EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW.
[Brackets] indicate matter deleted from existing law.
Underlining indicates amendments to bill.
Strike out indicates matter stricken from the bill by amendment or deleted from the law by
amendment.
*hb0969*
HOUSE BILL 969
C5, S2 3lr2834
CF SB 800
By: Delegate Qi
Introduced and read first time: February 10, 2023
Assigned to: Economic Matters and Health and Government Operations
Committee Report: Favorable
House action: Adopted
Read second time: March 11, 2023
CHAPTER ______
AN ACT concerning 1
Public Service Commission – Cybersecurity Staffing and Assessments 2
(Critical Infrastructure Cybersecurity Act of 2023) 3
FOR the purpose of requiring the Public Service Commission to include on its staff a certain 4
number of experts in cybersecurity to perform certain duties; requiring the 5
Commission to establish, in coordination with the Office of Security Management, 6
cybersecurity standards and best practices for regulated entities, share information 7
on cybersecurity initiatives and best practices with certain entities, and conduct a 8
certain periodic assessment; requiring certain public service companies, including 9
certain electric cooperatives, to adopt and implement certain cybersecurity 10
standards and a zero–trust cybersecurity approach for certain services, establish 11
certain minimum security standards, and periodically contract with a third party to 12
conduct a certain assessment and submit certain information to the Commission 13
beginning in a certain year; requiring the Commission to conduct an evaluation on 14
or before a certain date based on certain assessments; and generally relating to 15
cybersecurity standards and assessments for public service companies and the Public 16
Service Commission. 17
BY repealing and reenacting, with amendments, 18
Article – Corporations and Associations 19
Section 5–637 20
Annotated Code of Maryland 21
(2014 Replacement Volume and 2022 Supplement) 22
BY repealing and reenacting, without amendments, 23 2 HOUSE BILL 969
Article – Public Utilities 1
Section 1–101(a) 2
Annotated Code of Maryland 3
(2020 Replacement Volume and 2022 Supplement) 4
BY adding to 5
Article – Public Utilities 6
Section 1–101(h–1) and 5–306 7
Annotated Code of Maryland 8
(2020 Replacement Volume and 2022 Supplement) 9
BY repealing and reenacting, with amendments, 10
Article – Public Utilities 11
Section 2–108(d) and 2–113 12
Annotated Code of Maryland 13
(2020 Replacement Volume and 2022 Supplement) 14
BY repealing and reenacting, without amendments, 15
Article – State Finance and Procurement 16
Section 3.5–301(a) and (b) 17
Annotated Code of Maryland 18
(2021 Replacement Volume and 2022 Supplement) 19
SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 20
That the Laws of Maryland read as follows: 21
Article – Corporations and Associations 22
5–637. 23
(a) (1) Except as provided in paragraph (2) of this subsection, this subtitle 24
applies to the provision of broadband Internet service by a member–regulated cooperative. 25
(2) A member–regulated cooperative may not, for the sole purpose of 26
providing broadband Internet service, exercise the power of condemnation under § 27
5–607(a)(16) of this subtitle. 28
(b) A member–regulated cooperative is subject to the following provisions of the 29
Public Utilities Article: 30
(1) § 5–103; 31
(2) § 5–201; 32
(3) § 5–202; 33
(4) § 5–303; 34 HOUSE BILL 969 3
(5) § 5–304; 1
(6) § 5–306; 2
[(6)] (7) § 7–103; 3
[(7)] (8) § 7–104; 4
[(8)] (9) § 7–203; 5
[(9)] (10) § 7–207; 6
[(10)] (11) § 7–302; 7
[(11)] (12) Title 7, Subtitle 5, Part I and Part II; 8
[(12)] (13) Title 7, Subtitle 7; and 9
[(13)] (14) § 13–101. 10
Article – Public Utilities 11
1–101. 12
(a) In this division the following words have the meanings indicated. 13
(H–1) “CYBERSECURITY ” HAS THE MEANING ST ATED IN § 3.5–301 OF THE 14
STATE FINANCE AND PROCUREMENT ARTICLE. 15
2–108. 16
(d) (1) The State budget shall provide sufficient money for the Commission to 17
hire, develop, and organize a staff to perform the functions of the Commission, including 18
analyzing data submitted to the Commission and participating in proceedings as provided 19
in § 3–104 of this article. 20
(2) (i) As the Commission considers necessary, the Commission shall 21
hire experts including economists, cost of capital experts, rate design experts, accountants, 22
engineers, transportation specialists, and lawyers. 23
(ii) To assist in the regulation of intrastate hazardous liquid 24
pipelines under Title 11, Subtitle 2 of this article, the Commission shall include on its staff 25
at least one engineer who specializes in the storage of and the transportation of hazardous 26
liquid materials by pipeline. 27
4 HOUSE BILL 969
(3) THE COMMISSION SHALL INCL UDE ON ITS STAFF ONE OR MORE 1
EMPLOYEES THAT ARE E XPERTS IN CYBERSECUR ITY TO: 2
(I) ADVISE THE CHAIRMAN OF THE COMMISSION AND THE 3
COMMISSIONERS ON MEA SURES TO IMPROVE OVE RSIGHT OF THE CYBERS ECURITY 4
PRACTICES OF PUBLIC SERVICE COMPANIES ; 5
(II) CONSULT WITH THE OFFICE OF SECURITY MANAGEMENT 6
ON CYBERSECURITY ISS UES RELATED TO UTILI TY REGULATION ; 7
(III) STUDY AND MONITOR CYBERSECURITY BEST P RACTICES 8
FOR INFORMATION TECH NOLOGY AND OPERATION AL TECHNOLOGY ; 9
(IV) ASSIST IN DRAFTING C YBERSECURITY –RELATED 10
REGULATIONS ; 11
(V) ASSIST THE COMMISSION IN MONITOR ING THE MINIMUM 12
SECURITY STANDARDS D EVELOPED UNDER § 5–306 OF THIS ARTICLE; 13
(VI) CONVENE WORKSHOPS WI TH PUBLIC SERVICE CO MPANIES 14
THAT DO NOT MEET MIN IMUM SECURITY STANDA RDS; AND 15
(VII) PREPARE REPORTS FOR THE COMMISSION TO REVIEW , 16
INCLUDING REPORTS ON : 17
1. CYBERSECURITY THREAT S AND SOURCES ; AND 18
2. THE EFFICACY OF CYBERSEC URITY PRACTICES OF 19
PUBLIC SERVICE COMPA NIES. 20
(4) The Commission may retain on a case by case basis additional experts 21
as required for a particular matter. 22
[(4)] (5) The lawyers who represent the Commission staff in proceedings 23
before the Commission shall be appointed by the Commission and shall be organized and 24
operate independently of the office of General Counsel. 25
[(5)] (6) (i) As required, the Commission shall hire public utility law 26
judges. 27
(ii) Public utility law judges are a separate organizational unit and 28
shall report directly to the Commission. 29
HOUSE BILL 969 5
[(6)] (7) The Commission shall hire personal staff members for each 1
commissioner as required to provide advice, draft proposed orders and rulings, and perform 2
other personal staff functions. 3
(8) THE COMMISSION SHALL : 4
(I) COLLABORATE WITH THE OFFICE OF SECURITY 5
MANAGEMENT TO ESTABLI SH CYBERSECURITY STA NDARDS AND BEST PRAC TICES 6
FOR REGULATED ENTITI ES, TAKING INTO ACCOUNT UTILITY NEEDS AND 7
CAPABILITIES BASED O N SIZE; 8
(II) PERIODICALLY SHARE I NFORMATION ON CYBERS ECURITY 9
INITIATIVES AND BEST PRACTICES WITH MUNIC IPAL ELECTRIC UTILIT IES; 10
(III) BEGINNING ON OR BEFO RE OCTOBER 1, 2023, AND EVERY 2 11
YEARS THEREAFTER , EVALUATE THE ASSESSM ENTS SUBMITTED UNDER § 12
5–306 OF THIS ARTICLE FOR CYBERS ECURITY–RELATED POLICIES AND 13
PROCEDURES , INCLUDING CYBERSECUR ITY AND DATA PRIVACY THREAT 14
PROTECTIONS ; AND 15
(IV) SUBMIT THE EVALUATIO N UNDER ITEM (III) OF THIS 16
PARAGRAPH TO THE OFFICE OF SECURITY MANAGEMENT IN THE DEPARTMENT OF 17
INFORMATION TECHNOLOGY AND THE MARYLAND DEPARTMENT OF EMERGENCY 18
MANAGEMENT . 19
[(7)] (9) Subject to § 3–104 of this article, the Commission may delegate 20
to a commissioner or personnel the authority to perform an administrative function 21
necessary to carry out a duty of the Commission. 22
[(8)] (10) (i) Except as provided in subparagraph (ii) of this paragraph 23
or otherwise by law, all personnel of the Commission are subject to the provisions of the 24
State Personnel and Pensions Article. 25
(ii) The following are in the executive service, management service, 26
or are special appointments in the State Personnel Management System: 27
1. each commissioner of the Commission; 28
2. the Executive Director; 29
3. the General Counsel and each assistant general counsel; 30
4. the Executive Secretary; 31
5. the commissioners’ personal staff members; 32 6 HOUSE BILL 969
6. the chief public utility law judge; and 1
7. each license hearing officer. 2
2–113. 3
(a) (1) The Commission shall: 4
(i) supervise and regulate the public service companies subject to 5
the jurisdiction of the Commission to: 6
1. ensure their operation in the interest of the public; and 7
2. promote adequate, economical, and efficient delivery of 8
utility services in the State without unjust discrimination; and 9
(ii) enforce compliance with the requirements of law by public 10
service companies, including requirements with respect to financial condition, 11
capitalization, franchises, plant, manner of operation, rates, and service. 12
(2) In supervising and regulating public service companies, the 13
Commission shall consider: 14
(i) the public safety; 15
(ii) the economy of the State; 16
(iii) the maintenance of fair and stable labor standards for affected 17
workers; 18
(iv) the conservation of natural resources; 19
(v) the preservation of environmental quality, including protection 20
of the global climate from continued short–term and long–term warming based on the best 21
available scientific information recognized by the Intergovernmental Panel on Climate 22
Change; [and] 23
(vi) the achievement of the State’s climate commitments for reducing 24
statewide greenhouse gas emissions, including those specified in Title 2, Subtitle 12 of the 25
Environment Article; AND 26
(VII) THE PROTECTION OF A PUBLIC SERVICE COMPA NY’S 27
INFRASTRUCTURE AGAIN ST CYBERSECURITY THR EATS. 28
(b) The powers and duties listed in this title do not limit the scope of the general 29
powers and duties of the Commission provided for by this division. 30 HOUSE BILL 969 7
5–306. 1
(A) IN THIS SECTION, “ZERO–TRUST” MEANS A CYBE RSECURITY APPROACH : 2
(1) FOCUSED ON CYBERSECU RITY RESOURCE PROTEC TION; AND 3
(2) BASED ON THE PREMISE THAT TRUST IS NEVER GRANTED 4
IMPLICITLY BUT MUST BE CONTINUALLY EVALU ATED. 5
(B) THIS SECTION DOES NOT APPLY TO A PUBLIC SE RVICE COMPANY THAT 6
IS: 7
(1) A COMMON CARRIER ; OR 8
(2) A TELEPHONE COMPANY . 9
(C) A PUBLIC SERVICE COMPA NY SHALL: 10
(1) ADOPT AND IMPLEMENT CYBERSECURITY STANDA RDS THAT ARE 11
EQUAL TO OR EXCEED S TANDARDS ADOPTED BY THE COMMISSION; 12
(2) ADOPT A ZERO –TRUST CYBERSECURITY APPROACH FOR 13
ON–PREMISES SERVICES AN D CLOUD–BASED SERVICES ; 14
(3) ESTABLISH MINIMUM SE CURITY STANDARDS FOR EACH 15
OPERATIONAL TECHNOLO GY AND INFORMATION T ECHNOLOGY DEVICE BAS ED ON 16
THE LEVEL OF SECURIT Y RISK FOR EACH DEVI CE, INCLUDING SECURITY R ISKS 17
ASSOCIATED WITH SUPP LY CHAINS; AND 18
(4) (I) BEGINNING IN 2024 AND AT LEAST ONCE EV ERY OTHER 19
YEAR THEREAFTER , CONTRACT WITH A THIR D PARTY TO CONDUCT A N ASSESSMENT 20
OF OPERATIONAL TECHN OLOGY AND INFORMATIO N TECHNOLOGY DEVICES BASED 21
ON THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY SECURITY 22
FRAMEWORKS ; AND 23
(II) SUBMIT TO THE COMMISSION: 24
1. THE RESULTS AND RECO MMENDATIONS OF EACH 25
ASSESSMENT ; AND 26
8 HOUSE BILL 969
2. CERTIFICATION OF THE PUBLIC SERVICE COMPA NY’S 1
COMPLIANCE WITH STAN DARDS USED IN THE ASSES SMENTS UNDER ITEM (I) OF THIS 2
ITEM. 3
Article – State Finance and Procurement 4
3.5–301. 5
(a) In this subtitle the following words have the meanings indicated. 6
(b) “Cybersecurity” means processes or capabilities wherein systems, 7
communications, and information are protected and defended against damage, 8
unauthorized use or modification, and exploitation. 9
SECTION 2. AND BE IT FURTHER ENACTED, That, on or before October 1, 2024, 10
the Public Service Commission shall conduct an evaluation based on assessments 11
conducted on a public service company’s information technology devices conducted under 12
Section 1 of this Act. 13
SECTION 3. AND BE IT FURTHER ENACTED, That this Act shall take effect 14
October 1, 2023. 15
Approved:
________________________________________________________________________________
Governor.
________________________________________________________________________________
Speaker of the House of Delegates.
________________________________________________________________________________
President of the Senate.