EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW. [Brackets] indicate matter deleted from existing law. Underlining indicates amendments to bill. Strike out indicates matter stricken from the bill by amendment or deleted from the law by amendment. Italics indicate opposite chamber/conference committee amendments.

HOUSE BILL 969
C5, S2 (3lr2834)
ENROLLED BILL — Economic Matters and Health and Government Operations/Education, Energy, and the Environment —
Introduced by Delegate Qi

Read and Examined by Proofreaders:
_______________________________________________ Proofreader.
_______________________________________________ Proofreader.

Sealed with the Great Seal and presented to the Governor, for his approval this _______ day of _______________ at ________________________ o’clock, ________M.
______________________________________________ Speaker.

CHAPTER ______

AN ACT concerning

Public Service Commission – Cybersecurity Staffing and Assessments
(Critical Infrastructure Cybersecurity Act of 2023)

FOR the purpose of requiring the Public Service Commission to include on its staff a certain number of experts in cybersecurity to perform certain duties; requiring the Commission to establish, in coordination with the Office of Security Management, cybersecurity standards and best practices for regulated entities, share information on cybersecurity initiatives and best practices with certain entities, and conduct a certain periodic assessment collect certain certifications, and submit a certain report; requiring certain public service companies, including certain electric cooperatives, to adopt and implement certain cybersecurity standards and a zero–trust cybersecurity approach for certain services, establish certain minimum security standards, and periodically contract engage with a third party to conduct a certain assessment and submit certain information to the Commission beginning in a certain year; requiring the Commission to conduct an evaluation on or before a certain date based on certain assessments; requiring each public service company to report a cybersecurity incident to certain entities; requiring the State Chief Information Security Officer, in consultation with the Commission, to establish a certain reporting process; requiring the State Security Operations Center to immediately notify certain agencies of a cybersecurity incident reported under this Act; providing that, for a certain fiscal year, funds from the Dedicated Purpose Account may be transferred by budget amendment to the Department of Information Technology for a certain purpose; and generally relating to cybersecurity standards and assessments for public service companies and the Public Service Commission.

BY repealing and reenacting, with amendments,
Article – Corporations and Associations
Section 5–637
Annotated Code of Maryland
(2014 Replacement Volume and 2022 Supplement)

BY repealing and reenacting, without amendments,
Article – Public Utilities
Section 1–101(a)
Annotated Code of Maryland
(2020 Replacement Volume and 2022 Supplement)

BY adding to
Article – Public Utilities
Section 1–101(h–1) and 5–306
Annotated Code of Maryland
(2020 Replacement Volume and 2022 Supplement)

BY repealing and reenacting, with amendments,
Article – Public Utilities
Section 2–108(d) and 2–113
Annotated Code of Maryland
(2020 Replacement Volume and 2022 Supplement)

BY repealing and reenacting, without amendments,
Article – State Finance and Procurement
Section 3.5–301(a) and (b)
Annotated Code of Maryland
(2021 Replacement Volume and 2022 Supplement)

SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, That the Laws of Maryland read as follows:

Article – Corporations and Associations

5–637.

(a) (1) Except as provided in paragraph (2) of this subsection, this subtitle applies to the provision of broadband Internet service by a member–regulated cooperative.

    (2) A member–regulated cooperative may not, for the sole purpose of providing broadband Internet service, exercise the power of condemnation under § 5–607(a)(16) of this subtitle.

(b) A member–regulated cooperative is subject to the following provisions of the Public Utilities Article:

    (1) § 5–103;
    (2) § 5–201;
    (3) § 5–202;
    (4) § 5–303;
    (5) § 5–304;
    (6) § 5–306;
    [(6)] (7) § 7–103;
    [(7)] (8) § 7–104;
    [(8)] (9) § 7–203;
    [(9)] (10) § 7–207;
    [(10)] (11) § 7–302;
    [(11)] (12) Title 7, Subtitle 5, Part I and Part II;
    [(12)] (13) Title 7, Subtitle 7; and
    [(13)] (14) § 13–101.

Article – Public Utilities

1–101.

(a) In this division the following words have the meanings indicated.

(H–1) “CYBERSECURITY” HAS THE MEANING STATED IN § 3.5–301 OF THE STATE FINANCE AND PROCUREMENT ARTICLE.

2–108.

(d) (1) The State budget shall provide sufficient money for the Commission to hire, develop, and organize a staff to perform the functions of the Commission, including analyzing data submitted to the Commission and participating in proceedings as provided in § 3–104 of this article.

    (2) (i) As the Commission considers necessary, the Commission shall hire experts including economists, cost of capital experts, rate design experts, accountants, engineers, transportation specialists, and lawyers.

        (ii) To assist in the regulation of intrastate hazardous liquid pipelines under Title 11, Subtitle 2 of this article, the Commission shall include on its staff at least one engineer who specializes in the storage of and the transportation of hazardous liquid materials by pipeline.

    (3) THE COMMISSION SHALL INCLUDE ON ITS STAFF ONE OR MORE EMPLOYEES THAT ARE EXPERTS IN CYBERSECURITY TO:

        (I) ADVISE THE CHAIRMAN OF THE COMMISSION AND THE COMMISSIONERS ON MEASURES TO IMPROVE OVERSIGHT OF THE CYBERSECURITY PRACTICES OF PUBLIC SERVICE COMPANIES;

        (II) CONSULT WITH THE OFFICE OF SECURITY MANAGEMENT ON CYBERSECURITY ISSUES RELATED TO UTILITY REGULATION;

        (III) STUDY AND MONITOR CYBERSECURITY BEST PRACTICES FOR INFORMATION TECHNOLOGY AND OPERATIONAL TECHNOLOGY;

        (IV) ASSIST IN DRAFTING CYBERSECURITY–RELATED REGULATIONS;

        (V) ASSIST THE COMMISSION IN MONITORING THE MINIMUM SECURITY STANDARDS DEVELOPED UNDER § 5–306 OF THIS ARTICLE;

        (VI) (IV) PARTICIPATE IN BRIEFINGS TO DISCUSS CYBERSECURITY PRACTICES BASED ON:

            1. APPLICABLE NATIONAL ASSOCIATION OF REGULATORY UTILITY COMMISSIONERS GUIDANCE; AND

            2. IMPROVEMENTS TO CYBERSECURITY PRACTICES RECOMMENDED IN THE CYBERSECURITY ASSESSMENTS REQUIRED UNDER § 5–306 OF THIS ARTICLE; AND

        (V) CONVENE WORKSHOPS WITH SUPPORT PUBLIC SERVICE COMPANIES THAT DO NOT MEET MINIMUM SECURITY STANDARDS WITH REMEDIATING VULNERABILITIES OR ADDRESSING CYBERSECURITY ASSESSMENT FINDINGS; AND.

        (VII) PREPARE REPORTS FOR THE COMMISSION TO REVIEW, INCLUDING REPORTS ON:

            1. CYBERSECURITY THREATS AND SOURCES; AND

            2. THE EFFICACY OF CYBERSECURITY PRACTICES OF PUBLIC SERVICE COMPANIES.

    (4) The Commission may retain on a case by case basis additional experts as required for a particular matter.

    [(4)] (5) The lawyers who represent the Commission staff in proceedings before the Commission shall be appointed by the Commission and shall be organized and operate independently of the office of General Counsel.

    [(5)] (6) (i) As required, the Commission shall hire public utility law judges.

        (ii) Public utility law judges are a separate organizational unit and shall report directly to the Commission.

    [(6)] (7) The Commission shall hire personal staff members for each commissioner as required to provide advice, draft proposed orders and rulings, and perform other personal staff functions.

    (8) (I) THE COMMISSION SHALL:

        (I) 1. COLLABORATE WITH THE OFFICE OF SECURITY MANAGEMENT TO ESTABLISH CYBERSECURITY STANDARDS AND BEST PRACTICES FOR REGULATED ENTITIES, TAKING INTO ACCOUNT UTILITY NEEDS AND CAPABILITIES BASED ON SIZE;

        (II) 2. PERIODICALLY SHARE INFORMATION ON CYBERSECURITY INITIATIVES AND BEST PRACTICES WITH MUNICIPAL ELECTRIC UTILITIES; AND

        (III) 3. BEGINNING ON OR BEFORE OCTOBER 1, 2023 JANUARY 1, 2025, AND EVERY 2 YEARS THEREAFTER,:

            A. EVALUATE COLLECT CERTIFICATIONS OF A PUBLIC SERVICE COMPANY’S COMPLIANCE WITH STANDARDS USED IN THE ASSESSMENTS SUBMITTED CONDUCTED UNDER § 5–306 OF THIS ARTICLE FOR CYBERSECURITY–RELATED POLICIES AND PROCEDURES, INCLUDING CYBERSECURITY AND DATA PRIVACY THREAT PROTECTIONS; AND

        (IV) B. SUBMIT THE EVALUATION UNDER ITEM (III) OF THIS PARAGRAPH A REPORT TO THE OFFICE OF SECURITY MANAGEMENT IN THE DEPARTMENT OF INFORMATION TECHNOLOGY AND THE MARYLAND DEPARTMENT OF EMERGENCY MANAGEMENT STATE CHIEF INFORMATION SECURITY OFFICER, OR THE OFFICER’S DESIGNEE.

        (II) THE REPORT REQUIRED UNDER SUBPARAGRAPH (I) OF THIS PARAGRAPH SHALL INCLUDE:

            1. A GENERAL OVERVIEW OF CYBERSECURITY TECHNOLOGY AND POLICIES USED BY PUBLIC SERVICE COMPANIES IN THE STATE, GROUPED BY THE FOLLOWING TYPES:

                A. INVESTOR–OWNED ELECTRIC COMPANIES;
                B. ELECTRIC COOPERATIVES;
                C. MUNICIPAL ELECTRIC COMPANIES;
                D. GAS COMPANIES; AND
                E. WATER COMPANIES;

            2. GENERAL RECOMMENDATIONS FOR IMPROVING CYBERSECURITY TECHNOLOGY AND POLICIES USED BY PUBLIC SERVICE COMPANIES IN THE STATE, GROUPED BY THE FOLLOWING TYPES:

                A. INVESTOR–OWNED ELECTRIC COMPANIES;
                B. ELECTRIC COOPERATIVES;
                C. MUNICIPAL ELECTRIC COMPANIES;
                D. GAS COMPANIES; AND
                E. WATER COMPANIES; AND

            3. FOR EACH CERTIFICATION COLLECTED:

                A. THE NAME OF THE PUBLIC SERVICE COMPANY;
                B. THE DATE OF THE PUBLIC SERVICE COMPANY’S MOST RECENT CYBERSECURITY ASSESSMENT;
                C. THE CYBERSECURITY FRAMEWORK USED IN THE CYBERSECURITY ASSESSMENT OF THE PUBLIC SERVICE COMPANY; AND
                D. THE NAME OF THE ENTITY THAT COMPLETED THE CYBERSECURITY ASSESSMENT.

    [(7)] (9) Subject to § 3–104 of this article, the Commission may delegate to a commissioner or personnel the authority to perform an administrative function necessary to carry out a duty of the Commission.

    [(8)] (10) (i) Except as provided in subparagraph (ii) of this paragraph or otherwise by law, all personnel of the Commission are subject to the provisions of the State Personnel and Pensions Article.

        (ii) The following are in the executive service, management service, or are special appointments in the State Personnel Management System:

            1. each commissioner of the Commission;
            2. the Executive Director;
            3. the General Counsel and each assistant general counsel;
            4. the Executive Secretary;
            5. the commissioners’ personal staff members;
            6. the chief public utility law judge; and
            7. each license hearing officer.

2–113.

(a) (1) The Commission shall:

        (i) supervise and regulate the public service companies subject to the jurisdiction of the Commission to:

            1. ensure their operation in the interest of the public; and

            2. promote adequate, economical, and efficient delivery of utility services in the State without unjust discrimination; and

        (ii) enforce compliance with the requirements of law by public service companies, including requirements with respect to financial condition, capitalization, franchises, plant, manner of operation, rates, and service.

    (2) In supervising and regulating public service companies, the Commission shall consider:

        (i) the public safety;
        (ii) the economy of the State;
        (iii) the maintenance of fair and stable labor standards for affected workers;
        (iv) the conservation of natural resources;
        (v) the preservation of environmental quality, including protection of the global climate from continued short–term and long–term warming based on the best available scientific information recognized by the Intergovernmental Panel on Climate Change; [and]
        (vi) the achievement of the State’s climate commitments for reducing statewide greenhouse gas emissions, including those specified in Title 2, Subtitle 12 of the Environment Article; AND
        (VII) THE PROTECTION OF A PUBLIC SERVICE COMPANY’S INFRASTRUCTURE AGAINST CYBERSECURITY THREATS.

(b) The powers and duties listed in this title do not limit the scope of the general powers and duties of the Commission provided for by this division.

5–306.

(A) IN THIS SECTION, “ZERO–TRUST” MEANS A CYBERSECURITY APPROACH:

    (1) FOCUSED ON CYBERSECURITY RESOURCE PROTECTION; AND

    (2) BASED ON THE PREMISE THAT TRUST IS NEVER GRANTED IMPLICITLY BUT MUST BE CONTINUALLY EVALUATED.

(B) THIS SECTION DOES NOT APPLY TO A PUBLIC SERVICE COMPANY THAT IS:

    (1) A COMMON CARRIER; OR

    (2) A TELEPHONE COMPANY.

(C) A PUBLIC SERVICE COMPANY SHALL:

    (1) ADOPT AND IMPLEMENT CYBERSECURITY STANDARDS THAT ARE EQUAL TO OR EXCEED STANDARDS ADOPTED BY THE COMMISSION;

    (2) ADOPT A ZERO–TRUST CYBERSECURITY APPROACH FOR ON–PREMISES SERVICES AND CLOUD–BASED SERVICES;

    (3) ESTABLISH MINIMUM SECURITY STANDARDS FOR EACH OPERATIONAL TECHNOLOGY AND INFORMATION TECHNOLOGY DEVICE BASED ON THE LEVEL OF SECURITY RISK FOR EACH DEVICE, INCLUDING SECURITY RISKS ASSOCIATED WITH SUPPLY CHAINS; AND

    (4) (I) BEGINNING IN 2024 ON OR BEFORE JULY 1, 2024, AND AT LEAST ONCE ON OR BEFORE JULY 1 EVERY OTHER YEAR THEREAFTER, CONTRACT WITH ENGAGE A THIRD PARTY TO CONDUCT AN ASSESSMENT OF OPERATIONAL TECHNOLOGY AND INFORMATION TECHNOLOGY DEVICES BASED ON:

            1. THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY’S CROSS–SECTOR CYBERSECURITY PERFORMANCE GOALS; OR

            2. A MORE STRINGENT STANDARD THAT IS BASED ON THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY SECURITY FRAMEWORKS; AND

        (II) SUBMIT TO THE COMMISSION:

            1. THE RESULTS AND RECOMMENDATIONS OF EACH ASSESSMENT; AND

            2. CERTIFICATION OF THE PUBLIC SERVICE COMPANY’S COMPLIANCE WITH STANDARDS USED IN THE ASSESSMENTS UNDER ITEM (I) OF THIS ITEM.

(D) (1) EACH PUBLIC SERVICE COMPANY SHALL REPORT, IN ACCORDANCE WITH THE PROCESS ESTABLISHED UNDER PARAGRAPH (2) OF THIS SUBSECTION, A CYBERSECURITY INCIDENT, INCLUDING AN ATTACK ON A SYSTEM BEING USED BY THE PUBLIC SERVICE COMPANY, TO THE STATE SECURITY OPERATIONS CENTER IN THE DEPARTMENT OF INFORMATION TECHNOLOGY.

    (2) THE STATE CHIEF INFORMATION SECURITY OFFICER, IN CONSULTATION WITH THE COMMISSION, SHALL ESTABLISH A PROCESS FOR A PUBLIC SERVICE COMPANY TO REPORT CYBERSECURITY INCIDENTS UNDER PARAGRAPH (1) OF THIS SUBSECTION, INCLUDING ESTABLISHING:

        (I) THE CRITERIA FOR DETERMINING THE CIRCUMSTANCES UNDER WHICH A CYBERSECURITY INCIDENT MUST BE REPORTED;

        (II) THE MANNER IN WHICH A CYBERSECURITY INCIDENT MUST BE REPORTED; AND

        (III) THE TIME PERIOD WITHIN WHICH A CYBERSECURITY INCIDENT MUST BE REPORTED.

    (3) THE STATE SECURITY OPERATIONS CENTER SHALL IMMEDIATELY NOTIFY APPROPRIATE STATE AND LOCAL AGENCIES OF A CYBERSECURITY INCIDENT REPORTED UNDER THIS SUBSECTION.

Article – State Finance and Procurement

3.5–301.

(a) In this subtitle the following words have the meanings indicated.

(b) “Cybersecurity” means processes or capabilities wherein systems, communications, and information are protected and defended against damage, unauthorized use or modification, and exploitation.

SECTION 2. AND BE IT FURTHER ENACTED, That, on or before October 1, 2024, the Public Service Commission shall conduct an evaluation based on assessments conducted on a public service company’s information technology devices conducted under Section 1 of this Act for fiscal year 2024, funds from the Dedicated Purpose Account may be transferred by budget amendment, in accordance with § 7–310 of the State Finance and Procurement Article, to the Department of Information Technology for the purpose of adding additional staffing and operational capacity for the Department to improve State and local cybersecurity.

SECTION 3. AND BE IT FURTHER ENACTED, That it is the intent of the General Assembly that the Public Service Commission work with the Cybersecurity and Infrastructure Security Agency and the Office of Security Management to improve the Commission’s capacity to implement the provisions of this Act.

SECTION 4. AND BE IT FURTHER ENACTED, That this Act shall take effect October July 1, 2023.

Approved:

________________________________________________________________________________ Governor.

________________________________________________________________________________ Speaker of the House of Delegates.

________________________________________________________________________________ President of the Senate.