LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 1 –
Chapter 242
(Senate Bill 812)
AN ACT concerning
State Government – Cybersecurity – Coordination and Governance
FOR the purpose of establishing the Cybersecurity Coordination and Operations Office in
the Maryland Department of Emergency Management; requiring the Secretary of
Emergency Management to appoint an Executive Director as head of the
Cybersecurity Coordination and Operations Office; requiring the Office of Security
Management to be provided with staff for the Cybersecurity Coordination and
Operations Office; requiring the Cybersecurity Coordination and Operations Office
to establish regional assistance groups to deliver or coordinate support services to
political subdivisions, agencies, or regions in accordance with certain requirements;
requiring the Cybersecurity Coordination and Operations Office to offer certain
training opportunities for counties and municipalities; establishing the Office of
Security Management within the Department of Information Technology (DoIT);
establishing certain responsibilities and authority of the Office of Security
Management; centralizing authority and control of the procurement of all
information technology for the Executive Branch of State government in DoIT;
establishing the Maryland Cybersecurity Coordinating Council; requiring the
Secretary of Information Technology to develop and maintain a statewide
cybersecurity master plan strategy; requiring DoIT to develop and require basic
security requirements to be included in certain contracts; requiring each unit of the
Legislative or Judicial Branch of State government and any division of the
University System of Maryland that uses a certain network to certify certain
compliance to DoIT on or before a certain date each year; requiring certain IT units
to certify compliance with certain cybersecurity standards; requiring each unit of the
Executive Branch of State government and certain local entities to report certain
cybersecurity incidents in a certain manner and under certain circumstances;
requiring the State Security Operations Center to notify certain agencies of a
cybersecurity incident reported in a certain manner; establishing the Maryland
Cybersecurity Coordinating Council; exempting meetings of the Council from the
Open Meetings Act; requiring the Council to study aspects of the State’s
cybersecurity vulnerabilities and procurement potential, including partnerships
with other states; requiring the Council to promote certain education and training
opportunities; requiring the Department of General Services to study the security
and financial implications of executing partnerships with other states to procure
information technology and cybersecurity products and services; requiring the
Department of General Services to establish certain basic security requirements to
be included in certain contracts; requiring DoIT to complete implementation of a
certain governance, risk, and compliance module on or before a certain date;
requiring the Office to prepare a transition strategy towards cybersecurity
centralization; requiring each agency in the Executive Branch of State government
to certify to the Office that the agency is in compliance with certain standards; Ch. 242 2022 LAWS OF MARYLAND
– 2 –
requiring the Office to assume responsibility for a certain agency’s cybersecurity
except under certain circumstances; requiring DoIT to hire a contractor to conduct a
performance and capacity assessment of DoIT; authorizing funds to be transferred
by budget amendment from the Dedicated Purpose Account in a certain fiscal year
to implement the Act; transferring certain appropriations, books and records, and
employees to DoIT; and generally relating to State cybersecurity coordination.
BY renumbering
Article – State Finance and Procurement
Section 3A–101 through 3A–702, respectively, and the title “Title 3A. Department of
Information Technology”
to be Section 3.5–101 through 3.5–702, respectively, and the title “Title 3.5.
Department of Information Technology”
Annotated Code of Maryland
(2021 Replacement Volume)
BY repealing and reenacting, with amendments,
Article – Criminal Procedure
Section 10–221(b)
Annotated Code of Maryland
(2018 Replacement Volume and 2021 Supplement)
BY repealing and reenacting, with amendments,
Article – Health – General
Section 21–2C–03(h)(2)(i)
Annotated Code of Maryland
(2019 Replacement Volume and 2021 Supplement)
BY repealing and reenacting, with amendments,
Article – Human Services
Section 7–806(a), (b)(1), (c)(1), (d)(1) and (2)(i), and (g)(1)
Annotated Code of Maryland
(2019 Replacement Volume and 2021 Supplement)
BY repealing and reenacting, with amendments,
Article – Insurance
Section 31–103(a)(2)(i) and (b)(2)
Annotated Code of Maryland
(2017 Replacement Volume and 2021 Supplement)
BY repealing and reenacting, with amendments,
Article – Natural Resources
Section 1–403(c)
Annotated Code of Maryland
(2018 Replacement Volume and 2021 Supplement)
LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 3 –
BY adding to
Article – Public Safety
Section 14–104.1
Annotated Code of Maryland
(2018 Replacement Volume and 2021 Supplement)
BY repealing and reenacting, without amendments,
Article – State Finance and Procurement
Section 3.5–101(a) and (e) and 3.5–301(a)
Annotated Code of Maryland
(2021 Replacement Volume)
(As enacted by Section 1 of this Act)
BY adding to
Article – State Finance and Procurement
Section 3.5–2A–01 through 3.5–2A–07 3.5–2A–06 to be under the new subtitle
“Subtitle 2A. Office of Security Management”; and 3.5–404(d) and (e), 3.5–405
and 12–107(b)(2)(i)12., 3.5–406, 4–316.1, and 13–115
Annotated Code of Maryland
(2021 Replacement Volume)
BY repealing and reenacting, with amendments,
Article – State Finance and Procurement
Section 3.5–301(j), 3.5–302(c), 3.5–303, 3.5–305, 3.5–307 through 3.5–314, 3.5–401,
and 3.5–404 Section 3.5–301(i) and (j), 3.5–302, 3.5–303, 3.5–307, 3.5–309(c),
(i), and (l), and 3.5–311(a)(2)(i)
Annotated Code of Maryland
(2021 Replacement Volume)
(As enacted by Section 1 of this Act)
BY repealing
Article – State Finance and Procurement
Section 3.5–306
Annotated Code of Maryland
(2021 Replacement Volume)
(As enacted by Section 1 of this Act)
BY repealing and reenacting, with amendments,
Article – State Finance and Procurement
Section 12–107(b)(2)(i)10. and 11.
Annotated Code of Maryland
(2021 Replacement Volume)
SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND,
That Section(s) 3A–101 through 3A–702, respectively, and the title “Title 3A. Department
of Information Technology” of Article – State Finance and Procurement of the Annotated Ch. 242 2022 LAWS OF MARYLAND
– 4 –
Code of Maryland be renumbered to be Section(s) 3.5–101 through 3.5–702, respectively,
and the title “Title 3.5. Department of Information Technology”.
SECTION 2. AND BE IT FURTHER ENACTED, That the Laws of Maryland read
as follows:
Article – Criminal Procedure
10–221.
(b) Subject to Title [3A] 3.5, Subtitle 3 of the State Finance and Procurement
Article, the regulations adopted by the Secretary under subsection (a)(1) of this section and
the rules adopted by the Court of Appeals under subsection (a)(2) of this section shall:
(1) regulate the collection, reporting, and dissemination of criminal history
record information by a court and criminal justice units;
(2) ensure the security of the criminal justice information system and
criminal history record information reported to and collected from it;
(3) regulate the dissemination of criminal history record information in
accordance with Subtitle 1 of this title and this subtitle;
(4) regulate the procedures for inspecting and challenging criminal history
record information;
(5) regulate the auditing of criminal justice units to ensure that criminal
history record information is:
(i) accurate and complete; and
(ii) collected, reported, and disseminated in accordance with Subtitle
1 of this title and this subtitle;
(6) regulate the development and content of agreements between the
Central Repository and criminal justice units and noncriminal justice units; and
(7) regulate the development of a fee schedule and provide for the collection
of the fees for obtaining criminal history record information for other than criminal justice
purposes.
Article – Health – General
21–2C–03.
LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 5 –
(h) (2) The Board is subject to the following provisions of the State Finance
and Procurement Article:
(i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent
that the Secretary of Information Technology determines that an information technology
project of the Board is a major information technology development project;
Article – Human Services
7–806.
(a) (1) Subject to paragraph (2) of this subsection, the programs under §
7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State
Finance and Procurement Article shall be funded as provided in the State budget.
(2) For fiscal year 2019 and each fiscal year thereafter, the program under
[§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall be funded at an
amount that:
(i) is equal to the cost that the Department of Aging is expected to
incur for the upcoming fiscal year to provide the service and administer the program; and
(ii) does not exceed 5 cents per month for each account out of the
surcharge amount authorized under subsection (c) of this section.
(b) (1) There is a Universal Service Trust Fund created for the purpose of
paying the costs of maintaining and operating the programs under:
(i) § 7–804(a) of this subtitle, subject to the limitations and controls
provided in this subtitle;
(ii) § 7–902(a) of this title, subject to the limitations and controls
provided in Subtitle 9 of this title; and
(iii) [§ 3A–702] § 3.5–702 of the State Finance and Procurement
Article, subject to the limitations and controls provided in Title [3A] 3.5, Subtitle 7 of the
State Finance and Procurement Article.
(c) (1) The costs of the programs under § 7–804(a) of this subtitle, § 7–902(a)
of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement Article shall
be funded by revenues generated by:
(i) a surcharge to be paid by the subscribers to a communications
service; and
(ii) other funds as provided in the State budget. Ch. 242 2022 LAWS OF MARYLAND
– 6 –
(d) (1) The Secretary shall annually certify to the Public Service Commission
the costs of the programs under § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§
3A–702] § 3.5–702 of the State Finance and Procurement Article to be paid by the
Universal Service Trust Fund for the following fiscal year.
(2) (i) The Public Service Commission shall determine the surcharge
for the following fiscal year necessary to fund the programs under § 7–804(a) of this subtitle,
§ 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of the State Finance and Procurement
Article.
(g) (1) The Legislative Auditor may conduct postaudits of a fiscal and
compliance nature of the Universal Service Trust Fund and the expenditures made for
purposes of § 7–804(a) of this subtitle, § 7–902(a) of this title, and [§ 3A–702] § 3.5–702 of
the State Finance and Procurement Article.
Article – Insurance
31–103.
(a) The Exchange is subject to:
(2) the following provisions of the State Finance and Procurement Article:
(i) Title [3A] 3.5, Subtitle 3 (Information Processing), to the extent
that the Secretary of Information Technology determines that an information technology
project of the Exchange is a major information technology development project;
(b) The Exchange is not subject to:
(2) Title [3A] 3.5, Subtitle 3 (Information Processing) of the State Finance
and Procurement Article, except to the extent determined by the Secretary of Information
Technology under subsection (a)(2)(i) of this section;
Article – Natural Resources
1–403.
(c) The Department shall develop the electronic system consistent with the
statewide information technology master plan developed under Title [3A] 3.5, Subtitle 3 of
the State Finance and Procurement Article.
Article – Public Safety
14–104.1. LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 7 –
(A) (1) IN THIS SECTION THE F OLLOWING WORDS HAVE THE MEANINGS
INDICATED.
(2) “OFFICE” MEANS THE CYBERSECURITY COORDINATION AND
OPERATIONS OFFICE ESTABLISHED WI THIN THE DEPARTMENT .
(3) “REGION” MEANS A COLLECTION O F POLITICAL SUBDIVISIONS.
(B) THERE IS A CYBERSECURITY COORDINATION AND OPERATIONS
OFFICE WITHIN THE DEPARTMENT .
(C) THE PURPOSE OF THE OFFICE IS TO:
(1) IMPROVE LOCAL , REGIONAL, AND STATEWIDE CYBERS ECURITY
READINESS AND RESPON SE;
(2) ASSIST POLITICAL SUB DIVISIONS, SCHOOL BOARDS , AND
AGENCIES IN THE DEVE LOPMENT OF CYBERSECU RITY DISRUPTION PLAN S;
(3) IN CONSULTATION WITH THE DEPARTMENT OF INFORMATION
TECHNOLOGY , COORDINATE WITH POLI TICAL SUBDIVISIONS , LOCAL AGENCIES ,
AND STATE AGENCIES ON THE IMPLEMENTATION OF CYBERSECURITY BES T
PRACTICES;
(4) COORDINATE WITH POLI TICAL SUBDIVISIONS A ND AGENCIES ON
THE IMPLEMENTATION O F THE STATEWIDE MASTER PLAN DEVELOPED BY THE
DEPARTMENT OF INFORMATION TECHNOLOGY UNDER TITLE 3.5, SUBTITLE 3 OF
THE STATE FINANCE AND PROCUREMENT ARTICLE; AND
(5) CONSULT WITH THE STATE CHIEF INFORMATION SECURITY
OFFICER AND THE SECRETARY OF INFORMATION TECHNOLOGY TO CONNECT
POLITICAL SUBDIVISIO NS AND AGENCIES TO T HE APPROPRIATE RESOU RCES FOR
ANY OTHER PURPOSE RE LATED TO CYBERSECURI TY READINESS AND RESPON SE.
(D) (1) THE HEAD OF THE OFFICE IS THE EXECUTIVE DIRECTOR, WHO
SHALL BE APPOINTED B Y THE DIRECTOR.
(2) THE OFFICE OF SECURITY MANAGEMENT SHALL PROV IDE STAFF
FOR THE OFFICE.
(E) (1) THE OFFICE SHALL ESTABLIS H REGIONAL ASSISTAN CE GROUPS
TO DELIVER OR COORDI NATE SUPPORT SERVICE S TO POLITICAL SUBDI VISIONS,
AGENCIES, OR REGIONS. Ch. 242 2022 LAWS OF MARYLAND
– 8 –
(2) THE OFFICE MAY HIRE OR PR OCURE REGIONAL COORD INATORS
TO DELIVER OR COORDI NATE THE SERVICES UN DER PARAGRAPH (1) OF THIS
SUBSECTION.
(3) THE OFFICE SHALL PROVIDE OR COO RDINATE SUPPORT
SERVICES UNDER PARAG RAPH (1) OF THIS SUBSECTION T HAT INCLUDE:
(I) CONNECTING MULTIPLE POLITICAL SUBDIVISIO NS AND
AGENCIES WITH EACH O THER TO SHARE BEST P RACTICES OR OTHER IN FORMATION
TO INCREASE READINES S OR RESPONS E EFFECTIVENESS ;
(II) PROVIDING TECHNICAL SERVICES FOR THE
IMPLEMENTATION OF CY BERSECURITY BEST PRA CTICES IN ACCORDANCE WITH
SUBSECTION (C)(3) OF THIS SECTION;
(III) COMPLETING CYBERSECU RITY RISK ASSESSMENT S;
(IV) DEVELOPING CYBER SCO RECARDS AN D REPORTS ON
REGIONAL READINESS ;
(V) CREATING AND UPDATIN G CYBERSECURITY DISR UPTION
PLANS IN ACCORDANCE WITH SUBSECTION (C)(2) OF THIS SECTION; AND
(VI) CONDUCTING REGIONAL EXERCISES IN COORDIN ATION
WITH THE NATIONAL GUARD, THE DEPARTMENT , THE DEPARTMENT OF
INFORMATION TECHNOLOGY , LOCAL EMERGENCY MANA GERS, AND OTHER STATE
AND LOCAL ENTITIES.
(F) (1) THE OFFICE SHALL PROVIDE REGULAR TRAINING
OPPORTUNITIES FOR CO UNTIES AND MUNICIPAL CORPORATIONS IN THE STATE.
(2) TRAINING OPPORTUNITIE S OFFERED BY THE OFFICE SHALL:
(I) BE DESIGNED TO ENSUR E STAFF FOR COUNTIES AND
MUNICIPAL CORPORATIO NS ARE CAPABLE OF CO OPERATING EFFECTIVEL Y WITH
THE DEPARTMENT IN THE EVE NT OF A CYBERSECURIT Y EMERGENCY ; AND
(II) INCORPORATE BEST PRA CTICES AND GUIDE LINES FOR
STATE AND LOCAL GOVE RNMENTS PROVIDED BY THE MULTI–STATE INFORMATION
SHARING AND ANALYSIS CENTER AND THE CYBERSECURITY AND
INFRASTRUCTURE SECURITY AGENCY.
LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 9 –
(G) ON OR BEFORE DECEMBER 1 EACH YEAR, THE OFFICE SHALL REPORT
TO THE GOVERNOR AND , IN ACCORDANCE WITH § 2–1257 OF THE STATE
GOVERNMENT ARTICLE, THE GENERAL ASSEMBLY ON THE ACTIV ITIES OF THE
OFFICE.
Article – State Finance and Procurement
3.5–101.
(a) In this title the following words have the meanings indicated.
(e) “Unit of State government” means an agency or unit of the Executive Branch
of State government.
SUBTITLE 2A. OFFICE OF SECURITY MANAGEMENT .
3.5–2A–01.
(A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS
INDICATED.
(B) “COUNCIL” MEANS THE MARYLAND CYBERSECURITY COORDINATING
COUNCIL.
(C) “OFFICE” MEANS THE OFFICE OF SECURITY MANAGEMENT .
3.5–2A–02.
THERE IS AN OFFICE OF SECURITY MANAGEMENT WITHIN THE DEPARTMENT .
3.5–2A–03.
(A) THE HEAD OF THE OFFICE IS THE STATE CHIEF INFORMATION
SECURITY OFFICER.
(B) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL:
(1) BE APPOINTED BY THE GOVERNOR WITH THE ADV ICE AND
CONSENT OF THE SENATE;
(2) SERVE AT THE PLEASUR E OF THE GOVERNOR;
(3) BE SUPERVISED BY THE SECRETARY; AND
Ch. 242 2022 LAWS OF MARYLAND
– 10 –
(4) SERVE AS THE CHIEF I NFORMATION S ECURITY OFFICER OF T HE
DEPARTMENT .
(C) AN INDIVIDUAL APPOINT ED AS THE STATE CHIEF INFORMATION
SECURITY OFFICER UNDER SUBSECT ION (B) OF THIS SECTION SHAL L:
(1) AT A MINIMUM, HOLD A BACHELOR ’S DEGREE;
(2) HOLD APPROPRIATE INF ORMATION TECHNOLOGY OR
CYBERSECURITY CERTIF ICATIONS;
(3) HAVE EXPERIENCE :
(I) IDENTIFYING, IMPLEMENTING , AND OR ASSESSING
SECURITY CONTROLS ;
(II) IN INFRASTRUCTURE , SYSTEMS ENGINEERING , AND OR
CYBERSECURITY ;
(III) MANAGING HIGHLY TECH NICAL SECURITY , SECURITY
OPERATIONS CENTERS , AND INCIDENT RESPONS E TEAMS IN A COMPLEX CLOUD
ENVIRONMENT AND SUPP ORTING MULTIPLE SITE S; AND
(IV) WORKING WITH COMMON INFORMATION SECURITY
MANAGEMENT FRAMEWORK S;
(4) HAVE EXTENSIVE K NOWLEDGE OF INFORMAT ION TECHNOLOGY
AND CYBERSECURITY FI ELD CONCEPTS , BEST PRACTICES , AND PROCEDURES , WITH
AN UNDERSTANDING OF EXISTING ENTERPRISE CAPABILITIES AND LIM ITATIONS TO
ENSURE THE SECURE IN TEGRATION AND OPERAT ION OF SECURITY NETW ORKS AND
SYSTEMS; AND
(5) HAVE KNOWLEDGE OF CU RRENT SECURITY REGUL ATIONS.
(C) (D) THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL
PROVIDE CYBERSECURIT Y ADVICE AND RECOMME NDATIONS TO THE GOVERNOR ON
REQUEST.
(D) (E) (1) (I) THERE IS A DIRECTOR OF LOCAL CYBERSECURITY
WHO SHALL BE APPOINT ED BY THE STATE CHIEF INFORMATION SECURITY
OFFICER.
LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 11 –
(II) THE DIRECTOR OF LOCAL CYBERSECURITY SHALL W ORK
IN COORDINATION WITH THE MARYLAND DEPARTMENT OF EMERGENCY
MANAGEMENT TO PROVIDE TECHNICAL ASSISTANCE , COORDINATE R ESOURCES,
AND IMPROVE CYBERSEC URITY PREPAREDNESS F OR UNITS OF LOCAL
GOVERNMENT .
(2) (I) THERE IS A DIRECTOR OF STATE CYBERSECURITY WHO
SHALL BE APPOINTED B Y THE STATE CHIEF INFORMATION SECURITY OFFICER.
(II) THE DIRECTOR OF STATE CYBERSECURITY IS
RESPONSIBLE FOR IMPLEM ENTATION OF THIS SEC TION WITH RESPECT TO UNITS OF
STATE GOVERNMENT .
(E) (F) THE DEPARTMENT SHALL PROV IDE THE OFFICE WITH
SUFFICIENT STAFF TO PERFORM THE FUNCTION S OF THIS SUBTITLE.
(F) THE OFFICE MAY PROCURE RE SOURCES, INCLUDING REGIONAL
COORDINATORS , NECESSARY TO FULFILL THE REQUIREMENTS OF THIS SUBTITLE.
3.5–2A–04.
(A) (1) THE OFFICE IS RESPONSIBLE FOR:
(1) (I) THE DIRECTION , COORDINATION , AND IMPLEMENTATION
OF THE OVERALL CYBER SECURITY STRATEGY AN D POLICY FOR UNITS O F STATE
GOVERNMENT ; AND
(2) THE COORDINATION OF RESOURCES AND EFFORT S TO
IMPLEMENT CYBERSECUR ITY BEST PRACTICES A ND IMPROVE OVERALL
CYBERSECURITY PREPAR EDNESS AND RESPONSE FOR UNITS OF LOCAL
GOVERNMENT , LOCAL SCHOOL BOARDS , LOCAL SCHOOL SYSTEMS , AND LOCAL
HEALTH DEPARTMENTS .
(II) COORDINATING WITH TH E MARYLAND DEPARTMENT OF
EMERGENCY MANAGEMENT CYBER PREPAREDNESS UNIT DURING EMERGENCY
RESPONSE EFFORTS .
(2) THE OFFICE IS NOT RESPONS IBLE FOR THE INFORMA TION
TECHNOLOGY INSTALLAT ION AND MAINTENANCE OPERATIONS NORMALLY
CONDUCTED BY A UNIT OF STATE GOVERNMENT , A UNIT OF LOCAL GOVE RNMENT, A
LOCAL SCHOOL BOARD , A LOCAL SCHOOL SYSTE M, OR A LOCAL HEALTH
DEPARTMENT .
(B) THE OFFICE SHALL: Ch. 242 2022 LAWS OF MARYLAND
– 12 –
(1) ESTABLISH STANDARDS TO CATEGORIZE ALL IN FORMATION
COLLECTED OR MAINTAINED BY OR ON BEHALF OF EACH UN IT OF STATE
GOVERNMENT ;
(2) ESTABLISH STANDARDS TO CATEGORIZE ALL IN FORMATION
SYSTEMS MAINTAINED B Y OR ON BEHALF OF EA CH UNIT OF STATE GOVERNMENT ;
(3) DEVELOP GUIDELINES G OVERNING THE TYPES O F INFORMATION
AND INFORMATION SYSTEMS T O BE INCLUDED IN EAC H CATEGORY;
(4) ESTABLISH SECURITY R EQUIREMENTS FOR INFO RMATION AND
INFORMATION SYSTEMS IN EACH CATEGORY ;
(5) ASSESS THE CATEGORIZ ATION OF INFORMATION AND
INFORMATION SYSTEMS AND THE ASSOCIATED I MPLEMENTATION O F THE SECURITY
REQUIREMENTS ESTABLI SHED UNDER ITEM (4) OF THIS SUBSECTION ;
(6) IF THE STATE CHIEF INFORMATION SECURITY OFFICER
DETERMINES THAT THER E ARE SECURITY VULNE RABILITIES OR DEFICI ENCIES IN
THE IMPLEMENTATION O F THE SECURITY REQUI REMENTS ESTABLIS HED UNDER
ITEM (4) OF THIS SUBSECTION , DETERMINE WHETHER AN INFORMATION SYSTEM
SHOULD BE ALLOWED TO CONTINUE TO OPERATE OR BE CONNECTED TO T HE
NETWORK ESTABLISHED IN ACCORDANCE WITH § 3.5–404 OF THIS TITLE; ANY
INFORMATION SYSTEMS , DETERMINE AND DIRECT OR TAKE ACTIONS NECESSA RY TO
CORRECT OR REMEDIATE THE VULNERABILITIES OR DEFICIENCIES , WHICH MAY
INCLUDE REQUIRING TH E INFORMATION SYSTEM TO BE DISCONNECTED ;
(7) IF THE STATE CHIEF INFORMATION SECURITY OFFICER
DETERMINES THAT THER E IS A CYBERSECURITY THREAT CAUSED BY AN ENTITY
CONNECTED TO THE NET WORK ESTABLISHED UND ER § 3.5–404 OF THIS TITLE THAT
INTRODUCES A SERIOUS RISK TO ENTITIES CON NECTED TO THE NETWOR K OR TO
THE STATE, TAKE OR DIRECT ACTIO NS REQUIRED TO MITIG ATE THE THREAT ;
(7) (8) MANAGE SE CURITY AWARENESS TRA INING FOR ALL
APPROPRIATE EMPLOYEE S OF UNITS OF STATE GOVERNMENT ;
(8) (9) ASSIST IN THE DEVELO PMENT OF DATA MANAGE MENT,
DATA GOVERNANCE , AND DATA SPECIFICATI ON STANDARDS TO PROM OTE
STANDARDIZATION AND REDUCE RISK;
(9) (10) ASSIST IN THE DEVELOPMENT O F A DIGITAL IDENTITY
STANDARD AND SPECIFI CATION APPLICABLE TO ALL PARTIES COMMUNIC ATING, LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 13 –
INTERACTING, OR CONDUCTING BUSINE SS WITH OR ON BEHALF OF A UNIT OF STATE
GOVERNMENT ;
(10) (11) DEVELOP AND MAINTAIN INFORMATION TECHNOLO GY
SECURITY POLICY, STANDARDS, AND GUIDANCE DOCUMEN TS, CONSISTENT WITH
BEST PRACTICES DEVEL OPED BY THE NATIONAL INSTITUTE OF STANDARDS AND
TECHNOLOGY ;
(11) (12) TO THE EXTENT PRACTI CABLE, SEEK, IDENTIFY, AND
INFORM RELEVANT STAK EHOLDERS OF ANY AVAI LABLE FINA NCIAL ASSISTANCE
PROVIDED BY THE FEDE RAL GOVERNMENT OR NO N–STATE ENTITIES TO SUP PORT
THE WORK OF THE OFFICE;
(12) REVIEW AND CERTIFY L OCAL CYBERSECURITY P REPAREDNESS
AND RESPONSE PLANS ;
(13) PROVIDE TECHNICAL AS SISTANCE TO LOCALITI ES IN MITIGATING
AND RECOVERING FROM CYBERSECURITY INCIDE NTS; AND
(14) PROVIDE TECHNICAL SE RVICES, ADVICE, AND GUIDANCE TO
UNITS OF LOCAL GOVER NMENT TO IMPROVE CYB ERSECURITY PREPAREDN ESS,
PREVENTION , RESPONSE, AND RECOVERY PRACTIC ES.
(C) THE OFFICE, IN COORDINATION WI TH THE MARYLAND DEPARTMENT
OF EMERGENCY MANAGEMENT , SHALL:
(1) ASSIST LOCAL POLITIC AL SUBDIVISIONS , INCLUDING COUNTIES ,
SCHOOL SYSTEMS , SCHOOL BOARDS , AND LOCAL HEALTH DEP ARTMENTS, IN:
(I) THE DEVELOPMENT OF C YBERSECURITY PREPARE DNESS
AND RESPONSE PLANS; AND
(II) IMPLEMENTING BEST PR ACTICES AND GUIDANCE
DEVELOPED BY THE DEPARTMENT ; AND
(2) CONNECT LOCAL ENTITI ES TO APPROPRIATE RE SOURCES FOR
ANY OTHER PURPOSE RE LATED TO CYBERSECURI TY PREPAREDNESS AND
RESPONSE; AND
(3) DEVELOP APPROPRIATE REPORTS ON LOCAL CYB ERSECURITY
PREPAREDNESS .
(D) THE OFFICE, IN COORDINATION WITH THE MARYLAND DEPARTMENT
OF EMERGENCY MANAGEMENT , MAY: Ch. 242 2022 LAWS OF MARYLAND
– 14 –
(1) CONDUCT REGIONAL EXE RCISES, AS NECESSARY , IN
COORDINATION WITH TH E NATIONAL GUARD, LOCAL EMERGENCY MANA GERS, AND
OTHER STATE AND LOCAL ENTIT IES; AND
(2) ESTABLISH REGIONAL A SSISTANCE GROUPS TO DELIVER OR
COORDINATE SUPPORT S ERVICES TO LOCAL POL ITICAL SUBDIVISIONS , AGENCIES,
OR REGIONS.
(E) (1) ON OR BEFORE DECEMBER 31 EACH YEAR, THE OFFICE SHALL
REPORT TO T HE GOVERNOR AND , IN ACCORDANCE WITH § 2–1257 OF THE STATE
GOVERNMENT ARTICLE, THE SENATE BUDGET AND TAXATION COMMITTEE, THE
SENATE EDUCATION, HEALTH, AND ENVIRONMENTAL AFFAIRS COMMITTEE, THE
HOUSE APPROPRIATIONS COMMITTEE, THE HOUSE HEALTH AND GOVERNMENT
OPERATIONS COMMITTEE, AND THE JOINT COMMITTEE ON CYBERSECURITY ,
INFORMATION TECHNOLOGY , AND BIOTECHNOLOGY ON THE ACTIVITIES OF THE
OFFICE AND THE STATE OF CYBERSECURITY PRE PAREDNESS IN MARYLAND,
INCLUDING:
(1) (I) THE ACTIVITIES AND A CCOMPLISHMENTS OF T HE OFFICE
DURING THE PREVIOUS 12 MONTHS AT THE STATE AND LOCAL LEVEL S; AND
(2) (II) A COMPILATION AND AN ALYSIS OF THE DATA F ROM THE
INFORMATION CONTAINE D IN THE REPORTS REC EIVED BY THE OFFICE UNDER §
3.5–405 OF THIS TITLE, INCLUDING:
(I) 1. A SUMMARY OF THE ISS UES IDENTIFIED BY TH E
CYBERSECURITY PREPAR EDNESS ASSESSMENTS C ONDUCTED THAT YEAR ;
(II) 2. THE STATUS OF VULNER ABILITY ASSESSMENTS OF
ALL UNITS OF STATE GOVERNMENT AND A TIMELINE FOR COMPL ETION AND COST
TO REMEDIATE ANY VUL NERABILITIES EXPOSED;
(III) 3. RECENT AUDIT FINDING S OF ALL UNITS OF STATE
GOVERNMENT AND OPTIO NS TO IMPROVE FINDIN GS IN FUTURE AUDITS , INCLUDING
RECOMMENDATIONS FOR STAFF, BUDGET, AND TIMING;
(IV) 4. ANALYSIS OF THE STATE’S EXPENDITURE ON
CYBERSECURITY R ELATIVE TO OVERALL I NFORMATION TECHNOLOG Y SPENDING
FOR THE PRIOR 3 YEARS AND RECOMMENDA TIONS FOR CHANGES TO THE BUDGET,
INCLUDING AMOUNT , PURPOSE, AND TIMING TO IMPROV E STATE AND LOCAL
CYBERSECURITY PREPAR EDNESS;
LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 15 –
(V) 5. EFFORTS TO SECURE FI NANCIAL SUP PORT FOR
CYBER RISK MITIGATIO N FROM FEDERAL OR OT HER NON–STATE RESOURCES ;
(VI) 6. KEY PERFORMANCE INDI CATORS ON THE
CYBERSECURITY STRATE GIES IN THE DEPARTMENT ’S INFORMATION TECHNO LOGY
MASTER PLAN , INCLUDING TIME , BUDGET, AND STAFF REQUIRED F OR
IMPLEMEN TATION; AND
(VII) 7. ANY ADDITIONAL RECOM MENDATIONS FOR
IMPROVING STATE AND LOCAL CYBER SECURITY PREPAREDNES S.
(2) A REPORT SUBMITTED UND ER THIS SUBSECTION M AY NOT
CONTAIN INFORMATION THAT REVEALS CYBERSE CURITY VULNERABILITI ES AND
RISKS IN THE STATE.
3.5–2A–05.
(A) THERE IS A MARYLAND CYBERSECURITY COORDINATING COUNCIL.
(B) (1) THE COUNCIL CONSISTS OF T HE FOLLOWING MEMBERS :
(1) THE SECRETARY OF BUDGET AND MANAGEMENT , OR THE
SECRETARY’S DESIGNEE;
(2) THE SECRETARY OF GENERAL SERVICES, OR THE SECRETARY’S
DESIGNEE;
(3) THE SECRETARY OF HEALTH, OR THE SECRETARY’S DESIGNEE;
(4) THE SECRETARY OF HUMAN SERVICES, OR THE SECRETARY’S
DESIGNEE;
(5) THE SECRETARY OF PUBLIC SAFETY AND CORRECTIONAL
SERVICES, OR THE SECRETARY’S DESIGNEE;
(6) THE SECRETARY OF TRANSPORTATION , OR THE SECRETARY’S
DESIGNEE;
(7) THE SECRETARY OF DISABILITIES, OR THE SECRETARY’S
DESIGNEE;
(I) THE SECRETARY OF EAC H OF THE PRINCIPAL
DEPARTMENTS LISTED I N § 8–201 OF THE STATE GOVERNMENT ARTICLE, OR A
SECRETARY’S DESIGNEE; Ch. 242 2022 LAWS OF MARYLAND
– 16 –
(8) (II) THE STATE CHIEF INFORMATION SECURITY OFFICER;
(9) (III) THE ADJUTANT GENERAL OF THE MARYLAND NATIONAL
GUARD, OR THE ADJUTANT GENERAL’S DESIGNEE;
(10) THE SECRETARY OF EMERGENCY MANAGEMENT , OR THE
SECRETARY’S DESIGNEE;
(11) (IV) THE SUPERINTENDENT OF STATE POLICE, OR THE
SUPERINTENDENT ’S DESIGNEE;
(12) (V) THE DIRECTOR OF THE GOVERNOR’S OFFICE OF
HOMELAND SECURITY, OR THE DIRECTOR’S DESIGNEE;
(13) (VI) THE EXECUTIVE DIRECTOR OF THE DEPARTMENT OF
LEGISLATIVE SERVICES, OR THE EXECUTIVE DIRECTOR’S DESIGNEE;
(14) (VII) ONE REPRESENTATIVE O F THE ADMINISTRATIVE OFFICE
OF THE COURTS;
(15) (VIII) THE CHANCELLOR OF THE UNIVERSITY SYSTEM OF
MARYLAND, OR THE CHANCELLOR ’S DESIGNEE; AND
(16) (IX) ANY OTHER STAKEHOLDER THAT THE STATE CHIEF
INFORMATION SECURITY OFFICER DEEMS APPROPR IATE.
(2) IF A DESIGNEE SERVES ON THE COUNCIL IN PLACE OF A N
OFFICIAL LISTED IN P ARAGRAPH (1) OF THIS SUBSECTION , THE DESIGNEE SHALL
REPORT INFORMATION F ROM THE COUNCIL MEETINGS AND OTHER
COMMUNICATIONS TO TH E OFFICIAL.
(C) IN ADDITION TO THE ME MBERS LISTED UNDER S UBSECTION (B) OF THIS
SECTION, THE FOLLOWING REPRES ENTATIVES MAY SERVE AS NONVOTING
MEMBERS OF THE COUNCIL:
(1) ONE MEMBER OF THE SENATE OF MARYLAND, APPOINTED BY T HE
PRESIDENT OF THE SENATE;
(2) ONE MEMBER OF THE HOUSE OF DELEGATES, APPOINTED BY THE
SPEAKER OF THE HOUSE; AND
(3) ONE REPRESENTATIVE O F THE JUDICIARY , APPOINTED BY THE
CHIEF JUDGE OF THE COURT OF APPEALS. LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 17 –
(C) (D) THE CHAIR OF THE COUNCIL IS THE STATE CHIEF INFORMATION
SECURITY OFFICER.
(D) (E) (1) THE COUNCIL SHALL MEET AT LEAST QUARTERLY AT T HE
REQUEST OF THE CHAIR .
(2) MEETINGS OF THE COUNCIL SHALL BE CLOS ED TO THE PUBLIC
AND NOT SUBJECT TO TITLE 3 OF THE GENERAL PROVISIONS ARTICLE.
(E) (F) THE COUNCIL SHALL:
(1) PROVIDE ADVICE AND R ECOMMENDATIONS TO TH E STATE CHIEF
INFORMATION SECURITY OFFICER REGARDING :
(I) THE STRATEGY AND IMP LEMENTATION OF CYBER SECURITY
INITIATIVES AND RECO MMENDATIONS ; AND
(II) BUILDING AND SUSTAIN ING THE CAPABILITY OF THE STATE
TO IDENTIFY AND MITI GATE CYBERSECURITY R ISK AND RESPOND TO A ND RECOVER
FROM CYBERSECURITY –RELATED INCIDENTS .
(2) USE THE ANALYSIS COM PILED BY THE OFFICE UNDER §
3.5–2A–04(E)(2) OF THIS SUBTITLE TO PRIORITIZE CYBERSECU RITY RISK ACROSS
THE EXECUTIVE BRANCH OF STATE GOVERNMENT AND MAKE CORRESPONDING
RECOMMENDATIONS FOR SECURITY INVESTMENTS IN THE GOVERNOR’S ANNUAL
BUDGET.
(F) (G) IN CARRYING OUT THE D UTIES OF THE COUNCIL, THE COUNCIL
MAY SHALL CONSULT WITH OUTSIDE EXPERTS, INCLUDING EXPERTS IN THE
PRIVATE SECTOR , GOVERNMENT AGENCIES , AND INSTITUTIONS OF HIGHER
EDUCATION.
3.5–2A–06.
THE COUNCIL SHALL STUDY T HE SECURITY AND FINA NCIAL IMPLICATIONS O F
EXECUTING PARTNERSHI PS WITH OTHER STATES TO PROCURE INFORMATI ON
TECHNOLOGY AND CYBERSECURITY PRODUC TS AND SERVICES , INCLUDING THE
IMPLICATIONS FOR POL ITICAL SUBDIVISIONS OF THE STATE.
3.5–2A–07.
THE COUNCIL SHALL:
Ch. 242 2022 LAWS OF MARYLAND
– 18 –
(1) PROMOTE CYBERSECURIT Y EDUCATION AND TRAI NING
OPPORTUNITIES TO STR ENGTHEN THE STATE’S CYBERSECURITY CAPA BILITIES BY
EXPANDING EXISTING A GREEMENTS WITH EDUCA TIONAL INSTITUTIONS ;
(2) UTILIZE RELATIONSHIP S WITH INSTITUTIONS OF HIGHER
EDUCATION TO ADVERTI SE CYBERSECURITY CAR EERS AND JOB POSITIO NS
AVAILABLE IN STATE OR LOCAL GOVERN MENT, INCLUDING THE MARYLAND
TECHNOLO GY INTERNSHIP PROGRAM ESTABLISHED U NDER TITLE 18, SUBTITLE 30
OF THE EDUCATION ARTICLE; AND.
(3) ASSIST INTERESTED CA NDIDATES WITH APPLYI NG FOR
CYBERSECURITY POSITI ONS IN STATE OR LOCAL GOVERN MENT.
3.5–301.
(a) In this subtitle the following words have the meanings indicated.
(i) “Master plan” means the statewide information technology master plan AND
STATEWIDE CYBERSECUR ITY STRATEGY.
(j) “Nonvisual access” means the ability, through keyboard control, synthesized
speech, Braille, or other methods not requiring sight to receive, use, and manipulate
information and operate controls necessary to access information technology in accordance
with standards adopted under [§ 3A–303(b)] § 3.5–303(B) of this subtitle.
3.5–302.
(a) This subtitle does not apply to changes relating to or the purchase, lease, or
rental of information technology by:
(1) public institutions of higher education solely for academic or research
purposes;
(2) the Maryland Port Administration;
(3) the University System of Maryland;
(4) St. Mary’s College of Maryland;
(5) Morgan State University;
(6) the Maryland Stadium Authority; [or]
(7) Baltimore City Community College;
LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 19 –
(8) THE LEGISLATIVE BRANCH OF STATE GOVERNMENT ; OR
(9) THE JUDICIAL BRANCH OF STATE GOVERNMENT .;
(10) THE OFFICE OF THE ATTORNEY GENERAL;
(11) THE COMPTROLLER ; OR
(12) THE STATE TREASURER.
(b) Except as provided in subsection (a) of this section, this subtitle applies to any
project of a unit of the Executive Branch of State government that involves an agreement
with a public institution of higher education for a portion of the development of the project,
whether the work on the development is done directly or indirectly by the public institution
of higher education.
(c) Notwithstanding any other provision of law, except as provided in subsection
(a) of this section and [§§ 3A–307(a)(2), 3A–308, and 3A–309] §§ 3.5–306(A)(2), 3.5–307,
3.5–307(A)(2), 3.5–308 AND 3.5–308 3.5–309 of this subtitle, this subtitle applies to all
units of the Executive Branch of State government including public institutions of higher
education other than Morgan State University, the University System of Maryland, St.
Mary’s College of Maryland, and Baltimore City Community College.
3.5–303.
(a) The Secretary is responsible for carrying out the following duties:
(1) developing, maintaining, revising, and enforcing information
technology policies, procedures, and standards;
(2) providing technical assistance, advice, and recommendations to the
Governor and any unit of State government concerning information technology matters;
(3) reviewing the annual project plan for each unit of State government to
make information and services available to the public over the Internet;
(4) developing and maintaining a statewide information technology master
plan that will:
(i) [be the basis for] CENTRALIZE the management and direction of
information technology POLICY within the Executive Branch of State government UNDER
THE CONTROL OF THE DEPARTMENT ;
(ii) include all aspects of State information technology including
telecommunications, security, data processing, and information management;
Ch. 242 2022 LAWS OF MARYLAND
– 20 –
(iii) consider interstate transfers as a result of federal legislation and
regulation;
(iv) [work jointly with the Secretary of Budget and Management to
ensure that information technology plans and budgets are consistent;
(v)] ensure that THE State information technology [plans, policies,]
PLAN AND RELATED POL ICIES and standards are consistent with State goals, objectives,
and resources, and represent a long–range vision for using information technology to
improve the overall effectiveness of State government; and
[(vi)] (V) include standards to assure nonvisual access to the
information and services made available to the public over the Internet; AND
(VI) ALLOWS A STATE AGENCY TO MAINT AIN THE AGENCY ’S OWN
INFORMATION TECHNOLO GY UNIT THAT PROVIDE S FOR INFORMATION
TECHNOLOGY SERVICES TO SUPPORT THE MISSI ON OF THE AGENCY .;
(5) PROVIDING OR COORDIN ATING THE PROCUREMEN T OF MANAGED
CYBERSECURITY SERVIC ES THAT ARE PAID FOR BY THE STATE AND USED BY LOC AL
GOVERNMENTS ;
(6) (5) DEVELOPING AND MAINT AINING A STATEWIDE
CYBERSECURITY MASTER PLAN STRATEGY THAT WILL:
(I) CENTRALIZE THE MANAG EMENT AND DIRECTION OF
CYBERSECURITY STRATE GY WITHIN THE EXECUTIVE BRANCH OF STATE
GOVERNMENT UNDER THE CONTROL OF THE DEPARTMENT ; AND
(II) SERVE AS THE BASIS F OR BUDGET ALLOCATION S FOR
CYBERSECURITY PREPAREDNESS FOR THE EXECUTIVE BRANCH OF STATE
GOVERNMENT ;
[(5)] (7) (6) adopting by regulation and enforcing nonvisual access standards
to be used in the procurement of information technology services by or on behalf of units of
State government in accordance with subsection (b) of this section;
[(6)] (8) (7) in consultation with the [Attorney General,] MARYLAND
CYBERSECURITY COORDINATING COUNCIL, advising and overseeing a consistent
cybersecurity strategy for units of State government, including institutions under the
control of the governing boards of the public institutions of higher education;
[(7)] (9) (8) advising and consulting with the Legislative and Judicial
branches of State government regarding a cybersecurity strategy; and LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 21 –
[(8)] (10) (9) in consultation with the [Attorney General,] MARYLAND
CYBERSECURITY COORDINATING COUNCIL, developing guidance on consistent
cybersecurity strategies for counties, municipal corporations, school systems, and all other
political subdivisions of the State.
(b) Nothing in subsection (a) of this section may be construed as establishing a
mandate for any entity listed in subsection [(a)(8)] (A)(10) of this section.
(c) On or before January 1, 2020, the Secretary, or the Secretary’s designee, shall:
(1) adopt new nonvisual access procurement standards that:
(i) provide an individual with disabilities with nonvisual access in a
way that is fully and equally accessible to and independently usable by the individual with
disabilities so that the individual is able to acquire the same information, engage in the
same interactions, and enjoy the same services as users without disabilities, with
substantially equivalent ease of use; and
(ii) are consistent with the standards of § 508 of the federal
Rehabilitation Act of 1973; and
(2) establish a process for the Secretary or the Secretary’s designee to:
(i) determine whether information technology meets the nonvisual
access standards adopted under item (1) of this subsection; and
(ii) 1. for information technology procured by a State unit before
January 1, 2020, and still used by the State unit on or after January 1, 2020, work with the
vendor to modify the information technology to meet the nonvisual access standards, if
practicable; or
2. for information technology procured by a State unit on or
after January 1, 2020, enforce the nonvisual access clause developed under [§ 3A–311] §
3.5–310 3.5–311 of this subtitle, including the enforcement of the civil penalty described
in [§ 3A–311(a)(2)(iii)1] § 3.5–310(A)(2)(III)1 3.5–311(A)(2)(III)1 of this subtitle.
(D) (1) THE GOVERNOR SHALL INCLUD E AN APPROPRIATION I N THE
ANNUAL BUDGET BILL IN AN AMOUNT NECESSA RY TO COVER THE COST S OF
IMPLEMENTING THE STA TEWIDE CYBERSECURITY MASTER PLAN DEVELOPE D
UNDER SUBSECTION (A) OF THIS SECTION WITH OUT THE NEED FOR THE
DEPARTMENT TO OPERATE A CHARGE –BACK MODEL FOR CYBER SECURITY
SERVICES PROVIDED TO OTHER UNITS OF STATE GOVERNMENT OR U NITS OF LOCAL
GOVERNMENT .
Ch. 242 2022 LAWS OF MARYLAND
– 22 –
(2) ON OR BEFORE JANUARY 31 EACH YEAR, IN A SEPARATE REPORT
OR INCLUDED WITHIN A GENERAL BUDGET REPOR T, THE GOVERNOR SHALL SUBMIT
A REPORT IN ACCORDAN CE WITH § 2–1257 OF THE STATE GOVERNMENT ARTICLE
TO THE SENATE BUDGET AND TAXATION COMMITTEE AND THE HOUSE
APPROPRIATIONS COMMITTEE THAT INCLUD ES:
(I) SPECIFIC INFORMATION ON THE INFORMATION
TECHNOLOGY BUDGET AN D CYBERSECURITY BUDG ET THAT THE GOVERNOR HAS
SUBMITTED TO THE GENERAL ASSEMBLY FOR THE UPCOMING FISCAL YEAR; AND
(II) HOW THE BUDGETS LIST ED UNDER ITEM (I) OF THIS
PARAGRAPH COMPARE TO THE ANNUAL OVERVIEW OF THE U.S. PRESIDENT’S
BUDGET SUBMISSION ON INFORMATION TECHNOLO GY AND CYBERSECURITY TO
CONGRESS CONDUCTED BY THE U.S. OFFICE OF MANAGEMENT AND BUDGET.
3.5–305.
(a) [Except as provided in subsection (b) of this section, in accordance with
guidelines established by the Secretary, each unit of State government shall develop and
submit to the Secretary:
(1) information technology policies and standards;
(2) an information technology plan; and
(3) an annual project plan outlining the status of efforts to make
information and services available to the public over the Internet.
(b) (1)] The governing boards of the public institutions of higher education shall
develop and submit information technology policies and standards and an information
technology plan for their respective institutions or systems to the Secretary.
[(2)] (B) If the Secretary finds that the submissions required under this
[subsection] SECTION are consistent with the master plan, the Secretary shall incorporate
those submissions into the master plan.
[(3)] (C) If the Secretary finds that the submissions required under this
[subsection] SECTION are not consistent with the master plan:
(i) the Secretary shall return the submissions to the governing
boards; and
(ii) the governing boards shall revise the submissions as appropriate
and submit the revised policies, standards, and plans to the Secretary.
LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 23 –
[3.5–306.
Information technology of each unit of State government shall be consistent with the
master plan.]
[3.5–307.] 3.5–306.
(a) (1) [A unit of State government] THE DEPARTMENT may not purchase,
lease, or rent information technology ON BEHALF OF A UNIT OF STATE GOVERNMENT
unless consistent with the master plan STRATEGY.
(2) A unit of State government other than a public institution of higher
education [may not make] SHALL SUBMIT REQUEST S FOR expenditures for major
information technology development projects OR CYBERSECURITY PRO JECTS except as
provided in [§ 3A–308] § 3.5–307 3.5–308 of this subtitle.
(b) [(1)] The Secretary may review any information technology project OR
CYBERSECURITY PROJEC T for consistency with the master plan STRATEGY.
[(2) Any information technology project selected for review may not be
implemented without the approval of the Secretary.]
(c) (1) A unit of State government shall advise the Secretary of any
information technology proposal involving resource sharing, the exchange of goods or
services, or a gift, contribution, or grant of real or personal property.
(2) The Secretary shall determine if the value of the resources, services,
and property to be obtained by the State under the terms of any proposal submitted in
accordance with the provisions of paragraph (1) of this subsection equals or exceeds
$100,000.
(3) If the value of any proposal submitted in accordance with this
subsection equals or exceeds $100,000 and the Secretary and unit agree to proceed with the
proposal, information on the proposal shall be:
(i) advertised for a period of at least 30 days in the eMaryland
Marketplace; and
(ii) submitted, simultaneously with the advertisement, to the
Legislative Policy Committee for a 60–day review and comment period, during which time
the Committee may recommend that the proposal be treated as a procurement contract
under Division II of this article.
Ch. 242 2022 LAWS OF MARYLAND
– 24 –
(4) Following the period for review and comment by the Legislative Policy
Committee under paragraph (3) of this subsection, the proposal is subject to approval by
the Board of Public Works.
(5) This subsection may not be construed as authorizing an exception from
the requirements of Division II of this article for any contract that otherwise would be
subject to the State procurement process.
[3.5–308.] 3.5–307.
(a) This section does not apply to a public institution of higher education.
(b) In submitting its information technology project requests, a unit of State
government shall designate projects which are major information technology development
projects.
(c) In reviewing information technology project requests, the Secretary may
change a unit’s designation of a major information technology development project.
(d) The Secretary shall review and, with the advice of the Secretary of Budget and
Management, approve major information technology development projects and
specifications for consistency with all statewide plans, policies, and standards, including a
systems development life cycle plan.
(e) The Secretary shall be responsible for overseeing the implementation of major
information technology development projects[, regardless of fund source].
(f) With the advice of the Secretary of Budget and Management, expenditures for
major information technology development projects shall be subject to the approval of the
Secretary who shall approve expenditures only when those projects are consistent with
statewide plans, policies, and standards.
(g) (1) The Secretary shall approve funding for major information technology
development projects only when those projects are supported by an approved systems
development life cycle plan.
(2) An approved systems development life cycle plan shall include
submission of:
(i) a project planning request that details initial planning for the
project, including:
1. the project title, appropriation code, and summary;
2. a description of:
LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 25 –
A. the needs addressed by the project;
B. the potential risks associated with the project;
C. possible alternatives; and
D. the scope and complexity of the project; and
3. an estimate of:
A. the total costs required to complete through planning; and
B. the fund sources available to support planning costs; and
(ii) a project implementation request to begin full design,
development, and implementation of the project after the completion of planning, including:
1. the project title, appropriation code, and summary;
2. a description of:
A. the needs addressed by the project;
B. the potential risks associated with the project;
C. possible alternatives;
D. the scope and complexity of the project; and
E. how the project meets the goals of the statewide master
plan; and
3. an estimate of:
A. the total project cost; and
B. the fund sources available.
(3) The Secretary may approve funding incrementally, consistent with the
systems development life cycle plan.
[3.5–309.] 3.5–308.
(a) There is a Major Information Technology Development Project Fund.
Ch. 242 2022 LAWS OF MARYLAND
– 26 –
(b) The purpose of the Fund is to support major information technology
development projects.
(c) The Secretary:
(1) shall administer the Fund in accordance with this section; and
(2) subject to the provisions of § 2–201 of this article and [§ 3A–307] §
3.5–306 3.5–307 of this subtitle, may receive and accept contributions, grants, or gifts of
money or property.
(d) (1) The Fund is a special, nonlapsing fund that is not subject to § 7–302 of
this article.
(2) The State Treasurer shall hold the Fund separately and the
Comptroller shall account for the Fund.
(3) The State Treasurer shall invest and reinvest the money of the Fund in
the same manner as other State money may be invested.
(4) Any investment earnings of the Fund shall be paid into the Fund.
(e) Except as provided in subsection (f) of this section, the Fund consists of:
(1) money appropriated in the State budget to the Fund;
(2) as approved by the Secretary, money received from:
(i) the sale, lease, or exchange of communication sites,
communication facilities, or communication frequencies for information technology
purposes; or
(ii) an information technology agreement involving resource
sharing;
(3) that portion of money earned from pay phone commissions to the extent
that the commission rates exceed those in effect in December 1993;
(4) money received and accepted as contributions, grants, or gifts as
authorized under subsection (c) of this section;
(5) general funds appropriated for major information technology
development projects of any unit of State government other than a public institution of
higher education that:
(i) are unencumbered and unexpended at the end of a fiscal year; LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 27 –
(ii) have been abandoned; or
(iii) have been withheld by the General Assembly or the Secretary;
(6) any investment earnings; and
(7) any other money from any source accepted for the benefit of the Fund.
(f) The Fund does not include any money:
(1) received by the Department of Transportation, the Maryland
Transportation Authority, Baltimore City Community College, or the Maryland Public
Broadcasting Commission;
(2) received by the Judicial or Legislative branches of State government; or
(3) generated from pay phone commissions that are credited to other
accounts or funds in accordance with other provisions of law or are authorized for other
purposes in the State budget or through an approved budget amendment.
(g) The Governor shall submit with the State budget:
(1) a summary showing the unencumbered balance in the Fund as of the
close of the prior fiscal year and a listing of any encumbrances;
(2) an estimate of projected revenue from each of the sources specified in
subsection (e) of this section for the fiscal year for which the State budget is submitted; and
(3) a descriptive listing of projects reflecting projected costs for the fiscal
year for which the State budget is submitted and any estimated future year costs.
(h) Expenditures from the Fund shall be made only:
(1) in accordance with an appropriation approved by the General Assembly
in the annual State budget; or
(2) through an approved State budget amendment under Title 7, Subtitle
2, Part II of this article, provided that a State budget amendment for any project not
requested as part of the State budget submission or for any project for which the scope or
cost has increased by more than 5% or $250,000 shall be submitted to the budget
committees allowing a 30–day period for their review and comment.
(i) The Fund may be used:
(1) for major information technology development projects; Ch. 242 2022 LAWS OF MARYLAND
– 28 –
(2) as provided in subsections (j) and (l) of this section; or
(3) notwithstanding [§ 3A–301(b)(2)] § 3.5–301(B)(2) of this subtitle, for
the costs of the first 12 months of operation and maintenance of a major information
technology development project.
(j) Notwithstanding subsection (b) of this section and except for the cost incurred
in administering the Fund, each fiscal year up to $1,000,000 of this Fund may be used for:
(1) educationally related information technology projects;
(2) application service provider initiatives as provided for in Title 9,
Subtitle 22 of the State Government Article; or
(3) information technology projects, including:
(i) pilots; and
(ii) prototypes.
(k) A unit of State government or local government may submit a request to the
Secretary to support the cost of an information technology project with money under
subsection (j) of this section.
(l) (1) Notwithstanding subsection (b) of this section and in accordance with
paragraph (2) of this subsection, money paid into the Fund under subsection (e)(2) of this
section shall be used to support:
(i) the State telecommunication and computer network established
under [§ 3A–404] § 3.5–404 of this title, including program development for these
activities; and
(ii) the Statewide Public Safety Interoperability Radio System, also
known as Maryland First (first responder interoperable radio system team), under Title 1,
Subtitle 5 of the Public Safety Article.
(2) The Secretary may determine the portion of the money paid into the
Fund that shall be allocated to each program described in paragraph (1) of this subsection.
(m) (1) On or before November 1 of each year, the Secretary shall report to the
Governor, the Secretary of Budget and Management, and to the budget committees of the
General Assembly and submit a copy of the report to the General Assembly, in accordance
with § 2–1257 of the State Government Article.
(2) The report shall include: LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 29 –
(i) the financial status of the Fund and a summary of its operations
for the preceding fiscal year;
(ii) an accounting for the preceding fiscal year of all money from each
of the revenue sources specified in subsection (e) of this section, including any expenditures
made from the Fund; and
(iii) for each project receiving money from the Fund in the preceding
fiscal year and for each major information technology development project receiving
funding from any source other than the Fund in the preceding fiscal year:
1. the status of the project;
2. a comparison of estimated and actual costs of the project;
3. any known or anticipated changes in scope or costs of the
project;
4. an evaluation of whether the project is using best
practices; and
5. a summary of any monitoring and oversight of the project
from outside the agency in which the project is being developed, including a description of
any problems identified by any external review and any corrective actions taken.
(n) On or before January 15 of each year, for each major information technology
development project currently in development or for which operations and maintenance
funding is being provided in accordance with subsection (i)(3) of this section, subject to §
2–1257 of the State Government Article, the Secretary shall provide a summary report to
the Department of Legislative Services with the most up–to–date project information
including:
(1) project status;
(2) any schedule, cost, and scope changes since the last annual report;
(3) a risk assessment including any problems identified by any internal or
external review and any corrective actions taken; and
(4) any change in the monitoring or oversight status.
[3A–310.] 3.5–309.
This subtitle may not be construed to give the Secretary authority over:
Ch. 242 2022 LAWS OF MARYLAND
– 30 –
(1) the content of educational applications or curriculum at the State or
local level; or
(2) the entities that may participate in such educational programs.
[3.5–311.] 3.5–310.
(a) (1) The Secretary or the Secretary’s designee, in consultation with other
units of State government, and after public comment, shall develop a nonvisual access
clause for use in the procurement of information technology and information technology
services that specifies that the technology and services:
(i) must provide equivalent access for effective use by both visual
and nonvisual means;
(ii) will present information, including prompts used for interactive
communications, in formats intended for both visual and nonvisual use;
(iii) can be integrated into networks for obtaining, retrieving, and
disseminating information used by individuals who are not blind or visually impaired; and
(iv) shall be obtained, whenever possible, without modification for
compatibility with software and hardware for nonvisual access.
(2) On or after January 1, 2020, the nonvisual access clause developed in
accordance with paragraph (1) of this subsection shall include a statement that:
(i) within 18 months after the award of the procurement, the
Secretary, or the Secretary’s designee, will determine whether the information technology
meets the nonvisual access standards adopted in accordance with [§ 3A–303(b)] §
3.5–303(B) of this subtitle;
(ii) if the information technology does not meet the nonvisual access
standards, the Secretary, or the Secretary’s designee, will notify the vendor in writing that
the vendor, at the vendor’s own expense, has 12 months after the date of the notification to
modify the information technology in order to meet the nonvisual access standards; and
(iii) if the vendor fails to modify the information technology to meet
the nonvisual access standards within 12 months after the date of the notification, the
vendor:
1. may be subject to a civil penalty of:
A. for a first offense, a fine not exceeding $5,000; and
B. for a subsequent offense, a fine not exceeding $10,000; and LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 31 –
2. shall indemnify the State for liability resulting from the
use of information technology that does not meet the nonvisual access standards.
(b) (1) Except as provided in paragraph (2) of this subsection, the nonvisual
access clause required under subsection (a) of this section shall be included in each
invitation for bids or request for proposals and in each procurement contract or modification
or renewal of a contract issued under Title 13 of this article, without regard to the method
chosen under Title 13, Subtitle 1 of this article for the purchase of new or upgraded
information technology and information technology services.
(2) Except as provided in subsection (a)(4) of this section, the nonvisual
access clause required under paragraph (1) of this subsection is not required if:
(i) the information technology is not available with nonvisual access
because the essential elements of the information technology are visual and nonvisual
equivalence cannot be developed; or
(ii) the cost of modifying the information technology for compatibility
with software and hardware for nonvisual access would increase the price of the
procurement by more than 15%.
[3.5–312.] 3.5–311.
The Secretary may delegate the duties set forth in this subtitle to carry out its
purposes.
[3.5–313.] 3.5–312.
(a) (1) In this section the following words have the meanings indicated.
(2) “Agency” includes a unit of State government that receives funds that
are not appropriated in the annual budget bill.
(3) (i) “Payee” means any party who receives from the State an
aggregate payment of $25,000 in a fiscal year.
(ii) “Payee” does not include:
1. a State employee with respect to the employee’s
compensation; or
2. a State retiree with respect to the retiree’s retirement
allowance.
Ch. 242 2022 LAWS OF MARYLAND
– 32 –
(4) “Searchable website” means a website created in accordance with this
section that displays and searches State payment data.
(b) (1) The Department shall develop and operate a single searchable website,
accessible to the public at no cost through the Internet.
(2) On or before the 15th day of the month that follows the month in which
an agency makes a payment to a payee, the Department shall update the payment data on
the searchable website.
(c) The searchable website shall contain State payment data, including:
(1) the name of a payee receiving a payment;
(2) the location of a payee by postal zip code;
(3) the amount of a payment; and
(4) the name of an agency making a payment.
(d) The searchable website shall allow the user to:
(1) search data for fiscal year 2008 and each year thereafter; and
(2) search by the following data fields:
(i) a payee receiving a payment;
(ii) an agency making a payment; and
(iii) the zip code of a payee receiving a payment.
(e) State agencies shall provide appropriate assistance to the Secretary to ensure
the existence and ongoing operation of the single website.
(f) This section may not be construed to require the disclosure of information that
is confidential under State or federal law.
(g) This section shall be known and may be cited as the “Maryland Funding
Accountability and Transparency Act”.
[3.5–314.] 3.5–313.
(a) In this section, “security–sensitive data” means information that is protected
against unwarranted disclosure.
LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 33 –
(b) In accordance with guidelines established by the Secretary, each unit of State
government shall develop a plan to:
(1) identify unit personnel who handle security–sensitive data; and
(2) establish annual security overview training or refresher security
training for each employee who handles security–sensitive data as part of the employee’s
duties.
3.5–401.
(a) The Department shall:
(1) coordinate the development, procurement, management, and operation
of telecommunication equipment, systems, and services by State government;
(2) TO ADDRESS PREPAREDN ESS AND RESPONSE CAP ABILITIES OF
LOCAL JURISDICTIONS , COORDINATE THE PROCU REMENT OF MANAGED
CYBERSECURITY SERVIC ES PROCURED BY LOCAL GOVERNMENTS WITH STATE
FUNDING;
[(2)] (3) acquire and manage common user telecommunication
equipment, systems, or services and charge units of State government for their
proportionate share of the costs of installation, maintenance, and operation of the common
user telecommunication equipment, systems, or services;
[(3)] (4) promote compatibility of telecommunication systems by
developing policies, procedures, and standards for the [acquisition and] use of
telecommunication equipment, systems, and services by units of State government;
[(4)] (5) coordinate State government telecommunication systems and
services by reviewing requests by units of State government for, AND ACQUIRING ON
BEHALF OF UNITS OF STATE GOVERNMENT , telecommunication equipment, systems, or
services;
[(5)] (6) advise units of State government about [planning, acquisition,]
PLANNING and operation of telecommunication equipment, systems, or services; and
[(6)] (7) provide radio frequency coordination for State and local
governments in accordance with regulations of the Federal Communications Commission.
(b) The Department may make arrangement for a user other than a unit of State
government to have access to and use of State telecommunication equipment, systems, and
services and shall charge the user any appropriate amount to cover the cost of installation, Ch. 242 2022 LAWS OF MARYLAND
– 34 –
maintenance, and operation of the telecommunication equipment, system, or service
provided.
(C) (1) THE DEPARTMENT SHALL DEVE LOP AND REQUIRE BASI C
SECURITY REQUIREMENT S TO BE INCLUDED IN A CONTRACT:
(I) IN WHICH A THIRD–PARTY CONTRACTOR WIL L HAVE ACCESS
TO AND USE STATE TELECOMMUNICATI ON EQUIPMENT , SYSTEMS, OR SERVICES; OR
(II) BY A UNIT OF STATE GOVERNMENT THAT IS LESS THAN
$50,000 FOR SYSTEMS OR DEVIC ES THAT WILL CONNECT TO STATE
TELECOMMUNICATION EQ UIPMENT, SYSTEMS, OR SERVICES.
(2) THE SECURITY REQUIREM ENTS DEVELOPED UNDER PARAGRAPH
(1) OF THIS SUBSECTION S HALL BE CONSISTENT W ITH A WIDELY RECOGNI ZED
SECURITY STANDARD , INCLUDING NATIONAL INSTITUTE OF STANDARDS AND
TECHNOLOGY SP 800–171, ISO27001, OR CYBERSECURITY MATURITY MODEL
CERTIFICATION.
3.5–404.
(a) The General Assembly declares that:
(1) it is the policy of the State to foster telecommunication and computer
networking among State and local governments, their agencies, and educational
institutions in the State;
(2) there is a need to improve access, especially in rural areas, to efficient
telecommunication and computer network connections;
(3) improvement of telecommunication and computer networking for State
and local governments and educational institutions promotes economic development,
educational resource use and development, and efficiency in State and local administration;
(4) rates for the intrastate inter–LATA telephone communications needed
for effective integration of telecommunication and computer resources are prohibitive for
many smaller governments, agencies, and institutions; and
(5) the use of improved State telecommunication and computer networking
under this section is intended not to compete with commercial access to advanced network
technology, but rather to foster fundamental efficiencies in government and education for
the public good.
(b) (1) The Department shall establish a telecommunication and computer
network in the State. LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 35 –
(2) The network shall consist of:
(i) one or more connection facilities for telecommunication and
computer connection in each local access transport area (LATA) in the State; and
(ii) facilities, auxiliary equipment, and services required to support
the network in a reliable and secure manner.
(c) The network shall be accessible through direct connection and through local
intra–LATA telecommunications to State and local governments and public and private
educational institutions in the State.
(D) ON OR BEFORE DECEMBER 1 EACH YEAR , EACH UNIT OF THE
LEGISLATIVE OR JUDICIAL BRANCH OF STATE GOVERNMENT AND ANY DIVISION OF
THE UNIVERSITY SYSTEM OF MARYLAND THAT USE THE NETWORK ESTABLISHED
UNDER SUBSECTION (B) OF THIS SECTION SHAL L CERTIFY TO THE DEPARTMENT
THAT THE UNIT OR DIV ISION IS IN COMPLIAN CE WITH THE DEPARTMENT ’S MINIMUM
SECURITY STANDARDS .
3.5–404.
(D) (1) THE OFFICE SHALL ENSURE T HAT AT LEAST ONCE EV ERY 2
YEARS, OR MORE OFTEN IF REQ UIRED BY REGULATIONS ADOPTED BY THE
DEPARTMENT , EACH UNIT OF STATE GOVERNMENT SHAL L COMPLETE AN EXTERN AL
ASSESSMENT .
(2) THE OFFICE SHALL ASSIST E ACH UNIT TO REMEDIAT E ANY
SECURITY VULNERABILI TIES OR HIGH–RISK CONFIGURATIONS IDENTIFIED IN THE
ASSESSMENT REQUIRED UNDER PARAGRAPH (1) OF THIS SUBSECTION .
(E) (1) IN THIS SUBSECTION , “IT UNIT” MEANS A UNIT OF THE
LEGISLATIVE BRANCH OR JUDICIAL BRANCH OF STATE GOVERNMENT , THE OFFICE
OF THE ATTORNEY GENERAL, THE OFFICE OF THE COMPTROLLER , OR THE OFFICE
OF THE STATE TREASURER THAT PROVIDES INFORM ATION TECHNOLOGY SERVICES
FOR ANOTHER UNIT OF GOVERNMENT .
(2) EACH IT UNIT SHALL:
(I) BE EVALUATED BY AN I NDEPENDENT AUDITOR W ITH
CYBERSECURITY EXPERT ISE TO DETERMINE WHE THER THE IT UNIT, AND THE UNITS
IT PROVIDES INFORMAT ION TECHNOLOGY SERVI CES FOR, MEET RELEVANT
CYBERSECURITY STANDA RDS RECOMMENDED BY T HE NATIONAL INSTITUTE OF
STANDARDS AND TECHNOLOGY ; AND Ch. 242 2022 LAWS OF MARYLAND
– 36 –
(II) CERTIFY COMPLIANCE W ITH THE RECOMMENDED
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY CYBERSECUR ITY
STANDARDS TO :
1. IF THE IT UNIT IS PART OF THE LEGISLATIVE
BRANCH, THE PRESIDENT OF THE SENATE AND THE SPEAKER OF THE HOUSE; AND
2. IF THE IT UNIT IS PART OF THE OFFICE OF THE
ATTORNEY GENERAL, TO THE ATTORNEY GENERAL;
3. IF THE IT UNIT IS PART OF THE COMPTROLLER ’S
OFFICE, TO THE COMPTROLLER ;
4. IF THE IT UNIT IS PART OF THE STATE TREASURER’S
OFFICE, TO THE STATE TREASURER; AND
2. 5. IF THE IT UNIT IS PART OF THE JUDICIAL BRANCH OF
STATE GOVERNMENT , THE CHIEF JUDGE.
3.5–405.
(A) ON OR BEFORE DECEMBER 1 EACH YEAR, EACH UNIT OF STATE
GOVERNMENT SHALL :
(1) COMPLETE A CYBERSECU RITY PREPAREDNESS AS SESSMENT AND
REPORT THE RESULTS OF ANY CYBERSECURITY PREPAREDNESS ASSESSM ENTS
PERFORMED IN THE PRI OR YEAR TO THE OFFICE OF SECURITY MANAGEMENT IN
ACCORDANCE WITH GUID ELINES DEVELOPED BY THE OFFICE; AND
(2) SUBMIT A REPORT TO T HE GOVERNOR AND THE OFFICE OF
SECURITY MANAGEMENT THAT INCLU DES:
(I) AN INVENTORY OF ALL INFORMATION SYSTEMS AND
APPLICATIONS USED OR MAINTAINED BY THE UNI T;
(II) A FULL DATA INVENTOR Y OF THE UNIT;
(III) A LIST OF ALL CLOUD OR STATISTICAL ANALY SIS SYSTEM
SOLUTIONS USED BY TH E UNIT;
(IV) A LIST OF ALL PERMAN ENT AND TRANSIENT VE NDOR
INTERCONNECTIONS THA T ARE IN PLACE;
LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 37 –
(V) THE NUMBER OF UNIT E MPLOYEES WHO HAVE RE CEIVED
CYBERSECURITY TRAINI NG;
(VI) THE TOTAL NUMBER OF UNIT EMPLOYEES WHO U SE THE
NETWORK;
(VII) THE NUMBER OF INFORM ATION TECHNOLOGY STA FF
POSITIONS, INCLUDING VACANCIES ;
(VIII) THE NUMBER OF NONI NFORMATION TECHNOLOG Y STAFF
POSITIONS, INCLUDING VACANCIES ;
(IX) THE UNIT ’S INFORMATION TECHNO LOGY BUDGET ,
ITEMIZED TO INCLUDE THE FOLLOWING CATEGO RIES:
1. SERVICES;
2. EQUIPMENT;
3. APPLICATIONS;
4. PERSONNEL ;
5. SOFTWARE LICENSING ;
6. DEVELOPMENT ;
7. NETWORK PROJECTS ;
8. MAINTENANCE ; AND
9. CYBERSECURITY ;
(X) ANY MAJOR INFORMATIO N TECHNOLOGY INITIAT IVES TO
MODERNIZE THE UNIT ’S INFORMATION TECHNO LOGY SYSTEMS OR IMPR OVE
CUSTOMER ACCESS TO STATE AND LOCAL SERVI CES;
(XI) THE UNIT’S PLANS FOR FUTURE F ISCAL YEARS TO
IMPLEMENT THE UNIT ’S INFORMATION TECHNO LOGY GOALS;
(XII) COMPLIANCE WITH TIME LINES AND METRICS PR OVIDED IN
THE DEPARTMENT ’S MASTER PLAN ; AND
Ch. 242 2022 LAWS OF MARYLAND
– 38 –
(XIII) ANY OTHER KEY PERFOR MANCE INDICATORS REQ UIRED BY
THE OFFICE OF SECURITY MANAGEMENT TO TRACK C OMPLIANCE OR CONSIST ENCY
WITH THE DEPARTMENT ’S STATEWIDE INFORMATION TEC HNOLOGY MASTER PLAN .
(B) (1) EACH UNIT OF STATE GOVERNMENT SHAL L REPORT A
CYBERSECURITY INCIDE NT IN ACCORDANCE WIT H PARAGRAPH (2) OF THIS
SUBSECTION TO THE STATE CHIEF INFORMATION SECURITY OFFICER.
(2) FOR THE REPORTING OF CYBERSECURITY INCIDENTS UND ER
PARAGRAPH (1) OF THIS SUBSECTION , THE STATE CHIEF INFORMATION SECURITY
OFFICER SHALL DETERMI NE:
(I) THE CRITERIA FOR DET ERMINING WHEN AN INC IDENT MUST
BE REPORTED ;
(II) THE MANNER IN WHICH TO REPORT; AND
(III) THE TIME PERIOD WITH IN WHICH A REPORT MU ST BE MADE.
3.5–406.
(C) (1) (A) THIS SUBSECTION SECTION DOES NOT APPLY TO
MUNICIPAL GOVERNMENT S.
(2) (B) ON OR BEFORE DECEMBER 1 EACH YEAR IN A MANNER AND
FREQUENCY ESTABLISHE D IN REGULATIONS ADO PTED BY THE DEPARTMENT , EACH
COUNTY GOVERNMENT , LOCAL SCHOOL SYSTEM , AND LOCAL HEALTH DEP ARTMENT
SHALL:
(I) (1) IN CONSULTATION WITH THE LOCAL EMERGENCY
MANAGER, CREATE OR UPDATE A C YBERSECURITY PREPARE DNESS AND RESPONSE
PLAN AND SUBMIT THE PLAN TO THE OFFICE OF SECURITY MANAGEMENT FOR
APPROVAL; AND
(II) (2) COMPLETE A CYBERSECU RITY PREPAREDNESS
ASSESSMENT AND REPORT THE RESUL TS TO THE OFFICE OF SECURITY
MANAGEMENT IN ACCORDA NCE WITH GUIDELINES DEVELOPED BY THE OFFICE;
AND
(III) REPORT TO THE OFFICE OF SECURITY MANAGEMENT :
1. THE NUMBER OF INFORM ATION TECHNOLOGY STA FF
POSITIONS, INCLUDING VACANCIES ; LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 39 –
2. THE ENTITY ’S CYBERSECURITY BUDG ET AND
OVERALL INFORMATION TECHNOLOGY BUDGET ;
3. THE NUMBER OF EMPLOY EES WHO HAVE RECEIVED
CYBERSECURITY TRAINI NG; AND
4. THE TOTAL NUMBER OF EMPLOYEES WITH ACCES S TO
THE ENTITY’S COMPUTER SYSTEMS A ND DATABASES .
(C) THE ASSESSMENT REQUIR ED UNDER PARAGRAPH (B)(2) OF THIS
SECTION MAY , IN ACCORDANCE WITH T HE PREFERENCE OF EAC H COUN TY
GOVERNMENT , BE PERFORMED BY THE DEPARTMENT OR BY A VE NDOR
AUTHORIZED BY THE DEPARTMENT .
(3) (I) (D) (1) EACH COUNTY LOCAL GOVERNMENT , LOCAL
SCHOOL SYSTEM, AND LOCAL HEALTH DEPARTM ENT SHALL REPORT A
CYBERSECURITY INCIDE NT, INCLUDING AN ATTACK ON A STATE SYSTEM BEING
USED BY THE LOCAL GO VERNMENT, TO THE APPROPRIATE L OCAL EMERGENCY
MANAGER AND THE STATE SECURITY OPERATIONS CENTER IN THE DEPARTMENT
IN ACCORDANCE WITH SUBPARAGRAPH (II) PARAGRAPH (2) OF THIS PARAGRAPH
SUBSECTION TO THE APPROPRIATE LOCAL EMERGENCY MANAGER .
(II) (2) FOR THE REPORTING OF CYBERSECURITY INCIDE NTS
TO LOCAL EMERGENCY M ANAGERS UNDER SUBPAR AGRAPH (I) OF THIS PARAGRAPH ,
THE STATE CHIEF INFORMATION SECURITY OFFICER SHALL DETERMI NE:
1. (I) THE CRITERIA FOR DET ERMINING WHEN AN INCIDENT
MUST BE REPORTED ;
2. (II) THE MANNER IN WHICH TO REPORT; AND
3. (III) THE TIME PERIOD WITH IN WHICH A REPORT
MUST BE MADE .
(3) THE STATE SECURITY OPERATIONS CENTER SHALL
IMMEDIATELY NOTIFY T HE APPROPRIATE AGENC IES OF A CYBERSECURITY
INCIDENT REPORTED UN DER THIS SUBSECTION THROUGH THE STATE SECURITY
OPERATIONS CENTER.
4–316.1.
THE DEPARTMENT , IN CONSULTATION WITH THE MARYLAND
CYBERSECURITY COORDINATING COUNCIL ESTABLISHED I N § 3.5–2A–05 OF THIS Ch. 242 2022 LAWS OF MARYLAND
– 40 –
ARTICLE, SHALL STUDY THE SECURITY AND FINANCI AL IMPLICATIONS OF
EXECUTING PARTNERSHI PS WITH OTHER STATES TO PROCURE INFORMATI ON
TECHNOLOGY AND CYBER SECURITY PRODUCTS AN D SERVICES, INCLUDING THE
IMPLICATIONS FOR POL ITICAL SUBDIVISIONS OF THE STATE.
13–115.
(A) THE DEPARTMENT OF INFORMATION TECHNOLOGY SHALL REQUIRE
BASIC SECURITY REQUI REMENTS TO BE INCLUD ED IN A CONTRACT :
(1) IN WHICH A THIRD –PARTY CONTRACTOR WIL L HAVE ACCESS TO
AND USE STATE TELECOMMUNICATI ON EQUIPMENT , SYSTEMS, OR SERVICES; OR
(2) FOR SYSTEMS OR DEVIC ES THAT WILL CONNECT TO STATE
TELECOMMUNICATION EQ UIPMENT, SYSTEMS, OR SERVICES.
(B) THE SECURITY REQUIREM ENTS DEVELOPED UNDER SUBSECTION (A) OF
THIS SECTION SHALL B E CONSISTENT WITH A WIDELY RECOGNIZED SE CURITY
STANDARD, INCLUDING NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
SP 800–171, ISO27001, OR CYBERSECURITY MATURITY MODEL CERTIFICATION.
12–107.
(b) Subject to the authority of the Board, jurisdiction over procurement is as
follows:
(2) the Department of General Services may:
(i) engage in or control procurement of:
10. information processing equipment and associated
services, as provided in Title [3A] 3.5, Subtitle 3 of this article; [and]
11. telecommunication equipment, systems, or services, as
provided in Title [3A] 3.5, Subtitle 4 of this article; AND
12. MANAGED CYBERSECURIT Y SERVICES, AS PROVIDED
IN TITLE 3.5, SUBTITLE 3 OF THIS ARTICLE;
SECTION 3. AND BE IT FURTHER ENACTED, That, as a key enabler of the
Department of Information Technology’s cybersecurity risk management strategy, on or
before December 31, 2022, the Department shall complete the implementation of a
governance, risk, and compliance module across the Executive Branch of State government
that: LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 41 –
(1) has industry–standard capabilities;
(2) is based on NIST, ISO, or other recognized security frameworks or
standards; and
(3) enables the Department to identify, monitor, and manage cybersecurity
risk on a continuous basis.
SECTION 4. AND BE IT FURTHER ENACTED, That, on or before June 30, 2023,
the Office of Security Management, in consultation with the Maryland Cybersecurity
Coordinating Council, shall:
(1) prepare a transition strategy toward cybersecurity centralization,
including recommendations for:
(1) (i) consistent incident response training;
(2) (ii) implementing security improvement dashboards to inform
budgetary appropriations;
(3) (iii) operations logs transition to the Maryland Security Operations
Center;
(4) (iv) establishing consistent performance accountability metrics for
information technology and cybersecurity staff; and
(5) (v) whether the Office needs additional staff or contractors to carry
out its duties; and
(2) report the transition strategy and recommendations prepared under
item (1) of this section to the Governor and, in accordance with § 2–1257 of the State
Government Article, the Senate Education, Health, and Environmental Affairs Committee
and the House Health and Government Operations Committee.
SECTION 5. AND BE IT FURTHER ENACTED, That:
(a) (1) On or before June 30, 2023, each agency in the Executive Branch of
State government shall certify to the Office of Security Management compliance with State
minimum cybersecurity standards established by the Department of Information Security
Technology.
(2) Except as provided in paragraph (3) of this subsection, certification
shall be reviewed by independent auditors, and any findings must be remediated.
Ch. 242 2022 LAWS OF MARYLAND
– 42 –
(3) Certification for the Department of Public Safety and Correctional
Services and any State criminal justice agency shall be reviewed by the Office of Legislative
Audits, and any findings must be remediated.
(b) If Except as provided in subsection (c) of this section, if an agency has not
remediated any findings pertaining to State cybersecurity standards found by the
independent audit required under subsection (a) of this section by July 1, 2024, the Office
of Security Management shall assume responsibility for an agency’s cybersecurity ensure
compliance of an agency’s cybersecurity with cybersecurity standards through a shared
service agreement, administrative privileges, or access to Network Maryland
notwithstanding any federal law or regulation that forbids the Office of Security
Management from managing a specific system.
(c) Subsection (b) of this section does not apply if a federal law or regulation
forbids the Office of Security Management from managing a specific system.
SECTION 6. AND BE IT FURTHER ENACTED, That:
(a) The Department of Information Technology shall hire a contractor to conduct
a performance and capacity assessment of the Department to:
(1) evaluate the Department’s capacity to implement provisions of this Act;
and
(2) recommend additional resources necessary for the Department to
implement provisions of this title and meet future needs, including additional budget
appropriations, additional staff, altered contracting authority, and pay increases for staff.
(b) The contractor hired by the Department to complete the assessment and
report required by this section shall:
(1) on or before December 1, 2023, submit an interim report of its findings
and recommendations to the Governor and, in accordance with § 2–1257 of the State
Government Article, the General Assembly; and
(2) on or before December 1, 2024, submit a final report of its findings and
recommendations to the Governor and, in accordance with § 2 –1257 of the State
Government Article, the General Assembly.
SECTION 7. AND BE IT FURTHER ENACTED, That for fiscal year 2023, funds
from the Dedicated Purpose Account may be transferred by budget amendment in
accordance with § 7–310 of the State Finance and Procurement Article to implement this
Act.
SECTION 8. AND BE IT FURTHER ENACTED, That:
LAWRENCE J. HOGAN, JR., Governor Ch. 242
– 43 –
(a) On or before June October 1, 2022, the State Chief Information Security
Officer shall establish guidelines to determine when a cybersecurity incident shall be
disclosed to the public.
(b) On or before November 1, 2022, the State Chief Information Security Officer
shall submit a report on the guidelines established under subsection (a) of this section to
the Governor and, in accordance with § 2–1257 of the State Government Article, the House
Health and Government Operations Committee and the Senate Education, Health, and
Environmental Affairs Committee.
SECTION 4. AND BE IT FURTHER ENACTED, That, on the effective date of this
Act, the following shall be transferred to the Department of Information Technology:
(1) all appropriations, including State and federal funds, held by a unit of
the Executive Branch of State government for the purpose of information technology
operations or cybersecurity for the unit on the effective date of this Act; and
(2) all books and records (including electronic records), real and personal
property, equipment, fixtures, assets, liabilities, obligations, credits, rights, and privileges
held by a unit of the Executive Branch of State government for the purpose of information
technology operations or cybersecurity for the unit on the effective date of this Act.
SECTION 5. AND BE IT FURTHER ENACTED, That all employees of a unit of the
Executive Branch of State government who are assigned more than 50% of the time to a
function related to information technology operations or cybersecurity for the unit on the
effective date of this Act shall, on the effective date of this Act, report to the Secretary of
Information Technology or the Secretary’s designee.
SECTION 6. AND BE IT FURTHER ENACTED, That any transaction affected by
the transfer of oversight of information technology operations or cybersecurity of a unit of
the Executive Branch of State government and validly entered into before the effective date
of this Act, and every right, duty, or interest flowing from it, remains valid after the
effective date of this Act and may be terminated, completed, consummated, or enforced
under the law.
SECTION 7. AND BE IT FURTHER ENACTED, That all existing laws, regulations,
proposed regulations, standards and guidelines, policies, orders and other directives, forms,
plans, memberships, contracts, property, investigations, administrative and judicial
responsibilities, rights to sue and be sued, and all other duties and responsibilities
associated with information technology operations or cybersecurity of a unit of the
Executive Branch of State government prior to the effective date of this Act shall continue
and, as appropriate, be legal and binding on the Department of Information Technology
until completed, withdrawn, canceled, modified, or otherwise changed under the law.
SECTION 8. 9. AND BE IT FURTHER ENACTED, That this Act shall take effect
October July 1, 2022. Ch. 242 2022 LAWS OF MARYLAND
– 44 –
Approved by the Governor, May 12, 2022.