
29-Legislative or Judicial Branch of State government and any division of the
30-University System of Maryland that uses a certain network to certify certain
31-compliance to DoIT on or before a certain date each year; requiring certain IT units
32-to certify compliance with certain cybersecurity standards; requiring each unit of the
33-Executive Branch of State government and certain local entities to report certain
34-cybersecurity incidents in a certain manner and under certain circumstances;
35-requiring the State Security Operations Center to notify certain agencies of a
36-cybersecurity incident reported in a certain manner; establishing the Maryland
37-Cybersecurity Coordinating Council; exempting meetings of the Council from the
38-Open Meetings Act; requiring the Council to study aspects of the State’s
39-cybersecurity vulnerabilities and procurement potential, including partnerships
40-with other states; requiring the Council to promote certain education and training
41-opportunities; requiring the Department of General Services to study the security
42-and financial implications of executing partnerships with other states to procure
43-information technology and cybersecurity products and services; requiring the
44-Department of General Services to establish certain basic security requirements to
45-be included in certain contracts; requiring DoIT to complete implementation of a
46-certain governance, risk, and compliance module on or before a certain date;
47-requiring the Office to prepare a transition strategy towards cybersecurity
48-centralization; requiring each agency in the Executive Branch of State government
49-to certify to the Office that the agency is in compliance with certain standards; Ch. 242 2022 LAWS OF MARYLAND
50-
51-– 2 –
52-requiring the Office to assume responsibility for a certain agency’s cybersecurity
53-except under certain circumstances; requiring DoIT to hire a contractor to conduct a
54-performance and capacity assessment of DoIT; authorizing funds to be transferred
55-by budget amendment from the Dedicated Purpose Account in a certain fiscal year
56-to implement the Act; transferring certain appropriations, books and records, and
57-employees to DoIT; and generally relating to State cybersecurity coordination.
58-
59-BY renumbering
60- Article – State Finance and Procurement
61-Section 3A–101 through 3A–702, respectively, and the title “Title 3A. Department of
62-Information Technology”
63-to be Section 3.5–101 through 3.5–702, respectively, and the title “Title 3.5.
64-Department of Information Technology”
65- Annotated Code of Maryland
66- (2021 Replacement Volume)
67-
68-BY repealing and reenacting, with amendments,
69- Article – Criminal Procedure
70- Section 10–221(b)
71- Annotated Code of Maryland
72- (2018 Replacement Volume and 2021 Supplement)
73-
74-BY repealing and reenacting, with amendments,
75- Article – Health – General
76- Section 21–2C–03(h)(2)(i)
77- Annotated Code of Maryland
78- (2019 Replacement Volume and 2021 Supplement)
79-
80-BY repealing and reenacting, with amendments,
81- Article – Human Services
82- Section 7–806(a), (b)(1), (c)(1), (d)(1) and (2)(i), and (g)(1)
83- Annotated Code of Maryland
84- (2019 Replacement Volume and 2021 Supplement)
85-
86-BY repealing and reenacting, with amendments,
87- Article – Insurance
88- Section 31–103(a)(2)(i) and (b)(2)
89- Annotated Code of Maryland
90- (2017 Replacement Volume and 2021 Supplement)
91-
92-BY repealing and reenacting, with amendments,
93- Article – Natural Resources
94- Section 1–403(c)
95- Annotated Code of Maryland
96- (2018 Replacement Volume and 2021 Supplement)
97- LAWRENCE J. HOGAN, JR., Governor Ch. 242
98-
99-– 3 –
100-BY adding to
101- Article – Public Safety
102-Section 14–104.1
103- Annotated Code of Maryland
104- (2018 Replacement Volume and 2021 Supplement)
105-
106-BY repealing and reenacting, without amendments,
107- Article – State Finance and Procurement
108- Section 3.5–101(a) and (e) and 3.5–301(a)
109- Annotated Code of Maryland
110- (2021 Replacement Volume)
111- (As enacted by Section 1 of this Act)
112-
113-BY adding to
114- Article – State Finance and Procurement
115-Section 3.5–2A–01 through 3.5–2A–07 3.5–2A–06 to be under the new subtitle
116-“Subtitle 2A. Office of Security Management”; and 3.5–404(d) and (e), 3.5–405
117-and 12–107(b)(2)(i)12., 3.5–406, 4–316.1, and 13–115
118- Annotated Code of Maryland
119- (2021 Replacement Volume)
120-
121-BY repealing and reenacting, with amendments,
122- Article – State Finance and Procurement
123-Section 3.5–301(j), 3.5–302(c), 3.5–303, 3.5–305, 3.5–307 through 3.5–314, 3.5–401,
124-and 3.5–404 Section 3.5–301(i) and (j), 3.5–302, 3.5–303, 3.5–307, 3.5–309(c),
125-(i), and (l), and 3.5–311(a)(2)(i)
126- Annotated Code of Maryland
127- (2021 Replacement Volume)
128- (As enacted by Section 1 of this Act)
129-
130-BY repealing
131- Article – State Finance and Procurement
132-Section 3.5–306
133- Annotated Code of Maryland
134- (2021 Replacement Volume)
135- (As enacted by Section 1 of this Act)
136-
137-BY repealing and reenacting, with amendments,
138- Article – State Finance and Procurement
139- Section 12–107(b)(2)(i)10. and 11.
140- Annotated Code of Maryland
141- (2021 Replacement Volume)
142-
143- SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND,
144-That Section(s) 3A–101 through 3A–702, respectively, and the title “Title 3A. Department
145-of Information Technology” of Article – State Finance and Procurement of the Annotated Ch. 242 2022 LAWS OF MARYLAND
146-
147-– 4 –
148-Code of Maryland be renumbered to be Section(s) 3.5–101 through 3.5–702, respectively,
149-and the title “Title 3.5. Department of Information Technology”.
150-
151- SECTION 2. AND BE IT FURTHER ENACTED, That the Laws of Maryland read
152-as follows:
153-
154-Article – Criminal Procedure
155-
156-10–221.
157-
158- (b) Subject to Title [3A] 3.5, Subtitle 3 of the State Finance and Procurement
159-Article, the regulations adopted by the Secretary under subsection (a)(1) of this section and
160-the rules adopted by the Court of Appeals under subsection (a)(2) of this section shall:
161-
162- (1) regulate the collection, reporting, and dissemination of criminal history
163-record information by a court and criminal justice units;
164-
165- (2) ensure the security of the criminal justice information system and
166-criminal history record information reported to and collected from it;
167-
168- (3) regulate the dissemination of criminal history record information in
169-accordance with Subtitle 1 of this title and this subtitle;
170-
171- (4) regulate the procedures for inspecting and challenging criminal history
172-record information;
173-
174- (5) regulate the auditing of criminal justice units to ensure that criminal
175-history record information is:
176-
177- (i) accurate and complete; and
178-
179- (ii) collected, reported, and disseminated in accordance with Subtitle
180-1 of this title and this subtitle;
181-
182- (6) regulate the development and content of agreements between the
183-Central Repository and criminal justice units and noncriminal justice units; and
184-
185- (7) regulate the development of a fee schedule and provide for the collection
186-of the fees for obtaining criminal history record information for other than criminal justice
187-purposes.
188-
189-Article – Health – General
190-
191-21–2C–03.
192- LAWRENCE J. HOGAN, JR., Governor Ch. 242
193-
194-– 5 –
195- (h) (2) The Board is subject to the following provisions of the State Finance
196-and Procurement Article:
197-
198- (i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent
199-that the Secretary of Information Technology determines that an information technology
200-project of the Board is a major information technology development project;
201-
202-Article – Human Services
203-
204-7–806.
205-
206- (a) (1) Subject to paragraph (2) of this subsection, the programs under §
207-7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State
208-Finance and Procurement Article shall be funded as provided in the State budget.
209-
210- (2) For fiscal year 2019 and each fiscal year thereafter, the program under
211-[§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall be funded at an
212-amount that:
213-
214- (i) is equal to the cost that the Department of Aging is expected to
215-incur for the upcoming fiscal year to provide the service and administer the program; and
216-
217- (ii) does not exceed 5 cents per month for each account out of the
218-surcharge amount authorized under subsection (c) of this section.
219-
220- (b) (1) There is a Universal Service Trust Fund created for the purpose of
221-paying the costs of maintaining and operating the programs under:
222-
223- (i) § 7–804(a) of this subtitle, subject to the limitations and controls
224-provided in this subtitle;
225-
226- (ii) § 7–902(a) of this title, subject to the limitations and controls
227-provided in Subtitle 9 of this title; and
228-
229- (iii) [§ 3A–702] § 3.5–702 of the State Finance and Procurement
230-Article, subject to the limitations and controls provided in Title [3A] 3.5, Subtitle 7 of the
231-State Finance and Procurement Article.
232-
233- (c) (1) The costs of the programs under § 7–804(a) of this subtitle, § 7–902(a)
234-of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall
235-be funded by revenues generated by:
236-
237- (i) a surcharge to be paid by the subscribers to a communications
238-service; and
239-
240- (ii) other funds as provided in the State budget. Ch. 242 2022 LAWS OF MARYLAND
241-
242-– 6 –
243-
244- (d) (1) The Secretary shall annually certify to the Public Service Commission
245-the costs of the programs under § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§
246-3A–702] § 3.5–702 of the State Finance and Procurement Article to be paid by the
247-Universal Service Trust Fund for the following fiscal year.
248-
249- (2) (i) The Public Service Commission shall determine the surcharge
250-for the following fiscal year necessary to fund the programs under § 7–804(a) of this subtitle,
251-§ 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement
252-Article.
253-
254- (g) (1) The Legislative Auditor may conduct postaudits of a fiscal and
255-compliance nature of the Universal Service Trust Fund and the expenditures made for
256-purposes of § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of
257-the State Finance and Procurement Article.
258-
259-Article – Insurance
260-
261-31–103.
262-
263- (a) The Exchange is subject to:
264-
265- (2) the following provisions of the State Finance and Procurement Article:
266-
267- (i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent
268-that the Secretary of Information Technology determines that an information technology
269-project of the Exchange is a major information technology development project;
270-
271- (b) The Exchange is not subject to:
272-
273- (2) Title [3A] 3.5, Subtitle 3 (Information Processing) of the State Finance
274-and Procurement Article, except to the extent determined by the Secretary of Information
275-Technology under subsection (a)(2)(i) of this section;
276-
277-Article – Natural Resources
278-
279-1–403.
280-
281- (c) The Department shall develop the electronic system consistent with the
282-statewide information technology master plan developed under Title [3A] 3.5, Subtitle 3 of
283-the State Finance and Procurement Article.
284-
285-Article – Public Safety
286-
287-14–104.1. LAWRENCE J. HOGAN, JR., Governor Ch. 242
288-
289-– 7 –
290-
291- (A) (1) IN THIS SECTION THE F OLLOWING WORDS HAVE THE MEANINGS
292-INDICATED.
293-
294- (2) “OFFICE” MEANS THE CYBERSECURITY COORDINATION AND
295-OPERATIONS OFFICE ESTABLISHED WI THIN THE DEPARTMENT .
296-
297- (3) “REGION” MEANS A COLLECTION O F POLITICAL SUBDIVISIONS.
298-
299- (B) THERE IS A CYBERSECURITY COORDINATION AND OPERATIONS
300-OFFICE WITHIN THE DEPARTMENT .
301-
302- (C) THE PURPOSE OF THE OFFICE IS TO:
303-
304- (1) IMPROVE LOCAL , REGIONAL, AND STATEWIDE CYBERS ECURITY
305-READINESS AND RESPON SE;
306-
307- (2) ASSIST POLITICAL SUB DIVISIONS, SCHOOL BOARDS , AND
308-AGENCIES IN THE DEVE LOPMENT OF CYBERSECU RITY DISRUPTION PLAN S;
309-
310- (3) IN CONSULTATION WITH THE DEPARTMENT OF INFORMATION
311-TECHNOLOGY , COORDINATE WITH POLI TICAL SUBDIVISIONS , LOCAL AGENCIES ,
312-AND STATE AGENCIES ON THE IMPLEMENTATION OF CYBERSECURITY BES T
313-PRACTICES;
314-
315- (4) COORDINATE WITH POLI TICAL SUBDIVISIONS A ND AGENCIES ON
316-THE IMPLEMENTATION O F THE STATEWIDE MASTER PLAN DEVELOPED BY THE
317-DEPARTMENT OF INFORMATION TECHNOLOGY UNDER TITLE 3.5, SUBTITLE 3 OF
318-THE STATE FINANCE AND PROCUREMENT ARTICLE; AND
319-
320- (5) CONSULT WITH THE STATE CHIEF INFORMATION SECURITY
321-OFFICER AND THE SECRETARY OF INFORMATION TECHNOLOGY TO CONNECT
322-POLITICAL SUBDIVISIO NS AND AGENCIES TO T HE APPROPRIATE RESOU RCES FOR
323-ANY OTHER PURPOSE RE LATED TO CYBERSECURI TY READINESS AND RESPON SE.
324-
325- (D) (1) THE HEAD OF THE OFFICE IS THE EXECUTIVE DIRECTOR, WHO
326-SHALL BE APPOINTED B Y THE DIRECTOR.
327-
328- (2) THE OFFICE OF SECURITY MANAGEMENT SHALL PROV IDE STAFF
329-FOR THE OFFICE.
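Review bot: the appointing authority in 14–104.1(D)(1) does not match the purpose clause. (D)(1) has the Executive Director appointed by "THE DIRECTOR", while the purpose paragraph says the bill is "requiring the Secretary of Emergency Management to appoint an Executive Director", and subsection (A) of this section defines only "OFFICE" and "REGION". Suggest naming the Secretary in (D)(1), or pointing to where "Director" is defined, so that the head of the Office has an unambiguous appointing official.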
330-
331- (E) (1) THE OFFICE SHALL ESTABLIS H REGIONAL ASSISTAN CE GROUPS
332-TO DELIVER OR COORDI NATE SUPPORT SERVICE S TO POLITICAL SUBDI VISIONS,
333-AGENCIES, OR REGIONS. Ch. 242 2022 LAWS OF MARYLAND
334-
335-– 8 –
336-
337- (2) THE OFFICE MAY HIRE OR PR OCURE REGIONAL COORD INATORS
338-TO DELIVER OR COORDI NATE THE SERVICES UN DER PARAGRAPH (1) OF THIS
339-SUBSECTION.
340-
341- (3) THE OFFICE SHALL PROVIDE OR COO RDINATE SUPPORT
342-SERVICES UNDER PARAG RAPH (1) OF THIS SUBSECTION T HAT INCLUDE:
343-
344- (I) CONNECTING MULTIPLE POLITICAL SUBDIVISIO NS AND
345-AGENCIES WITH EACH O THER TO SHARE BEST P RACTICES OR OTHER IN FORMATION
346-TO INCREASE READINES S OR RESPONS E EFFECTIVENESS ;
347-
348- (II) PROVIDING TECHNICAL SERVICES FOR THE
349-IMPLEMENTATION OF CY BERSECURITY BEST PRA CTICES IN ACCORDANCE WITH
350-SUBSECTION (C)(3) OF THIS SECTION;
351-
352- (III) COMPLETING CYBERSECU RITY RISK ASSESSMENT S;
353-
354- (IV) DEVELOPING CYBER SCO RECARDS AN D REPORTS ON
355-REGIONAL READINESS ;
356-
357- (V) CREATING AND UPDATIN G CYBERSECURITY DISR UPTION
358-PLANS IN ACCORDANCE WITH SUBSECTION (C)(2) OF THIS SECTION; AND
359-
360- (VI) CONDUCTING REGIONAL EXERCISES IN COORDIN ATION
361-WITH THE NATIONAL GUARD, THE DEPARTMENT , THE DEPARTMENT OF
362-INFORMATION TECHNOLOGY , LOCAL EMERGENCY MANA GERS, AND OTHER STATE
363-AND LOCAL ENTITIES.
364-
365- (F) (1) THE OFFICE SHALL PROVIDE REGULAR TRAINING
366-OPPORTUNITIES FOR CO UNTIES AND MUNICIPAL CORPORATIONS IN THE STATE.
367-
368- (2) TRAINING OPPORTUNITIE S OFFERED BY THE OFFICE SHALL:
369-
370- (I) BE DESIGNED TO ENSUR E STAFF FOR COUNTIES AND
371-MUNICIPAL CORPORATIO NS ARE CAPABLE OF CO OPERATING EFFECTIVEL Y WITH
372-THE DEPARTMENT IN THE EVE NT OF A CYBERSECURIT Y EMERGENCY ; AND
373-
374- (II) INCORPORATE BEST PRA CTICES AND GUIDE LINES FOR
375-STATE AND LOCAL GOVE RNMENTS PROVIDED BY THE MULTI–STATE INFORMATION
376-SHARING AND ANALYSIS CENTER AND THE CYBERSECURITY AND
377-INFRASTRUCTURE SECURITY AGENCY.
378- LAWRENCE J. HOGAN, JR., Governor Ch. 242
379-
380-– 9 –
381- (G) ON OR BEFORE DECEMBER 1 EACH YEAR, THE OFFICE SHALL REPORT
382-TO THE GOVERNOR AND , IN ACCORDANCE WITH § 2–1257 OF THE STATE
383-GOVERNMENT ARTICLE, THE GENERAL ASSEMBLY ON THE ACTIV ITIES OF THE
384-OFFICE.
385-
386-Article – State Finance and Procurement
387-
388-3.5–101.
389-
390- (a) In this title the following words have the meanings indicated.
391-
392- (e) “Unit of State government” means an agency or unit of the Executive Branch
393-of State government.
394-
395-SUBTITLE 2A. OFFICE OF SECURITY MANAGEMENT .
396-
397-3.5–2A–01.
398-
399- (A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS
400-INDICATED.
401-
402- (B) “COUNCIL” MEANS THE MARYLAND CYBERSECURITY COORDINATING
403-COUNCIL.
404-
405- (C) “OFFICE” MEANS THE OFFICE OF SECURITY MANAGEMENT .
406-
407-3.5–2A–02.
408-
409- THERE IS AN OFFICE OF SECURITY MANAGEMENT WITHIN THE DEPARTMENT .
410-
411-3.5–2A–03.
412-
413- (A) THE HEAD OF THE OFFICE IS THE STATE CHIEF INFORMATION
414-SECURITY OFFICER.
415-
416- (B) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL:
417-
418- (1) BE APPOINTED BY THE GOVERNOR WITH THE ADV ICE AND
419-CONSENT OF THE SENATE;
420-
421- (2) SERVE AT THE PLEASUR E OF THE GOVERNOR;
422-
423- (3) BE SUPERVISED BY THE SECRETARY; AND
424- Ch. 242 2022 LAWS OF MARYLAND
425-
426-– 10 –
427- (4) SERVE AS THE CHIEF I NFORMATION S ECURITY OFFICER OF T HE
428-DEPARTMENT .
429-
430- (C) AN INDIVIDUAL APPOINT ED AS THE STATE CHIEF INFORMATION
431-SECURITY OFFICER UNDER SUBSECT ION (B) OF THIS SECTION SHAL L:
432-
433- (1) AT A MINIMUM, HOLD A BACHELOR ’S DEGREE;
434-
435- (2) HOLD APPROPRIATE INF ORMATION TECHNOLOGY OR
436-CYBERSECURITY CERTIF ICATIONS;
437-
438- (3) HAVE EXPERIENCE :
439-
440- (I) IDENTIFYING, IMPLEMENTING , AND OR ASSESSING
441-SECURITY CONTROLS ;
442-
443- (II) IN INFRASTRUCTURE , SYSTEMS ENGINEERING , AND OR
444-CYBERSECURITY ;
445-
446- (III) MANAGING HIGHLY TECH NICAL SECURITY , SECURITY
447-OPERATIONS CENTERS , AND INCIDENT RESPONS E TEAMS IN A COMPLEX CLOUD
448-ENVIRONMENT AND SUPP ORTING MULTIPLE SITE S; AND
449-
450- (IV) WORKING WITH COMMON INFORMATION SECURITY
451-MANAGEMENT FRAMEWORK S;
452-
453- (4) HAVE EXTENSIVE K NOWLEDGE OF INFORMAT ION TECHNOLOGY
454-AND CYBERSECURITY FI ELD CONCEPTS , BEST PRACTICES , AND PROCEDURES , WITH
455-AN UNDERSTANDING OF EXISTING ENTERPRISE CAPABILITIES AND LIM ITATIONS TO
456-ENSURE THE SECURE IN TEGRATION AND OPERAT ION OF SECURITY NETW ORKS AND
457-SYSTEMS; AND
458-
459- (5) HAVE KNOWLEDGE OF CU RRENT SECURITY REGUL ATIONS.
460-
461- (C) (D) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL
462-PROVIDE CYBERSECURIT Y ADVICE AND RECOMME NDATIONS TO THE GOVERNOR ON
463-REQUEST.
464-
465- (D) (E) (1) (I) THERE IS A DIRECTOR OF LOCAL CYBERSECURITY
466-WHO SHALL BE APPOINT ED BY THE STATE CHIEF INFORMATION SECURITY
467-OFFICER.
468- LAWRENCE J. HOGAN, JR., Governor Ch. 242
469-
470-– 11 –
471- (II) THE DIRECTOR OF LOCAL CYBERSECURITY SHALL W ORK
472-IN COORDINATION WITH THE MARYLAND DEPARTMENT OF EMERGENCY
473-MANAGEMENT TO PROVIDE TECHNICAL ASSISTANCE , COORDINATE R ESOURCES,
474-AND IMPROVE CYBERSEC URITY PREPAREDNESS F OR UNITS OF LOCAL
475-GOVERNMENT .
476-
477- (2) (I) THERE IS A DIRECTOR OF STATE CYBERSECURITY WHO
478-SHALL BE APPOINTED B Y THE STATE CHIEF INFORMATION SECURITY OFFICER.
479-
480- (II) THE DIRECTOR OF STATE CYBERSECURITY IS
481-RESPONSIBLE FOR IMPLEM ENTATION OF THIS SEC TION WITH RESPECT TO UNITS OF
482-STATE GOVERNMENT .
483-
484- (E) (F) THE DEPARTMENT SHALL PROV IDE THE OFFICE WITH
485-SUFFICIENT STAFF TO PERFORM THE FUNCTION S OF THIS SUBTITLE.
486-
487- (F) THE OFFICE MAY PROCURE RE SOURCES, INCLUDING REGIONAL
488-COORDINATORS , NECESSARY TO FULFILL THE REQUIREMENTS OF THIS SUBTITLE.
489-
490-3.5–2A–04.
491-
492- (A) (1) THE OFFICE IS RESPONSIBLE FOR:
493-
494- (1) (I) THE DIRECTION , COORDINATION , AND IMPLEMENTATION
495-OF THE OVERALL CYBER SECURITY STRATEGY AN D POLICY FOR UNITS O F STATE
496-GOVERNMENT ; AND
497-
498- (2) THE COORDINATION OF RESOURCES AND EFFORT S TO
499-IMPLEMENT CYBERSECUR ITY BEST PRACTICES A ND IMPROVE OVERALL
500-CYBERSECURITY PREPAR EDNESS AND RESPONSE FOR UNITS OF LOCAL
501-GOVERNMENT , LOCAL SCHOOL BOARDS , LOCAL SCHOOL SYSTEMS , AND LOCAL
502-HEALTH DEPARTMENTS .
503-
504- (II) COORDINATING WITH TH E MARYLAND DEPARTMENT OF
505-EMERGENCY MANAGEMENT CYBER PREPAREDNESS UNIT DURING EMERGENCY
506-RESPONSE EFFORTS .
507-
508- (2) THE OFFICE IS NOT RESPONS IBLE FOR THE INFORMA TION
509-TECHNOLOGY INSTALLAT ION AND MAINTENANCE OPERATIONS NORMALLY
510-CONDUCTED BY A UNIT OF STATE GOVERNMENT , A UNIT OF LOCAL GOVE RNMENT, A
511-LOCAL SCHOOL BOARD , A LOCAL SCHOOL SYSTE M, OR A LOCAL HEALTH
512-DEPARTMENT .
513-
514- (B) THE OFFICE SHALL: Ch. 242 2022 LAWS OF MARYLAND
515-
516-– 12 –
517-
518- (1) ESTABLISH STANDARDS TO CATEGORIZE ALL IN FORMATION
519-COLLECTED OR MAINTAINED BY OR ON BEHALF OF EACH UN IT OF STATE
520-GOVERNMENT ;
521-
522- (2) ESTABLISH STANDARDS TO CATEGORIZE ALL IN FORMATION
523-SYSTEMS MAINTAINED B Y OR ON BEHALF OF EA CH UNIT OF STATE GOVERNMENT ;
524-
525- (3) DEVELOP GUIDELINES G OVERNING THE TYPES O F INFORMATION
526-AND INFORMATION SYSTEMS T O BE INCLUDED IN EAC H CATEGORY;
527-
528- (4) ESTABLISH SECURITY R EQUIREMENTS FOR INFO RMATION AND
529-INFORMATION SYSTEMS IN EACH CATEGORY ;
530-
531- (5) ASSESS THE CATEGORIZ ATION OF INFORMATION AND
532-INFORMATION SYSTEMS AND THE ASSOCIATED I MPLEMENTATION O F THE SECURITY
533-REQUIREMENTS ESTABLI SHED UNDER ITEM (4) OF THIS SUBSECTION ;
534-
535- (6) IF THE STATE CHIEF INFORMATION SECURITY OFFICER
536-DETERMINES THAT THER E ARE SECURITY VULNE RABILITIES OR DEFICI ENCIES IN
537-THE IMPLEMENTATION O F THE SECURITY REQUI REMENTS ESTABLIS HED UNDER
538-ITEM (4) OF THIS SUBSECTION , DETERMINE WHETHER AN INFORMATION SYSTEM
539-SHOULD BE ALLOWED TO CONTINUE TO OPERATE OR BE CONNECTED TO T HE
540-NETWORK ESTABLISHED IN ACCORDANCE WITH § 3.5–404 OF THIS TITLE; ANY
541-INFORMATION SYSTEMS , DETERMINE AND DIRECT OR TAKE ACTIONS NECESSA RY TO
542-CORRECT OR REMEDIATE THE VULNERABILITIES OR DEFICIENCIES , WHICH MAY
543-INCLUDE REQUIRING TH E INFORMATION SYSTEM TO BE DISCONNECTED ;
544-
545- (7) IF THE STATE CHIEF INFORMATION SECURITY OFFICER
546-DETERMINES THAT THER E IS A CYBERSECURITY THREAT CAUSED BY AN ENTITY
547-CONNECTED TO THE NET WORK ESTABLISHED UND ER § 3.5–404 OF THIS TITLE THAT
548-INTRODUCES A SERIOUS RISK TO ENTITIES CON NECTED TO THE NETWOR K OR TO
549-THE STATE, TAKE OR DIRECT ACTIO NS REQUIRED TO MITIG ATE THE THREAT ;
550-
551- (7) (8) MANAGE SE CURITY AWARENESS TRA INING FOR ALL
552-APPROPRIATE EMPLOYEE S OF UNITS OF STATE GOVERNMENT ;
553-
554- (8) (9) ASSIST IN THE DEVELO PMENT OF DATA MANAGE MENT,
555-DATA GOVERNANCE , AND DATA SPECIFICATI ON STANDARDS TO PROM OTE
556-STANDARDIZATION AND REDUCE RISK;
557-
558- (9) (10) ASSIST IN THE DEVELOPMENT O F A DIGITAL IDENTITY
559-STANDARD AND SPECIFI CATION APPLICABLE TO ALL PARTIES COMMUNIC ATING, LAWRENCE J. HOGAN, JR., Governor Ch. 242
560-
561-– 13 –
562-INTERACTING, OR CONDUCTING BUSINE SS WITH OR ON BEHALF OF A UNIT OF STATE
563-GOVERNMENT ;
564-
565- (10) (11) DEVELOP AND MAINTAIN INFORMATION TECHNOLO GY
566-SECURITY POLICY, STANDARDS, AND GUIDANCE DOCUMEN TS, CONSISTENT WITH
567-BEST PRACTICES DEVEL OPED BY THE NATIONAL INSTITUTE OF STANDARDS AND
568-TECHNOLOGY ;
569-
570- (11) (12) TO THE EXTENT PRACTI CABLE, SEEK, IDENTIFY, AND
571-INFORM RELEVANT STAK EHOLDERS OF ANY AVAI LABLE FINA NCIAL ASSISTANCE
572-PROVIDED BY THE FEDE RAL GOVERNMENT OR NO N–STATE ENTITIES TO SUP PORT
573-THE WORK OF THE OFFICE;
574-
575- (12) REVIEW AND CERTIFY L OCAL CYBERSECURITY P REPAREDNESS
576-AND RESPONSE PLANS ;
577-
578- (13) PROVIDE TECHNICAL AS SISTANCE TO LOCALITI ES IN MITIGATING
579-AND RECOVERING FROM CYBERSECURITY INCIDE NTS; AND
580-
581- (14) PROVIDE TECHNICAL SE RVICES, ADVICE, AND GUIDANCE TO
582-UNITS OF LOCAL GOVER NMENT TO IMPROVE CYB ERSECURITY PREPAREDN ESS,
583-PREVENTION , RESPONSE, AND RECOVERY PRACTIC ES.
584-
585- (C) THE OFFICE, IN COORDINATION WI TH THE MARYLAND DEPARTMENT
586-OF EMERGENCY MANAGEMENT , SHALL:
587-
588- (1) ASSIST LOCAL POLITIC AL SUBDIVISIONS , INCLUDING COUNTIES ,
589-SCHOOL SYSTEMS , SCHOOL BOARDS , AND LOCAL HEALTH DEP ARTMENTS, IN:
590-
591- (I) THE DEVELOPMENT OF C YBERSECURITY PREPARE DNESS
592-AND RESPONSE PLANS; AND
593-
594- (II) IMPLEMENTING BEST PR ACTICES AND GUIDANCE
595-DEVELOPED BY THE DEPARTMENT ; AND
596-
597- (2) CONNECT LOCAL ENTITI ES TO APPROPRIATE RE SOURCES FOR
598-ANY OTHER PURPOSE RE LATED TO CYBERSECURI TY PREPAREDNESS AND
599-RESPONSE; AND
600-
601- (3) DEVELOP APPROPRIATE REPORTS ON LOCAL CYB ERSECURITY
602-PREPAREDNESS .
603-
604- (D) THE OFFICE, IN COORDINATION WITH THE MARYLAND DEPARTMENT
605-OF EMERGENCY MANAGEMENT , MAY: Ch. 242 2022 LAWS OF MARYLAND
606-
607-– 14 –
608-
609- (1) CONDUCT REGIONAL EXE RCISES, AS NECESSARY , IN
610-COORDINATION WITH TH E NATIONAL GUARD, LOCAL EMERGENCY MANA GERS, AND
611-OTHER STATE AND LOCAL ENTIT IES; AND
612-
613- (2) ESTABLISH REGIONAL A SSISTANCE GROUPS TO DELIVER OR
614-COORDINATE SUPPORT S ERVICES TO LOCAL POL ITICAL SUBDIVISIONS , AGENCIES,
615-OR REGIONS.
616-
617- (E) (1) ON OR BEFORE DECEMBER 31 EACH YEAR, THE OFFICE SHALL
618-REPORT TO T HE GOVERNOR AND , IN ACCORDANCE WITH § 2–1257 OF THE STATE
619-GOVERNMENT ARTICLE, THE SENATE BUDGET AND TAXATION COMMITTEE, THE
620-SENATE EDUCATION, HEALTH, AND ENVIRONMENTAL AFFAIRS COMMITTEE, THE
621-HOUSE APPROPRIATIONS COMMITTEE, THE HOUSE HEALTH AND GOVERNMENT
622-OPERATIONS COMMITTEE, AND THE JOINT COMMITTEE ON CYBERSECURITY ,
623-INFORMATION TECHNOLOGY , AND BIOTECHNOLOGY ON THE ACTIVITIES OF THE
624-OFFICE AND THE STATE OF CYBERSECURITY PRE PAREDNESS IN MARYLAND,
625-INCLUDING:
626-
627- (1) (I) THE ACTIVITIES AND A CCOMPLISHMENTS OF T HE OFFICE
628-DURING THE PREVIOUS 12 MONTHS AT THE STATE AND LOCAL LEVEL S; AND
629-
630- (2) (II) A COMPILATION AND AN ALYSIS OF THE DATA F ROM THE
631-INFORMATION CONTAINE D IN THE REPORTS REC EIVED BY THE OFFICE UNDER §
632-3.5–405 OF THIS TITLE, INCLUDING:
633-
634- (I) 1. A SUMMARY OF THE ISS UES IDENTIFIED BY TH E
635-CYBERSECURITY PREPAR EDNESS ASSESSMENTS C ONDUCTED THAT YEAR ;
636-
637- (II) 2. THE STATUS OF VULNER ABILITY ASSESSMENTS OF
638-ALL UNITS OF STATE GOVERNMENT AND A TIMELINE FOR COMPL ETION AND COST
639-TO REMEDIATE ANY VUL NERABILITIES EXPOSED;
640-
641- (III) 3. RECENT AUDIT FINDING S OF ALL UNITS OF STATE
642-GOVERNMENT AND OPTIO NS TO IMPROVE FINDIN GS IN FUTURE AUDITS , INCLUDING
643-RECOMMENDATIONS FOR STAFF, BUDGET, AND TIMING;
644-
645- (IV) 4. ANALYSIS OF THE STATE’S EXPENDITURE ON
646-CYBERSECURITY R ELATIVE TO OVERALL I NFORMATION TECHNOLOG Y SPENDING
647-FOR THE PRIOR 3 YEARS AND RECOMMENDA TIONS FOR CHANGES TO THE BUDGET,
648-INCLUDING AMOUNT , PURPOSE, AND TIMING TO IMPROV E STATE AND LOCAL
649-CYBERSECURITY PREPAR EDNESS;
650- LAWRENCE J. HOGAN, JR., Governor Ch. 242
651-
652-– 15 –
653- (V) 5. EFFORTS TO SECURE FI NANCIAL SUP PORT FOR
654-CYBER RISK MITIGATIO N FROM FEDERAL OR OT HER NON–STATE RESOURCES ;
655-
656- (VI) 6. KEY PERFORMANCE INDI CATORS ON THE
657-CYBERSECURITY STRATE GIES IN THE DEPARTMENT ’S INFORMATION TECHNO LOGY
658-MASTER PLAN , INCLUDING TIME , BUDGET, AND STAFF REQUIRED F OR
659-IMPLEMEN TATION; AND
660-
661- (VII) 7. ANY ADDITIONAL RECOM MENDATIONS FOR
662-IMPROVING STATE AND LOCAL CYBER SECURITY PREPAREDNES S.
663-
664- (2) A REPORT SUBMITTED UND ER THIS SUBSECTION M AY NOT
665-CONTAIN INFORMATION THAT REVEALS CYBERSE CURITY VULNERABILITI ES AND
666-RISKS IN THE STATE.
667-
668-3.5–2A–05.
669-
670- (A) THERE IS A MARYLAND CYBERSECURITY COORDINATING COUNCIL.
671-
672- (B) (1) THE COUNCIL CONSISTS OF T HE FOLLOWING MEMBERS :
673-
674- (1) THE SECRETARY OF BUDGET AND MANAGEMENT , OR THE
675-SECRETARY’S DESIGNEE;
676-
677- (2) THE SECRETARY OF GENERAL SERVICES, OR THE SECRETARY’S
678-DESIGNEE;
679-
680- (3) THE SECRETARY OF HEALTH, OR THE SECRETARY’S DESIGNEE;
681-
682- (4) THE SECRETARY OF HUMAN SERVICES, OR THE SECRETARY’S
683-DESIGNEE;
684-
685- (5) THE SECRETARY OF PUBLIC SAFETY AND CORRECTIONAL
686-SERVICES, OR THE SECRETARY’S DESIGNEE;
687-
688- (6) THE SECRETARY OF TRANSPORTATION , OR THE SECRETARY’S
689-DESIGNEE;
690-
691- (7) THE SECRETARY OF DISABILITIES, OR THE SECRETARY’S
692-DESIGNEE;
693-
694- (I) THE SECRETARY OF EAC H OF THE PRINCIPAL
695-DEPARTMENTS LISTED I N § 8–201 OF THE STATE GOVERNMENT ARTICLE, OR A
696-SECRETARY’S DESIGNEE; Ch. 242 2022 LAWS OF MARYLAND
697-
698-– 16 –
699-
700- (8) (II) THE STATE CHIEF INFORMATION SECURITY OFFICER;
701-
702- (9) (III) THE ADJUTANT GENERAL OF THE MARYLAND NATIONAL
703-GUARD, OR THE ADJUTANT GENERAL’S DESIGNEE;
704-
705- (10) THE SECRETARY OF EMERGENCY MANAGEMENT , OR THE
706-SECRETARY’S DESIGNEE;
707-
708- (11) (IV) THE SUPERINTENDENT OF STATE POLICE, OR THE
709-SUPERINTENDENT ’S DESIGNEE;
710-
711- (12) (V) THE DIRECTOR OF THE GOVERNOR’S OFFICE OF
712-HOMELAND SECURITY, OR THE DIRECTOR’S DESIGNEE;
713-
714- (13) (VI) THE EXECUTIVE DIRECTOR OF THE DEPARTMENT OF
715-LEGISLATIVE SERVICES, OR THE EXECUTIVE DIRECTOR’S DESIGNEE;
716-
717- (14) (VII) ONE REPRESENTATIVE O F THE ADMINISTRATIVE OFFICE
718-OF THE COURTS;
719-
720- (15) (VIII) THE CHANCELLOR OF THE UNIVERSITY SYSTEM OF
721-MARYLAND, OR THE CHANCELLOR ’S DESIGNEE; AND
722-
723- (16) (IX) ANY OTHER STAKEHOLDER THAT THE STATE CHIEF
724-INFORMATION SECURITY OFFICER DEEMS APPROPR IATE.
725-
726- (2) IF A DESIGNEE SERVES ON THE COUNCIL IN PLACE OF A N
727-OFFICIAL LISTED IN P ARAGRAPH (1) OF THIS SUBSECTION , THE DESIGNEE SHALL
728-REPORT INFORMATION F ROM THE COUNCIL MEETINGS AND OTHER
729-COMMUNICATIONS TO TH E OFFICIAL.
730-
731- (C) IN ADDITION TO THE ME MBERS LISTED UNDER S UBSECTION (B) OF THIS
732-SECTION, THE FOLLOWING REPRES ENTATIVES MAY SERVE AS NONVOTING
733-MEMBERS OF THE COUNCIL:
734-
735- (1) ONE MEMBER OF THE SENATE OF MARYLAND, APPOINTED BY T HE
736-PRESIDENT OF THE SENATE;
737-
738- (2) ONE MEMBER OF THE HOUSE OF DELEGATES, APPOINTED BY THE
739-SPEAKER OF THE HOUSE; AND
740-
741- (3) ONE REPRESENTATIVE O F THE JUDICIARY , APPOINTED BY THE
742-CHIEF JUDGE OF THE COURT OF APPEALS. LAWRENCE J. HOGAN, JR., Governor Ch. 242
743-
744-– 17 –
745-
746- (C) (D) THE CHAIR OF THE COUNCIL IS THE STATE CHIEF INFORMATION
747-SECURITY OFFICER.
748-
749- (D) (E) (1) THE COUNCIL SHALL MEET AT LEAST QUARTERLY AT T HE
750-REQUEST OF THE CHAIR .
751-
752- (2) MEETINGS OF THE COUNCIL SHALL BE CLOS ED TO THE PUBLIC
753-AND NOT SUBJECT TO TITLE 3 OF THE GENERAL PROVISIONS ARTICLE.
754-
755- (E) (F) THE COUNCIL SHALL:
756-
757- (1) PROVIDE ADVICE AND RECOMMENDATIONS TO THE STATE CHIEF
758-INFORMATION SECURITY OFFICER REGARDING:
759-
760- (I) THE STRATEGY AND IMPLEMENTATION OF CYBERSECURITY
761-INITIATIVES AND RECOMMENDATIONS; AND
762-
763- (II) BUILDING AND SUSTAINING THE CAPABILITY OF THE STATE
764-TO IDENTIFY AND MITIGATE CYBERSECURITY RISK AND RESPOND TO AND RECOVER
765-FROM CYBERSECURITY–RELATED INCIDENTS.
766-
767- (2) USE THE ANALYSIS COMPILED BY THE OFFICE UNDER §
768-3.5–2A–04(E)(2) OF THIS SUBTITLE TO PRIORITIZE CYBERSECURITY RISK ACROSS
769-THE EXECUTIVE BRANCH OF STATE GOVERNMENT AND MAKE CORRESPONDING
770-RECOMMENDATIONS FOR SECURITY INVESTMENTS IN THE GOVERNOR’S ANNUAL
771-BUDGET.
772-
773- (F) (G) IN CARRYING OUT THE DUTIES OF THE COUNCIL, THE COUNCIL
774-MAY SHALL CONSULT WITH OUTSIDE EXPERTS, INCLUDING EXPERTS IN THE
775-PRIVATE SECTOR, GOVERNMENT AGENCIES, AND INSTITUTIONS OF HIGHER
776-EDUCATION.
777-
778-3.5–2A–06.
779-
780- THE COUNCIL SHALL STUDY THE SECURITY AND FINANCIAL IMPLICATIONS OF
781-EXECUTING PARTNERSHIPS WITH OTHER STATES TO PROCURE INFORMATION
782-TECHNOLOGY AND CYBERSECURITY PRODUCTS AND SERVICES, INCLUDING THE
783-IMPLICATIONS FOR POLITICAL SUBDIVISIONS OF THE STATE.
784-
785-3.5–2A–07.
786-
787- THE COUNCIL SHALL:
789-
791- (1) PROMOTE CYBERSECURITY EDUCATION AND TRAINING
792-OPPORTUNITIES TO STRENGTHEN THE STATE’S CYBERSECURITY CAPABILITIES BY
793-EXPANDING EXISTING AGREEMENTS WITH EDUCATIONAL INSTITUTIONS;
794-
795- (2) UTILIZE RELATIONSHIPS WITH INSTITUTIONS OF HIGHER
796-EDUCATION TO ADVERTISE CYBERSECURITY CAREERS AND JOB POSITIONS
797-AVAILABLE IN STATE OR LOCAL GOVERNMENT, INCLUDING THE MARYLAND
798-TECHNOLOGY INTERNSHIP PROGRAM ESTABLISHED UNDER TITLE 18, SUBTITLE 30
799-OF THE EDUCATION ARTICLE; AND.
800-
801- (3) ASSIST INTERESTED CANDIDATES WITH APPLYING FOR
802-CYBERSECURITY POSITIONS IN STATE OR LOCAL GOVERNMENT.
803-
804-3.5–301.
805-
806- (a) In this subtitle the following words have the meanings indicated.
807-
808- (i) “Master plan” means the statewide information technology master plan AND
809-STATEWIDE CYBERSECURITY STRATEGY.
810-
811- (j) “Nonvisual access” means the ability, through keyboard control, synthesized
812-speech, Braille, or other methods not requiring sight to receive, use, and manipulate
813-information and operate controls necessary to access information technology in accordance
814-with standards adopted under [§ 3A–303(b)] § 3.5–303(B) of this subtitle.
815-
816-3.5–302.
817-
818- (a) This subtitle does not apply to changes relating to or the purchase, lease, or
819-rental of information technology by:
820-
821- (1) public institutions of higher education solely for academic or research
822-purposes;
823-
824- (2) the Maryland Port Administration;
825-
826- (3) the University System of Maryland;
827-
828- (4) St. Mary’s College of Maryland;
829-
830- (5) Morgan State University;
831-
832- (6) the Maryland Stadium Authority; [or]
833-
834- (7) Baltimore City Community College;
836-
838- (8) THE LEGISLATIVE BRANCH OF STATE GOVERNMENT; OR
839-
840- (9) THE JUDICIAL BRANCH OF STATE GOVERNMENT.;
841-
842- (10) THE OFFICE OF THE ATTORNEY GENERAL;
843-
844- (11) THE COMPTROLLER; OR
845-
846- (12) THE STATE TREASURER.
847-
848- (b) Except as provided in subsection (a) of this section, this subtitle applies to any
849-project of a unit of the Executive Branch of State government that involves an agreement
850-with a public institution of higher education for a portion of the development of the project,
851-whether the work on the development is done directly or indirectly by the public institution
852-of higher education.
853-
854- (c) Notwithstanding any other provision of law, except as provided in subsection
855-(a) of this section and [§§ 3A–307(a)(2), 3A–308, and 3A–309] §§ 3.5–306(A)(2), 3.5–307,
856-3.5–307(A)(2), 3.5–308 AND 3.5–308 3.5–309 of this subtitle, this subtitle applies to all
857-units of the Executive Branch of State government including public institutions of higher
858-education other than Morgan State University, the University System of Maryland, St.
859-Mary’s College of Maryland, and Baltimore City Community College.
860-
861-3.5–303.
862-
863- (a) The Secretary is responsible for carrying out the following duties:
864-
865- (1) developing, maintaining, revising, and enforcing information
866-technology policies, procedures, and standards;
867-
868- (2) providing technical assistance, advice, and recommendations to the
869-Governor and any unit of State government concerning information technology matters;
870-
871- (3) reviewing the annual project plan for each unit of State government to
872-make information and services available to the public over the Internet;
873-
874- (4) developing and maintaining a statewide information technology master
875-plan that will:
876-
877- (i) [be the basis for] CENTRALIZE the management and direction of
878-information technology POLICY within the Executive Branch of State government UNDER
879-THE CONTROL OF THE DEPARTMENT;
880-
881- (ii) include all aspects of State information technology including
882-telecommunications, security, data processing, and information management;
884-
886- (iii) consider interstate transfers as a result of federal legislation and
887-regulation;
888-
889- (iv) [work jointly with the Secretary of Budget and Management to
890-ensure that information technology plans and budgets are consistent;
891-
892- (v)] ensure that THE State information technology [plans, policies,]
893-PLAN AND RELATED POLICIES and standards are consistent with State goals, objectives,
894-and resources, and represent a long–range vision for using information technology to
895-improve the overall effectiveness of State government; and
896-
897- [(vi)] (V) include standards to assure nonvisual access to the
898-information and services made available to the public over the Internet; AND
899-
900- (VI) ALLOWS A STATE AGENCY TO MAINTAIN THE AGENCY’S OWN
901-INFORMATION TECHNOLOGY UNIT THAT PROVIDES FOR INFORMATION
902-TECHNOLOGY SERVICES TO SUPPORT THE MISSION OF THE AGENCY.;
903-
904- (5) PROVIDING OR COORDINATING THE PROCUREMENT OF MANAGED
905-CYBERSECURITY SERVICES THAT ARE PAID FOR BY THE STATE AND USED BY LOCAL
906-GOVERNMENTS;
907-
908- (6) (5) DEVELOPING AND MAINTAINING A STATEWIDE
909-CYBERSECURITY MASTER PLAN STRATEGY THAT WILL:
910-
911- (I) CENTRALIZE THE MANAGEMENT AND DIRECTION OF
912-CYBERSECURITY STRATEGY WITHIN THE EXECUTIVE BRANCH OF STATE
913-GOVERNMENT UNDER THE CONTROL OF THE DEPARTMENT; AND
914-
915- (II) SERVE AS THE BASIS FOR BUDGET ALLOCATIONS FOR
916-CYBERSECURITY PREPAREDNESS FOR THE EXECUTIVE BRANCH OF STATE
917-GOVERNMENT;
918-
919- [(5)] (7) (6) adopting by regulation and enforcing nonvisual access standards
920-to be used in the procurement of information technology services by or on behalf of units of
921-State government in accordance with subsection (b) of this section;
922-
923- [(6)] (8) (7) in consultation with the [Attorney General,] MARYLAND
924-CYBERSECURITY COORDINATING COUNCIL, advising and overseeing a consistent
925-cybersecurity strategy for units of State government, including institutions under the
926-control of the governing boards of the public institutions of higher education;
927-
928- [(7)] (9) (8) advising and consulting with the Legislative and Judicial
929-branches of State government regarding a cybersecurity strategy; and
930-
933- [(8)] (10) (9) in consultation with the [Attorney General,] MARYLAND
934-CYBERSECURITY COORDINATING COUNCIL, developing guidance on consistent
935-cybersecurity strategies for counties, municipal corporations, school systems, and all other
936-political subdivisions of the State.
937-
938- (b) Nothing in subsection (a) of this section may be construed as establishing a
939-mandate for any entity listed in subsection [(a)(8)] (A)(10) of this section.
940-
941- (c) On or before January 1, 2020, the Secretary, or the Secretary’s designee, shall:
942-
943- (1) adopt new nonvisual access procurement standards that:
944-
945- (i) provide an individual with disabilities with nonvisual access in a
946-way that is fully and equally accessible to and independently usable by the individual with
947-disabilities so that the individual is able to acquire the same information, engage in the
948-same interactions, and enjoy the same services as users without disabilities, with
949-substantially equivalent ease of use; and
950-
951- (ii) are consistent with the standards of § 508 of the federal
952-Rehabilitation Act of 1973; and
953-
954- (2) establish a process for the Secretary or the Secretary’s designee to:
955-
956- (i) determine whether information technology meets the nonvisual
957-access standards adopted under item (1) of this subsection; and
958-
959- (ii) 1. for information technology procured by a State unit before
960-January 1, 2020, and still used by the State unit on or after January 1, 2020, work with the
961-vendor to modify the information technology to meet the nonvisual access standards, if
962-practicable; or
963-
964- 2. for information technology procured by a State unit on or
965-after January 1, 2020, enforce the nonvisual access clause developed under [§ 3A–311] §
966-3.5–310 3.5–311 of this subtitle, including the enforcement of the civil penalty described
967-in [§ 3A–311(a)(2)(iii)1] § 3.5–310(A)(2)(III)1 3.5–311(A)(2)(III)1 of this subtitle.
968-
969- (D) (1) THE GOVERNOR SHALL INCLUDE AN APPROPRIATION IN THE
970-ANNUAL BUDGET BILL IN AN AMOUNT NECESSARY TO COVER THE COSTS OF
971-IMPLEMENTING THE STATEWIDE CYBERSECURITY MASTER PLAN DEVELOPED
972-UNDER SUBSECTION (A) OF THIS SECTION WITHOUT THE NEED FOR THE
973-DEPARTMENT TO OPERATE A CHARGE–BACK MODEL FOR CYBERSECURITY
974-SERVICES PROVIDED TO OTHER UNITS OF STATE GOVERNMENT OR UNITS OF LOCAL
975-GOVERNMENT.
977-
979- (2) ON OR BEFORE JANUARY 31 EACH YEAR, IN A SEPARATE REPORT
980-OR INCLUDED WITHIN A GENERAL BUDGET REPORT, THE GOVERNOR SHALL SUBMIT
981-A REPORT IN ACCORDANCE WITH § 2–1257 OF THE STATE GOVERNMENT ARTICLE
982-TO THE SENATE BUDGET AND TAXATION COMMITTEE AND THE HOUSE
983-APPROPRIATIONS COMMITTEE THAT INCLUDES:
984-
985- (I) SPECIFIC INFORMATION ON THE INFORMATION
986-TECHNOLOGY BUDGET AND CYBERSECURITY BUDGET THAT THE GOVERNOR HAS
987-SUBMITTED TO THE GENERAL ASSEMBLY FOR THE UPCOMING FISCAL YEAR; AND
988-
989- (II) HOW THE BUDGETS LISTED UNDER ITEM (I) OF THIS
990-PARAGRAPH COMPARE TO THE ANNUAL OVERVIEW OF THE U.S. PRESIDENT’S
991-BUDGET SUBMISSION ON INFORMATION TECHNOLOGY AND CYBERSECURITY TO
992-CONGRESS CONDUCTED BY THE U.S. OFFICE OF MANAGEMENT AND BUDGET.
993-
994-3.5–305.
995-
996- (a) [Except as provided in subsection (b) of this section, in accordance with
997-guidelines established by the Secretary, each unit of State government shall develop and
998-submit to the Secretary:
999-
1000- (1) information technology policies and standards;
1001-
1002- (2) an information technology plan; and
1003-
1004- (3) an annual project plan outlining the status of efforts to make
1005-information and services available to the public over the Internet.
1006-
1007- (b) (1)] The governing boards of the public institutions of higher education shall
1008-develop and submit information technology policies and standards and an information
1009-technology plan for their respective institutions or systems to the Secretary.
1010-
1011- [(2)] (B) If the Secretary finds that the submissions required under this
1012-[subsection] SECTION are consistent with the master plan, the Secretary shall incorporate
1013-those submissions into the master plan.
1014-
1015- [(3)] (C) If the Secretary finds that the submissions required under this
1016-[subsection] SECTION are not consistent with the master plan:
1017-
1018- (i) the Secretary shall return the submissions to the governing
1019-boards; and
1020-
1021- (ii) the governing boards shall revise the submissions as appropriate
1022-and submit the revised policies, standards, and plans to the Secretary.
1024-
1026-[3.5–306.
1027-
1028- Information technology of each unit of State government shall be consistent with the
1029-master plan.]
1030-
1031-[3.5–307.] 3.5–306.
1032-
1033- (a) (1) [A unit of State government] THE DEPARTMENT may not purchase,
1034-lease, or rent information technology ON BEHALF OF A UNIT OF STATE GOVERNMENT
1035-unless consistent with the master plan STRATEGY.
1036-
1037- (2) A unit of State government other than a public institution of higher
1038-education [may not make] SHALL SUBMIT REQUESTS FOR expenditures for major
1039-information technology development projects OR CYBERSECURITY PROJECTS except as
1040-provided in [§ 3A–308] § 3.5–307 3.5–308 of this subtitle.
1041-
1042- (b) [(1)] The Secretary may review any information technology project OR
1043-CYBERSECURITY PROJECT for consistency with the master plan STRATEGY.
1044-
1045- [(2) Any information technology project selected for review may not be
1046-implemented without the approval of the Secretary.]
1047-
1048- (c) (1) A unit of State government shall advise the Secretary of any
1049-information technology proposal involving resource sharing, the exchange of goods or
1050-services, or a gift, contribution, or grant of real or personal property.
1051-
1052- (2) The Secretary shall determine if the value of the resources, services,
1053-and property to be obtained by the State under the terms of any proposal submitted in
1054-accordance with the provisions of paragraph (1) of this subsection equals or exceeds
1055-$100,000.
1056-
1057- (3) If the value of any proposal submitted in accordance with this
1058-subsection equals or exceeds $100,000 and the Secretary and unit agree to proceed with the
1059-proposal, information on the proposal shall be:
1060-
1061- (i) advertised for a period of at least 30 days in the eMaryland
1062-Marketplace; and
1063-
1064- (ii) submitted, simultaneously with the advertisement, to the
1065-Legislative Policy Committee for a 60–day review and comment period, during which time
1066-the Committee may recommend that the proposal be treated as a procurement contract
1067-under Division II of this article.
1069-
1071- (4) Following the period for review and comment by the Legislative Policy
1072-Committee under paragraph (3) of this subsection, the proposal is subject to approval by
1073-the Board of Public Works.
1074-
1075- (5) This subsection may not be construed as authorizing an exception from
1076-the requirements of Division II of this article for any contract that otherwise would be
1077-subject to the State procurement process.
1078-
1079-[3.5–308.] 3.5–307.
1080-
1081- (a) This section does not apply to a public institution of higher education.
1082-
1083- (b) In submitting its information technology project requests, a unit of State
1084-government shall designate projects which are major information technology development
1085-projects.
1086-
1087- (c) In reviewing information technology project requests, the Secretary may
1088-change a unit’s designation of a major information technology development project.
1089-
1090- (d) The Secretary shall review and, with the advice of the Secretary of Budget and
1091-Management, approve major information technology development projects and
1092-specifications for consistency with all statewide plans, policies, and standards, including a
1093-systems development life cycle plan.
1094-
1095- (e) The Secretary shall be responsible for overseeing the implementation of major
1096-information technology development projects[, regardless of fund source].
1097-
1098- (f) With the advice of the Secretary of Budget and Management, expenditures for
1099-major information technology development projects shall be subject to the approval of the
1100-Secretary who shall approve expenditures only when those projects are consistent with
1101-statewide plans, policies, and standards.
1102-
1103- (g) (1) The Secretary shall approve funding for major information technology
1104-development projects only when those projects are supported by an approved systems
1105-development life cycle plan.
1106-
1107- (2) An approved systems development life cycle plan shall include
1108-submission of:
1109-
1110- (i) a project planning request that details initial planning for the
1111-project, including:
1112-
1113- 1. the project title, appropriation code, and summary;
1114-
1115- 2. a description of:
1117-
1119- A. the needs addressed by the project;
1120-
1121- B. the potential risks associated with the project;
1122-
1123- C. possible alternatives; and
1124-
1125- D. the scope and complexity of the project; and
1126-
1127- 3. an estimate of:
1128-
1129- A. the total costs required to complete through planning; and
1130-
1131- B. the fund sources available to support planning costs; and
1132-
1133- (ii) a project implementation request to begin full design,
1134-development, and implementation of the project after the completion of planning, including:
1135-
1136- 1. the project title, appropriation code, and summary;
1137-
1138- 2. a description of:
1139-
1140- A. the needs addressed by the project;
1141-
1142- B. the potential risks associated with the project;
1143-
1144- C. possible alternatives;
1145-
1146- D. the scope and complexity of the project; and
1147-
1148- E. how the project meets the goals of the statewide master
1149-plan; and
1150-
1151- 3. an estimate of:
1152-
1153- A. the total project cost; and
1154-
1155- B. the fund sources available.
1156-
1157- (3) The Secretary may approve funding incrementally, consistent with the
1158-systems development life cycle plan.
1159-
1160-[3.5–309.] 3.5–308.
1161-
1162- (a) There is a Major Information Technology Development Project Fund.
1164-
1166- (b) The purpose of the Fund is to support major information technology
1167-development projects.
1168-
1169- (c) The Secretary:
1170-
1171- (1) shall administer the Fund in accordance with this section; and
1172-
1173- (2) subject to the provisions of § 2–201 of this article and [§ 3A–307] §
1174-3.5–306 3.5–307 of this subtitle, may receive and accept contributions, grants, or gifts of
1175-money or property.
1176-
1177- (d) (1) The Fund is a special, nonlapsing fund that is not subject to § 7–302 of
1178-this article.
1179-
1180- (2) The State Treasurer shall hold the Fund separately and the
1181-Comptroller shall account for the Fund.
1182-
1183- (3) The State Treasurer shall invest and reinvest the money of the Fund in
1184-the same manner as other State money may be invested.
1185-
1186- (4) Any investment earnings of the Fund shall be paid into the Fund.
1187-
1188- (e) Except as provided in subsection (f) of this section, the Fund consists of:
1189-
1190- (1) money appropriated in the State budget to the Fund;
1191-
1192- (2) as approved by the Secretary, money received from:
1193-
1194- (i) the sale, lease, or exchange of communication sites,
1195-communication facilities, or communication frequencies for information technology
1196-purposes; or
1197-
1198- (ii) an information technology agreement involving resource
1199-sharing;
1200-
1201- (3) that portion of money earned from pay phone commissions to the extent
1202-that the commission rates exceed those in effect in December 1993;
1203-
1204- (4) money received and accepted as contributions, grants, or gifts as
1205-authorized under subsection (c) of this section;
1206-
1207- (5) general funds appropriated for major information technology
1208-development projects of any unit of State government other than a public institution of
1209-higher education that:
1210-
1211- (i) are unencumbered and unexpended at the end of a fiscal year;
1212-
1215- (ii) have been abandoned; or
1216-
1217- (iii) have been withheld by the General Assembly or the Secretary;
1218-
1219- (6) any investment earnings; and
1220-
1221- (7) any other money from any source accepted for the benefit of the Fund.
1222-
1223- (f) The Fund does not include any money:
1224-
1225- (1) received by the Department of Transportation, the Maryland
1226-Transportation Authority, Baltimore City Community College, or the Maryland Public
1227-Broadcasting Commission;
1228-
1229- (2) received by the Judicial or Legislative branches of State government; or
1230-
1231- (3) generated from pay phone commissions that are credited to other
1232-accounts or funds in accordance with other provisions of law or are authorized for other
1233-purposes in the State budget or through an approved budget amendment.
1234-
1235- (g) The Governor shall submit with the State budget:
1236-
1237- (1) a summary showing the unencumbered balance in the Fund as of the
1238-close of the prior fiscal year and a listing of any encumbrances;
1239-
1240- (2) an estimate of projected revenue from each of the sources specified in
1241-subsection (e) of this section for the fiscal year for which the State budget is submitted; and
1242-
1243- (3) a descriptive listing of projects reflecting projected costs for the fiscal
1244-year for which the State budget is submitted and any estimated future year costs.
1245-
1246- (h) Expenditures from the Fund shall be made only:
1247-
1248- (1) in accordance with an appropriation approved by the General Assembly
1249-in the annual State budget; or
1250-
1251- (2) through an approved State budget amendment under Title 7, Subtitle
1252-2, Part II of this article, provided that a State budget amendment for any project not
1253-requested as part of the State budget submission or for any project for which the scope or
1254-cost has increased by more than 5% or $250,000 shall be submitted to the budget
1255-committees allowing a 30–day period for their review and comment.
1256-
1257- (i) The Fund may be used:
1258-
1259- (1) for major information technology development projects;
1260-
1263- (2) as provided in subsections (j) and (l) of this section; or
1264-
1265- (3) notwithstanding [§ 3A–301(b)(2)] § 3.5–301(B)(2) of this subtitle, for
1266-the costs of the first 12 months of operation and maintenance of a major information
1267-technology development project.
1268-
1269- (j) Notwithstanding subsection (b) of this section and except for the cost incurred
1270-in administering the Fund, each fiscal year up to $1,000,000 of this Fund may be used for:
1271-
1272- (1) educationally related information technology projects;
1273-
1274- (2) application service provider initiatives as provided for in Title 9,
1275-Subtitle 22 of the State Government Article; or
1276-
1277- (3) information technology projects, including:
1278-
1279- (i) pilots; and
1280-
1281- (ii) prototypes.
1282-
1283- (k) A unit of State government or local government may submit a request to the
1284-Secretary to support the cost of an information technology project with money under
1285-subsection (j) of this section.
1286-
1287- (l) (1) Notwithstanding subsection (b) of this section and in accordance with
1288-paragraph (2) of this subsection, money paid into the Fund under subsection (e)(2) of this
1289-section shall be used to support:
1290-
1291- (i) the State telecommunication and computer network established
1292-under [§ 3A–404] § 3.5–404 of this title, including program development for these
1293-activities; and
1294-
1295- (ii) the Statewide Public Safety Interoperability Radio System, also
1296-known as Maryland First (first responder interoperable radio system team), under Title 1,
1297-Subtitle 5 of the Public Safety Article.
1298-
1299- (2) The Secretary may determine the portion of the money paid into the
1300-Fund that shall be allocated to each program described in paragraph (1) of this subsection.
1301-
1302- (m) (1) On or before November 1 of each year, the Secretary shall report to the
1303-Governor, the Secretary of Budget and Management, and to the budget committees of the
1304-General Assembly and submit a copy of the report to the General Assembly, in accordance
1305-with § 2–1257 of the State Government Article.
1306-
1307- (2) The report shall include:
1308-
1311- (i) the financial status of the Fund and a summary of its operations
1312-for the preceding fiscal year;
1313-
1314- (ii) an accounting for the preceding fiscal year of all money from each
1315-of the revenue sources specified in subsection (e) of this section, including any expenditures
1316-made from the Fund; and
1317-
1318- (iii) for each project receiving money from the Fund in the preceding
1319-fiscal year and for each major information technology development project receiving
1320-funding from any source other than the Fund in the preceding fiscal year:
1321-
1322- 1. the status of the project;
1323-
1324- 2. a comparison of estimated and actual costs of the project;
1325-
1326- 3. any known or anticipated changes in scope or costs of the
1327-project;
1328-
1329- 4. an evaluation of whether the project is using best
1330-practices; and
1331-
1332- 5. a summary of any monitoring and oversight of the project
1333-from outside the agency in which the project is being developed, including a description of
1334-any problems identified by any external review and any corrective actions taken.
1335-
1336- (n) On or before January 15 of each year, for each major information technology
1337-development project currently in development or for which operations and maintenance
1338-funding is being provided in accordance with subsection (i)(3) of this section, subject to §
1339-2–1257 of the State Government Article, the Secretary shall provide a summary report to
1340-the Department of Legislative Services with the most up–to–date project information
1341-including:
1342-
1343- (1) project status;
1344-
1345- (2) any schedule, cost, and scope changes since the last annual report;
1346-
1347- (3) a risk assessment including any problems identified by any internal or
1348-external review and any corrective actions taken; and
1349-
1350- (4) any change in the monitoring or oversight status.
1351-
1352-[3A–310.] 3.5–309.
1353-
1354- This subtitle may not be construed to give the Secretary authority over:
1356-
1358- (1) the content of educational applications or curriculum at the State or
1359-local level; or
1360-
1361- (2) the entities that may participate in such educational programs.
1362-
1363-[3.5–311.] 3.5–310.
1364-
1365- (a) (1) The Secretary or the Secretary’s designee, in consultation with other
1366-units of State government, and after public comment, shall develop a nonvisual access
1367-clause for use in the procurement of information technology and information technology
1368-services that specifies that the technology and services:
1369-
1370- (i) must provide equivalent access for effective use by both visual
1371-and nonvisual means;
1372-
1373- (ii) will present information, including prompts used for interactive
1374-communications, in formats intended for both visual and nonvisual use;
1375-
1376- (iii) can be integrated into networks for obtaining, retrieving, and
1377-disseminating information used by individuals who are not blind or visually impaired; and
1378-
1379- (iv) shall be obtained, whenever possible, without modification for
1380-compatibility with software and hardware for nonvisual access.
1381-
1382- (2) On or after January 1, 2020, the nonvisual access clause developed in
1383-accordance with paragraph (1) of this subsection shall include a statement that:
1384-
1385- (i) within 18 months after the award of the procurement, the
1386-Secretary, or the Secretary’s designee, will determine whether the information technology
1387-meets the nonvisual access standards adopted in accordance with [§ 3A–303(b)] §
1388-3.5–303(B) of this subtitle;
1389-
1390- (ii) if the information technology does not meet the nonvisual access
1391-standards, the Secretary, or the Secretary’s designee, will notify the vendor in writing that
1392-the vendor, at the vendor’s own expense, has 12 months after the date of the notification to
1393-modify the information technology in order to meet the nonvisual access standards; and
1394-
1395- (iii) if the vendor fails to modify the information technology to meet
1396-the nonvisual access standards within 12 months after the date of the notification, the
1397-vendor:
1398-
1399- 1. may be subject to a civil penalty of:
1400-
1401- A. for a first offense, a fine not exceeding $5,000; and
1402-
1403- B. for a subsequent offense, a fine not exceeding $10,000; and
1404-
1407- 2. shall indemnify the State for liability resulting from the
1408-use of information technology that does not meet the nonvisual access standards.
1409-
1410- (b) (1) Except as provided in paragraph (2) of this subsection, the nonvisual
1411-access clause required under subsection (a) of this section shall be included in each
1412-invitation for bids or request for proposals and in each procurement contract or modification
1413-or renewal of a contract issued under Title 13 of this article, without regard to the method
1414-chosen under Title 13, Subtitle 1 of this article for the purchase of new or upgraded
1415-information technology and information technology services.
1416-
1417- (2) Except as provided in subsection (a)(4) of this section, the nonvisual
1418-access clause required under paragraph (1) of this subsection is not required if:
1419-
1420- (i) the information technology is not available with nonvisual access
1421-because the essential elements of the information technology are visual and nonvisual
1422-equivalence cannot be developed; or
1423-
1424- (ii) the cost of modifying the information technology for compatibility
1425-with software and hardware for nonvisual access would increase the price of the
1426-procurement by more than 15%.
1427-
1428-[3.5–312.] 3.5–311.
1429-
1430- The Secretary may delegate the duties set forth in this subtitle to carry out its
1431-purposes.
1432-
1433-[3.5–313.] 3.5–312.
1434-
1435- (a) (1) In this section the following words have the meanings indicated.
1436-
1437- (2) “Agency” includes a unit of State government that receives funds that
1438-are not appropriated in the annual budget bill.
1439-
1440- (3) (i) “Payee” means any party who receives from the State an
1441-aggregate payment of $25,000 in a fiscal year.
1442-
1443- (ii) “Payee” does not include:
1444-
1445- 1. a State employee with respect to the employee’s
1446-compensation; or
1447-
1448- 2. a State retiree with respect to the retiree’s retirement
1449-allowance.
1451-
1453- (4) “Searchable website” means a website created in accordance with this
1454-section that displays and searches State payment data.
1455-
1456- (b) (1) The Department shall develop and operate a single searchable website,
1457-accessible to the public at no cost through the Internet.
1458-
1459- (2) On or before the 15th day of the month that follows the month in which
1460-an agency makes a payment to a payee, the Department shall update the payment data on
1461-the searchable website.
1462-
1463- (c) The searchable website shall contain State payment data, including:
1464-
1465- (1) the name of a payee receiving a payment;
1466-
1467- (2) the location of a payee by postal zip code;
1468-
1469- (3) the amount of a payment; and
1470-
1471- (4) the name of an agency making a payment.
1472-
1473- (d) The searchable website shall allow the user to:
1474-
1475- (1) search data for fiscal year 2008 and each year thereafter; and
1476-
1477- (2) search by the following data fields:
1478-
1479- (i) a payee receiving a payment;
1480-
1481- (ii) an agency making a payment; and
1482-
1483- (iii) the zip code of a payee receiving a payment.
1484-
1485- (e) State agencies shall provide appropriate assistance to the Secretary to ensure
1486-the existence and ongoing operation of the single website.
1487-
1488- (f) This section may not be construed to require the disclosure of information that
1489-is confidential under State or federal law.
1490-
1491- (g) This section shall be known and may be cited as the “Maryland Funding
1492-Accountability and Transparency Act”.
1493-
1494-[3.5–314.] 3.5–313.
1495-
1496- (a) In this section, “security–sensitive data” means information that is protected
1497-against unwarranted disclosure.
1498- LAWRENCE J. HOGAN, JR., Governor Ch. 242
1499-
1500-– 33 –
1501- (b) In accordance with guidelines established by the Secretary, each unit of State
1502-government shall develop a plan to:
1503-
1504- (1) identify unit personnel who handle security–sensitive data; and
1505-
1506- (2) establish annual security overview training or refresher security
1507-training for each employee who handles security–sensitive data as part of the employee’s
1508-duties.
1509-
1510-3.5–401.
1511-
1512- (a) The Department shall:
1513-
1514- (1) coordinate the development, procurement, management, and operation
1515-of telecommunication equipment, systems, and services by State government;
1516-
1517- (2) TO ADDRESS PREPAREDN ESS AND RESPONSE CAP ABILITIES OF
1518-LOCAL JURISDICTIONS , COORDINATE THE PROCU REMENT OF MANAGED
1519-CYBERSECURITY SERVIC ES PROCURED BY LOCAL GOVERNMENTS WITH STATE
1520-FUNDING;
1521-
1522- [(2)] (3) acquire and manage common user telecommunication
1523-equipment, systems, or services and charge units of State government for their
1524-proportionate share of the costs of installation, maintenance, and operation of the common
1525-user telecommunication equipment, systems, or services;
1526-
1527- [(3)] (4) promote compatibility of telecommunication systems by
1528-developing policies, procedures, and standards for the [acquisition and] use of
1529-telecommunication equipment, systems, and services by units of State government;
1530-
1531- [(4)] (5) coordinate State government telecommunication systems and
1532-services by reviewing requests by units of State government for, AND ACQUIRING ON
1533-BEHALF OF UNITS OF STATE GOVERNMENT , telecommunication equipment, systems, or
1534-services;
1535-
1536- [(5)] (6) advise units of State government about [planning, acquisition,]
1537-PLANNING and operation of telecommunication equipment, systems, or services; and
1538-
1539- [(6)] (7) provide radio frequency coordination for State and local
1540-governments in accordance with regulations of the Federal Communications Commission.
1541-
1542- (b) The Department may make arrangement for a user other than a unit of State
1543-government to have access to and use of State telecommunication equipment, systems, and
1544-services and shall charge the user any appropriate amount to cover the cost of installation, Ch. 242 2022 LAWS OF MARYLAND
1545-
1546-– 34 –
1547-maintenance, and operation of the telecommunication equipment, system, or service
1548-provided.
1549-
1550- (C) (1) THE DEPARTMENT SHALL DEVE LOP AND REQUIRE BASI C
1551-SECURITY REQUIREMENT S TO BE INCLUDED IN A CONTRACT:
1552-
1553- (I) IN WHICH A THIRD–PARTY CONTRACTOR WIL L HAVE ACCESS
1554-TO AND USE STATE TELECOMMUNICATI ON EQUIPMENT , SYSTEMS, OR SERVICES; OR
1555-
1556- (II) BY A UNIT OF STATE GOVERNMENT THAT IS LESS THAN
1557-$50,000 FOR SYSTEMS OR DEVIC ES THAT WILL CONNECT TO STATE
1558-TELECOMMUNICATION EQ UIPMENT, SYSTEMS, OR SERVICES.
1559-
1560- (2) THE SECURITY REQUIREM ENTS DEVELOPED UNDER PARAGRAPH
1561-(1) OF THIS SUBSECTION S HALL BE CONSISTENT W ITH A WIDELY RECOGNI ZED
1562-SECURITY STANDARD , INCLUDING NATIONAL INSTITUTE OF STANDARDS AND
1563-TECHNOLOGY SP 800–171, ISO27001, OR CYBERSECURITY MATURITY MODEL
1564-CERTIFICATION.
1565-
1566-3.5–404.
1567-
1568- (a) The General Assembly declares that:
1569-
1570- (1) it is the policy of the State to foster telecommunication and computer
1571-networking among State and local governments, their agencies, and educational
1572-institutions in the State;
1573-
1574- (2) there is a need to improve access, especially in rural areas, to efficient
1575-telecommunication and computer network connections;
1576-
1577- (3) improvement of telecommunication and computer networking for State
1578-and local governments and educational institutions promotes economic development,
1579-educational resource use and development, and efficiency in State and local administration;
1580-
1581- (4) rates for the intrastate inter–LATA telephone communications needed
1582-for effective integration of telecommunication and computer resources are prohibitive for
1583-many smaller governments, agencies, and institutions; and
1584-
1585- (5) the use of improved State telecommunication and computer networking
1586-under this section is intended not to compete with commercial access to advanced network
1587-technology, but rather to foster fundamental efficiencies in government and education for
1588-the public good.
1589-
1590- (b) (1) The Department shall establish a telecommunication and computer
1591-network in the State. LAWRENCE J. HOGAN, JR., Governor Ch. 242
1592-
1593-– 35 –
1594-
1595- (2) The network shall consist of:
1596-
1597- (i) one or more connection facilities for telecommunication and
1598-computer connection in each local access transport area (LATA) in the State; and
1599-
1600- (ii) facilities, auxiliary equipment, and services required to support
1601-the network in a reliable and secure manner.
1602-
1603- (c) The network shall be accessible through direct connection and through local
1604-intra–LATA telecommunications to State and local governments and public and private
1605-educational institutions in the State.
1606-
1607- (D) ON OR BEFORE DECEMBER 1 EACH YEAR , EACH UNIT OF THE
1608-LEGISLATIVE OR JUDICIAL BRANCH OF STATE GOVERNMENT AND ANY DIVISION OF
1609-THE UNIVERSITY SYSTEM OF MARYLAND THAT USE THE NETWORK ESTABLISHED
1610-UNDER SUBSECTION (B) OF THIS SECTION SHAL L CERTIFY TO THE DEPARTMENT
1611-THAT THE UNIT OR DIV ISION IS IN COMPLIAN CE WITH THE DEPARTMENT ’S MINIMUM
1612-SECURITY STANDARDS .
1613-
1614-3.5–404.
1615-
1616- (D) (1) THE OFFICE SHALL ENSURE T HAT AT LEAST ONCE EV ERY 2
1617-YEARS, OR MORE OFTEN IF REQ UIRED BY REGULATIONS ADOPTED BY THE
1618-DEPARTMENT , EACH UNIT OF STATE GOVERNMENT SHAL L COMPLETE AN EXTERN AL
1619-ASSESSMENT .
1620-
1621- (2) THE OFFICE SHALL ASSIST E ACH UNIT TO REMEDIAT E ANY
1622-SECURITY VULNERABILI TIES OR HIGH–RISK CONFIGURATIONS IDENTIFIED IN THE
1623-ASSESSMENT REQUIRED UNDER PARAGRAPH (1) OF THIS SUBSECTION .
1624-
1625- (E) (1) IN THIS SUBSECTION , “IT UNIT” MEANS A UNIT OF THE
1626-LEGISLATIVE BRANCH OR JUDICIAL BRANCH OF STATE GOVERNMENT , THE OFFICE
1627-OF THE ATTORNEY GENERAL, THE OFFICE OF THE COMPTROLLER , OR THE OFFICE
1628-OF THE STATE TREASURER THAT PROVIDES INFORM ATION TECHNOLOGY SERVICES
1629-FOR ANOTHER UNIT OF GOVERNMENT .
1630-
1631- (2) EACH IT UNIT SHALL:
1632-
1633- (I) BE EVALUATED BY AN I NDEPENDENT AUDITOR W ITH
1634-CYBERSECURITY EXPERT ISE TO DETERMINE WHE THER THE IT UNIT, AND THE UNITS
1635-IT PROVIDES INFORMAT ION TECHNOLOGY SERVI CES FOR, MEET RELEVANT
1636-CYBERSECURITY STANDA RDS RECOMMENDED BY T HE NATIONAL INSTITUTE OF
1637-STANDARDS AND TECHNOLOGY ; AND Ch. 242 2022 LAWS OF MARYLAND
1638-
1639-– 36 –
1640-
1641- (II) CERTIFY COMPLIANCE W ITH THE RECOMMENDED
1642-NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY CYBERSECUR ITY
1643-STANDARDS TO :
1644-
1645- 1. IF THE IT UNIT IS PART OF THE LEGISLATIVE
1646-BRANCH, THE PRESIDENT OF THE SENATE AND THE SPEAKER OF THE HOUSE; AND
1647-
1648- 2. IF THE IT UNIT IS PART OF THE OFFICE OF THE
1649-ATTORNEY GENERAL, TO THE ATTORNEY GENERAL;
1650-
1651- 3. IF THE IT UNIT IS PART OF THE COMPTROLLER ’S
1652-OFFICE, TO THE COMPTROLLER ;
1653-
1654- 4. IF THE IT UNIT IS PART OF THE STATE TREASURER’S
1655-OFFICE, TO THE STATE TREASURER; AND
1656-
1657- 2. 5. IF THE IT UNIT IS PART OF THE JUDICIAL BRANCH OF
1658-STATE GOVERNMENT , THE CHIEF JUDGE.
1659-
1660-3.5–405.
1661-
1662- (A) ON OR BEFORE DECEMBER 1 EACH YEAR, EACH UNIT OF STATE
1663-GOVERNMENT SHALL :
1664-
1665- (1) COMPLETE A CYBERSECU RITY PREPAREDNESS AS SESSMENT AND
1666-REPORT THE RESULTS OF ANY CYBERSECURITY PREPAREDNESS ASSESSM ENTS
1667-PERFORMED IN THE PRI OR YEAR TO THE OFFICE OF SECURITY MANAGEMENT IN
1668-ACCORDANCE WITH GUID ELINES DEVELOPED BY THE OFFICE; AND
1669-
1670- (2) SUBMIT A REPORT TO T HE GOVERNOR AND THE OFFICE OF
1671-SECURITY MANAGEMENT THAT INCLU DES:
1672-
1673- (I) AN INVENTORY OF ALL INFORMATION SYSTEMS AND
1674-APPLICATIONS USED OR MAINTAINED BY THE UNI T;
1675-
1676- (II) A FULL DATA INVENTOR Y OF THE UNIT;
1677-
1678- (III) A LIST OF ALL CLOUD OR STATISTICAL ANALY SIS SYSTEM
1679-SOLUTIONS USED BY TH E UNIT;
1680-
1681- (IV) A LIST OF ALL PERMAN ENT AND TRANSIENT VE NDOR
1682-INTERCONNECTIONS THA T ARE IN PLACE;
1683- LAWRENCE J. HOGAN, JR., Governor Ch. 242
1684-
1685-– 37 –
1686- (V) THE NUMBER OF UNIT E MPLOYEES WHO HAVE RE CEIVED
1687-CYBERSECURITY TRAINI NG;
1688-
1689- (VI) THE TOTAL NUMBER OF UNIT EMPLOYEES WHO U SE THE
1690-NETWORK;
1691-
1692- (VII) THE NUMBER OF INFORM ATION TECHNOLOGY STA FF
1693-POSITIONS, INCLUDING VACANCIES ;
1694-
1695- (VIII) THE NUMBER OF NONI NFORMATION TECHNOLOG Y STAFF
1696-POSITIONS, INCLUDING VACANCIES ;
1697-
1698- (IX) THE UNIT ’S INFORMATION TECHNO LOGY BUDGET ,
1699-ITEMIZED TO INCLUDE THE FOLLOWING CATEGO RIES:
1700-
1701- 1. SERVICES;
1702-
1703- 2. EQUIPMENT;
1704-
1705- 3. APPLICATIONS;
1706-
1707- 4. PERSONNEL ;
1708-
1709- 5. SOFTWARE LICENSING ;
1710-
1711- 6. DEVELOPMENT ;
1712-
1713- 7. NETWORK PROJECTS ;
1714-
1715- 8. MAINTENANCE ; AND
1716-
1717- 9. CYBERSECURITY ;
1718-
1719- (X) ANY MAJOR INFORMATIO N TECHNOLOGY INITIAT IVES TO
1720-MODERNIZE THE UNIT ’S INFORMATION TECHNO LOGY SYSTEMS OR IMPR OVE
1721-CUSTOMER ACCESS TO STATE AND LOCAL SERVI CES;
1722-
1723- (XI) THE UNIT’S PLANS FOR FUTURE F ISCAL YEARS TO
1724-IMPLEMENT THE UNIT ’S INFORMATION TECHNO LOGY GOALS;
1725-
1726- (XII) COMPLIANCE WITH TIME LINES AND METRICS PR OVIDED IN
1727-THE DEPARTMENT ’S MASTER PLAN ; AND
1728- Ch. 242 2022 LAWS OF MARYLAND
1729-
1730-– 38 –
1731- (XIII) ANY OTHER KEY PERFOR MANCE INDICATORS REQ UIRED BY
1732-THE OFFICE OF SECURITY MANAGEMENT TO TRACK C OMPLIANCE OR CONSIST ENCY
1733-WITH THE DEPARTMENT ’S STATEWIDE INFORMATION TEC HNOLOGY MASTER PLAN .
1734-
1735- (B) (1) EACH UNIT OF STATE GOVERNMENT SHAL L REPORT A
1736-CYBERSECURITY INCIDE NT IN ACCORDANCE WIT H PARAGRAPH (2) OF THIS
1737-SUBSECTION TO THE STATE CHIEF INFORMATION SECURITY OFFICER.
1738-
1739- (2) FOR THE REPORTING OF CYBERSECURITY INCIDENTS UND ER
1740-PARAGRAPH (1) OF THIS SUBSECTION , THE STATE CHIEF INFORMATION SECURITY
1741-OFFICER SHALL DETERMI NE:
1742-
1743- (I) THE CRITERIA FOR DET ERMINING WHEN AN INC IDENT MUST
1744-BE REPORTED ;
1745-
1746- (II) THE MANNER IN WHICH TO REPORT; AND
1747-
1748- (III) THE TIME PERIOD WITH IN WHICH A REPORT MU ST BE MADE.
1749-
1750-3.5–406.
1751-
1752- (C) (1) (A) THIS SUBSECTION SECTION DOES NOT APPLY TO
1753-MUNICIPAL GOVERNMENT S.
1754-
1755- (2) (B) ON OR BEFORE DECEMBER 1 EACH YEAR IN A MANNER AND
1756-FREQUENCY ESTABLISHE D IN REGULATIONS ADO PTED BY THE DEPARTMENT , EACH
1757-COUNTY GOVERNMENT , LOCAL SCHOOL SYSTEM , AND LOCAL HEALTH DEP ARTMENT
1758-SHALL:
1759-
1760- (I) (1) IN CONSULTATION WITH THE LOCAL EMERGENCY
1761-MANAGER, CREATE OR UPDATE A C YBERSECURITY PREPARE DNESS AND RESPONSE
1762-PLAN AND SUBMIT THE PLAN TO THE OFFICE OF SECURITY MANAGEMENT FOR
1763-APPROVAL; AND
1764-
1765- (II) (2) COMPLETE A CYBERSECU RITY PREPAREDNESS
1766-ASSESSMENT AND REPORT THE RESUL TS TO THE OFFICE OF SECURITY
1767-MANAGEMENT IN ACCORDA NCE WITH GUIDELINES DEVELOPED BY THE OFFICE;
1768-AND
1769-
1770- (III) REPORT TO THE OFFICE OF SECURITY MANAGEMENT :
1771-
1772- 1. THE NUMBER OF INFORM ATION TECHNOLOGY STA FF
1773-POSITIONS, INCLUDING VACANCIES ; LAWRENCE J. HOGAN, JR., Governor Ch. 242
1774-
1775-– 39 –
1776-
1777- 2. THE ENTITY ’S CYBERSECURITY BUDG ET AND
1778-OVERALL INFORMATION TECHNOLOGY BUDGET ;
1779-
1780- 3. THE NUMBER OF EMPLOY EES WHO HAVE RECEIVED
1781-CYBERSECURITY TRAINI NG; AND
1782-
1783- 4. THE TOTAL NUMBER OF EMPLOYEES WITH ACCES S TO
1784-THE ENTITY’S COMPUTER SYSTEMS A ND DATABASES .
1785-
1786- (C) THE ASSESSMENT REQUIR ED UNDER PARAGRAPH (B)(2) OF THIS
1787-SECTION MAY , IN ACCORDANCE WITH T HE PREFERENCE OF EAC H COUN TY
1788-GOVERNMENT , BE PERFORMED BY THE DEPARTMENT OR BY A VE NDOR
1789-AUTHORIZED BY THE DEPARTMENT .
1790-
1791- (3) (I) (D) (1) EACH COUNTY LOCAL GOVERNMENT , LOCAL
1792-SCHOOL SYSTEM, AND LOCAL HEALTH DEPARTM ENT SHALL REPORT A
1793-CYBERSECURITY INCIDE NT, INCLUDING AN ATTACK ON A STATE SYSTEM BEING
1794-USED BY THE LOCAL GO VERNMENT, TO THE APPROPRIATE L OCAL EMERGENCY
1795-MANAGER AND THE STATE SECURITY OPERATIONS CENTER IN THE DEPARTMENT
1796-IN ACCORDANCE WITH SUBPARAGRAPH (II) PARAGRAPH (2) OF THIS PARAGRAPH
1797-SUBSECTION TO THE APPROPRIATE LOCAL EMERGENCY MANAGER .
1798-
1799- (II) (2) FOR THE REPORTING OF CYBERSECURITY INCIDE NTS
1800-TO LOCAL EMERGENCY M ANAGERS UNDER SUBPAR AGRAPH (I) OF THIS PARAGRAPH ,
1801-THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL DETERMI NE:
1802-
1803- 1. (I) THE CRITERIA FOR DET ERMINING WHEN AN INCIDENT
1804-MUST BE REPORTED ;
1805-
1806- 2. (II) THE MANNER IN WHICH TO REPORT; AND
1807-
1808- 3. (III) THE TIME PERIOD WITH IN WHICH A REPORT
1809-MUST BE MADE .
1810-
1811- (3) THE STATE SECURITY OPERATIONS CENTER SHALL
1812-IMMEDIATELY NOTIFY T HE APPROPRIATE AGENC IES OF A CYBERSECURITY
1813-INCIDENT REPORTED UN DER THIS SUBSECTION THROUGH THE STATE SECURITY
1814-OPERATIONS CENTER.
1815-
1816-4–316.1.
1817-
1818- THE DEPARTMENT , IN CONSULTATION WITH THE MARYLAND
1819-CYBERSECURITY COORDINATING COUNCIL ESTABLISHED I N § 3.5–2A–05 OF THIS Ch. 242 2022 LAWS OF MARYLAND
1820-
1821-– 40 –
1822-ARTICLE, SHALL STUDY THE SECURITY AND FINANCI AL IMPLICATIONS OF
1823-EXECUTING PARTNERSHI PS WITH OTHER STATES TO PROCURE INFORMATI ON
1824-TECHNOLOGY AND CYBER SECURITY PRODUCTS AN D SERVICES, INCLUDING THE
1825-IMPLICATIONS FOR POL ITICAL SUBDIVISIONS OF THE STATE.
1826-
1827-13–115.
1828-
1829- (A) THE DEPARTMENT OF INFORMATION TECHNOLOGY SHALL REQUIRE
1830-BASIC SECURITY REQUI REMENTS TO BE INCLUD ED IN A CONTRACT :
1831-
1832- (1) IN WHICH A THIRD –PARTY CONTRACTOR WIL L HAVE ACCESS TO
1833-AND USE STATE TELECOMMUNICATI ON EQUIPMENT , SYSTEMS, OR SERVICES; OR
1834-
1835- (2) FOR SYSTEMS OR DEVIC ES THAT WILL CONNECT TO STATE
1836-TELECOMMUNICATION EQ UIPMENT, SYSTEMS, OR SERVICES.
1837-
1838- (B) THE SECURITY REQUIREM ENTS DEVELOPED UNDER SUBSECTION (A) OF
1839-THIS SECTION SHALL B E CONSISTENT WITH A WIDELY RECOGNIZED SE CURITY
1840-STANDARD, INCLUDING NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
1841-SP 800–171, ISO27001, OR CYBERSECURITY MATURITY MODEL CERTIFICATION.
1842-
1843-12–107.
1844-
1845- (b) Subject to the authority of the Board, jurisdiction over procurement is as
1846-follows:
1847-
1848- (2) the Department of General Services may:
1849-
1850- (i) engage in or control procurement of:
1851-
1852- 10. information processing equipment and associated
1853-services, as provided in Title [3A] 3.5, Subtitle 3 of this article; [and]
1854-
1855- 11. telecommunication equipment, systems, or services, as
1856-provided in Title [3A] 3.5, Subtitle 4 of this article; AND
1857-
1858- 12. MANAGED CYBERSECURIT Y SERVICES, AS PROVIDED
1859-IN TITLE 3.5, SUBTITLE 3 OF THIS ARTICLE;
1860-
1861- SECTION 3. AND BE IT FURTHER ENACTED, That, as a key enabler of the
1862-Department of Information Technology’s cybersecurity risk management strategy, on or
1863-before December 31, 2022, the Department shall complete the implementation of a
1864-governance, risk, and compliance module across the Executive Branch of State government
1865-that: LAWRENCE J. HOGAN, JR., Governor Ch. 242
1866-
1867-– 41 –
1868-
1869- (1) has industry–standard capabilities;
1870-
1871- (2) is based on NIST, ISO, or other recognized security frameworks or
1872-standards; and
1873-
1874- (3) enables the Department to identify, monitor, and manage cybersecurity
1875-risk on a continuous basis.
1876-
1877- SECTION 4. AND BE IT FURTHER ENACTED, That, on or before June 30, 2023,
1878-the Office of Security Management, in consultation with the Maryland Cybersecurity
1879-Coordinating Council, shall:
1880-
1881- (1) prepare a transition strategy toward cybersecurity centralization,
1882-including recommendations for:
1883-
1884- (1) (i) consistent incident response training;
1885-
1886- (2) (ii) implementing security improvement dashboards to inform
1887-budgetary appropriations;
1888-
1889- (3) (iii) operations logs transition to the Maryland Security Operations
1890-Center;
1891-
1892- (4) (iv) establishing consistent performance accountability metrics for
1893-information technology and cybersecurity staff; and
1894-
1895- (5) (v) whether the Office needs additional staff or contractors to carry
1896-out its duties; and
1897-
1898- (2) report the transition strategy and recommendations prepared under
1899-item (1) of this section to the Governor and, in accordance with § 2–1257 of the State
1900-Government Article, the Senate Education, Health, and Environmental Affairs Committee
1901-and the House Health and Government Operations Committee.
1902-
1903- SECTION 5. AND BE IT FURTHER ENACTED, That:
1904-
1905- (a) (1) On or before June 30, 2023, each agency in the Executive Branch of
1906-State government shall certify to the Office of Security Management compliance with State
1907-minimum cybersecurity standards established by the Department of Information Security
1908-Technology.
1909-
1910- (2) Except as provided in paragraph (3) of this subsection, certification
1911-shall be reviewed by independent auditors, and any findings must be remediated.
1912- Ch. 242 2022 LAWS OF MARYLAND
1913-
1914-– 42 –
1915- (3) Certification for the Department of Public Safety and Correctional
1916-Services and any State criminal justice agency shall be reviewed by the Office of Legislative
1917-Audits, and any findings must be remediated.
1918-
1919- (b) If Except as provided in subsection (c) of this section, if an agency has not
1920-remediated any findings pertaining to State cybersecurity standards found by the
1921-independent audit required under subsection (a) of this section by July 1, 2024, the Office
1922-of Security Management shall assume responsibility for an agency’s cybersecurity ensure
1923-compliance of an agency’s cybersecurity with cybersecurity standards through a shared
1924-service agreement, administrative privileges, or access to Network Maryland
1925-notwithstanding any federal law or regulation that forbids the Office of Security
1926-Management from managing a specific system.
1927-
1928- (c) Subsection (b) of this section does not apply if a federal law or regulation
1929-forbids the Office of Security Management from managing a specific system.
1930-
1931- SECTION 6. AND BE IT FURTHER ENACTED, That:
1932-
1933- (a) The Department of Information Technology shall hire a contractor to conduct
1934-a performance and capacity assessment of the Department to:
1935-
1936- (1) evaluate the Department’s capacity to implement provisions of this Act;
1937-and
1938-
1939- (2) recommend additional resources necessary for the Department to
1940-implement provisions of this title and meet future needs, including additional budget
1941-appropriations, additional staff, altered contracting authority, and pay increases for staff.
1942-
1943- (b) The contractor hired by the Department to complete the assessment and
1944-report required by this section shall:
1945-
1946- (1) on or before December 1, 2023, submit an interim report of its findings
1947-and recommendations to the Governor and, in accordance with § 2–1257 of the State
1948-Government Article, the General Assembly; and
1949-
1950- (2) on or before December 1, 2024, submit a final report of its findings and
1951-recommendations to the Governor and, in accordance with § 2 –1257 of the State
1952-Government Article, the General Assembly.
1953-
1954- SECTION 7. AND BE IT FURTHER ENACTED, That for fiscal year 2023, funds
1955-from the Dedicated Purpose Account may be transferred by budget amendment in
1956-accordance with § 7–310 of the State Finance and Procurement Article to implement this
1957-Act.
1958-
1959- SECTION 8. AND BE IT FURTHER ENACTED, That:
1960- LAWRENCE J. HOGAN, JR., Governor Ch. 242
1961-
1962-– 43 –
1963- (a) On or before June October 1, 2022, the State Chief Information Security
1964-Officer shall establish guidelines to determine when a cybersecurity incident shall be
1965-disclosed to the public.
1966-
1967- (b) On or before November 1, 2022, the State Chief Information Security Officer
1968-shall submit a report on the guidelines established under subsection (a) of this section to
1969-the Governor and, in accordance with § 2–1257 of the State Government Article, the House
1970-Health and Government Operations Committee and the Senate Education, Health, and
1971-Environmental Affairs Committee.
1972-
1973- SECTION 4. AND BE IT FURTHER ENACTED, That, on the effective date of this
1974-Act, the following shall be transferred to the Department of Information Technology:
1975-
1976- (1) all appropriations, including State and federal funds, held by a unit of
1977-the Executive Branch of State government for the purpose of information technology
1978-operations or cybersecurity for the unit on the effective date of this Act; and
1979-
1980- (2) all books and records (including electronic records), real and personal
1981-property, equipment, fixtures, assets, liabilities, obligations, credits, rights, and privileges
1982-held by a unit of the Executive Branch of State government for the purpose of information
1983-technology operations or cybersecurity for the unit on the effective date of this Act.
1984-
1985- SECTION 5. AND BE IT FURTHER ENACTED, That all employees of a unit of the
1986-Executive Branch of State government who are assigned more than 50% of the time to a
1987-function related to information technology operations or cybersecurity for the unit on the
1988-effective date of this Act shall, on the effective date of this Act, report to the Secretary of
1989-Information Technology or the Secretary’s designee.
1990-
1991- SECTION 6. AND BE IT FURTHER ENACTED, That any transaction affected by
1992-the transfer of oversight of information technology operations or cybersecurity of a unit of
1993-the Executive Branch of State government and validly entered into before the effective date
1994-of this Act, and every right, duty, or interest flowing from it, remains valid after the
1995-effective date of this Act and may be terminated, completed, consummated, or enforced
1996-under the law.
1997-
1998- SECTION 7. AND BE IT FURTHER ENACTED, That all existing laws, regulations,
1999-proposed regulations, standards and guidelines, policies, orders and other directives, forms,
2000-plans, memberships, contracts, property, investigations, administrative and judicial
2001-responsibilities, rights to sue and be sued, and all other duties and responsibilities
2002-associated with information technology operations or cybersecurity of a unit of the
2003-Executive Branch of State government prior to the effective date of this Act shall continue
2004-and, as appropriate, be legal and binding on the Department of Information Technology
2005-until completed, withdrawn, canceled, modified, or otherwise changed under the law.
2006-
2007- SECTION 8. 9. AND BE IT FURTHER ENACTED, That this Act shall take effect
2008-October July 1, 2022. Ch. 242 2022 LAWS OF MARYLAND
2009-
2010-– 44 –
2011-
2012-Approved by the Governor, May 12, 2022.
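Review bot: throughout the removed side, struck wording and its replacement sit back to back with nothing to tell them apart, so several operative clauses cannot be read one way. Examples are "On or before June October 1, 2022" in Section 8(a), "SECTION 8. 9." with "October July 1, 2022" in the effective-date clause, and "THIS SUBSECTION SECTION DOES NOT APPLY" in 3.5–406. The same problem affects Section 5(b), which contains both "assume responsibility for an agency's cybersecurity" and "ensure compliance of an agency's cybersecurity with cybersecurity standards", and both a "notwithstanding any federal law or regulation" clause and, in (c), an exception for that same case. SECTION numbers 4 through 8 also each appear twice, and 3.5–404 is headed twice with two different subsections labelled (D). Suggest marking stricken matter explicitly, for instance with the brackets the bill already uses for matter deleted from existing law, so that the reporting deadlines and the scope of the Office of Security Management's takeover authority can be read without consulting the typeset bill.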
1+
2+
3+EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW.
4+ [Brackets] indicate matter deleted from existing law.
5+ Underlining indicates amendments to bill.
6+ Strike out indicates matter stricken from the bill by amendment or deleted from the law by
7+amendment.
8+ Italics indicate opposite chamber/conference committee amendments.
9+ *sb0812*
10+
11+SENATE BILL 812
12+S2, P1, P2 (2lr1779)
13+ENROLLED BILL
14+— Education, Health, and Environmental Affairs/Health and Government
15+Operations —
16+Introduced by Senator Hester Senators Hester, Hershey, Jennings, Jackson,
17+Rosapepe, Lee, and Watson
18+
19+Read and Examined by Proofreaders:
20+
21+_______________________________________________
22+Proofreader.
23+_______________________________________________
24+Proofreader.
25+
26+Sealed with the Great Seal and presented to the Governor, for his approval this
27+
28+_______ day of _______________ at ________________________ o’clock, ________M.
29+
30+______________________________________________
31+President.
32+
33+CHAPTER ______
34+
35+AN ACT concerning 1
36+
37+State Government – Cybersecurity – Coordination and Governance 2
38+
39+FOR the purpose of establishing the Cybersecurity Coordination and Operations Office in 3
40+the Maryland Department of Emergency Management; requiring the Secretary of 4
41+Emergency Management to appoint an Executive Director as head of the 5
42+Cybersecurity Coordination and Operations Office; requiring the Office of Security 6
43+Management to be provided with staff for the Cybersecurity Coordination and 7
44+Operations Office; requiring the Cybersecurity Coordination and Operations Office 8
45+to establish regional assistance groups to deliver or coordinate support services to 9
46+political subdivisions, agencies, or regions in accordance with certain requirements; 10
47+requiring the Cybersecurity Coordination and Operations Office to offer certain 11
48+training opportunities for counties and municipalities; establishing the Office of 12
49+Security Management within the Department of Information Technology (DoIT); 13 2 SENATE BILL 812
50+
51+
52+establishing certain responsibilities and authority of the Office of Security 1
53+Management; centralizing authority and control of the procurement of all 2
54+information technology for the Executive Branch of State government in DoIT; 3
55+establishing the Maryland Cybersecurity Coordinating Council; requiring the 4
56+Secretary of Information Technology to develop and maintain a statewide 5
57+cybersecurity master plan strategy; requiring DoIT to develop and require basic 6
58+security requirements to be included in certain contracts; requiring each unit of the 7
59+Legislative or Judicial Branch of State government and any division of the 8
60+University System of Maryland that uses a certain network to certify certain 9
61+compliance to DoIT on or before a certain date each year; requiring certain IT units 10
62+to certify compliance with certain cybersecurity standards; requiring each unit of the 11
63+Executive Branch of State government and certain local entities to report certain 12
64+cybersecurity incidents in a certain manner and under certain circumstances; 13
65+requiring the State Security Operations Center to notify certain agencies of a 14
66+cybersecurity incident reported in a certain manner; establishing the Maryland 15
67+Cybersecurity Coordinating Council; exempting meetings of the Council from the 16
68+Open Meetings Act; requiring the Council to study aspects of the State’s 17
69+cybersecurity vulnerabilities and procurement potential, including partnerships 18
70+with other states; requiring the Council to promote certain education and training 19
71+opportunities; requiring the Department of General Services to study the security 20
72+and financial implications of executing partnerships with other states to procure 21
73+information technology and cybersecurity products and services; requiring the 22
74+Department of General Services to establish certain basic security requirements to 23
75+be included in certain contracts; requiring DoIT to complete implementation of a 24
76+certain governance, risk, and compliance module on or before a certain date; 25
77+requiring the Office to prepare a transition strategy towards cybersecurity 26
78+centralization; requiring each agency in the Executive Branch of State government 27
79+to certify to the Office that the agency is in compliance with certain standards; 28
80+requiring the Office to assume responsibility for a certain agency’s cybersecurity 29
81+except under certain circumstances; requiring DoIT to hire a contractor to conduct a 30
82+performance and capacity assessment of DoIT; authorizing funds to be transferred 31
83+by budget amendment from the Dedicated Purpose Account in a certain fiscal year 32
84+to implement the Act; transferring certain appropriations, books and records, and 33
85+employees to DoIT; and generally relating to State cybersecurity coordination. 34
86+
87+BY renumbering 35
88+ Article – State Finance and Procurement 36
89+Section 3A–101 through 3A–702, respectively, and the title “Title 3A. Department of 37
90+Information Technology” 38
91+to be Section 3.5–101 through 3.5–702, respectively, and the title “Title 3.5. 39
92+Department of Information Technology” 40
93+ Annotated Code of Maryland 41
94+ (2021 Replacement Volume) 42
95+
96+BY repealing and reenacting, with amendments, 43
97+ Article – Criminal Procedure 44
98+ Section 10–221(b) 45 SENATE BILL 812 3
99+
100+
101+ Annotated Code of Maryland 1
102+ (2018 Replacement Volume and 2021 Supplement) 2
103+
104+BY repealing and reenacting, with amendments, 3
105+ Article – Health – General 4
106+ Section 21–2C–03(h)(2)(i) 5
107+ Annotated Code of Maryland 6
108+ (2019 Replacement Volume and 2021 Supplement) 7
109+
110+BY repealing and reenacting, with amendments, 8
111+ Article – Human Services 9
112+ Section 7–806(a), (b)(1), (c)(1), (d)(1) and (2)(i), and (g)(1) 10
113+ Annotated Code of Maryland 11
114+ (2019 Replacement Volume and 2021 Supplement) 12
115+
116+BY repealing and reenacting, with amendments, 13
117+ Article – Insurance 14
118+ Section 31–103(a)(2)(i) and (b)(2) 15
119+ Annotated Code of Maryland 16
120+ (2017 Replacement Volume and 2021 Supplement) 17
121+
122+BY repealing and reenacting, with amendments, 18
123+ Article – Natural Resources 19
124+ Section 1–403(c) 20
125+ Annotated Code of Maryland 21
126+ (2018 Replacement Volume and 2021 Supplement) 22
127+
128+BY adding to 23
129+ Article – Public Safety 24
130+Section 14–104.1 25
131+ Annotated Code of Maryland 26
132+ (2018 Replacement Volume and 2021 Supplement) 27
133+
134+BY repealing and reenacting, without amendments, 28
135+ Article – State Finance and Procurement 29
136+ Section 3.5–101(a) and (e) and 3.5–301(a) 30
137+ Annotated Code of Maryland 31
138+ (2021 Replacement Volume) 32
139+ (As enacted by Section 1 of this Act) 33
140+
141+BY adding to 34
142+ Article – State Finance and Procurement 35
143+Section 3.5–2A–01 through 3.5–2A–07 3.5–2A–06 to be under the new subtitle 36
144+“Subtitle 2A. Office of Security Management”; and 3.5–404(d) and (e), 3.5–405 37
145+and 12–107(b)(2)(i)12., 3.5–406, 4–316.1, and 13–115 38
146+ Annotated Code of Maryland 39
147+ (2021 Replacement Volume) 40 4 SENATE BILL 812
148+
149+
150+
151+BY repealing and reenacting, with amendments, 1
152+ Article – State Finance and Procurement 2
153+Section 3.5–301(j), 3.5–302(c), 3.5–303, 3.5–305, 3.5–307 through 3.5–314, 3.5–401, 3
154+and 3.5–404 Section 3.5–301(i) and (j), 3.5–302, 3.5–303, 3.5–307, 3.5–309(c), 4
155+(i), and (l), and 3.5–311(a)(2)(i) 5
156+ Annotated Code of Maryland 6
157+ (2021 Replacement Volume) 7
158+ (As enacted by Section 1 of this Act) 8
159+
160+BY repealing 9
161+ Article – State Finance and Procurement 10
162+Section 3.5–306 11
163+ Annotated Code of Maryland 12
164+ (2021 Replacement Volume) 13
165+ (As enacted by Section 1 of this Act) 14
166+
167+BY repealing and reenacting, with amendments, 15
168+ Article – State Finance and Procurement 16
169+ Section 12–107(b)(2)(i)10. and 11. 17
170+ Annotated Code of Maryland 18
171+ (2021 Replacement Volume) 19
172+
173+ SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 20
174+That Section(s) 3A–101 through 3A–702, respectively, and the title “Title 3A. Department 21
175+of Information Technology” of Article – State Finance and Procurement of the Annotated 22
176+Code of Maryland be renumbered to be Section(s) 3.5–101 through 3.5–702, respectively, 23
177+and the title “Title 3.5. Department of Information Technology”. 24
178+
179+ SECTION 2. AND BE IT FURTHER ENACTED, That the Laws of Maryland read 25
180+as follows: 26
181+
182+Article – Criminal Procedure 27
183+
184+10–221. 28
185+
186+ (b) Subject to Title [3A] 3.5, Subtitle 3 of the State Finance and Procurement 29
187+Article, the regulations adopted by the Secretary under subsection (a)(1) of this section and 30
188+the rules adopted by the Court of Appeals under subsection (a)(2) of this section shall: 31
189+
190+ (1) regulate the collection, reporting, and dissemination of criminal history 32
191+record information by a court and criminal justice units; 33
192+
193+ (2) ensure the security of the criminal justice information system and 34
194+criminal history record information reported to and collected from it; 35
195+ SENATE BILL 812 5
196+
197+
198+ (3) regulate the dissemination of criminal history record information in 1
199+accordance with Subtitle 1 of this title and this subtitle; 2
200+
201+ (4) regulate the procedures for inspecting and challenging criminal history 3
202+record information; 4
203+
204+ (5) regulate the auditing of criminal justice units to ensure that criminal 5
205+history record information is: 6
206+
207+ (i) accurate and complete; and 7
208+
209+ (ii) collected, reported, and disseminated in accordance with Subtitle 8
210+1 of this title and this subtitle; 9
211+
212+ (6) regulate the development and content of agreements between the 10
213+Central Repository and criminal justice units and noncriminal justice units; and 11
214+
215+ (7) regulate the development of a fee schedule and provide for the collection 12
216+of the fees for obtaining criminal history record information for other than criminal justice 13
217+purposes. 14
218+
219+Article – Health – General 15
220+
221+21–2C–03. 16
222+
223+ (h) (2) The Board is subject to the following provisions of the State Finance 17
224+and Procurement Article: 18
225+
226+ (i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent 19
227+that the Secretary of Information Technology determines that an information technology 20
228+project of the Board is a major information technology development project; 21
229+
230+Article – Human Services 22
231+
232+7–806. 23
233+
234+ (a) (1) Subject to paragraph (2) of this subsection, the programs under § 24
235+7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State 25
236+Finance and Procurement Article shall be funded as provided in the State budget. 26
237+
238+ (2) For fiscal year 2019 and each fiscal year thereafter, the program under 27
239+[§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall be funded at an 28
240+amount that: 29
241+
242+ (i) is equal to the cost that the Department of Aging is expected to 30
243+incur for the upcoming fiscal year to provide the service and administer the program; and 31 6 SENATE BILL 812
244+
245+
246+
247+ (ii) does not exceed 5 cents per month for each account out of the 1
248+surcharge amount authorized under subsection (c) of this section. 2
249+
250+ (b) (1) There is a Universal Service Trust Fund created for the purpose of 3
251+paying the costs of maintaining and operating the programs under: 4
252+
253+ (i) § 7–804(a) of this subtitle, subject to the limitations and controls 5
254+provided in this subtitle; 6
255+
256+ (ii) § 7–902(a) of this title, subject to the limitations and controls 7
257+provided in Subtitle 9 of this title; and 8
258+
259+ (iii) [§ 3A–702] § 3.5–702 of the State Finance and Procurement 9
260+Article, subject to the limitations and controls provided in Title [3A] 3.5, Subtitle 7 of the 10
261+State Finance and Procurement Article. 11
262+
263+ (c) (1) The costs of the programs under § 7–804(a) of this subtitle, § 7–902(a) 12
264+of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall 13
265+be funded by revenues generated by: 14
266+
267+ (i) a surcharge to be paid by the subscribers to a communications 15
268+service; and 16
269+
270+ (ii) other funds as provided in the State budget. 17
271+
272+ (d) (1) The Secretary shall annually certify to the Public Service Commission 18
273+the costs of the programs under § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 19
274+3A–702] § 3.5–702 of the State Finance and Procurement Article to be paid by the 20
275+Universal Service Trust Fund for the following fiscal year. 21
276+
277+ (2) (i) The Public Service Commission shall determine the surcharge 22
278+for the following fiscal year necessary to fund the programs under § 7–804(a) of this subtitle, 23
279+§ 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement 24
280+Article. 25
281+
282+ (g) (1) The Legislative Auditor may conduct postaudits of a fiscal and 26
283+compliance nature of the Universal Service Trust Fund and the expenditures made for 27
284+purposes of § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of 28
285+the State Finance and Procurement Article. 29
286+
287+Article – Insurance 30
288+
289+31–103. 31
290+
291+ (a) The Exchange is subject to: 32 SENATE BILL 812 7
292+
293+
294+
295+ (2) the following provisions of the State Finance and Procurement Article: 1
296+
297+ (i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent 2
298+that the Secretary of Information Technology determines that an information technology 3
299+project of the Exchange is a major information technology development project; 4
300+
301+ (b) The Exchange is not subject to: 5
302+
303+ (2) Title [3A] 3.5, Subtitle 3 (Information Processing) of the State Finance 6
304+and Procurement Article, except to the extent determined by the Secretary of Information 7
305+Technology under subsection (a)(2)(i) of this section; 8
306+
307+Article – Natural Resources 9
308+
309+1–403. 10
310+
311+ (c) The Department shall develop the electronic system consistent with the 11
312+statewide information technology master plan developed under Title [3A] 3.5, Subtitle 3 of 12
313+the State Finance and Procurement Article. 13
314+
315+Article – Public Safety 14
316+
317+14–104.1. 15
318+
319+ (A) (1) IN THIS SECTION THE F OLLOWING WORDS HAVE THE MEANINGS 16
320+INDICATED. 17
321+
322+ (2) “OFFICE” MEANS THE CYBERSECURITY COORDINATION AND 18
323+OPERATIONS OFFICE ESTABLISHED WI THIN THE DEPARTMENT . 19
324+
325+ (3) “REGION” MEANS A COLLECTION O F POLITICAL SUBDIVIS IONS. 20
326+
327+ (B) THERE IS A CYBERSECURITY COORDINATION AND OPERATIONS 21
328+OFFICE WITHIN THE DEPARTMENT . 22
329+
330+ (C) THE PURPOSE OF THE OFFICE IS TO: 23
331+
332+ (1) IMPROVE LOCAL , REGIONAL, AND STATEWIDE CYBERS ECURITY 24
333+READINESS AND RESPON SE; 25
334+
335+ (2) ASSIST POLITICAL SUB DIVISIONS, SCHOOL BOARDS , AND 26
336+AGENCIES IN THE DEVE LOPMENT OF CYBERSECU RITY DISRUPTION PLAN S; 27
337+ 8 SENATE BILL 812
338+
339+
340+ (3) IN CONSULTATION WITH THE DEPARTMENT OF INFORMATION 1
341+TECHNOLOGY , COORDINATE WITH POLI TICAL SUBDIVISIONS , LOCAL AGENCIES , 2
342+AND STATE AGENCIES ON THE IMPLEMENTATION OF CY BERSECURITY BEST 3
343+PRACTICES; 4
344+
345+ (4) COORDINATE WITH POLI TICAL SUBDIVISIONS A ND AGENCIES ON 5
346+THE IMPLEMENTATION O F THE STATEWIDE MASTER PLAN DEVELOPED BY THE 6
347+DEPARTMENT OF INFORMATION TECHNOLOGY UNDER TITLE 3.5, SUBTITLE 3 OF 7
348+THE STATE FINANCE AND PROCUREMENT ARTICLE; AND 8
349+
350+ (5) CONSULT WITH THE STATE CHIEF INFORMATION SECURITY 9
351+OFFICER AND THE SECRETARY OF INFORMATION TECHNOLOGY TO CONNECT 10
352+POLITICAL SUBDIVISIO NS AND AGENCIES TO T HE APPROPRIATE RESOU RCES FOR 11
353+ANY OTHER PURPOSE RE LATED TO CYBERSECURI TY READINESS AND RES PONSE. 12
354+
355+ (D) (1) THE HEAD OF THE OFFICE IS THE EXECUTIVE DIRECTOR, WHO 13
356+SHALL BE APPOINTED B Y THE DIRECTOR. 14
357+
358+ (2) THE OFFICE OF SECURITY MANAGEMENT SHALL PROV IDE STAFF 15
359+FOR THE OFFICE. 16
360+
361+ (E) (1) THE OFFICE SHALL ESTABLIS H REGIONAL ASSISTANC E GROUPS 17
362+TO DELIVER OR COORDI NATE SUPPORT SERVICE S TO POLITICAL SUBDI VISIONS, 18
363+AGENCIES, OR REGIONS. 19
364+
365+ (2) THE OFFICE MAY HIRE OR PR OCURE REGIONAL COORD INATORS 20
366+TO DELIVER OR COORDI NATE THE SERVICES UN DER PARAGRAPH (1) OF THIS 21
367+SUBSECTION. 22
368+
369+ (3) THE OFFICE SHALL PROVIDE OR COORDINATE SUPPOR T 23
370+SERVICES UNDER PARAG RAPH (1) OF THIS SUBSECTION T HAT INCLUDE: 24
371+
372+ (I) CONNECTING MULTIPLE POLITICAL SUBDIVISIO NS AND 25
373+AGENCIES WITH EACH O THER TO SHARE BEST P RACTICES OR OTHER IN FORMATION 26
374+TO INCREASE READINES S OR RESPONSE EFFECT IVENESS; 27
375+
376+ (II) PROVIDING TECHNICAL SERVICES FOR THE 28
377+IMPLEMENTATION OF CY BERSECURITY BEST PRACTICES IN ACCORDANCE WITH 29
378+SUBSECTION (C)(3) OF THIS SECTION; 30
379+
380+ (III) COMPLETING CYBERSECU RITY RISK ASSESSMENT S; 31
381+
382+ (IV) DEVELOPING CYBER SCO RECARDS AND REPORTS ON 32
383+REGIONAL READINESS ; 33 SENATE BILL 812 9
384+
385+
386+
387+ (V) CREATING AND UPDATIN G CYBERSECURITY DISR UPTION 1
388+PLANS IN ACCORDANCE W ITH SUBSECTION (C)(2) OF THIS SECTION; AND 2
389+
390+ (VI) CONDUCTING REGIONAL EXERCISES IN COORDIN ATION 3
391+WITH THE NATIONAL GUARD, THE DEPARTMENT , THE DEPARTMENT OF 4
392+INFORMATION TECHNOLOGY , LOCAL EMERGENCY MANA GERS, AND OTHER STATE 5
393+AND LOCAL ENTITIES. 6
394+
395+ (F) (1) THE OFFICE SHALL PROVIDE REGULAR TRAINING 7
396+OPPORTUNITIES FOR CO UNTIES AND MUNICIPAL CORPORATIONS IN THE STATE. 8
397+
398+ (2) TRAINING OPPORTUNITIE S OFFERED BY THE OFFICE SHALL: 9
399+
400+ (I) BE DESIGNED TO ENSUR E STAFF FOR COUNTIES AND 10
401+MUNICIPAL CORPORATIONS ARE CAP ABLE OF COOPERATING EFFECTIVELY WITH 11
402+THE DEPARTMENT IN THE EVE NT OF A CYBERSECURIT Y EMERGENCY ; AND 12
403+
404+ (II) INCORPORATE BEST PRA CTICES AND GUIDELINE S FOR 13
405+STATE AND LOCAL GOVE RNMENTS PROVIDED BY THE MULTI–STATE INFORMATION 14
406+SHARING AND ANALYSIS CENTER AND THE CYBERSECURITY AND 15
407+INFRASTRUCTURE SECURITY AGENCY. 16
408+
409+ (G) ON OR BEFORE DECEMBER 1 EACH YEAR, THE OFFICE SHALL REPORT 17
410+TO THE GOVERNOR AND , IN ACCORDANCE WITH § 2–1257 OF THE STATE 18
411+GOVERNMENT ARTICLE, THE GENERAL ASSEMBLY ON THE ACTIV ITIES OF THE 19
412+OFFICE. 20
413+
414+Article – State Finance and Procurement 21
415+
416+3.5–101. 22
417+
418+ (a) In this title the following words have the meanings indicated. 23
419+
420+ (e) “Unit of State government” means an agency or unit of the Executive Branch 24
421+of State government. 25
422+
423+SUBTITLE 2A. OFFICE OF SECURITY MANAGEMENT . 26
424+
425+3.5–2A–01. 27
426+
427+ (A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS 28
428+INDICATED. 29
429+ 10 SENATE BILL 812
430+
431+
432+ (B) “COUNCIL” MEANS THE MARYLAND CYBERSECURITY COORDINATING 1
433+COUNCIL. 2
434+
435+ (C) “OFFICE” MEANS THE OFFICE OF SECURITY MANAGEMENT . 3
436+
437+3.5–2A–02. 4
438+
439+ THERE IS AN OFFICE OF SECURITY MANAGEMENT WITHIN THE DEPARTMENT . 5
440+
441+3.5–2A–03. 6
442+
443+ (A) THE HEAD OF THE OFFICE IS THE STATE CHIEF INFORMATION 7
444+SECURITY OFFICER. 8
445+
446+ (B) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL: 9
447+
448+ (1) BE APPOINTED BY THE GOVERNOR WITH THE ADVICE AND 10
449+CONSENT OF THE SENATE; 11
450+
451+ (2) SERVE AT THE PLEASUR E OF THE GOVERNOR; 12
452+
453+ (3) BE SUPERVISED BY THE SECRETARY; AND 13
454+
455+ (4) SERVE AS THE CHIEF I NFORMATION SECURITY OFFICER OF THE 14
456+DEPARTMENT . 15
457+
458+ (C) AN INDIVIDUAL APPOINT ED AS THE STATE CHIEF INFORMATION 16
459+SECURITY OFFICER UNDER SUBSECT ION (B) OF THIS SECTION SHAL L: 17
460+
461+ (1) AT A MINIMUM, HOLD A BACHELOR ’S DEGREE; 18
462+
463+ (2) HOLD APPROPRIATE INF ORMATION TECHNOLOGY OR 19
464+CYBERSECURITY CERTIF ICATIONS; 20
465+
466+ (3) HAVE EXPERIENCE : 21
467+
468+ (I) IDENTIFYING, IMPLEMEN TING, AND OR ASSESSING 22
469+SECURITY CONTROLS ; 23
470+
471+ (II) IN INFRASTRUCTURE , SYSTEMS ENGINEERING , AND OR 24
472+CYBERSECURITY ; 25
473+ SENATE BILL 812 11
474+
475+
476+ (III) MANAGING HIGHLY TECH NICAL SECURITY , SECURITY 1
477+OPERATIONS CENTERS , AND INCIDENT RESPONS E TEAMS IN A COMPLEX CLOUD 2
478+ENVIRONMENT AND SUP PORTING MULTIPLE SIT ES; AND 3
479+
480+ (IV) WORKING WITH COMMON INFORMATION SECURITY 4
481+MANAGEMENT FRAMEWORK S; 5
482+
483+ (4) HAVE EXTENSIVE KNOWL EDGE OF INFORMATION TECHNOLOGY 6
484+AND CYBERSECURITY FI ELD CONCEPTS , BEST PRACTICES , AND PROCEDURES , WITH 7
485+AN UNDERSTANDING OF EXISTING ENTERPRISE CAPAB ILITIES AND LIMITATI ONS TO 8
486+ENSURE THE SECURE IN TEGRATION AND OPERAT ION OF SECURITY NETW ORKS AND 9
487+SYSTEMS; AND 10
488+
489+ (5) HAVE KNOWLEDGE OF CU RRENT SECURITY REGUL ATIONS. 11
490+
491+ (C) (D) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL 12
492+PROVIDE CYBERSECURITY ADVICE AND RECOMMENDATIONS TO THE GOVERNOR ON 13
493+REQUEST. 14
494+
495+ (D) (E) (1) (I) THERE IS A DIRECTOR OF LOCAL CYBERSECURITY 15
496+WHO SHALL BE APPOINT ED BY THE STATE CHIEF INFORMATION SECURITY 16
497+OFFICER. 17
498+
499+ (II) THE DIRECTOR OF LOCAL CYBERSECURITY SHALL W ORK 18
500+IN COORDINATION WITH THE MARYLAND DEPARTMENT OF EMERGENCY 19
501+MANAGEMENT TO PROVIDE TECHNICAL ASSISTANCE , COORDINATE RESOURCES , 20
502+AND IMPROVE CYBERSEC URITY PREPAREDNESS F OR UNITS OF LOCAL 21
503+GOVERNMENT . 22
504+
505+ (2) (I) THERE IS A DIRECTOR OF STATE CYBERSECURITY WHO 23
506+SHALL BE APPOINTED BY THE STATE CHIEF INFORMATION SECURITY OFFICER. 24
507+
508+ (II) THE DIRECTOR OF STATE CYBERSECURITY IS 25
509+RESPONSIBLE FOR IMPL EMENTATION OF THIS S ECTION WITH RESPECT TO UNITS OF 26
510+STATE GOVERNMENT . 27
511+
512+ (E) (F) THE DEPARTMENT SHALL PROV IDE THE OFFICE WI TH 28
513+SUFFICIENT STAFF TO PERFORM THE FUNCTION S OF THIS SUBTITLE. 29
514+
515+ (F) THE OFFICE MAY PROCURE RE SOURCES, INCLUDING REGIONAL 30
516+COORDINATORS , NECESSARY TO FULFILL THE REQUIREMENTS OF THIS SUBTITLE. 31
517+
518+3.5–2A–04. 32
519+ 12 SENATE BILL 812
520+
521+
522+ (A) (1) THE OFFICE IS RESPONSIBLE FOR: 1
523+
524+ (1) (I) THE DIRECTION , COORDINATION , AND IMPLEMENTATION 2
525+OF THE OVERALL CYBER SECURITY STRATEGY AN D POLICY FOR UNITS O F STATE 3
526+GOVERNMENT ; AND 4
527+
528+ (2) THE COORDINATION OF RESOURCES AND EFFORT S TO 5
529+IMPLEMENT CYBERSECUR ITY BEST PRACTICES A ND IMPROVE OVERALL 6
530+CYBERSECURITY PREPAREDNESS AND RES PONSE FOR UNITS OF L OCAL 7
531+GOVERNMENT , LOCAL SCHOOL BOARDS , LOCAL SCHOOL SYSTEMS , AND LOCAL 8
532+HEALTH DEPARTMENTS . 9
533+
534+ (II) COORDINATING WITH TH E MARYLAND DEPARTMENT OF 10
535+EMERGENCY MANAGEMENT CYBER PREPAREDNESS UNIT DURING EMERGENCY 11
536+RESPONSE EFFORTS. 12
537+
538+ (2) THE OFFICE IS NOT RESPONS IBLE FOR THE INFORMA TION 13
539+TECHNOLOGY INSTALLAT ION AND MAINTENANCE OPERATIONS NORMALLY 14
540+CONDUCTED BY A UNIT OF STATE GOVERNMENT , A UNIT OF LOCAL GOVE RNMENT, A 15
541+LOCAL SCHOOL BOARD , A LOCAL SCHOOL SYSTE M, OR A LOCAL HEALTH 16
542+DEPARTMENT . 17
543+
544+ (B) THE OFFICE SHALL: 18
545+
546+ (1) ESTABLISH STANDARDS TO CATEGORIZE ALL IN FORMATION 19
547+COLLECTED OR MAINTAI NED BY OR ON BEHALF OF EACH UNIT OF STATE 20
548+GOVERNMENT ; 21
549+
550+ (2) ESTABLISH STANDARDS TO CATEGORIZE ALL IN FORMATION 22
551+SYSTEMS MAINTAINED B Y OR ON BEHALF OF EACH UN IT OF STATE GOVERNMENT ; 23
552+
553+ (3) DEVELOP GUIDELINES G OVERNING THE TYPES O F INFORMATION 24
554+AND INFORMATION SYST EMS TO BE INCLUDED I N EACH CATEGORY ; 25
555+
556+ (4) ESTABLISH SECURITY R EQUIREMENTS FOR INFO RMATION AND 26
557+INFORMATION SYSTEMS IN EACH CATEGO RY; 27
558+
559+ (5) ASSESS THE CATEGORIZ ATION OF INFORMATION AND 28
560+INFORMATION SYSTEMS AND THE ASSOCIATED I MPLEMENTATION OF THE SECURITY 29
561+REQUIREMENTS ESTABLI SHED UNDER ITEM (4) OF THIS SUBSECTION ; 30
562+
563+ (6) IF THE STATE CHIEF INFORMATION SECURITY OFFICER 31
564+DETERMINES THAT THERE ARE SECURITY V ULNERABILITIES OR DE FICIENCIES IN 32
565+THE IMPLEMENTATION O F THE SECURITY REQUI REMENTS ESTABLISHED UNDER 33 SENATE BILL 812 13
566+
567+
568+ITEM (4) OF THIS SUBSECTION , DETERMINE WHETHER AN INFORMATION SYSTEM 1
569+SHOULD BE ALLOWED TO CONTINUE TO OPERATE OR BE CONNECTED TO T HE 2
570+NETWORK ESTABLISHED IN ACCORDANCE WITH § 3.5–404 OF THIS TITLE; ANY 3
571+INFORMATION SYSTEMS , DETERMINE AND DIRECT OR TAKE ACTIONS NECE SSARY TO 4
572+CORRECT OR REMEDIATE THE VULNERABILITIES OR DEFICIENCIES , WHICH MAY 5
573+INCLUDE REQUIRING TH E INFORMATION SYSTEM TO BE DISCONNECTED ; 6
574+
575+ (7) IF THE STATE CHIEF INFORMATION SECURITY OFFICER 7
576+DETERMINES THAT THER E IS A CYBERSECURITY THREAT CAUSED BY AN ENTITY 8
577+CONNECTED TO THE NET WORK ESTABLISHED UND ER § 3.5–404 OF THIS TITLE THAT 9
578+INTRODUCES A SERIOUS RISK TO ENTITIES CON NECTED TO THE NETWORK OR TO 10
579+THE STATE, TAKE OR DIRECT ACTIO NS REQUIRED TO MITIG ATE THE THREAT ; 11
580+
581+ (7) (8) MANAGE SECURITY AWAR ENESS TRAINING FOR A LL 12
582+APPROPRIATE EMPLOYEE S OF UNITS OF STATE GOVERNMENT ; 13
583+
584+ (8) (9) ASSIST IN THE DEVELO PMENT OF DATA MANAGE MENT, 14
585+DATA GOVERNANCE , AND DATA SPECIFICATI ON STANDARDS TO PROM OTE 15
586+STANDARDIZATION AND REDUCE RISK; 16
587+
588+ (9) (10) ASSIST IN THE DEVELO PMENT OF A DIGITAL I DENTITY 17
589+STANDARD AND SPECIFI CATION APPLICABLE TO ALL PARTIES COMMUNIC ATING, 18
590+INTERACTING, OR CONDUCTING BUSINE SS WITH OR ON BEHALF OF A UNIT OF STATE 19
591+GOVERNMENT ; 20
592+
593+ (10) (11) DEVELOP AND MAINTAIN INFORMATION TECHNOLO GY 21
594+SECURITY POLICY , STANDARDS, AND GUIDANCE DOCUMEN TS, CONSISTENT WITH 22
595+BEST PRACTICES DEVEL OPED BY THE NATIONAL INSTITUTE OF STANDARDS AND 23
596+TECHNOLOGY ; 24
597+
598+ (11) (12) TO THE EXTENT PRACTI CABLE, SEEK, IDENTIFY, AND 25
599+INFORM RELEVANT STAK EHOLDERS OF ANY AVAI LABLE FINANCIAL ASSI STANCE 26
600+PROVIDED BY THE FEDE RAL GOVERNMENT OR NO N–STATE ENTITIES TO SUP PORT 27
601+THE WORK OF THE OFFICE; 28
602+
603+ (12) REVIEW AND CERTIFY L OCAL CYBERSECURITY PREPAR EDNESS 29
604+AND RESPONSE PLANS ; 30
605+
606+ (13) PROVIDE TECHNICAL AS SISTANCE TO LOCALITI ES IN MITIGATING 31
607+AND RECOVERING FROM CYBERSECURITY INCIDE NTS; AND 32
608+
609+ (14) PROVIDE TECHNICAL SE RVICES, ADVICE, AND GUIDANCE TO 33
610+UNITS OF LOCAL GOVER NMENT TO IMPROVE CYBERSECURIT Y PREPAREDNESS , 34
611+PREVENTION , RESPONSE, AND RECOVERY PRACTIC ES. 35 14 SENATE BILL 812
612+
613+
614+
615+ (C) THE OFFICE, IN COORDINATION WITH THE MARYLAND DEPARTMENT 1
616+OF EMERGENCY MANAGEMENT , SHALL: 2
617+
618+ (1) ASSIST LOCAL POLITIC AL SUBDIVISIONS , INCLUDING COUNTIES , 3
619+SCHOOL SYSTEMS , SCHOOL BOARDS , AND LOCAL HEALTH DEP ARTMENTS, IN: 4
620+
621+ (I) THE DEVELOPMENT OF C YBERSECURITY PREPARE DNESS 5
622+AND RESPONSE PLANS ; AND 6
623+
624+ (II) IMPLEMENTING BEST PR ACTICES AND GUIDANCE 7
625+DEVELOPED BY THE DEPARTMENT ; AND 8
626+
627+ (2) CONNECT LOCAL ENTITI ES TO APPROPRIA TE RESOURCES FOR 9
628+ANY OTHER PURPOSE RE LATED TO CYBERSECURI TY PREPAREDNESS AND 10
629+RESPONSE; AND 11
630+
631+ (3) DEVELOP APPROPRIATE REPORTS ON LOCAL CYB ERSECURITY 12
632+PREPAREDNESS . 13
633+
634+ (D) THE OFFICE, IN COORDINATION WITH THE MARYLAND DEPARTMENT 14
635+OF EMERGENCY MANAGEMENT , MAY: 15
636+
637+ (1) CONDUCT REGIONAL EXE RCISES, AS NECESSARY , IN 16
638+COORDINATION WITH TH E NATIONAL GUARD, LOCAL EMERGENCY MANA GERS, AND 17
639+OTHER STATE AND LOCAL ENTIT IES; AND 18
640+
641+ (2) ESTABLISH REGIONAL A SSISTANCE GROUPS TO DELIVER OR 19
642+COORDINATE SUPPORT S ERVICES TO LOCAL POL ITICAL SUBDIVISIONS , AGENCIES, 20
643+OR REGIONS. 21
644+
645+ (E) (1) ON OR BEFORE DECEMBER 31 EACH YEAR, THE OFFICE SHALL 22
646+REPORT TO THE GOVERNOR AND , IN ACCORDANCE WITH § 2–1257 OF THE STATE 23
647+GOVERNMENT ARTICLE, THE SENATE BUDGET AND TAXATION COMMITTEE, THE 24
648+SENATE EDUCATION, HEALTH, AND ENVIRONMENTAL AFFAIRS COMMITTEE, THE 25
649+HOUSE APPROPRIATIONS COMMITTEE, THE HOUSE HEALTH AND GOVERNMENT 26
650+OPERATIONS COMMITTEE, AND THE JOINT COMMITTEE ON CYBERSECURITY , 27
651+INFORMATION TECHNOLOGY , AND BIOTECHNOLOGY ON THE ACTIVITIES OF THE 28
652+OFFICE AND THE STATE OF CYBE RSECURITY PREPAREDNE SS IN MARYLAND, 29
653+INCLUDING: 30
654+
655+ (1) (I) THE ACTIVITIES AND A CCOMPLISHMENTS OF TH E OFFICE 31
656+DURING THE PREVIOUS 12 MONTHS AT THE STATE AND LOCAL LEVEL S; AND 32
657+ SENATE BILL 812 15
658+
659+
660+ (2) (II) A COMPILATION AND AN ALYSIS OF THE DATA F ROM THE 1
661+INFORMATION CONTAINE D IN THE REPORTS REC EIVED BY THE OFFICE UNDER § 2
662+3.5–405 OF THIS TITLE, INCLUDING: 3
663+
664+ (I) 1. A SUMMARY OF THE ISS UES IDENTIFIED BY TH E 4
665+CYBERSECURITY PREPAR EDNESS ASSESSMENTS C ONDUCTED THA T YEAR; 5
666+
667+ (II) 2. THE STATUS OF VULNER ABILITY ASSESSMENTS OF 6
668+ALL UNITS OF STATE GOVERNMENT AND A TIMELINE FOR COMPL ETION AND COST 7
669+TO REMEDIATE ANY VUL NERABILITIES EXPOSED ; 8
670+
671+ (III) 3. RECENT AUDIT FINDING S OF ALL UNITS OF STATE 9
672+GOVERNMENT AND OPTIO NS TO IMPROVE FINDINGS IN FUTURE AUDITS , INCLUDING 10
673+RECOMMENDATIONS FOR STAFF, BUDGET, AND TIMING; 11
674+
675+ (IV) 4. ANALYSIS OF THE STATE’S EXPENDITURE ON 12
676+CYBERSECURITY RELATI VE TO OVERALL INFORM ATION TECHNOLOGY SPE NDING 13
677+FOR THE PRIOR 3 YEARS AND RECOMMENDA TIONS FOR CHANGES TO THE BU DGET, 14
678+INCLUDING AMOUNT , PURPOSE, AND TIMING TO IMPROV E STATE AND LOCAL 15
679+CYBERSECURITY PREPAR EDNESS; 16
680+
681+ (V) 5. EFFORTS TO SECURE FI NANCIAL SUPPORT FOR 17
682+CYBER RISK MITIGATIO N FROM FEDERAL OR OT HER NON–STATE RESOURCES ; 18
683+
684+ (VI) 6. KEY PERF ORMANCE INDICATORS O N THE 19
685+CYBERSECURITY STRATE GIES IN THE DEPARTMENT ’S INFORMATION TECHNO LOGY 20
686+MASTER PLAN , INCLUDING TIME , BUDGET, AND STAFF REQUIRED F OR 21
687+IMPLEMENTATION ; AND 22
688+
689+ (VII) 7. ANY ADDITIONAL RECOM MENDATIONS FOR 23
690+IMPROVING STATE AND LOCAL CYBER SECURITY PREPAREDNESS . 24
691+
692+ (2) A REPORT SUBMITTED UND ER THIS SUBSECTION M AY NOT 25
693+CONTAIN INFORMATION THAT REVEALS CYBERSE CURITY VULNERABILITI ES AND 26
694+RISKS IN THE STATE. 27
695+
696+3.5–2A–05. 28
697+
698+ (A) THERE IS A MARYLAND CYBERSECURITY COORDINATING COUNCIL. 29
699+
700+ (B) (1) THE COUNCIL CONSISTS OF T HE FOLLOWING MEMBERS : 30
701+
702+ (1) THE SECRETARY OF BUDGET AND MANAGEMENT , OR THE 31
703+SECRETARY’S DESIGNEE; 32 16 SENATE BILL 812
704+
705+
706+
707+ (2) THE SECRETARY OF GENERAL SERVICES, OR THE SECRETARY’S 1
708+DESIGNEE; 2
709+
710+ (3) THE SECRETARY OF HEALTH, OR THE SECRETARY’S DESIGNEE; 3
711+
712+ (4) THE SECRETARY OF HUMAN SERVICES, OR THE SECRETARY’S 4
713+DESIGNEE; 5
714+
715+ (5) THE SECRETARY OF PUBLIC SAFETY AND CORRECTIONAL 6
716+SERVICES, OR THE SECRETARY’S DESIGNEE; 7
717+
718+ (6) THE SECRETARY OF TRANSPORTATION , OR THE SECRETARY’S 8
719+DESIGNEE; 9
720+
721+ (7) THE SECRETARY OF DISABILITIES, OR THE SECRETARY’S 10
722+DESIGNEE; 11
723+
724+ (I) THE SECRETARY OF EAC H OF THE PRINCIPAL 12
725+DEPARTMENTS LISTED I N § 8–201 OF THE STATE GOVERNMENT ARTICLE, OR A 13
726+SECRETARY’S DESIGNEE; 14
727+
728+ (8) (II) THE STATE CHIEF INFORMATION SECURITY OFFICER; 15
729+
730+ (9) (III) THE ADJUTANT GENERAL OF THE MARYLAND NATIONAL 16
731+GUARD, OR THE ADJUTANT GENERAL’S DESIGNEE; 17
732+
733+ (10) THE SECRETARY OF EMERGENCY MANAGEMENT , OR THE 18
734+SECRETARY’S DESIGNEE; 19
735+
736+ (11) (IV) THE SUPERINTENDENT OF STATE POLICE, OR THE 20
737+SUPERINTENDENT ’S DESIGNEE; 21
738+
739+ (12) (V) THE DIRECTOR OF THE GOVERNOR’S OFFICE OF 22
740+HOMELAND SECURITY, OR THE DIRECTOR’S DESIGNEE; 23
741+
742+ (13) (VI) THE EXECUTIVE DIRECTOR OF THE DEPARTMENT OF 24
743+LEGISLATIVE SERVICES, OR THE EXECUTIVE DIRECTOR’S DESIGNEE; 25
744+
745+ (14) (VII) ONE REPRESENTATIVE O F THE ADMINISTRATIVE OFFICE 26
746+OF THE COURTS; 27
747+
748+ (15) (VIII) THE CHANCELLOR OF THE UNIVERSITY SYSTEM OF 28
749+MARYLAND, OR THE CHANCELLOR ’S DESIGNEE; AND 29 SENATE BILL 812 17
750+
751+
752+
753+ (16) (IX) ANY OTHER STAKEHOLDE R THAT THE STATE CHIEF 1
754+INFORMATION SECURITY OFFICER DEEMS APPROPRIATE . 2
755+
756+ (2) IF A DESIGNEE SERVES ON THE COUNCIL IN PLACE OF A N 3
757+OFFICIAL LISTED IN P ARAGRAPH (1) OF THIS SUBSECTION , THE DESIGNEE SHALL 4
758+REPORT INFORMATION F ROM THE COUNCIL MEETINGS AND OTHER 5
759+COMMUNICATIONS TO TH E OFFICIAL. 6
760+
761+ (C) IN ADDITION TO THE MEMBERS LISTED UNDER SUBSECTION (B) OF THIS 7
762+SECTION, THE FOLLOWING REPRES ENTATIVES MAY SERVE AS NONVOTING 8
763+MEMBERS OF THE COUNCIL: 9
764+
765+ (1) ONE MEMBER OF THE SENATE OF MARYLAND, APPOINTED BY THE 10
766+PRESIDENT OF THE SENATE; 11
767+
768+ (2) ONE MEMBER OF THE HOUSE OF DELEGATES, APPOINTED BY THE 12
769+SPEAKER OF THE HOUSE; AND 13
770+
771+ (3) ONE REPRESENTATIVE O F THE JUDICIARY , APPOINTED BY THE 14
772+CHIEF JUDGE OF THE COURT OF APPEALS. 15
773+
774+ (C) (D) THE CHAIR OF THE COUNCIL IS THE STATE CHIEF INFORMATION 16
775+SECURITY OFFICER. 17
776+
777+ (D) (E) (1) THE COUNCIL SHALL MEET AT LEA ST QUARTERLY AT THE 18
778+REQUEST OF THE CHAIR . 19
779+
780+ (2) MEETINGS OF THE COUNCIL SHALL BE CLOS ED TO THE PUBLIC 20
781+AND NOT SUBJECT TO TITLE 3 OF THE GENERAL PROVISIONS ARTICLE. 21
782+
783+ (E) (F) THE COUNCIL SHALL: 22
784+
785+ (1) PROVIDE ADVICE AND R ECOMMENDATIONS TO THE STATE CHIEF 23
786+INFORMATION SECURITY OFFICER REGARDING : 24
787+
788+ (I) THE STRATEGY AND IMP LEMENTATION OF CYBER SECURITY 25
789+INITIATIVES AND RECO MMENDATIONS ; AND 26
790+
791+ (II) BUILDING AND SUSTAIN ING THE CAPABILITY O F THE STATE 27
792+TO IDENTIFY AND MITI GATE CYBERSECURITY RISK AND RESPOND TO AND RECOVER 28
793+FROM CYBERSECURITY –RELATED INCIDENTS . 29
794+ 18 SENATE BILL 812
795+
796+
797+ (2) USE THE ANALYSIS COM PILED BY THE OFFICE UNDER § 1
798+3.5–2A–04(E)(2) OF THIS SUBTITLE TO PRIORITIZE CYBERSECU RITY RISK ACROSS 2
799+THE EXECUTIVE BRANCH OF STATE GOVERNMENT AND MAKE CORRESP ONDING 3
800+RECOMMENDATIONS FOR SECURITY INVESTMENTS IN THE GOVERNOR’S ANNUAL 4
801+BUDGET. 5
802+
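Review bot: The cross-reference in item (2), "§ 3.5–2A–04(E)(2)", looks stale after the relabeling inside § 3.5–2A–04(E). Reading the second label of each pair as the current one, the compilation and analysis of the § 3.5–405 reports now sits at (E)(1)(II), while (E)(2) is the new paragraph barring the report from revealing cybersecurity vulnerabilities and risks. Suggest pointing this item at § 3.5–2A–04(E)(1)(II) so the Council's risk prioritization is tied to the analysis rather than to the disclosure restriction.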
803+ (F) (G) IN CARRYING OUT THE D UTIES OF THE COUNCIL, THE COUNCIL 6
804+MAY SHALL CONSULT WITH OUTSIDE EXPERTS, INCLUDING EXPERTS IN THE 7
805+PRIVATE SECTOR , GOVERNMENT AGENCIES , AND INST ITUTIONS OF HIGHER 8
806+EDUCATION. 9
807+
808+3.5–2A–06. 10
809+
810+ THE COUNCIL SHALL STUDY T HE SECURITY AND FINA NCIAL IMPLICATIONS O F 11
811+EXECUTING PARTNERSHI PS WITH OTHER STATES TO PROCURE INFORMATI ON 12
812+TECHNOLOGY AND CYBER SECURITY PRODUCTS AN D SERVICES, INCLUDING THE 13
813+IMPLICATIONS FOR POLITICAL SUBDIV ISIONS OF THE STATE. 14
814+
815+3.5–2A–07. 15
816+
817+ THE COUNCIL SHALL: 16
818+
819+ (1) PROMOTE CYBERSECURIT Y EDUCATION AND TRAI NING 17
820+OPPORTUNITIES TO STR ENGTHEN THE STATE’S CYBERSECURITY CAPA BILITIES BY 18
821+EXPANDING EXISTING A GREEMENTS WITH EDUCA TIONAL INSTITUTIONS ; 19
822+
823+ (2) UTILIZE RELATIONSHIP S WITH INSTITUTIONS OF HIGHER 20
824+EDUCATION TO ADVERTI SE CYBERSECURITY CAR EERS AND JOB POSITIO NS 21
825+AVAILABLE IN STATE OR LOCAL GOVERN MENT, INCLUDING THE MARYLAND 22
826+TECHNOLOGY INTERNSHIP PROGRAM ESTABLISHED U NDER TITLE 18, SUBTITLE 30 23
827+OF THE EDUCATION ARTICLE; AND. 24
828+
829+ (3) ASSIST INTERESTED CA NDIDATES WITH APPLYI NG FOR 25
830+CYBERSECURITY POSITI ONS IN STATE OR LOCAL GOVERN MENT. 26
831+
832+3.5–301. 27
833+
834+ (a) In this subtitle the following words have the meanings indicated. 28
835+
836+ (i) “Master plan” means the statewide information technology master plan AND 29
837+STATEWIDE CYBERSECUR ITY STRATEGY. 30
838+
839+ (j) “Nonvisual access” means the ability, through keyboard control, synthesized 31
840+speech, Braille, or other methods not requiring sight to receive, use, and manipulate 32 SENATE BILL 812 19
841+
842+
843+information and operate controls necessary to access information technology in accordance 1
844+with standards adopted under [§ 3A–303(b)] § 3.5–303(B) of this subtitle. 2
845+
846+3.5–302. 3
847+
848+ (a) This subtitle does not apply to changes relating to or the purchase, lease, or 4
849+rental of information technology by: 5
850+
851+ (1) public institutions of higher education solely for academic or research 6
852+purposes; 7
853+
854+ (2) the Maryland Port Administration; 8
855+
856+ (3) the University System of Maryland; 9
857+
858+ (4) St. Mary’s College of Maryland; 10
859+
860+ (5) Morgan State University; 11
861+
862+ (6) the Maryland Stadium Authority; [or] 12
863+
864+ (7) Baltimore City Community College; 13
865+
866+ (8) THE LEGISLATIVE BRANCH OF STATE GOVERNMENT ; OR 14
867+
868+ (9) THE JUDICIAL BRANCH OF STATE GOVERNMENT .; 15
869+
870+ (10) THE OFFICE OF THE ATTORNEY GENERAL; 16
871+
872+ (11) THE COMPTROLLER ; OR 17
873+
874+ (12) THE STATE TREASURER. 18
875+
876+ (b) Except as provided in subsection (a) of this section, this subtitle applies to any 19
877+project of a unit of the Executive Branch of State government that involves an agreement 20
878+with a public institution of higher education for a portion of the development of the project, 21
879+whether the work on the development is done directly or indirectly by the public institution 22
880+of higher education. 23
881+
882+ (c) Notwithstanding any other provision of law, except as provided in subsection 24
883+(a) of this section and [§§ 3A–307(a)(2), 3A–308, and 3A–309] §§ 3.5–306(A)(2), 3.5–307, 25
884+3.5–307(A)(2), 3.5–308 AND 3.5–308 3.5–309 of this subtitle, this subtitle applies to all 26
885+units of the Executive Branch of State government including public institutions of higher 27
886+education other than Morgan State University, the University System of Maryland, St. 28
887+Mary’s College of Maryland, and Baltimore City Community College. 29
888+ 20 SENATE BILL 812
889+
890+
891+3.5–303. 1
892+
893+ (a) The Secretary is responsible for carrying out the following duties: 2
894+
895+ (1) developing, maintaining, revising, and enforcing information 3
896+technology policies, procedures, and standards; 4
897+
898+ (2) providing technical assistance, advice, and recommendations to the 5
899+Governor and any unit of State government concerning information technology matters; 6
900+
901+ (3) reviewing the annual project plan for each unit of State government to 7
902+make information and services available to the public over the Internet; 8
903+
904+ (4) developing and maintaining a statewide information technology master 9
905+plan that will: 10
906+
907+ (i) [be the basis for] CENTRALIZE the management and direction of 11
908+information technology POLICY within the Executive Branch of State government UNDER 12
909+THE CONTROL OF THE DEPARTMENT ; 13
910+
911+ (ii) include all aspects of State information technology including 14
912+telecommunications, security, data processing, and information management; 15
913+
914+ (iii) consider interstate transfers as a result of federal legislation and 16
915+regulation; 17
916+
917+ (iv) [work jointly with the Secretary of Budget and Management to 18
918+ensure that information technology plans and budgets are consistent; 19
919+
920+ (v)] ensure that THE State information technology [plans, policies,] 20
921+PLAN AND RELATED POL ICIES and standards are consistent with State goals, objectives, 21
922+and resources, and represent a long–range vision for using information technology to 22
923+improve the overall effectiveness of State government; and 23
924+
925+ [(vi)] (V) include standards to assure nonvisual access to the 24
926+information and services made available to the public over the Internet; AND 25
927+
928+ (VI) ALLOWS A STATE AGENCY TO MAINT AIN THE AGENCY ’S OWN 26
929+INFORMATION TECHNOLO GY UNIT THAT PROVIDE S FOR INFORMATION 27
930+TECHNOLOGY SERVICES TO SUPPORT THE MISSI ON OF THE AGENCY .; 28
931+
932+ (5) PROVIDING OR COORDIN ATING THE PROCUREMEN T OF MANAGED 29
933+CYBERSECURITY SERVIC ES THAT ARE PAID FOR BY THE STATE AND USED BY LOC AL 30
934+GOVERNMENTS ; 31
935+ SENATE BILL 812 21
936+
937+
938+ (6) (5) DEVELOPING AND MAINT AINING A STATEWIDE 1
939+CYBERSECURITY MASTER PLAN STRATEGY THAT WILL: 2
940+
941+ (I) CENTRALIZE THE MANAG EMENT AND DIRECTION OF 3
942+CYBERSECURITY STRATE GY WITHIN THE EXECUTIVE BRANCH OF STATE 4
943+GOVERNMENT UNDER THE CONTROL OF THE DEPARTMENT ; AND 5
944+
945+ (II) SERVE AS THE BASIS F OR BUDGET ALLOCATION S FOR 6
946+CYBERSECURITY PREPAREDNESS FOR THE EXECUTIVE BRANCH OF STATE 7
947+GOVERNMENT ; 8
948+
949+ [(5)] (7) (6) adopting by regulation and enforcing nonvisual access standards 9
950+to be used in the procurement of information technology services by or on behalf of units of 10
951+State government in accordance with subsection (b) of this section; 11
952+
953+ [(6)] (8) (7) in consultation with the [Attorney General,] MARYLAND 12
954+CYBERSECURITY COORDINATING COUNCIL, advising and overseeing a consistent 13
955+cybersecurity strategy for units of State government, including institutions under the 14
956+control of the governing boards of the public institutions of higher education; 15
957+
958+ [(7)] (9) (8) advising and consulting with the Legislative and Judicial 16
959+branches of State government regarding a cybersecurity strategy; and 17
960+
961+ [(8)] (10) (9) in consultation with the [Attorney General,] MARYLAND 18
962+CYBERSECURITY COORDINATING COUNCIL, developing guidance on consistent 19
963+cybersecurity strategies for counties, municipal corporations, school systems, and all other 20
964+political subdivisions of the State. 21
965+
966+ (b) Nothing in subsection (a) of this section may be construed as establishing a 22
967+mandate for any entity listed in subsection [(a)(8)] (A)(10) of this section. 23
968+
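Review bot: the cross-reference in subsection (b), "(A)(10)", may be stale. The item it targets, guidance on consistent cybersecurity strategies for counties, municipal corporations, school systems and other political subdivisions, is numbered "[(8)] (10) (9)" in the list above, while (b) carries only "[(a)(8)] (A)(10)". If (9) is the number that survives the renumbering, (b) should read (A)(9); otherwise the no-mandate clause points at an item that no longer exists.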
969+ (c) On or before January 1, 2020, the Secretary, or the Secretary’s designee, shall: 24
970+
971+ (1) adopt new nonvisual access procurement standards that: 25
972+
973+ (i) provide an individual with disabilities with nonvisual access in a 26
974+way that is fully and equally accessible to and independently usable by the individual with 27
975+disabilities so that the individual is able to acquire the same information, engage in the 28
976+same interactions, and enjoy the same services as users without disabilities, with 29
977+substantially equivalent ease of use; and 30
978+
979+ (ii) are consistent with the standards of § 508 of the federal 31
980+Rehabilitation Act of 1973; and 32
981+
982+ (2) establish a process for the Secretary or the Secretary’s designee to: 33 22 SENATE BILL 812
983+
984+
985+
986+ (i) determine whether information technology meets the nonvisual 1
987+access standards adopted under item (1) of this subsection; and 2
988+
989+ (ii) 1. for information technology procured by a State unit before 3
990+January 1, 2020, and still used by the State unit on or after January 1, 2020, work with the 4
991+vendor to modify the information technology to meet the nonvisual access standards, if 5
992+practicable; or 6
993+
994+ 2. for information technology procured by a State unit on or 7
995+after January 1, 2020, enforce the nonvisual access clause developed under [§ 3A–311] § 8
996+3.5–310 3.5–311 of this subtitle, including the enforcement of the civil penalty described 9
997+in [§ 3A–311(a)(2)(iii)1] § 3.5–310(A)(2)(III)1 3.5–311(A)(2)(III)1 of this subtitle. 10
998+
999+ (D) (1) THE GOVERNOR SHALL INCLUD E AN APPROPRIATION I N THE 11
1000+ANNUAL BUDGET BILL I N AN AMOUNT NECESSAR Y TO COVER THE COSTS OF 12
1001+IMPLEMENTING THE STA TEWIDE CYBERSECURITY MASTER PLAN DEVE LOPED 13
1002+UNDER SUBSECTION (A) OF THIS SECTION WITH OUT THE NEED FOR THE 14
1003+DEPARTMENT TO OPERATE A CHARGE –BACK MODEL FOR CYBER SECURITY 15
1004+SERVICES PROVIDED TO OTHER UNITS OF STATE GOVERNMENT OR U NITS OF LOCAL 16
1005+GOVERNMENT . 17
1006+
1007+ (2) ON OR BEFORE JANUARY 31 EACH YEAR, IN A SEPARATE REPORT 18
1008+OR INCLUDED WITHIN A GENERAL BUDGET REPOR T, THE GOVERNOR SHALL SUBMIT 19
1009+A REPORT IN ACCORDAN CE WITH § 2–1257 OF THE STATE GOVERNMENT ARTICLE 20
1010+TO THE SENATE BUDGET AND TAXATION COMMITTEE AND THE HOUSE 21
1011+APPROPRIATIONS COMMITTEE THAT INCLUD ES: 22
1012+
1013+ (I) SPECIFIC INFORMATION ON THE INFORMATION 23
1014+TECHNOLOGY BUDGET AN D CYBERSECURITY BUDG ET THAT THE GOVERNOR HAS 24
1015+SUBMITTED TO THE GENERAL ASSEMBLY FOR THE UPCO MING FISCAL YEAR ; AND 25
1016+
1017+ (II) HOW THE BUDGETS LIST ED UNDER ITEM (I) OF THIS 26
1018+PARAGRAPH COMPARE TO THE ANNUAL OVERVIEW OF THE U.S. PRESIDENT’S 27
1019+BUDGET SUBMISSION ON INFORMATION TECHNOLO GY AND CYBERSECURITY TO 28
1020+CONGRESS CONDUCTED BY THE U.S. OFFICE OF MANAGEMENT AND BUDGET. 29
1021+
1022+3.5–305. 30
1023+
1024+ (a) [Except as provided in subsection (b) of this section, in accordance with 31
1025+guidelines established by the Secretary, each unit of State government shall develop and 32
1026+submit to the Secretary: 33
1027+
1028+ (1) information technology policies and standards; 34
1029+ SENATE BILL 812 23
1030+
1031+
1032+ (2) an information technology plan; and 1
1033+
1034+ (3) an annual project plan outlining the status of efforts to make 2
1035+information and services available to the public over the Internet. 3
1036+
1037+ (b) (1)] The governing boards of the public institutions of higher education shall 4
1038+develop and submit information technology policies and standards and an information 5
1039+technology plan for their respective institutions or systems to the Secretary. 6
1040+
1041+ [(2)] (B) If the Secretary finds that the submissions required under this 7
1042+[subsection] SECTION are consistent with the master plan, the Secretary shall incorporate 8
1043+those submissions into the master plan. 9
1044+
1045+ [(3)] (C) If the Secretary finds that the submissions required under this 10
1046+[subsection] SECTION are not consistent with the master plan: 11
1047+
1048+ (i) the Secretary shall return the submissions to the governing 12
1049+boards; and 13
1050+
1051+ (ii) the governing boards shall revise the submissions as appropriate 14
1052+and submit the revised policies, standards, and plans to the Secretary. 15
1053+
1054+[3.5–306. 16
1055+
1056+ Information technology of each unit of State government shall be consistent with the 17
1057+master plan.] 18
1058+
1059+[3.5–307.] 3.5–306. 19
1060+
1061+ (a) (1) [A unit of State government] THE DEPARTMENT may not purchase, 20
1062+lease, or rent information technology ON BEHALF OF A UNIT OF STATE GOVERNMENT 21
1063+unless consistent with the master plan STRATEGY. 22
1064+
1065+ (2) A unit of State government other than a public institution of higher 23
1066+education [may not make] SHALL SUBMIT REQUEST S FOR expenditures for major 24
1067+information technology development projects OR CYBERSECURITY PRO JECTS except as 25
1068+provided in [§ 3A–308] § 3.5–307 3.5–308 of this subtitle. 26
1069+
1070+ (b) [(1)] The Secretary may review any information technology project OR 27
1071+CYBERSECURITY PROJEC T for consistency with the master plan STRATEGY. 28
1072+
1073+ [(2) Any information technology project selected for review may not be 29
1074+implemented without the approval of the Secretary.] 30
1075+ 24 SENATE BILL 812
1076+
1077+
1078+ (c) (1) A unit of State government shall advise the Secretary of any 1
1079+information technology proposal involving resource sharing, the exchange of goods or 2
1080+services, or a gift, contribution, or grant of real or personal property. 3
1081+
1082+ (2) The Secretary shall determine if the value of the resources, services, 4
1083+and property to be obtained by the State under the terms of any proposal submitted in 5
1084+accordance with the provisions of paragraph (1) of this subsection equals or exceeds 6
1085+$100,000. 7
1086+
1087+ (3) If the value of any proposal submitted in accordance with this 8
1088+subsection equals or exceeds $100,000 and the Secretary and unit agree to proceed with the 9
1089+proposal, information on the proposal shall be: 10
1090+
1091+ (i) advertised for a period of at least 30 days in the eMaryland 11
1092+Marketplace; and 12
1093+
1094+ (ii) submitted, simultaneously with the advertisement, to the 13
1095+Legislative Policy Committee for a 60–day review and comment period, during which time 14
1096+the Committee may recommend that the proposal be treated as a procurement contract 15
1097+under Division II of this article. 16
1098+
1099+ (4) Following the period for review and comment by the Legislative Policy 17
1100+Committee under paragraph (3) of this subsection, the proposal is subject to approval by 18
1101+the Board of Public Works. 19
1102+
1103+ (5) This subsection may not be construed as authorizing an exception from 20
1104+the requirements of Division II of this article for any contract that otherwise would be 21
1105+subject to the State procurement process. 22
1106+
1107+[3.5–308.] 3.5–307. 23
1108+
1109+ (a) This section does not apply to a public institution of higher education. 24
1110+
1111+ (b) In submitting its information technology project requests, a unit of State 25
1112+government shall designate projects which are major information technology development 26
1113+projects. 27
1114+
1115+ (c) In reviewing information technology project requests, the Secretary may 28
1116+change a unit’s designation of a major information technology development project. 29
1117+
1118+ (d) The Secretary shall review and, with the advice of the Secretary of Budget and 30
1119+Management, approve major inform ation technology development projects and 31
1120+specifications for consistency with all statewide plans, policies, and standards, including a 32
1121+systems development life cycle plan. 33
1122+
1123+ (e) The Secretary shall be responsible for overseeing the implementation of major 34
1124+information technology development projects[, regardless of fund source]. 35 SENATE BILL 812 25
1125+
1126+
1127+
1128+ (f) With the advice of the Secretary of Budget and Management, expenditures for 1
1129+major information technology development projects shall be subject to the approval of the 2
1130+Secretary who shall approve expenditures only when those projects are consistent with 3
1131+statewide plans, policies, and standards. 4
1132+
1133+ (g) (1) The Secretary shall approve funding for major information technology 5
1134+development projects only when those projects are supported by an approved systems 6
1135+development life cycle plan. 7
1136+
1137+ (2) An approved systems development life cycle plan shall include 8
1138+submission of: 9
1139+
1140+ (i) a project planning request that details initial planning for the 10
1141+project, including: 11
1142+
1143+ 1. the project title, appropriation code, and summary; 12
1144+
1145+ 2. a description of: 13
1146+
1147+ A. the needs addressed by the project; 14
1148+
1149+ B. the potential risks associated with the project; 15
1150+
1151+ C. possible alternatives; and 16
1152+
1153+ D. the scope and complexity of the project; and 17
1154+
1155+ 3. an estimate of: 18
1156+
1157+ A. the total costs required to complete through planning; and 19
1158+
1159+ B. the fund sources available to support planning costs; and 20
1160+
1161+ (ii) a project implementation request to begin full design, 21
1162+development, and implementation of the project after the completion of planning, including: 22
1163+
1164+ 1. the project title, appropriation code, and summary; 23
1165+
1166+ 2. a description of: 24
1167+
1168+ A. the needs addressed by the project; 25
1169+
1170+ B. the potential risks associated with the project; 26
1171+
1172+ C. possible alternatives; 27
1173+ 26 SENATE BILL 812
1174+
1175+
1176+ D. the scope and complexity of the project; and 1
1177+
1178+ E. how the project meets the goals of the statewide master 2
1179+plan; and 3
1180+
1181+ 3. an estimate of: 4
1182+
1183+ A. the total project cost; and 5
1184+
1185+ B. the fund sources available. 6
1186+
1187+ (3) The Secretary may approve funding incrementally, consistent with the 7
1188+systems development life cycle plan. 8
1189+
1190+[3.5–309.] 3.5–308. 9
1191+
1192+ (a) There is a Major Information Technology Development Project Fund. 10
1193+
1194+ (b) The purpose of the Fund is to support major information technology 11
1195+development projects. 12
1196+
1197+ (c) The Secretary: 13
1198+
1199+ (1) shall administer the Fund in accordance with this section; and 14
1200+
1201+ (2) subject to the provisions of § 2–201 of this article and [§ 3A–307] § 15
1202+3.5–306 3.5–307 of this subtitle, may receive and accept contributions, grants, or gifts of 16
1203+money or property. 17
1204+
1205+ (d) (1) The Fund is a special, nonlapsing fund that is not subject to § 7–302 of 18
1206+this article. 19
1207+
1208+ (2) The State Treasurer shall hold the Fund separately and the 20
1209+Comptroller shall account for the Fund. 21
1210+
1211+ (3) The State Treasurer shall invest and reinvest the money of the Fund in 22
1212+the same manner as other State money may be invested. 23
1213+
1214+ (4) Any investment earnings of the Fund shall be paid into the Fund. 24
1215+
1216+ (e) Except as provided in subsection (f) of this section, the Fund consists of: 25
1217+
1218+ (1) money appropriated in the State budget to the Fund; 26
1219+
1220+ (2) as approved by the Secretary, money received from: 27
1221+ SENATE BILL 812 27
1222+
1223+
1224+ (i) the sale, lease, or exchange of communication sites, 1
1225+communication facilities, or communication frequencies for information technology 2
1226+purposes; or 3
1227+
1228+ (ii) an information technology agreement involving resource 4
1229+sharing; 5
1230+
1231+ (3) that portion of money earned from pay phone commissions to the extent 6
1232+that the commission rates exceed those in effect in December 1993; 7
1233+
1234+ (4) money received and accepted as contributions, grants, or gifts as 8
1235+authorized under subsection (c) of this section; 9
1236+
1237+ (5) general funds appropriated for major information technology 10
1238+development projects of any unit of State government other than a public institution of 11
1239+higher education that: 12
1240+
1241+ (i) are unencumbered and unexpended at the end of a fiscal year; 13
1242+
1243+ (ii) have been abandoned; or 14
1244+
1245+ (iii) have been withheld by the General Assembly or the Secretary; 15
1246+
1247+ (6) any investment earnings; and 16
1248+
1249+ (7) any other money from any source accepted for the benefit of the Fund. 17
1250+
1251+ (f) The Fund does not include any money: 18
1252+
1253+ (1) received by the Department of Transportation, the Maryland 19
1254+Transportation Authority, Baltimore City Community College, or the Maryland Public 20
1255+Broadcasting Commission; 21
1256+
1257+ (2) received by the Judicial or Legislative branches of State government; or 22
1258+
1259+ (3) generated from pay phone commissions that are credited to other 23
1260+accounts or funds in accordance with other provisions of law or are authorized for other 24
1261+purposes in the State budget or through an approved budget amendment. 25
1262+
1263+ (g) The Governor shall submit with the State budget: 26
1264+
1265+ (1) a summary showing the unencumbered balance in the Fund as of the 27
1266+close of the prior fiscal year and a listing of any encumbrances; 28
1267+
1268+ (2) an estimate of projected revenue from each of the sources specified in 29
1269+subsection (e) of this section for the fiscal year for which the State budget is submitted; and 30
1270+ 28 SENATE BILL 812
1271+
1272+
1273+ (3) a descriptive listing of projects reflecting projected costs for the fiscal 1
1274+year for which the State budget is submitted and any estimated future year costs. 2
1275+
1276+ (h) Expenditures from the Fund shall be made only: 3
1277+
1278+ (1) in accordance with an appropriation approved by the General Assembly 4
1279+in the annual State budget; or 5
1280+
1281+ (2) through an approved State budget amendment under Title 7, Subtitle 6
1282+2, Part II of this article, provided that a State budget amendment for any project not 7
1283+requested as part of the State budget submission or for any project for which the scope or 8
1284+cost has increased by more than 5% or $250,000 shall be submitted to the budget 9
1285+committees allowing a 30–day period for their review and comment. 10
1286+
1287+ (i) The Fund may be used: 11
1288+
1289+ (1) for major information technology development projects; 12
1290+
1291+ (2) as provided in subsections (j) and (l) of this section; or 13
1292+
1293+ (3) notwithstanding [§ 3A–301(b)(2)] § 3.5–301(B)(2) of this subtitle, for 14
1294+the costs of the first 12 months of operation and maintenance of a major information 15
1295+technology development project. 16
1296+
1297+ (j) Notwithstanding subsection (b) of this section and except for the cost incurred 17
1298+in administering the Fund, each fiscal year up to $1,000,000 of this Fund may be used for: 18
1299+
1300+ (1) educationally related information technology projects; 19
1301+
1302+ (2) application service provider initiatives as provided for in Title 9, 20
1303+Subtitle 22 of the State Government Article; or 21
1304+
1305+ (3) information technology projects, including: 22
1306+
1307+ (i) pilots; and 23
1308+
1309+ (ii) prototypes. 24
1310+
1311+ (k) A unit of State government or local government may submit a request to the 25
1312+Secretary to support the cost of an information technology project with money under 26
1313+subsection (j) of this section. 27
1314+
1315+ (l) (1) Notwithstanding subsection (b) of this section and in accordance with 28
1316+paragraph (2) of this subsection, money paid into the Fund under subsection (e)(2) of this 29
1317+section shall be used to support: 30
1318+ SENATE BILL 812 29
1319+
1320+
1321+ (i) the State telecommunication and computer network established 1
1322+under [§ 3A–404] § 3.5–404 of this title, including program development for these 2
1323+activities; and 3
1324+
1325+ (ii) the Statewide Public Safety Interoperability Radio System, also 4
1326+known as Maryland First (first responder interoperable radio system team), under Title 1, 5
1327+Subtitle 5 of the Public Safety Article. 6
1328+
1329+ (2) The Secretary may determine the portion of the money paid into the 7
1330+Fund that shall be allocated to each program described in paragraph (1) of this subsection. 8
1331+
1332+ (m) (1) On or before November 1 of each year, the Secretary shall report to the 9
1333+Governor, the Secretary of Budget and Management, and to the budget committees of the 10
1334+General Assembly and submit a copy of the report to the General Assembly, in accordance 11
1335+with § 2–1257 of the State Government Article. 12
1336+
1337+ (2) The report shall include: 13
1338+
1339+ (i) the financial status of the Fund and a summary of its operations 14
1340+for the preceding fiscal year; 15
1341+
1342+ (ii) an accounting for the preceding fiscal year of all money from each 16
1343+of the revenue sources specified in subsection (e) of this section, including any expenditures 17
1344+made from the Fund; and 18
1345+
1346+ (iii) for each project receiving money from the Fund in the preceding 19
1347+fiscal year and for each major information technology development project receiving 20
1348+funding from any source other than the Fund in the preceding fiscal year: 21
1349+
1350+ 1. the status of the project; 22
1351+
1352+ 2. a comparison of estimated and actual costs of the project; 23
1353+
1354+ 3. any known or anticipated changes in scope or costs of the 24
1355+project; 25
1356+
1357+ 4. an evaluation of whether the project is using best 26
1358+practices; and 27
1359+
1360+ 5. a summary of any monitoring and oversight of the project 28
1361+from outside the agency in which the project is being developed, including a description of 29
1362+any problems identified by any external review and any corrective actions taken. 30
1363+
1364+ (n) On or before January 15 of each year, for each major information technology 31
1365+development project currently in development or for which operations and maintenance 32
1366+funding is being provided in accordance with subsection (i)(3) of this section, subject to § 33
1367+2–1257 of the State Government Article, the Secretary shall provide a summary report to 34 30 SENATE BILL 812
1368+
1369+
1370+the Department of Legislative Services with the most up–to–date project information 1
1371+including: 2
1372+
1373+ (1) project status; 3
1374+
1375+ (2) any schedule, cost, and scope changes since the last annual report; 4
1376+
1377+ (3) a risk assessment including any problems identified by any internal or 5
1378+external review and any corrective actions taken; and 6
1379+
1380+ (4) any change in the monitoring or oversight status. 7
1381+
1382+[3A–310.] 3.5–309. 8
1383+
1384+ This subtitle may not be construed to give the Secretary authority over: 9
1385+
1386+ (1) the content of educational applications or curriculum at the State or 10
1387+local level; or 11
1388+
1389+ (2) the entities that may participate in such educational programs. 12
1390+
1391+[3.5–311.] 3.5–310. 13
1392+
1393+ (a) (1) The Secretary or the Secretary’s designee, in consultation with other 14
1394+units of State government, and after public comment, shall develop a nonvisual access 15
1395+clause for use in the procurement of information technology and information technology 16
1396+services that specifies that the technology and services: 17
1397+
1398+ (i) must provide equivalent access for effective use by both visual 18
1399+and nonvisual means; 19
1400+
1401+ (ii) will present information, including prompts used for interactive 20
1402+communications, in formats intended for both visual and nonvisual use; 21
1403+
1404+ (iii) can be integrated into networks for obtaining, retrieving, and 22
1405+disseminating information used by individuals who are not blind or visually impaired; and 23
1406+
1407+ (iv) shall be obtained, whenever possible, without modification for 24
1408+compatibility with software and hardware for nonvisual access. 25
1409+
1410+ (2) On or after January 1, 2020, the nonvisual access clause developed in 26
1411+accordance with paragraph (1) of this subsection shall include a statement that: 27
1412+
1413+ (i) within 18 months after the award of the procurement, the 28
1414+Secretary, or the Secretary’s designee, will determine whether the information technology 29 SENATE BILL 812 31
1415+
1416+
1417+meets the nonvisual access standards adopted in accordance with [§ 3A–303(b)] § 1
1418+3.5–303(B) of this subtitle; 2
1419+
1420+ (ii) if the information technology does not meet the nonvisual access 3
1421+standards, the Secretary, or the Secretary’s designee, will notify the vendor in writing that 4
1422+the vendor, at the vendor’s own expense, has 12 months after the date of the notification to 5
1423+modify the information technology in order to meet the nonvisual access standards; and 6
1424+
1425+ (iii) if the vendor fails to modify the information technology to meet 7
1426+the nonvisual access standards within 12 months after the date of the notification, the 8
1427+vendor: 9
1428+
1429+ 1. may be subject to a civil penalty of: 10
1430+
1431+ A. for a first offense, a fine not exceeding $5,000; and 11
1432+
1433+ B. for a subsequent offense, a fine not exceeding $10,000; and 12
1434+
1435+ 2. shall indemnify the State for liability resulting from the 13
1436+use of information technology that does not meet the nonvisual access standards. 14
1437+
1438+ (b) (1) Except as provided in paragraph (2) of this subsection, the nonvisual 15
1439+access clause required under subsection (a) of this section shall be included in each 16
1440+invitation for bids or request for proposals and in each procurement contract or modification 17
1441+or renewal of a contract issued under Title 13 of this article, without regard to the method 18
1442+chosen under Title 13, Subtitle 1 of this article for the purchase of new or upgraded 19
1443+information technology and information technology services. 20
1444+
1445+ (2) Except as provided in subsection (a)(4) of this section, the nonvisual 21
1446+access clause required under paragraph (1) of this subsection is not required if: 22
1447+
1448+ (i) the information technology is not available with nonvisual access 23
1449+because the essential elements of the information technology are visual and nonvisual 24
1450+equivalence cannot be developed; or 25
1451+
1452+ (ii) the cost of modifying the information technology for compatibility 26
1453+with software and hardware for nonvisual access would increase the price of the 27
1454+procurement by more than 15%. 28
1455+
1456+[3.5–312.] 3.5–311. 29
1457+
1458+ The Secretary may delegate the duties set forth in this subtitle to carry out its 30
1459+purposes. 31
1460+
1461+[3.5–313.] 3.5–312. 32
1462+ 32 SENATE BILL 812
1463+
1464+
1465+ (a) (1) In this section the following words have the meanings indicated. 1
1466+
1467+ (2) “Agency” includes a unit of State government that receives funds that 2
1468+are not appropriated in the annual budget bill. 3
1469+
1470+ (3) (i) “Payee” means any party who receives from the State an 4
1471+aggregate payment of $25,000 in a fiscal year. 5
1472+
1473+ (ii) “Payee” does not include: 6
1474+
1475+ 1. a State employee with respect to the employee’s 7
1476+compensation; or 8
1477+
1478+ 2. a State retiree with respect to the retiree’s retirement 9
1479+allowance. 10
1480+
1481+ (4) “Searchable website” means a website created in accordance with this 11
1482+section that displays and searches State payment data. 12
1483+
1484+ (b) (1) The Department shall develop and operate a single searchable website, 13
1485+accessible to the public at no cost through the Internet. 14
1486+
1487+ (2) On or before the 15th day of the month that follows the month in which 15
1488+an agency makes a payment to a payee, the Department shall update the payment data on 16
1489+the searchable website. 17
1490+
1491+ (c) The searchable website shall contain State payment data, including: 18
1492+
1493+ (1) the name of a payee receiving a payment; 19
1494+
1495+ (2) the location of a payee by postal zip code; 20
1496+
1497+ (3) the amount of a payment; and 21
1498+
1499+ (4) the name of an agency making a payment. 22
1500+
1501+ (d) The searchable website shall allow the user to: 23
1502+
1503+ (1) search data for fiscal year 2008 and each year thereafter; and 24
1504+
1505+ (2) search by the following data fields: 25
1506+
1507+ (i) a payee receiving a payment; 26
1508+
1509+ (ii) an agency making a payment; and 27
1510+
1511+ (iii) the zip code of a payee receiving a payment. 28 SENATE BILL 812 33
1512+
1513+
1514+
1515+ (e) State agencies shall provide appropriate assistance to the Secretary to ensure 1
1516+the existence and ongoing operation of the single website. 2
1517+
1518+ (f) This section may not be construed to require the disclosure of information that 3
1519+is confidential under State or federal law. 4
1520+
1521+ (g) This section shall be known and may be cited as the “Maryland Funding 5
1522+Accountability and Transparency Act”. 6
1523+
1524+[3.5–314.] 3.5–313. 7
1525+
1526+ (a) In this section, “security–sensitive data” means information that is protected 8
1527+against unwarranted disclosure. 9
1528+
1529+ (b) In accordance with guidelines established by the Secretary, each unit of State 10
1530+government shall develop a plan to: 11
1531+
1532+ (1) identify unit personnel who handle security–sensitive data; and 12
1533+
1534+ (2) establish annual security overview training or refresher security 13
1535+training for each employee who handles security–sensitive data as part of the employee’s 14
1536+duties. 15
1537+
1538+3.5–401. 16
1539+
1540+ (a) The Department shall: 17
1541+
1542+ (1) coordinate the development, procurement, management, and operation 18
1543+of telecommunication equipment, systems, and services by State government; 19
1544+
1545+ (2) TO ADDRESS PREPAREDN ESS AND RESPONSE CAP ABILITIES OF 20
1546+LOCAL JURISDICTIONS , COORDINATE THE PROCU REMENT OF MANAGED 21
1547+CYBERSECURITY SERVIC ES PROCURED BY LOCAL GOVERNMENTS WITH STATE 22
1548+FUNDING; 23
1549+
1550+ [(2)] (3) acquire and manage common user telecommunication 24
1551+equipment, systems, or services and charge units of State government for their 25
1552+proportionate share of the costs of installation, maintenance, and operation of the common 26
1553+user telecommunication equipment, systems, or services; 27
1554+
1555+ [(3)] (4) promote compatibility of telecommunication systems by 28
1556+developing policies, procedures, and standards for the [acquisition and] use of 29
1557+telecommunication equipment, systems, and services by units of State government; 30
1558+ 34 SENATE BILL 812
1559+
1560+
1561+ [(4)] (5) coordinate State government telecommunication systems and 1
1562+services by reviewing requests by units of State government for, AND ACQUIRING ON 2
1563+BEHALF OF UNITS OF STATE GOVERNMENT , telecommunication equipment, systems, or 3
1564+services; 4
1565+
1566+ [(5)] (6) advise units of State government about [planning, acquisition,] 5
1567+PLANNING and operation of telecommunication equipment, systems, or services; and 6
1568+
1569+ [(6)] (7) provide radio frequency coordination for State and local 7
1570+governments in accordance with regulations of the Federal Communications Commission. 8
1571+
1572+ (b) The Department may make arrangement for a user other than a unit of State 9
1573+government to have access to and use of State telecommunication equipment, systems, and 10
1574+services and shall charge the user any appropriate amount to cover the cost of installation, 11
1575+maintenance, and operation of the telecommunication equipment, system, or service 12
1576+provided. 13
1577+
1578+ (C) (1) THE DEPARTMENT SHALL DEVE LOP AND REQUIRE BASI C 14
1579+SECURITY REQUIREMENT S TO BE INCLUDED IN A CONTRACT: 15
1580+
1581+ (I) IN WHICH A THIRD–PARTY CONTRACTOR WIL L HAVE ACCESS 16
1582+TO AND USE STATE TELECOMMUNICATI ON EQUIPMENT , SYSTEMS, OR SERVICES; OR 17
1583+
1584+ (II) BY A UNIT OF STATE GOVERNMENT THAT IS LESS THAN 18
1585+$50,000 FOR SYSTEMS OR DEVIC ES THAT WILL CONNECT TO STATE 19
1586+TELECOMMUNICATION EQ UIPMENT, SYSTEMS, OR SERVICES. 20
1587+
1588+ (2) THE SECURITY REQUIREM ENTS DEVELOPED UNDER PARAGRAPH 21
1589+(1) OF THIS SUBSECTION S HALL BE CONSISTENT W ITH A WIDELY RECOGNI ZED 22
1590+SECURITY STANDARD , INCLUDING NATIONAL INSTITUTE OF STANDARDS AND 23
1591+TECHNOLOGY SP 800–171, ISO27001, OR CYBERSECURITY MATURITY MODEL 24
1592+CERTIFICATION. 25
1593+
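Review bot: item (C)(1)(II) sets the dollar test as "LESS THAN $50,000", so on its face a unit's contract at or above $50,000 for systems or devices that connect to State telecommunication equipment falls outside this paragraph unless item (I) also applies. If larger contracts take their security requirements from another provision, a cross-reference here would make that clear; if they do not, the threshold reads as a gap. Paragraph (2) names three standards after "INCLUDING" without saying who selects among them for a given contract, which is worth stating in the same place.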
1594+3.5–404. 26
1595+
1596+ (a) The General Assembly declares that: 27
1597+
1598+ (1) it is the policy of the State to foster telecommunication and computer 28
1599+networking among State and local governments, their agencie s, and educational 29
1600+institutions in the State; 30
1601+
1602+ (2) there is a need to improve access, especially in rural areas, to efficient 31
1603+telecommunication and computer network connections; 32
1604+ SENATE BILL 812 35
1605+
1606+
1607+ (3) improvement of telecommunication and computer networking for State 1
1608+and local governments and educational institutions promotes economic development, 2
1609+educational resource use and development, and efficiency in State and local administration; 3
1610+
1611+ (4) rates for the intrastate inter–LATA telephone communications needed 4
1612+for effective integration of telecommunication and computer resources are prohibitive for 5
1613+many smaller governments, agencies, and institutions; and 6
1614+
1615+ (5) the use of improved State telecommunication and computer networking 7
1616+under this section is intended not to compete with commercial access to advanced network 8
1617+technology, but rather to foster fundamental efficiencies in government and education for 9
1618+the public good. 10
1619+
1620+ (b) (1) The Department shall establish a telecommunication and computer 11
1621+network in the State. 12
1622+
1623+ (2) The network shall consist of: 13
1624+
1625+ (i) one or more connection facilities for telecommunication and 14
1626+computer connection in each local access transport area (LATA) in the State; and 15
1627+
1628+ (ii) facilities, auxiliary equipment, and services required to support 16
1629+the network in a reliable and secure manner. 17
1630+
1631+ (c) The network shall be accessible through direct connection and through local 18
1632+intra–LATA telecommunications to State and local governments and public and private 19
1633+educational institutions in the State. 20
1634+
1635+ (D) ON OR BEFORE DECEMBER 1 EACH YEAR , EACH UNIT OF THE 21
1636+LEGISLATIVE OR JUDICIAL BRANCH OF STATE GOVERNMENT AND ANY DIVISION OF 22
1637+THE UNIVERSITY SYSTEM OF MARYLAND THAT USE THE NETWORK ESTABLISHED 23
1638+UNDER SUBSECTION (B) OF THIS SECTION SHAL L CERTIFY TO THE DEPARTMENT 24
1639+THAT THE UNIT OR DIV ISION IS IN COMPLIAN CE WITH THE DEPARTMENT ’S MINIMUM 25
1640+SECURITY STANDARDS . 26
1641+
1642+3.5–404. 27
1643+
1644+ (D) (1) THE OFFICE SHALL ENSURE T HAT AT LEAST ONCE EV ERY 2 28
1645+YEARS, OR MORE OFTEN IF REQ UIRED BY REGULATIONS ADOPTED BY THE 29
1646+DEPARTMENT , EACH UNIT OF STATE GOVERNMENT SHAL L COMPLETE AN EXTERN AL 30
1647+ASSESSMENT . 31
1648+
1649+ (2) THE OFFICE SHALL ASSIST E ACH UNIT TO REMEDIAT E ANY 32
1650+SECURITY VULNERABILI TIES OR HIGH–RISK CONFIGURATIONS IDENTIFIED IN THE 33
1651+ASSESSMENT REQUIRED UNDER PARAGRAPH (1) OF THIS SUBSECTION . 34
1652+ 36 SENATE BILL 812
1653+
1654+
1655+ (E) (1) IN THIS SUBSECTION , “IT UNIT” MEANS A UNIT OF THE 1
1656+LEGISLATIVE BRANCH OR JUDICIAL BRANCH OF STATE GOVERNMENT , THE OFFICE 2
1657+OF THE ATTORNEY GENERAL, THE OFFICE OF THE COMPTROLLER , OR THE OFFICE 3
1658+OF THE STATE TREASURER THAT PROVIDES INFORM ATION TECHNOLOGY SER VICES 4
1659+FOR ANOTHER UNIT OF GOVERNMENT . 5
1660+
1661+ (2) EACH IT UNIT SHALL: 6
1662+
1663+ (I) BE EVALUATED BY AN I NDEPENDENT AUDITOR W ITH 7
1664+CYBERSECURITY EXPERT ISE TO DETERMINE WHE THER THE IT UNIT, AND THE UNITS 8
1665+IT PROVIDES INFORMAT ION TECHNOLOGY SERVI CES FOR, MEET RELEVANT 9
1666+CYBERSECURITY STANDARDS R ECOMMENDED BY THE NATIONAL INSTITUTE OF 10
1667+STANDARDS AND TECHNOLOGY ; AND 11
1668+
1669+ (II) CERTIFY COMPLIANCE W ITH THE RECOMMENDED 12
1670+NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY CYBERSECUR ITY 13
1671+STANDARDS TO : 14
1672+
1673+ 1. IF THE IT UNIT IS PART OF THE LEGISLATIVE 15
1674+BRANCH, THE PRESIDENT OF THE SENATE AND THE SPEAKER OF THE HOUSE; AND 16
1675+
1676+ 2. IF THE IT UNIT IS PART OF THE OFFICE OF THE 17
1677+ATTORNEY GENERAL, TO THE ATTORNEY GENERAL; 18
1678+
1679+ 3. IF THE IT UNIT IS PART OF THE COMPTROLLER ’S 19
1680+OFFICE, TO THE COMPTROLLER ; 20
1681+
1682+ 4. IF THE IT UNIT IS PART OF THE STATE TREASURER’S 21
1683+OFFICE, TO THE STATE TREASURER; AND 22
1684+
1685+ 2. 5. IF THE IT UNIT IS PART OF THE JUDICIAL BRANCH OF 23
1686+STATE GOVERNMENT , THE CHIEF JUDGE. 24
1687+
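Review bot: in (E)(2)(II) the stem ends with "TO :" and items 2 to 4 then begin with "TO" again ("TO THE ATTORNEY GENERAL", "TO THE COMPTROLLER", "TO THE STATE TREASURER"), while items 1 and 5 do not, so the list does not read consistently against its stem. Item 1 also ends in "; AND" although four more items follow, and the last item carries two numbers, "2. 5.". Settle on one form for the recipients, keep a single "AND" before the final item, and number the Judicial Branch item 5.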
1688+3.5–405. 25
1689+
1690+ (A) ON OR BEFORE DECEMBER 1 EACH YEAR, EACH UNIT OF STATE 26
1691+GOVERNMENT SHALL : 27
1692+
1693+ (1) COMPLETE A CYBERSECU RITY PREPAREDNESS AS SESSMENT AND 28
1694+REPORT THE RESULTS OF ANY CYBERSECURITY PREPAREDNESS ASSESSM ENTS 29
1695+PERFORMED IN THE PRI OR YEAR TO THE OFFICE OF SECURITY MANAGEMENT IN 30
1696+ACCORDANCE WITH GUID ELINES DEVELOPED BY THE OFFICE; AND 31
1697+ SENATE BILL 812 37
1698+
1699+
1700+ (2) SUBMIT A REPORT TO T HE GOVERNOR AND THE OFFICE OF 1
1701+SECURITY MANAGEMENT THAT INCLU DES: 2
1702+
1703+ (I) AN INVENTORY OF ALL INFORMATION SYSTEMS AND 3
1704+APPLICATIONS USED OR MAINTAINED BY THE UNI T; 4
1705+
1706+ (II) A FULL DATA INVENTOR Y OF THE UNIT; 5
1707+
1708+ (III) A LIST OF ALL CLOUD OR STATISTICAL ANALY SIS SYSTEM 6
1709+SOLUTIONS USED BY TH E UNIT; 7
1710+
1711+ (IV) A LIST OF ALL PERMAN ENT AND TRANSIENT VE NDOR 8
1712+INTERCONNECTIONS THA T ARE IN PLACE; 9
1713+
1714+ (V) THE NUMBER OF UNIT E MPLOYEES WHO HAVE RE CEIVED 10
1715+CYBERSECURITY TRAINI NG; 11
1716+
1717+ (VI) THE TOTAL NUMBER OF UNIT EMPLOYEES WHO U SE THE 12
1718+NETWORK; 13
1719+
1720+ (VII) THE NUMBER OF INFORM ATION TECHNOLOGY STA FF 14
1721+POSITIONS, INCLUDING VACANCIES ; 15
1722+
1723+ (VIII) THE NUMBER OF NONI NFORMATION TECHNOLOG Y STAFF 16
1724+POSITIONS, INCLUDING VACANCIES ; 17
1725+
1726+ (IX) THE UNIT ’S INFORMATION TECHNO LOGY BUDGET , 18
1727+ITEMIZED TO INCLUDE THE FOLLOWING CATEGO RIES: 19
1728+
1729+ 1. SERVICES; 20
1730+
1731+ 2. EQUIPMENT; 21
1732+
1733+ 3. APPLICATIONS; 22
1734+
1735+ 4. PERSONNEL ; 23
1736+
1737+ 5. SOFTWARE LICENSING; 24
1738+
1739+ 6. DEVELOPMENT ; 25
1740+
1741+ 7. NETWORK PROJECTS ; 26
1742+
1743+ 8. MAINTENANCE ; AND 27 38 SENATE BILL 812
1744+
1745+
1746+
1747+ 9. CYBERSECURITY ; 1
1748+
1749+ (X) ANY MAJOR INFORMATIO N TECHNOLOGY INITIAT IVES TO 2
1750+MODERNIZE THE UNIT ’S INFORMATION TECHNO LOGY SYSTEMS OR IMPR OVE 3
1751+CUSTOMER ACCESS TO STATE AND LOCAL SERVI CES; 4
1752+
1753+ (XI) THE UNIT’S PLANS FOR FUTURE F ISCAL YEARS TO 5
1754+IMPLEMENT THE UNIT ’S INFORMATION TECHNO LOGY GOALS; 6
1755+
1756+ (XII) COMPLIANCE WITH TIME LINES AND METRICS PR OVIDED IN 7
1757+THE DEPARTMENT ’S MASTER PLAN ; AND 8
1758+
1759+ (XIII) ANY OTHER KEY PERFOR MANCE INDICATORS REQ UIRED BY 9
1760+THE OFFICE OF SECURITY MANAGEMENT TO TRACK C OMPLIANCE OR CONSIST ENCY 10
1761+WITH THE DEPARTMENT ’S STATEWIDE INFORMATION TEC HNOLOGY MASTER PLAN . 11
1762+
1763+ (B) (1) EACH UNIT OF STATE GOVERNMENT SHAL L REPORT A 12
1764+CYBERSECURITY INCIDE NT IN ACCORDANCE WIT H PARAGRAPH (2) OF THIS 13
1765+SUBSECTION TO THE STATE CHIEF INFORMATION SECURITY OFFICER. 14
1766+
1767+ (2) FOR THE REPORTING OF CYBERSECURITY INCIDENTS UND ER 15
1768+PARAGRAPH (1) OF THIS SUBSECTION , THE STATE CHIEF INFORMATION SECURITY 16
1769+OFFICER SHALL DETERMI NE: 17
1770+
1771+ (I) THE CRITERIA FOR DET ERMINING WHEN AN INC IDENT MUST 18
1772+BE REPORTED ; 19
1773+
1774+ (II) THE MANNER IN WHICH TO REPORT; AND 20
1775+
1776+ (III) THE TIME PERIOD WITHIN WHICH A REPORT MUST BE MADE . 21
1777+
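Review bot: (B)(2) hands all three reporting parameters, the criteria in (I), the manner in (II) and the time period in (III), to the State Chief Information Security Officer, and nothing in § 3.5–405 says by when or where that determination is issued, so a unit cannot derive a reporting threshold or deadline from the text itself. SECTION 8(a) sets a date for the separate public-disclosure guidelines; a comparable date here, or a requirement that the determination be published to the units bound by (B)(1), would give incident-response procedures a fixed source to cite.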
1778+3.5–406. 22
1779+
1780+ (C) (1) (A) THIS SUBSECTION SECTION DOES NOT APPLY TO 23
1781+MUNICIPAL GOVERNMENT S. 24
1782+
1783+ (2) (B) ON OR BEFORE DECEMBER 1 EACH YEAR IN A MANNER AND 25
1784+FREQUENCY ESTABLISHE D IN REGULATIONS ADO PTED BY THE DEPARTMENT , EACH 26
1785+COUNTY GOVERNMENT , LOCAL SCHOOL SYSTEM , AND LOCAL HEALTH DEP ARTMENT 27
1786+SHALL: 28
1787+
1788+ (I) (1) IN CONSULTATION WITH THE LOCAL EMERGENCY 29
1789+MANAGER, CREATE OR UPDATE A C YBERSECURITY PREPARE DNESS AND RESPONSE 30 SENATE BILL 812 39
1790+
1791+
1792+PLAN AND SUBMIT THE PLAN TO THE OFFICE OF SECURITY MANAGEMENT FOR 1
1793+APPROVAL; AND 2
1794+
1795+ (II) (2) COMPLETE A CYBERSECU RITY PREPAREDNESS 3
1796+ASSESSMENT AND REPORT THE RESUL TS TO THE OFFICE OF SECURITY 4
1797+MANAGEMENT IN ACCORDA NCE WITH GUIDELINES DEVELOPED BY THE OFFICE; 5
1798+AND 6
1799+
1800+ (III) REPORT TO THE OFFICE OF SECURITY MANAGEMENT : 7
1801+
1802+ 1. THE NUMBER OF INFORM ATION TECHNOLOGY STA FF 8
1803+POSITIONS, INCLUDING VACANCIES ; 9
1804+
1805+ 2. THE ENTITY ’S CYBERSECURITY BUDG ET AND 10
1806+OVERALL INFORMATION TECHNOLOGY BUDGET ; 11
1807+
1808+ 3. THE NUMBER OF EMPLOY EES WHO HAVE RECEIVED 12
1809+CYBERSECURITY TRAINI NG; AND 13
1810+
1811+ 4. THE TOTAL NUMBER OF EMPLOYEES WITH ACCES S TO 14
1812+THE ENTITY’S COMPUTER SYSTEMS A ND DATABASES . 15
1813+
1814+ (C) THE ASSESSMENT REQUIR ED UNDER PARAGRAPH (B)(2) OF THIS 16
1815+SECTION MAY , IN ACCORDANCE WITH T HE PREFERENCE OF EAC H COUN TY 17
1816+GOVERNMENT , BE PERFORMED BY THE DEPARTMENT OR BY A VE NDOR 18
1817+AUTHORIZED BY THE DEPARTMENT . 19
1818+
1819+ (3) (I) (D) (1) EACH COUNTY LOCAL GOVERNMENT , LOCAL 20
1820+SCHOOL SYSTEM, AND LOCAL HEALTH DEPARTM ENT SHALL REPORT A 21
1821+CYBERSECURITY INCIDE NT, INCLUDING AN ATTACK ON A STATE SYSTEM BEING 22
1822+USED BY THE LOCAL GO VERNMENT, TO THE APPROPRIATE L OCAL EMERGENCY 23
1823+MANAGER AND THE STATE SECURITY OPERATIONS CENTER IN THE DEPARTMENT 24
1824+IN ACCORDANCE WITH SUBPARAGRAPH (II) PARAGRAPH (2) OF THIS PARAGRAPH 25
1825+SUBSECTION TO THE APPROPRIATE LOCAL EMERGENCY MANAGER . 26
1826+
1827+ (II) (2) FOR THE REPORTING OF CYBERSECURITY INCIDE NTS 27
1828+TO LOCAL EMERGENCY M ANAGERS UNDER SUBPAR AGRAPH (I) OF THIS PARAGRAPH , 28
1829+THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL DETERMI NE: 29
1830+
1831+ 1. (I) THE CRITERIA FOR DET ERMINING WHEN AN INCIDENT 30
1832+MUST BE REPORTED ; 31
1833+
1834+ 2. (II) THE MANNER IN WHICH TO REPORT; AND 32
1835+ 40 SENATE BILL 812
1836+
1837+
1838+ 3. (III) THE TIME PERIOD WITH IN WHICH A REPORT 1
1839+MUST BE MADE . 2
1840+
1841+ (3) THE STATE SECURITY OPERATIONS CENTER SHALL 3
1842+IMMEDIATELY NOTIFY T HE APPROPRIATE AGENC IES OF A CYBERSECURITY 4
1843+INCIDENT REPORTED UN DER THIS SUBSECTION THROUGH THE STATE SECURITY 5
1844+OPERATIONS CENTER. 6
1845+
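Review bot: the cross-reference in (D)(2) reads "UNDER SUBPARAGRAPH (I) OF THIS PARAGRAPH" and speaks only of reporting "TO LOCAL EMERGENCY MANAGERS", while (D)(1) shows the renumbered form "PARAGRAPH (2) OF THIS ... SUBSECTION" and adds the State Security Operations Center as a recipient. Confirm that (2) was updated to point at paragraph (1) of this subsection and that the Chief Information Security Officer's criteria, manner and time period also govern reports made to the Center. In (D)(1) the recipient "TO THE APPROPRIATE LOCAL EMERGENCY MANAGER" also appears twice, once before and once after the cross-reference, and only one occurrence should remain.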
1846+4–316.1. 7
1847+
1848+ THE DEPARTMENT , IN CONSULTATION WITH THE MARYLAND 8
1849+CYBERSECURITY COORDINATING COUNCIL ESTABLISHED I N § 3.5–2A–05 OF THIS 9
1850+ARTICLE, SHALL STUDY THE SECURITY AND FINANCI AL IMPLICATIONS OF 10
1851+EXECUTING PARTNERSHI PS WITH OTHER STATES TO PROCURE INFORMATI ON 11
1852+TECHNOLOGY AND CYBER SECURITY PRODUCTS AN D SERVICES, INCLUDING THE 12
1853+IMPLICATIONS FOR POL ITICAL SUBDIVISIONS OF THE STATE. 13
1854+
1855+13–115. 14
1856+
1857+ (A) THE DEPARTMENT OF INFORMATION TECHNOLOGY SHALL REQUIRE 15
1858+BASIC SECURITY REQUI REMENTS TO BE INCLUD ED IN A CONTRACT : 16
1859+
1860+ (1) IN WHICH A THIRD –PARTY CONTRACTOR WIL L HAVE ACCESS TO 17
1861+AND USE STATE TELECOMMUNICATI ON EQUIPMENT , SYSTEMS, OR SERVICES; OR 18
1862+
1863+ (2) FOR SYSTEMS OR DEVIC ES THAT WILL CONNECT TO STATE 19
1864+TELECOMMUNICATION EQ UIPMENT, SYSTEMS, OR SERVICES. 20
1865+
1866+ (B) THE SECURITY REQUIREM ENTS DEVELOPED UNDER SUBSECTION (A) OF 21
1867+THIS SECTION SHALL B E CONSISTENT WITH A WIDELY RECOGNIZED SE CURITY 22
1868+STANDARD, INCLUDING NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 23
1869+SP 800–171, ISO27001, OR CYBERSECURITY MATURITY MODEL CERTIFICATION. 24
1870+
1871+12–107. 25
1872+
1873+ (b) Subject to the authority of the Board, jurisdiction over procurement is as 26
1874+follows: 27
1875+
1876+ (2) the Department of General Services may: 28
1877+
1878+ (i) engage in or control procurement of: 29
1879+
1880+ 10. information processing equipment and associated 30
1881+services, as provided in Title [3A] 3.5, Subtitle 3 of this article; [and] 31
1882+ SENATE BILL 812 41
1883+
1884+
1885+ 11. telecommunication equipment, systems, or services, as 1
1886+provided in Title [3A] 3.5, Subtitle 4 of this article; AND 2
1887+
1888+ 12. MANAGED CYBERSECURIT Y SERVICES, AS PROVIDED 3
1889+IN TITLE 3.5, SUBTITLE 3 OF THIS ARTICLE; 4
1890+
1891+ SECTION 3. AND BE IT FURTHER ENACTED, That, as a key enabler of the 5
1892+Department of Information Technology’s cybersecurity risk management strategy, on or 6
1893+before December 31, 2022, the Department shall complete the implementation of a 7
1894+governance, risk, and compliance module across the Executive Branch of State government 8
1895+that: 9
1896+
1897+ (1) has industry–standard capabilities; 10
1898+
1899+ (2) is based on NIST, ISO, or other recognized security frameworks or 11
1900+standards; and 12
1901+
1902+ (3) enables the Department to identify, monitor, and manage cybersecurity 13
1903+risk on a continuous basis. 14
1904+
1905+ SECTION 4. AND BE IT FURTHER ENACTED, That, on or before June 30, 2023, 15
1906+the Office of Security Management, in consultation with the Maryland Cybersecurity 16
1907+Coordinating Council, shall: 17
1908+
1909+ (1) prepare a transition strategy toward cybersecurity centralization, 18
1910+including recommendations for: 19
1911+
1912+ (1) (i) consistent incident response training; 20
1913+
1914+ (2) (ii) implementing security improvement dashboards to inform 21
1915+budgetary appropriations; 22
1916+
1917+ (3) (iii) operations logs transition to the Maryland Security Operations 23
1918+Center; 24
1919+
1920+ (4) (iv) establishing consistent performance accountability metrics for 25
1921+information technology and cybersecurity staff; and 26
1922+
1923+ (5) (v) whether the Office needs additional staff or contractors to carry 27
1924+out its duties; and 28
1925+
1926+ (2) report the transition strategy and recommendations prepared under 29
1927+item (1) of this section to the Governor and, in accordance with § 2–1257 of the State 30
1928+Government Article, the Senate Education, Health, and Environmental Affairs Committee 31
1929+and the House Health and Government Operations Committee. 32
1930+ 42 SENATE BILL 812
1931+
1932+
1933+ SECTION 5. AND BE IT FURTHER ENACTED, That: 1
1934+
1935+ (a) (1) On or before June 30, 2023, each agency in the Executive Branch of 2
1936+State government shall certify to the Office of Security Management compliance with State 3
1937+minimum cybersecurity standards established by the Department of Information Security 4
1938+Technology. 5
1939+
1940+ (2) Except as provided in paragraph (3) of this subsection, certification 6
1941+shall be reviewed by independent auditors, and any findings must be remediated. 7
1942+
1943+ (3) Certification for the Department of Public Safety and Correctional 8
1944+Services and any State criminal justice agency shall be reviewed by the Office of Legislative 9
1945+Audits, and any findings must be remediated. 10
1946+
1947+ (b) If Except as provided in subsection (c) of this section, if an agency has not 11
1948+remediated any findings pertaining to State cybersecurity standards found by the 12
1949+independent audit required under subsection (a) of this section by July 1, 2024, the Office 13
1950+of Security Management shall assume responsibility for an agency’s cybersecurity ensure 14
1951+compliance of an agency’s cybersecurity with cybersecurity standards through a shared 15
1952+service agreement, administrative privileges, or access to Network Maryland 16
1953+notwithstanding any federal law or regulation that forbids the Office of Security 17
1954+Management from managing a specific system. 18
1955+
1956+ (c) Subsection (b) of this section does not apply if a federal law or regulation 19
1957+forbids the Office of Security Management from managing a specific system. 20
1958+
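Review bot: SECTION 5(b) still carries "notwithstanding any federal law or regulation that forbids the Office of Security Management from managing a specific system" while the new (c) exempts exactly that case, so read together the two clauses conflict; confirm the "notwithstanding" clause is gone from the final text now that (b) opens with "Except as provided in subsection (c)". The same sentence shows two different remedies side by side, "shall assume responsibility for an agency's cybersecurity" and "ensure compliance of an agency's cybersecurity with cybersecurity standards", and only one should remain, since they imply different levels of control over the agency's systems. In (a)(1) the standards are attributed to the "Department of Information Security Technology", which does not match the Department of Information Technology named elsewhere in the Act.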
1959+ SECTION 6. AND BE IT FURTHER ENACTED, That: 21
1960+
1961+ (a) The Department of Information Technology shall hire a contractor to conduct 22
1962+a performance and capacity assessment of the Department to: 23
1963+
1964+ (1) evaluate the Department’s capacity to implement provisions of this Act; 24
1965+and 25
1966+
1967+ (2) recommend additional resources necessary for the Department to 26
1968+implement provisions of this title and meet future needs, including additional budget 27
1969+appropriations, additional staff, altered contracting authority, and pay increases for staff. 28
1970+
1971+ (b) The contractor hired by the Department to complete the assessment and 29
1972+report required by this section shall: 30
1973+
1974+ (1) on or before December 1, 2023, submit an interim report of its findings 31
1975+and recommendations to the Governor and, in accordance with § 2–1257 of the State 32
1976+Government Article, the General Assembly; and 33
1977+ SENATE BILL 812 43
1978+
1979+
1980+ (2) on or before December 1, 2024, submit a final report of its findings and 1
1981+recommendations to the Governor and, in accordance with § 2 –1257 of the State 2
1982+Government Article, the General Assembly. 3
1983+
1984+ SECTION 7. AND BE IT FURTHER ENACTED, That for fiscal year 2023, funds 4
1985+from the Dedicated Purpose Account may be transferred by budget amendment in 5
1986+accordance with § 7–310 of the State Finance and Procurement Article to implement this 6
1987+Act. 7
1988+
1989+ SECTION 8. AND BE IT FURTHER ENACTED, That: 8
1990+
1991+ (a) On or before June October 1, 2022, the State Chief Information Security 9
1992+Officer shall establish guidelines to determine when a cybersecurity incident shall be 10
1993+disclosed to the public. 11
1994+
1995+ (b) On or before November 1, 2022, the State Chief Information Security Officer 12
1996+shall submit a report on the guidelines established under subsection (a) of this section to 13
1997+the Governor and, in accordance with § 2–1257 of the State Government Article, the House 14
1998+Health and Government Operations Committee and the Senate Education, Health, and 15
1999+Environmental Affairs Committee. 16
2000+
2001+ SECTION 4. AND BE IT FURTHER ENACTED, That, on the effective date of this 17
2002+Act, the following shall be transferred to the Department of Information Technology: 18
2003+
2004+ (1) all appropriations, including State and federal funds, held by a unit of 19
2005+the Executive Branch of State government for the purpose of information technology 20
2006+operations or cybersecurity for the unit on the effective date of this Act; and 21
2007+
2008+ (2) all books and records (including electronic records), real and personal 22
2009+property, equipment, fixtures, assets, liabilities, obligations, credits, rights, and privileges 23
2010+held by a unit of the Executive Branch of State government for the purpose of information 24
2011+technology operations or cybersecurity for the unit on the effective date of this Act. 25
2012+
2013+ SECTION 5. AND BE IT FURTHER ENACTED, That all employees of a unit of the 26
2014+Executive Branch of State government who are assigned more than 50% of the time to a 27
2015+function related to information technology operations or cybersecurity for the unit on the 28
2016+effective date of this Act shall, on the effective date of this Act, report to the Secretary of 29
2017+Information Technology or the Secretary’s designee. 30
2018+
2019+ SECTION 6. AND BE IT FURTHER ENACTED, That any transaction affected by 31
2020+the transfer of oversight of information technology operations or cybersecurity of a unit of 32
2021+the Executive Branch of State government and validly entered into before the effective date 33
2022+of this Act, and every right, duty, or interest flowing from it, remains valid after the 34
2023+effective date of this Act and may be terminated, completed, consummated, or enforced 35
2024+under the law. 36
2025+ 44 SENATE BILL 812
2026+
2027+
2028+ SECTION 7. AND BE IT FURTHER ENACTED, That all existing laws, regulations, 1
2029+proposed regulations, standards and guidelines, policies, orders and other directives, forms, 2
2030+plans, memberships, contracts, property, investigations, administrative and judicial 3
2031+responsibilities, rights to sue and be sued, and all other duties and responsibilities 4
2032+associated with information technology operations or cybersecurity of a unit of the 5
2033+Executive Branch of State government prior to the effective date of this Act shall continue 6
2034+and, as appropriate, be legal and binding on the Department of Information Technology 7
2035+until completed, withdrawn, canceled, modified, or otherwise changed under the law. 8
2036+
2037+ SECTION 8. 9. AND BE IT FURTHER ENACTED, That this Act shall take effect 9
2038+October July 1, 2022. 10
2039+
2040+
2041+
2042+
2043+Approved:
2044+________________________________________________________________________________
2045+ Governor.
2046+________________________________________________________________________________
2047+ President of the Senate.
2048+________________________________________________________________________________
2049+ Speaker of the House of Delegates.