| Old | New | Differences | |
|---|---|---|---|
| 1 | - | WES MOORE, Governor Ch. 499 | |
| 2 | 1 | ||
| 3 | - | – 1 – | |
| 4 | - | Chapter 499 | |
| 5 | - | (House Bill 969) | |
| 6 | 2 | ||
| 7 | - | AN ACT concerning | |
| 3 | + | EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW. | |
| 4 | + | [Brackets] indicate matter deleted from existing law. | |
| 5 | + | Underlining indicates amendments to bill. | |
| 6 | + | Strike out indicates matter stricken from the bill by amendment or deleted from the law by | |
| 7 | + | amendment. | |
| 8 | + | Italics indicate opposite chamber/conference committee amendments. | |
| 9 | + | *hb0969* | |
| 8 | 10 | ||
| 9 | - | Public Service Commission – Cybersecurity Staffing and Assessments | |
| 10 | - | (Critical Infrastructure Cybersecurity Act of 2023) | |
| 11 | + | HOUSE BILL 969 | |
| 12 | + | C5, S2 (3lr2834) | |
| 13 | + | ENROLLED BILL | |
| 14 | + | — Economic Matters and Health and Government Operations/Education, Energy, and | |
| 15 | + | the Environment — | |
| 16 | + | Introduced by Delegate Qi | |
| 11 | 17 | ||
| 12 | - | FOR the purpose of requiring the Public Service Commission to include on its staff a certain | |
| 13 | - | number of experts in cybersecurity to perform certain duties; requiring the | |
| 14 | - | Commission to establish, in coordination with the Office of Security Management, | |
| 15 | - | cybersecurity standards and best practices for regulated entities, share information | |
| 16 | - | on cybersecurity initiatives and best practices with certain entities, and conduct a | |
| 17 | - | certain periodic assessment collect certain certifications, and submit a certain report; | |
| 18 | - | requiring certain public service companies, including certain electric cooperatives, to | |
| 19 | - | adopt and implement certain cybersecurity standards and a zero–trust cybersecurity | |
| 20 | - | approach for certain services, establish certain minimum security standards, and | |
| 21 | - | periodically contract engage with a third party to conduct a certain assessment and | |
| 22 | - | submit certain information to the Commission beginning in a certain year; requiring | |
| 23 | - | the Commission to conduct an evaluation on or before a certain date based on certain | |
| 24 | - | assessments; requiring each public service company to report a cybersecurity incident | |
| 25 | - | to certain entities; requiring the State Chief Information Security Officer, in | |
| 26 | - | consultation with the Commission, to establish a certain reporting process; requiring | |
| 27 | - | the State Security Operations Center to immediately notify certain agencies of a | |
| 28 | - | cybersecurity incident reported under this Act; providing that, for a certain fiscal year, | |
| 29 | - | funds from the Dedicated Purpose Account may be transferred by budget amendment | |
| 30 | - | to the Department of Information Technology for a certain purpose; and generally | |
| 31 | - | relating to cybersecurity standards and assessments for public service companies | |
| 32 | - | and the Public Service Commission. | |
| 18 | + | Read and Examined by Proofreaders: | |
| 33 | 19 | ||
| 34 | - | BY repealing and reenacting, with amendments, | |
| 35 | - | Article – Corporations and Associations | |
| 36 | - | Section 5–637 | |
| 37 | - | Annotated Code of Maryland | |
| 38 | - | (2014 Replacement Volume and 2022 Supplement) | |
| 20 | + | _______________________________________________ | |
| 21 | + | Proofreader. | |
| 22 | + | _______________________________________________ | |
| 23 | + | Proofreader. | |
| 39 | 24 | ||
| 40 | - | BY repealing and reenacting, without amendments, | |
| 41 | - | Article – Public Utilities | |
| 42 | - | Section 1–101(a) | |
| 43 | - | Annotated Code of Maryland | |
| 44 | - | (2020 Replacement Volume and 2022 Supplement) | |
| 25 | + | Sealed with the Great Seal and presented to the Governor, for his approval this | |
| 45 | 26 | ||
| 46 | - | BY adding to | |
| 47 | - | Article – Public Utilities | |
| 48 | - | Section 1–101(h–1) and 5–306 | |
| 49 | - | Annotated Code of Maryland Ch. 499 2023 LAWS OF MARYLAND | |
| 27 | + | _______ day of _______________ at ________________________ o’clock, ________M. | |
| 50 | 28 | ||
| 51 | - | ||
| 52 | - | ||
| 29 | + | ______________________________________________ | |
| 30 | + | Speaker. | |
| 53 | 31 | ||
| 54 | - | BY repealing and reenacting, with amendments, | |
| 55 | - | Article – Public Utilities | |
| 56 | - | Section 2–108(d) and 2–113 | |
| 57 | - | Annotated Code of Maryland | |
| 58 | - | (2020 Replacement Volume and 2022 Supplement) | |
| 32 | + | CHAPTER ______ | |
| 59 | 33 | ||
| 60 | - | BY repealing and reenacting, without amendments, | |
| 61 | - | Article – State Finance and Procurement | |
| 62 | - | Section 3.5–301(a) and (b) | |
| 63 | - | Annotated Code of Maryland | |
| 64 | - | (2021 Replacement Volume and 2022 Supplement) | |
| 34 | + | AN ACT concerning 1 | |
| 65 | 35 | ||
| 66 | - | ||
| 67 | - | ||
| 36 | + | Public Service Commission – Cybersecurity Staffing and Assessments 2 | |
| 37 | + | (Critical Infrastructure Cybersecurity Act of 2023) 3 | |
| 68 | 38 | ||
| 69 | - | Article – Corporations and Associations | |
| 39 | + | FOR the purpose of requiring the Public Service Commission to include on its staff a certain 4 | |
| 40 | + | number of experts in cybersecurity to perform certain duties; requiring the 5 | |
| 41 | + | Commission to establish, in coordination with the Office of Security Management, 6 | |
| 42 | + | cybersecurity standards and best practices for regulated entities, share information 7 | |
| 43 | + | on cybersecurity initiatives and best practices with certain entities, and conduct a 8 | |
| 44 | + | certain periodic assessment collect certain certifications, and submit a certain report; 9 | |
| 45 | + | requiring certain public service companies, including certain electric cooperatives, to 10 | |
| 46 | + | adopt and implement certain cybersecurity standards and a zero–trust cybersecurity 11 | |
| 47 | + | approach for certain services, establish certain minimum security standards, and 12 | |
| 48 | + | periodically contract engage with a third party to conduct a certain assessment and 13 | |
| 49 | + | submit certain information to the Commission beginning in a certain year; requiring 14 2 HOUSE BILL 969 | |
| 70 | 50 | ||
| 71 | - | 5–637. | |
| 72 | 51 | ||
| 73 | - | (a) (1) Except as provided in paragraph (2) of this subsection, this subtitle | |
| 74 | - | applies to the provision of broadband Internet service by a member–regulated cooperative. | |
| 52 | + | the Commission to conduct an evaluation on or before a certain date based on certain 1 | |
| 53 | + | assessments; requiring each public service company to report a cybersecurity incident 2 | |
| 54 | + | to certain entities; requiring the State Chief Information Security Officer, in 3 | |
| 55 | + | consultation with the Commission, to establish a certain reporting process; requiring 4 | |
| 56 | + | the State Security Operations Center to immediately notify certain agencies of a 5 | |
| 57 | + | cybersecurity incident reported under this Act; providing that, for a certain fiscal year, 6 | |
| 58 | + | funds from the Dedicated Purpose Account may be transferred by budget amendment 7 | |
| 59 | + | to the Department of Information Technology for a certain purpose; and generally 8 | |
| 60 | + | relating to cybersecurity standards and assessments for public service companies 9 | |
| 61 | + | and the Public Service Commission. 10 | |
| 75 | 62 | ||
| 76 | - | (2) A member–regulated cooperative may not, for the sole purpose of | |
| 77 | - | providing broadband Internet service, exercise the power of condemnation under § | |
| 78 | - | 5–607(a)(16) of this subtitle. | |
| 63 | + | BY repealing and reenacting, with amendments, 11 | |
| 64 | + | Article – Corporations and Associations 12 | |
| 65 | + | Section 5–637 13 | |
| 66 | + | Annotated Code of Maryland 14 | |
| 67 | + | (2014 Replacement Volume and 2022 Supplement) 15 | |
| 79 | 68 | ||
| 80 | - | (b) A member–regulated cooperative is subject to the following provisions of the | |
| 81 | - | Public Utilities Article: | |
| 69 | + | BY repealing and reenacting, without amendments, 16 | |
| 70 | + | Article – Public Utilities 17 | |
| 71 | + | Section 1–101(a) 18 | |
| 72 | + | Annotated Code of Maryland 19 | |
| 73 | + | (2020 Replacement Volume and 2022 Supplement) 20 | |
| 82 | 74 | ||
| 83 | - | (1) § 5–103; | |
| 75 | + | BY adding to 21 | |
| 76 | + | Article – Public Utilities 22 | |
| 77 | + | Section 1–101(h–1) and 5–306 23 | |
| 78 | + | Annotated Code of Maryland 24 | |
| 79 | + | (2020 Replacement Volume and 2022 Supplement) 25 | |
| 84 | 80 | ||
| 85 | - | (2) § 5–201; | |
| 81 | + | BY repealing and reenacting, with amendments, 26 | |
| 82 | + | Article – Public Utilities 27 | |
| 83 | + | Section 2–108(d) and 2–113 28 | |
| 84 | + | Annotated Code of Maryland 29 | |
| 85 | + | (2020 Replacement Volume and 2022 Supplement) 30 | |
| 86 | 86 | ||
| 87 | - | (3) § 5–202; | |
| 87 | + | BY repealing and reenacting, without amendments, 31 | |
| 88 | + | Article – State Finance and Procurement 32 | |
| 89 | + | Section 3.5–301(a) and (b) 33 | |
| 90 | + | Annotated Code of Maryland 34 | |
| 91 | + | (2021 Replacement Volume and 2022 Supplement) 35 | |
| 88 | 92 | ||
| 89 | - | (4) § 5–303; | |
| 93 | + | SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 36 | |
| 94 | + | That the Laws of Maryland read as follows: 37 | |
| 90 | 95 | ||
| 91 | - | ||
| 96 | + | Article – Corporations and Associations 38 | |
| 92 | 97 | ||
| 93 | - | ||
| 98 | + | 5–637. 39 HOUSE BILL 969 3 | |
| 94 | 99 | ||
| 95 | - | [(6)] (7) § 7–103; | |
| 96 | 100 | ||
| 97 | - | [(7)] (8) § 7–104; WES MOORE, Governor Ch. 499 | |
| 98 | 101 | ||
| 99 | - | – 3 – | |
| 102 | + | (a) (1) Except as provided in paragraph (2) of this subsection, this subtitle 1 | |
| 103 | + | applies to the provision of broadband Internet service by a member–regulated cooperative. 2 | |
| 100 | 104 | ||
| 101 | - | [(8)] (9) § 7–203; | |
| 105 | + | (2) A member–regulated cooperative may not, for the sole purpose of 3 | |
| 106 | + | providing broadband Internet service, exercise the power of condemnation under § 4 | |
| 107 | + | 5–607(a)(16) of this subtitle. 5 | |
| 102 | 108 | ||
| 103 | - | [(9)] (10) § 7–207; | |
| 109 | + | (b) A member–regulated cooperative is subject to the following provisions of the 6 | |
| 110 | + | Public Utilities Article: 7 | |
| 104 | 111 | ||
| 105 | - | ||
| 112 | + | (1) § 5–103; 8 | |
| 106 | 113 | ||
| 107 | - | ||
| 114 | + | (2) § 5–201; 9 | |
| 108 | 115 | ||
| 109 | - | ||
| 116 | + | (3) § 5–202; 10 | |
| 110 | 117 | ||
| 111 | - | ||
| 118 | + | (4) § 5–303; 11 | |
| 112 | 119 | ||
| 113 | - | ||
| 120 | + | (5) § 5–304; 12 | |
| 114 | 121 | ||
| 115 | - | ||
| 122 | + | (6) § 5–306; 13 | |
| 116 | 123 | ||
| 117 | - | ( | |
| 124 | + | [(6)] (7) § 7–103; 14 | |
| 118 | 125 | ||
| 119 | - | (H–1) “CYBERSECURITY ” HAS THE MEANING STAT ED IN § 3.5–301 OF THE | |
| 120 | - | STATE FINANCE AND PROCUREMENT ARTICLE. | |
| 126 | + | [(7)] (8) § 7–104; 15 | |
| 121 | 127 | ||
| 122 | - | ||
| 128 | + | [(8)] (9) § 7–203; 16 | |
| 123 | 129 | ||
| 124 | - | (d) (1) The State budget shall provide sufficient money for the Commission to | |
| 125 | - | hire, develop, and organize a staff to perform the functions of the Commission, including | |
| 126 | - | analyzing data submitted to the Commission and participating in proceedings as provided | |
| 127 | - | in § 3–104 of this article. | |
| 130 | + | [(9)] (10) § 7–207; 17 | |
| 128 | 131 | ||
| 129 | - | (2) (i) As the Commission considers necessary, the Commission shall | |
| 130 | - | hire experts including economists, cost of capital experts, rate design experts, accountants, | |
| 131 | - | engineers, transportation specialists, and lawyers. | |
| 132 | + | [(10)] (11) § 7–302; 18 | |
| 132 | 133 | ||
| 133 | - | (ii) To assist in the regulation of intrastate hazardous liquid | |
| 134 | - | pipelines under Title 11, Subtitle 2 of this article, the Commission shall include on its staff | |
| 135 | - | at least one engineer who specializes in the storage of and the transportation of hazardous | |
| 136 | - | liquid materials by pipeline. | |
| 134 | + | [(11)] (12) Title 7, Subtitle 5, Part I and Part II; 19 | |
| 137 | 135 | ||
| 138 | - | (3) THE COMMISSION SHALL INCL UDE ON ITS STAFF ONE OR MORE | |
| 139 | - | EMPLOYEES THAT ARE E XPERTS IN CYBERSECUR ITY TO: | |
| 136 | + | [(12)] (13) Title 7, Subtitle 7; and 20 | |
| 140 | 137 | ||
| 141 | - | (I) ADVISE THE CHAIRMAN OF THE COMMISSION AND THE | |
| 142 | - | COMMISSIONERS ON MEA SURES TO IMPROVE OVE RSIGHT OF THE CYBERS ECURITY | |
| 143 | - | PRACTICES OF PUBLIC SERVICE COMPANIES ; | |
| 144 | - | Ch. 499 2023 LAWS OF MARYLAND | |
| 138 | + | [(13)] (14) § 13–101. 21 | |
| 145 | 139 | ||
| 146 | - | – 4 – | |
| 147 | - | (II) CONSULT WITH THE OFFICE OF SECURITY MANAGEMENT | |
| 148 | - | ON CYBERSECURITY ISS UES RELATED TO UTILI TY REGULATION ; | |
| 140 | + | Article – Public Utilities 22 | |
| 149 | 141 | ||
| 150 | - | (III) STUDY AND MONITOR CY BERSECURITY BEST PRA CTICES | |
| 151 | - | FOR INFORMATION TECH NOLOGY AND OPERATION AL TECHNOLOGY ; | |
| 142 | + | 1–101. 23 | |
| 152 | 143 | ||
| 153 | - | ( | |
| 154 | - | ||
| 144 | + | (a) In this division the following words have the meanings indicated. 24 | |
| 145 | + | 4 HOUSE BILL 969 | |
| 155 | 146 | ||
| 156 | - | (V) ASSIST THE COMMISSION IN MONITOR ING THE MINIMUM | |
| 157 | - | SECURITY STANDARDS D EVELOPED UNDER § 5–306 OF THIS ARTICLE; | |
| 158 | 147 | ||
| 159 | - | ( | |
| 160 | - | ||
| 148 | + | (H–1) “CYBERSECURITY ” HAS THE MEANING STAT ED IN § 3.5–301 OF THE 1 | |
| 149 | + | STATE FINANCE AND PROCUREMENT ARTICLE. 2 | |
| 161 | 150 | ||
| 162 | - | 1. APPLICABLE NATIONAL ASSOCIATION OF | |
| 163 | - | REGULATORY UTILITY COMMISSIONERS GUIDANC E; AND | |
| 151 | + | 2–108. 3 | |
| 164 | 152 | ||
| 165 | - | 2. IMPROVEMENTS TO CYBE RSECURITY PRACTICES | |
| 166 | - | RECOMMENDED IN THE C YBERSECURITY ASSESSM ENTS REQUIRED UNDER § 5–306 | |
| 167 | - | OF THIS ARTICLE; AND | |
| 153 | + | (d) (1) The State budget shall provide sufficient money for the Commission to 4 | |
| 154 | + | hire, develop, and organize a staff to perform the functions of the Commission, including 5 | |
| 155 | + | analyzing data submitted to the Commission and participating in proceedings as provided 6 | |
| 156 | + | in § 3–104 of this article. 7 | |
| 168 | 157 | ||
| 169 | - | (V) CONVENE WORKSHOPS WI TH SUPPORT PUBLIC SERVICE | |
| 170 | - | COMPANIES THAT DO NO T MEET MINIMUM SECUR ITY STANDARDS WITH | |
| 171 | - | REMEDIATING VULNERAB ILITIES OR ADDRESSIN G CYBERSECURITY ASSE SSMENT | |
| 172 | - | FINDINGS; AND. | |
| 158 | + | (2) (i) As the Commission considers necessary, the Commission shall 8 | |
| 159 | + | hire experts including economists, cost of capital experts, rate design experts, accountants, 9 | |
| 160 | + | engineers, transportation specialists, and lawyers. 10 | |
| 173 | 161 | ||
| 174 | - | (VII) PREPARE REPORTS FOR THE COMMISSION TO REVIEW , | |
| 175 | - | INCLUDING REPORTS ON : | |
| 162 | + | (ii) To assist in the regulation of intrastate hazardous liquid 11 | |
| 163 | + | pipelines under Title 11, Subtitle 2 of this article, the Commission shall include on its staff 12 | |
| 164 | + | at least one engineer who specializes in the storage of and the transportation of hazardous 13 | |
| 165 | + | liquid materials by pipeline. 14 | |
| 176 | 166 | ||
| 177 | - | 1. CYBERSECURITY THREAT S AND SOURCES ; AND | |
| 167 | + | (3) THE COMMISSION SHALL INCL UDE ON ITS STAFF ONE OR MORE 15 | |
| 168 | + | EMPLOYEES THAT ARE E XPERTS IN CYBERSECUR ITY TO: 16 | |
| 178 | 169 | ||
| 179 | - | 2. THE EFFICACY OF CYBE RSECURITY PRACTICES OF | |
| 180 | - | PUBLIC SERVICE COMPA NIES. | |
| 170 | + | (I) ADVISE THE CHAIRMAN OF THE COMMISSION AND THE 17 | |
| 171 | + | COMMISSIONERS ON MEA SURES TO IMPROVE OVE RSIGHT OF THE CYBERS ECURITY 18 | |
| 172 | + | PRACTICES OF PUBLIC SERVICE COMPANIES ; 19 | |
| 181 | 173 | ||
| 182 | - | ( | |
| 183 | - | ||
| 174 | + | (II) CONSULT WITH THE OFFICE OF SECURITY MANAGEMENT 20 | |
| 175 | + | ON CYBERSECURITY ISS UES RELATED TO UTILI TY REGULATION; 21 | |
| 184 | 176 | ||
| 185 | - | [(4)] (5) The lawyers who represent the Commission staff in proceedings | |
| 186 | - | before the Commission shall be appointed by the Commission and shall be organized and | |
| 187 | - | operate independently of the office of General Counsel. | |
| 177 | + | (III) STUDY AND MONITOR CY BERSECURITY BEST PRA CTICES 22 | |
| 178 | + | FOR INFORMATION TECH NOLOGY AND OPERATION AL TECHNOLOGY ; 23 | |
| 188 | 179 | ||
| 189 | - | ||
| 190 | - | ||
| 180 | + | (IV) ASSIST IN DRAFTING C YBERSECURITY –RELATED 24 | |
| 181 | + | REGULATIONS ; 25 | |
| 191 | 182 | ||
| 192 | - | – 5 – | |
| 183 | + | (V) ASSIST THE COMMISSION IN MONITOR ING THE MINIMUM 26 | |
| 184 | + | SECURITY STANDA RDS DEVELOPED UNDER § 5–306 OF THIS ARTICLE; 27 | |
| 193 | 185 | ||
| 194 | - | ( | |
| 195 | - | ||
| 186 | + | (VI) (IV) PARTICIPATE IN BRIEF INGS TO DISCUSS 28 | |
| 187 | + | CYBERSECURITY PRACTI CES BASED ON: 29 | |
| 196 | 188 | ||
| 197 | - | | |
| 198 | - | ||
| 199 | - | ||
| 189 | + | 1. APPLICABLE NATIONAL ASSOCIATION OF 30 | |
| 190 | + | REGULATORY UTILITY COMMISSIONERS GUIDANC E; AND 31 | |
| 191 | + | HOUSE BILL 969 5 | |
| 200 | 192 | ||
| 201 | - | (8) (I) THE COMMISSION SHALL : | |
| 202 | 193 | ||
| 203 | - | (I) 1. COLLABORATE WITH THE OFFICE OF SECURITY | |
| 204 | - | MANAGEMENT TO ESTABLI SH CYBERSECURITY STA NDARDS AND BEST PRAC TICES | |
| 205 | - | FOR REGULATED ENTITI ES, TAKING INTO ACCOUNT UTILITY NEEDS AND | |
| 206 | - | CAPABILITIES BASED O N SIZE; | |
| 194 | + | 2. IMPROVEMENTS TO CYBERSECURITY PRACTI CES 1 | |
| 195 | + | RECOMMENDED IN THE C YBERSECURITY ASSESSM ENTS REQUIRED UNDER § 5–306 2 | |
| 196 | + | OF THIS ARTICLE; AND 3 | |
| 207 | 197 | ||
| 208 | - | (II) 2. PERIODICALLY SHARE I NFORMATION ON | |
| 209 | - | CYBERSECURITY INITIA TIVES AND BEST PRACT ICES WITH MUNICIPAL ELECTRIC | |
| 210 | - | UTILITIES; AND | |
| 198 | + | (V) CONVENE WORKSHOPS WI TH SUPPORT PUBLIC SERVICE 4 | |
| 199 | + | COMPANIES THAT DO NO T MEET MINIMUM SECUR ITY STANDARDS WITH 5 | |
| 200 | + | REMEDIATING VULNERAB ILITIES OR ADDRESSING CYBERSECU RITY ASSESSMENT 6 | |
| 201 | + | FINDINGS; AND. 7 | |
| 211 | 202 | ||
| 212 | - | ( | |
| 213 | - | ||
| 203 | + | (VII) PREPARE REPORTS FOR THE COMMISSION TO REVIEW , 8 | |
| 204 | + | INCLUDING REPORTS ON : 9 | |
| 214 | 205 | ||
| 215 | - | A. EVALUATE COLLECT CERTIFICATIO NS OF A PUBLIC | |
| 216 | - | SERVICE COMPANY ’S COMPLIANCE WITH ST ANDARDS USED IN THE ASSESSMENTS | |
| 217 | - | SUBMITTED CONDUCTED UNDER § 5–306 OF THIS ARTICLE FOR | |
| 218 | - | CYBERSECURITY –RELATED POLICIES AND PROCEDURES , INCLUDING | |
| 219 | - | CYBERSECURITY AND DA TA PRIVACY THREAT PROTECTIONS ; AND | |
| 206 | + | 1. CYBERSECURITY THREAT S AND SOURCES ; AND 10 | |
| 220 | 207 | ||
| 221 | - | (IV) B. SUBMIT THE EVALUATION UNDER ITEM (III) OF THIS | |
| 222 | - | PARAGRAPH A REPORT TO THE OFFICE OF SECURITY MANAGEMENT IN THE | |
| 223 | - | DEPARTMENT OF INFORMATION TECHNOLOGY AND THE MARYLAND DEPARTMENT | |
| 224 | - | OF EMERGENCY MANAGEMENT STATE CHIEF INFORMATION SECURITY OFFICER, | |
| 225 | - | OR THE OFFICER’S DESIGNEE. | |
| 208 | + | 2. THE EFFICACY OF CYBE RSECURITY PRACTICES OF 11 | |
| 209 | + | PUBLIC SERVICE COMPA NIES. 12 | |
| 226 | 210 | ||
| 227 | - | ( | |
| 228 | - | ||
| 211 | + | (4) The Commission may retain on a case by case basis additional experts 13 | |
| 212 | + | as required for a particular matter. 14 | |
| 229 | 213 | ||
| 230 | - | | |
| 231 | - | ||
| 232 | - | ||
| 214 | + | [(4)] (5) The lawyers who represent the Commission staff in proceedings 15 | |
| 215 | + | before the Commission shall be appointed by the Commission and shall be organized and 16 | |
| 216 | + | operate independently of the office of General Counsel. 17 | |
| 233 | 217 | ||
| 234 | - | A. INVESTOR–OWNED ELECTRIC COMPA NIES; | |
| 218 | + | [(5)] (6) (i) As required, the Commission shall hire public utility law 18 | |
| 219 | + | judges. 19 | |
| 235 | 220 | ||
| 236 | - | B. ELECTRIC COOPERATIVE S; Ch. 499 2023 LAWS OF MARYLAND | |
| 221 | + | (ii) Public utility law judges are a separate organizational unit and 20 | |
| 222 | + | shall report directly to the Commission. 21 | |
| 237 | 223 | ||
| 238 | - | – 6 – | |
| 224 | + | [(6)] (7) The Commission shall hire personal staff members for each 22 | |
| 225 | + | commissioner as required to provide advice, draft proposed orders and rulings, and perform 23 | |
| 226 | + | other personal staff functions. 24 | |
| 239 | 227 | ||
| 240 | - | | |
| 228 | + | (8) (I) THE COMMISSION SHALL : 25 | |
| 241 | 229 | ||
| 242 | - | D. GAS COMPANIES ; AND | |
| 230 | + | (I) 1. COLLABORATE WITH THE OFFICE OF SECURITY 26 | |
| 231 | + | MANAGEMENT TO ESTABLI SH CYBERSECURITY STA NDARDS AND BEST PRAC TICES 27 | |
| 232 | + | FOR REGULATED ENTITI ES, TAKING INTO ACCOUNT UTILITY NEEDS AND 28 | |
| 233 | + | CAPABILITIES BASED O N SIZE; 29 | |
| 243 | 234 | ||
| 244 | - | E. WATER COMPANIES ; | |
| 235 | + | (II) 2. PERIODICALLY SHARE I NFORMATION ON 30 | |
| 236 | + | CYBERSECURITY INITIA TIVES AND BEST PRACT ICES WITH MUNICIPAL ELECTRIC 31 | |
| 237 | + | UTILITIES; AND 32 | |
| 238 | + | 6 HOUSE BILL 969 | |
| 245 | 239 | ||
| 246 | - | 2. GENERAL RECOMMENDATIONS FOR IMPROVING | |
| 247 | - | CYBERSECURITY TECHNO LOGY AND POLICIES US ED BY PUBLIC SERVICE COMPANIES | |
| 248 | - | IN THE STATE, GROUPED BY THE FOLLO WING TYPES: | |
| 249 | 240 | ||
| 250 | - | A. INVESTOR–OWNED ELECTRIC COMPA NIES; | |
| 241 | + | (III) 3. BEGINNING ON OR BEFO RE OCTOBER 1, 2023 1 | |
| 242 | + | JANUARY 1, 2025, AND EVERY 2 YEARS THEREAFTER ,: 2 | |
| 251 | 243 | ||
| 252 | - | B. ELECTRIC COOPERATIVE S; | |
| 244 | + | A. EVALUATE COLLECT CERTIFICATIONS OF A PUBLIC 3 | |
| 245 | + | SERVICE COMPANY ’S COMPLIANCE WITH ST ANDARDS USED IN THE ASSESSMENTS 4 | |
| 246 | + | SUBMITTED CONDUCTED UNDER § 5–306 OF THIS ARTICLE FOR 5 | |
| 247 | + | CYBERSECURITY –RELATED POLICIES AND PROCEDURES , INCLUDING 6 | |
| 248 | + | CYBERSECURITY AND DA TA PRIVACY THREAT PROTECTIONS ; AND 7 | |
| 253 | 249 | ||
| 254 | - | C. MUNICIPAL ELECTRIC C OMPANIES; | |
| 250 | + | (IV) B. SUBMIT THE EVALUATION UNDER ITEM (III) OF THIS 8 | |
| 251 | + | PARAGRAPH A REPORT TO THE OFFICE OF SECURITY MANAGEMENT IN THE 9 | |
| 252 | + | DEPARTMENT OF INFORMATION TECHNOLOGY AND THE MARYLAND DEPARTMENT 10 | |
| 253 | + | OF EMERGENCY MANAGEMENT STATE CHIEF INFORMATION SECURITY OFFICER, 11 | |
| 254 | + | OR THE OFFICER’S DESIGNEE. 12 | |
| 255 | 255 | ||
| 256 | - | D. GAS COMPANIES ; AND | |
| 256 | + | (II) THE REPORT REQUIRED U NDER SUBPARAGRAPH (I) OF THIS 13 | |
| 257 | + | PARAGRAPH SHALL INCL UDE: 14 | |
| 257 | 258 | ||
| 258 | - | E. WATER COMPANIES ; AND | |
| 259 | + | 1. A GENERAL OVERVIEW O F CYBERSECURITY 15 | |
| 260 | + | TECHNOLOGY AND POLIC IES USED BY PUBLIC S ERVICE COMPANIES IN THE STATE, 16 | |
| 261 | + | GROUPED BY THE FOLL OWING TYPES: 17 | |
| 259 | 262 | ||
| 260 | - | | |
| 263 | + | A. INVESTOR–OWNED ELECTRIC COMPA NIES; 18 | |
| 261 | 264 | ||
| 262 | - | | |
| 265 | + | B. ELECTRIC COOPERATIVE S; 19 | |
| 263 | 266 | ||
| 264 | - | B. THE DATE OF THE PUBL IC SERVICE COMPANY ’S MOST | |
| 265 | - | RECENT CYBERSECURITY ASSESSMENT; | |
| 267 | + | C. MUNICIPAL ELECTRIC C OMPANIES; 20 | |
| 266 | 268 | ||
| 267 | - | C. THE CYBERSECURITY FR AMEWORK USED IN THE | |
| 268 | - | CYBERSECURITY ASSESS MENT OF THE PUBLIC S ERVICE COMPANY ; AND | |
| 269 | + | D. GAS COMPANIES ; AND 21 | |
| 269 | 270 | ||
| 270 | - | D. THE NAME OF THE ENTI TY THAT COMPLETED TH E | |
| 271 | - | CYBERSECURITY ASSESS MENT. | |
| 271 | + | E. WATER COMPANIES ; 22 | |
| 272 | 272 | ||
| 273 | - | | |
| 274 | - | ||
| 275 | - | ||
| 273 | + | 2. GENERAL RECOMMENDATI ONS FOR IMPROVING 23 | |
| 274 | + | CYBERSECURITY TECHNO LOGY AND POLICIES USED BY PUB LIC SERVICE COMPANIE S 24 | |
| 275 | + | IN THE STATE, GROUPED BY THE FOLLO WING TYPES: 25 | |
| 276 | 276 | ||
| 277 | - | [(8)] (10) (i) Except as provided in subparagraph (ii) of this paragraph | |
| 278 | - | or otherwise by law, all personnel of the Commission are subject to the provisions of the | |
| 279 | - | State Personnel and Pensions Article. | |
| 277 | + | A. INVESTOR–OWNED ELECTRIC COMPA NIES; 26 | |
| 280 | 278 | ||
| 281 | - | (ii) The following are in the executive service, management service, | |
| 282 | - | or are special appointments in the State Personnel Management System: WES MOORE, Governor Ch. 499 | |
| 279 | + | B. ELECTRIC COOPERATIVE S; 27 | |
| 283 | 280 | ||
| 284 | - | ||
| 281 | + | C. MUNICIPAL ELECTRIC C OMPANIES; 28 | |
| 285 | 282 | ||
| 286 | - | 1. each commissioner of the Commission; | |
| 283 | + | D. GAS COMPANIES ; AND 29 | |
| 284 | + | HOUSE BILL 969 7 | |
| 287 | 285 | ||
| 288 | - | 2. the Executive Director; | |
| 289 | 286 | ||
| 290 | - | | |
| 287 | + | E. WATER COMPANIES ; AND 1 | |
| 291 | 288 | ||
| 292 | - | | |
| 289 | + | 3. FOR EACH CERTIFICATI ON COLLECTED : 2 | |
| 293 | 290 | ||
| 294 | - | | |
| 291 | + | A. THE NAME OF THE PUBL IC SERVICE COMPANY ; 3 | |
| 295 | 292 | ||
| 296 | - | 6. the chief public utility law judge; and | |
| 293 | + | B. THE DATE OF THE PUBL IC SERVICE COMPANY ’S MOST 4 | |
| 294 | + | RECENT CYBERSECURITY ASSESSMENT; 5 | |
| 297 | 295 | ||
| 298 | - | 7. each license hearing officer. | |
| 296 | + | C. THE CYBERSECURITY FR AMEWORK USED IN THE 6 | |
| 297 | + | CYBERSECURITY ASSESS MENT OF THE PUBLIC S ERVICE COMPANY ; AND 7 | |
| 299 | 298 | ||
| 300 | - | 2–113. | |
| 299 | + | D. THE NAME OF THE ENTI TY THAT COMPLETED TH E 8 | |
| 300 | + | CYBERSECURITY ASSESS MENT. 9 | |
| 301 | 301 | ||
| 302 | - | (a) (1) The Commission shall: | |
| 302 | + | [(7)] (9) Subject to § 3–104 of this article, the Commission may delegate 10 | |
| 303 | + | to a commissioner or personnel the authority to perform an administrative function 11 | |
| 304 | + | necessary to carry out a duty of the Commission. 12 | |
| 303 | 305 | ||
| 304 | - | (i) supervise and regulate the public service companies subject to | |
| 305 | - | the jurisdiction of the Commission to: | |
| 306 | + | [(8)] (10) (i) Except as provided in subparagraph (ii) of this paragraph 13 | |
| 307 | + | or otherwise by law, all personnel of the Commission are subject to the provisions of the 14 | |
| 308 | + | State Personnel and Pensions Article. 15 | |
| 306 | 309 | ||
| 307 | - | 1. ensure their operation in the interest of the public; and | |
| 310 | + | (ii) The following are in the executive service, management service, 16 | |
| 311 | + | or are special appointments in the State Personnel Management System: 17 | |
| 308 | 312 | ||
| 309 | - | 2. promote adequate, economical, and efficient delivery of | |
| 310 | - | utility services in the State without unjust discrimination; and | |
| 313 | + | 1. each commissioner of the Commission; 18 | |
| 311 | 314 | ||
| 312 | - | (ii) enforce compliance with the requirements of law by public | |
| 313 | - | service companies, including requirements with respect to financial co ndition, | |
| 314 | - | capitalization, franchises, plant, manner of operation, rates, and service. | |
| 315 | + | 2. the Executive Director; 19 | |
| 315 | 316 | ||
| 316 | - | (2) In supervising and regulating public service companies, the | |
| 317 | - | Commission shall consider: | |
| 317 | + | 3. the General Counsel and each assistant general counsel; 20 | |
| 318 | 318 | ||
| 319 | - | | |
| 319 | + | 4. the Executive Secretary; 21 | |
| 320 | 320 | ||
| 321 | - | | |
| 321 | + | 5. the commissioners’ personal staff members; 22 | |
| 322 | 322 | ||
| 323 | - | (iii) the maintenance of fair and stable labor standards for affected | |
| 324 | - | workers; | |
| 323 | + | 6. the chief public utility law judge; and 23 | |
| 325 | 324 | ||
| 326 | - | | |
| 325 | + | 7. each license hearing officer. 24 | |
| 327 | 326 | ||
| 328 | - | (v) the preservation of environmental quality, including protection | |
| 329 | - | of the global climate from continued short–term and long–term warming based on the best Ch. 499 2023 LAWS OF MARYLAND | |
| 327 | + | 2–113. 25 | |
| 330 | 328 | ||
| 331 | - | – 8 – | |
| 332 | - | available scientific information recognized by the Intergovernmental Panel on Climate | |
| 333 | - | Change; [and] | |
| 329 | + | (a) (1) The Commission shall: 26 | |
| 334 | 330 | ||
| 335 | - | (vi) the achievement of the State’s climate commitments for reducing | |
| 336 | - | statewide greenhouse gas emissions, including those specified in Title 2, Subtitle 12 of the | |
| 337 | - | Environment Article; AND | |
| 331 | + | (i) supervise and regulate the public service companies subject to 27 | |
| 332 | + | the jurisdiction of the Commission to: 28 8 HOUSE BILL 969 | |
| 338 | 333 | ||
| 339 | - | (VII) THE PROTECTION OF A PUBLIC SERVICE COMPA NY’S | |
| 340 | - | INFRASTRUCTURE AGAINST CYBERSECURIT Y THREATS. | |
| 341 | 334 | ||
| 342 | - | (b) The powers and duties listed in this title do not limit the scope of the general | |
| 343 | - | powers and duties of the Commission provided for by this division. | |
| 344 | 335 | ||
| 345 | - | ||
| 336 | + | 1. ensure their operation in the interest of the public; and 1 | |
| 346 | 337 | ||
| 347 | - | (A) IN THIS SECTION, “ZERO–TRUST” MEANS A CYBERSECURIT Y APPROACH: | |
| 338 | + | 2. promote adequate, economical, and efficient delivery of 2 | |
| 339 | + | utility services in the State without unjust discrimination; and 3 | |
| 348 | 340 | ||
| 349 | - | (1) FOCUSED ON CYBERSECU RITY RESOURCE PROTEC TION; AND | |
| 341 | + | (ii) enforce compliance with the requirements of law by public 4 | |
| 342 | + | service companies, including requirements with respect to financial condition, 5 | |
| 343 | + | capitalization, franchises, plant, manner of operation, rates, and service. 6 | |
| 350 | 344 | ||
| 351 | - | (2) | |
| 352 | - | ||
| 345 | + | (2) In supervising and regulating public service companies, the 7 | |
| 346 | + | Commission shall consider: 8 | |
| 353 | 347 | ||
| 354 | - | (B) THIS SECTION DOES NOT APPLY TO A PUBLIC SE RVICE COMPANY THAT | |
| 355 | - | IS: | |
| 348 | + | (i) the public safety; 9 | |
| 356 | 349 | ||
| 357 | - | ( | |
| 350 | + | (ii) the economy of the State; 10 | |
| 358 | 351 | ||
| 359 | - | (2) A TELEPHONE COMPANY . | |
| 352 | + | (iii) the maintenance of fair and stable labor standards for affected 11 | |
| 353 | + | workers; 12 | |
| 360 | 354 | ||
| 361 | - | ( | |
| 355 | + | (iv) the conservation of natural resources; 13 | |
| 362 | 356 | ||
| 363 | - | (1) ADOPT AND IMPLEMENT CYBERSECURITY STANDA RDS THAT ARE | |
| 364 | - | EQUAL TO OR EXCEED S TANDARDS ADOPTED BY THE COMMISSION; | |
| 357 | + | (v) the preservation of environmental quality, including protection 14 | |
| 358 | + | of the global climate from continued short–term and long–term warming based on the best 15 | |
| 359 | + | available scientific information recognized by the Intergovernmental Panel on Climate 16 | |
| 360 | + | Change; [and] 17 | |
| 365 | 361 | ||
| 366 | - | (2) ADOPT A ZERO –TRUST CYBERSECURITY APPROACH FOR | |
| 367 | - | ON–PREMISES SERVICES AN D CLOUD–BASED SERVICES ; | |
| 362 | + | (vi) the achievement of the State’s climate commitments for reducing 18 | |
| 363 | + | statewide greenhouse gas emissions, including those specified in Title 2, Subtitle 12 of the 19 | |
| 364 | + | Environment Article; AND 20 | |
| 368 | 365 | ||
| 369 | - | (3) ESTABLISH MINIMUM SE CURITY STANDARDS FOR EACH | |
| 370 | - | OPERATIONAL TECHNOLO GY AND INFORMATION T ECHNOLOGY DEVICE BAS ED ON | |
| 371 | - | THE LEVEL OF SECURIT Y RISK FOR EACH DEVI CE, INCLUDING SECURITY R ISKS | |
| 372 | - | ASSOCIATED WITH SUPP LY CHAINS; AND | |
| 366 | + | (VII) THE PROTECTION OF A PUBLIC SERVICE COMPA NY’S 21 | |
| 367 | + | INFRASTRUCTURE AGAIN ST CYBERSECURITY THR EATS. 22 | |
| 373 | 368 | ||
| 374 | - | ( | |
| 375 | - | ||
| 369 | + | (b) The powers and duties listed in this title do not limit the scope of the general 23 | |
| 370 | + | powers and duties of the Commission provided for by this division. 24 | |
| 376 | 371 | ||
| 377 | - | – 9 – | |
| 378 | - | WITH ENGAGE A THIRD PARTY TO CON DUCT AN ASSESSMENT O F OPERATIONAL | |
| 379 | - | TECHNOLOGY AND INFOR MATION TECHNOLOGY DEVICES BASED ON : | |
| 372 | + | 5–306. 25 | |
| 380 | 373 | ||
| 381 | - | 1. THE CYBERSECURITY AND INFRASTRUCTURE | |
| 382 | - | SECURITY AGENCY’S CROSS–SECTOR CYBERSECURITY PERFORMANCE GOALS; OR | |
| 374 | + | (A) IN THIS SECTION, “ZERO–TRUST” MEANS A CYBERSECURIT Y APPROACH: 26 | |
| 383 | 375 | ||
| 384 | - | 2. A MORE STRINGENT STA NDARD THAT IS BASED ON | |
| 385 | - | THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY SECURITY | |
| 386 | - | FRAMEWORKS ; AND | |
| 376 | + | (1) FOCUSED ON CYBERSECU RITY RESOURCE PROTEC TION; AND 27 | |
| 387 | 377 | ||
| 388 | - | (II) SUBMIT TO THE COMMISSION: | |
| 378 | + | (2) BASED ON THE PREMISE THAT TRUST IS NEVER GRANTED 28 | |
| 379 | + | IMPLICITLY BUT MUST BE CONTINUA LLY EVALUATED . 29 | |
| 380 | + | HOUSE BILL 969 9 | |
| 389 | 381 | ||
| 390 | - | 1. THE RESULTS AND RECO MMENDATIONS OF EACH | |
| 391 | - | ASSESSMENT ; AND | |
| 392 | 382 | ||
| 393 | - | 2. CERTIFICATION OF THE PUBLIC SERVICE COMPA NY’S | |
| 394 | - | COMPLIANCE WITH STAN DARDS USED IN THE AS SESSMENTS UNDER ITEM (I) OF THIS | |
| 395 | - | ITEM. | |
| 383 | + | (B) THIS SECTION DOES NOT APPLY TO A PUBLIC SE RVICE COMPANY THAT 1 | |
| 384 | + | IS: 2 | |
| 396 | 385 | ||
| 397 | - | (D) (1) EACH PUBLIC SERVICE C OMPANY SHALL REPORT , IN ACCORDANCE | |
| 398 | - | WITH THE PROCESS EST ABLISHED UNDER PARAG RAPH (2) OF THIS SUBSECTION , A | |
| 399 | - | CYBERSECURITY INCIDE NT, INCLUDING AN ATTACK ON A SYSTEM BEING US ED BY | |
| 400 | - | THE PUBLIC SERVICE C OMPANY, TO THE STATE SECURITY OPERATIONS CENTER IN | |
| 401 | - | THE DEPARTMENT OF INFORMATION TECHNOLOGY . | |
| 386 | + | (1) A COMMON CARRIER ; OR 3 | |
| 402 | 387 | ||
| 403 | - | (2) THE STATE CHIEF INFORMATION SECURITY OFFICER, IN | |
| 404 | - | CONSULTATION WITH TH E COMMISSION, SHALL ESTABLISH A PR OCESS FOR A | |
| 405 | - | PUBLIC SERVICE COMPA NY TO REPORT CYBERSE CURITY INCIDENTS UND ER | |
| 406 | - | PARAGRAPH (1) OF THIS SUBSECTION , INCLUDING ESTABLISHI NG: | |
| 388 | + | (2) A TELEPHONE COMPANY . 4 | |
| 407 | 389 | ||
| 408 | - | (I) THE CRITERIA FOR DET ERMINING THE CIRCUMS TANCES | |
| 409 | - | UNDER WHICH A CYBERS ECURITY INCIDENT MUS T BE REPORTED ; | |
| 390 | + | (C) A PUBLIC SERVICE COMPA NY SHALL: 5 | |
| 410 | 391 | ||
| 411 | - | ( | |
| 412 | - | ||
| 392 | + | (1) ADOPT AND IMPLEMENT CYBERSECURITY STANDA RDS THAT ARE 6 | |
| 393 | + | EQUAL TO OR EXCEED S TANDARDS ADOPTED BY THE COMMISSION; 7 | |
| 413 | 394 | ||
| 414 | - | ( | |
| 415 | - | ||
| 395 | + | (2) ADOPT A ZERO –TRUST CYBERSECURITY APPROACH FOR 8 | |
| 396 | + | ON–PREMISES SERVICES AN D CLOUD–BASED SERVICES ; 9 | |
| 416 | 397 | ||
| 417 | - | (3) THE STATE SECURITY OPERATIONS CENTER SHALL | |
| 418 | - | IMMEDIATELY NOTIFY A PPROPRIATE STATE AND LOCAL AGENC IES OF A | |
| 419 | - | CYBERSECURITY INCIDE NT REPORTED UNDER TH IS SUBSECTION. | |
| 398 | + | (3) ESTABLISH MINIMUM SE CURITY STANDARDS FOR EACH 10 | |
| 399 | + | OPERATIONAL TECHNOLO GY AND INFORMATION T ECHNOLOGY DEVICE BASED ON 11 | |
| 400 | + | THE LEVEL OF SECURIT Y RISK FOR EACH DEVI CE, INCLUDING SECURITY R ISKS 12 | |
| 401 | + | ASSOCIATED WITH SUPP LY CHAINS; AND 13 | |
| 420 | 402 | ||
| 421 | - | Article – State Finance and Procurement Ch. 499 2023 LAWS OF MARYLAND | |
| 403 | + | (4) (I) BEGINNING IN 2024 ON OR BEFORE JULY 1, 2024, AND AT 14 | |
| 404 | + | LEAST ONCE ON OR BEFORE JULY 1 EVERY OTHER YEAR THE REAFTER, CONTRACT 15 | |
| 405 | + | WITH ENGAGE A THIRD PARTY TO CON DUCT AN ASSESSMENT O F OPERATIONAL 16 | |
| 406 | + | TECHNOLOGY AND INFOR MATION TECHNOLOGY DE VICES BASED ON: 17 | |
| 422 | 407 | ||
| 423 | - | – 10 – | |
| 408 | + | 1. THE CYBERSECURITY AND INFRASTRUCTURE 18 | |
| 409 | + | SECURITY AGENCY’S CROSS–SECTOR CYBERSECURITY PERFORMANCE GOALS; OR 19 | |
| 424 | 410 | ||
| 425 | - | 3.5–301. | |
| 411 | + | 2. A MORE STRINGENT STAND ARD THAT IS BASED ON 20 | |
| 412 | + | THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY SECURITY 21 | |
| 413 | + | FRAMEWORKS ; AND 22 | |
| 426 | 414 | ||
| 427 | - | ( | |
| 415 | + | (II) SUBMIT TO THE COMMISSION: 23 | |
| 428 | 416 | ||
| 429 | - | (b) “Cybersecurity” means processes or capabilities wherein systems, | |
| 430 | - | communications, and information are protected and defended against damage, | |
| 431 | - | unauthorized use or modification, and exploitation. | |
| 417 | + | 1. THE RESULTS AND RECO MMENDATIONS OF EACH 24 | |
| 418 | + | ASSESSMENT ; AND 25 | |
| 432 | 419 | ||
| 433 | - | SECTION 2. AND BE IT FURTHER ENACTED, That, on or before October 1, 2024, | |
| 434 | - | the Public Service Commission shall conduct an evaluation based on assessments | |
| 435 | - | conducted on a public service company’s information technology devices conducted under | |
| 436 | - | Section 1 of this Act for fiscal year 2024, funds from the Dedicated Purpose Account may be | |
| 437 | - | transferred by budget amendment, in accordance with § 7–310 of the State Finance and | |
| 438 | - | Procurement Article, to the Department of Information Technology for the purpose of adding | |
| 439 | - | additional staffing and operational capacity for the Department to improve State and local | |
| 440 | - | cybersecurity. | |
| 420 | + | 2. CERTIFICATION OF THE PUBLIC SERVICE COMPANY ’S 26 | |
| 421 | + | COMPLIANCE WITH STAN DARDS USED IN THE AS SESSMENTS UNDER ITEM (I) OF THIS 27 | |
| 422 | + | ITEM. 28 | |
| 441 | 423 | ||
| 442 | - | SECTION 3. AND BE IT FURTHER ENACTED, That it is the intent of the General | |
| 443 | - | Assembly that the Public Service Commis sion work with the Cybersecurity and | |
| 444 | - | Infrastructure Security Agency and the Office of Security Management to improve the | |
| 445 | - | Commission’s capacity to implement the provisions of this Act. | |
| 424 | + | (D) (1) EACH PUBLIC SERVICE C OMPANY SHALL REPORT , IN ACCORDANCE 29 | |
| 425 | + | WITH THE PROCESS EST ABLISHED UNDER PARAG RAPH (2) OF THIS SUBSECTION , A 30 | |
| 426 | + | CYBERSECURITY INCIDE NT, INCLUDING AN ATTACK ON A SYSTEM BEING US ED BY 31 10 HOUSE BILL 969 | |
| 446 | 427 | ||
| 447 | - | SECTION 4. AND BE IT FURTHER ENACTED, That this Act shall take effect | |
| 448 | - | October July 1, 2023. | |
| 449 | 428 | ||
| 450 | - | Approved by the Governor, May 8, 2023. | |
| 429 | + | THE PUBLIC SERVICE C OMPANY, TO THE STATE SECURITY OPERATIONS CENTER IN 1 | |
| 430 | + | THE DEPARTMENT OF INFORMATION TECHNOLOGY . 2 | |
| 431 | + | ||
| 432 | + | (2) THE STATE CHIEF INFORMATION SECURITY OFFICER, IN 3 | |
| 433 | + | CONSULTATION WITH TH E COMMISSION, SHALL ESTABLISH A PROCESS FOR A 4 | |
| 434 | + | PUBLIC SERVICE COMPA NY TO REPORT CYBERSE CURITY INCIDENTS UND ER 5 | |
| 435 | + | PARAGRAPH (1) OF THIS SUBSECTION , INCLUDING ESTABLISHI NG: 6 | |
| 436 | + | ||
| 437 | + | (I) THE CRITERIA FOR DET ERMINING THE CIRCUMS TANCES 7 | |
| 438 | + | UNDER WHICH A CYBERS ECURITY INCIDENT MUS T BE REPORTED ; 8 | |
| 439 | + | ||
| 440 | + | (II) THE MANNER IN WHICH A CYBERSECURITY INCI DENT MUST 9 | |
| 441 | + | BE REPORTED ; AND 10 | |
| 442 | + | ||
| 443 | + | (III) THE TIME PERIOD WITH IN WHICH A CYBERSECU RITY 11 | |
| 444 | + | INCIDENT MUST BE REP ORTED. 12 | |
| 445 | + | ||
| 446 | + | (3) THE STATE SECURITY OPERATIONS CENTER SHALL 13 | |
| 447 | + | IMMEDIATELY NOTIFY A PPROPRIATE STATE AND LOCAL AGENCIES OF A 14 | |
| 448 | + | CYBERSECURITY INCIDE NT REPORTED UNDER TH IS SUBSECTION. 15 | |
| 449 | + | ||
| 450 | + | Article – State Finance and Procurement 16 | |
| 451 | + | ||
| 452 | + | 3.5–301. 17 | |
| 453 | + | ||
| 454 | + | (a) In this subtitle the following words have the meanings indicated. 18 | |
| 455 | + | ||
| 456 | + | (b) “Cybersecurity” means processes or capabilities wherein systems, 19 | |
| 457 | + | communications, and information are protected and defended against damage, 20 | |
| 458 | + | unauthorized use or modification, and exploitation. 21 | |
| 459 | + | ||
| 460 | + | SECTION 2. AND BE IT FURTHER ENACTED, That, on or before October 1, 2024, 22 | |
| 461 | + | the Public Service Commission shall conduct an evaluation based on assessments 23 | |
| 462 | + | conducted on a public service company’s information technology devices conducted under 24 | |
| 463 | + | Section 1 of this Act for fiscal year 2024, funds from the Dedicated Purpose Account may be 25 | |
| 464 | + | transferred by budget amendment, in accordance with § 7–310 of the State Finance and 26 | |
| 465 | + | Procurement Article, to the Department of Information Technology for the purpose of adding 27 | |
| 466 | + | additional staffing and operational capacity for the Department to improve State and local 28 | |
| 467 | + | cybersecurity. 29 | |
| 468 | + | ||
| 469 | + | SECTION 3. AND BE IT FURTHER ENACTED, That it is the intent of the General 30 | |
| 470 | + | Assembly that the Public Service Commission work with the Cybersecurity and 31 | |
| 471 | + | Infrastructure Security Agency and the Office of Security Management to improve the 32 | |
| 472 | + | Commission’s capacity to implement the provisions of this Act. 33 | |
| 473 | + | HOUSE BILL 969 11 | |
| 474 | + | ||
| 475 | + | ||
| 476 | + | SECTION 4. AND BE IT FURTHER ENACTED, That this Act shall take effect 1 | |
| 477 | + | October July 1, 2023. 2 | |
| 478 | + | ||
| 479 | + | ||
| 480 | + | ||
| 481 | + | ||
| 482 | + | Approved: | |
| 483 | + | ________________________________________________________________________________ | |
| 484 | + | Governor. | |
| 485 | + | ________________________________________________________________________________ | |
| 486 | + | Speaker of the House of Delegates. | |
| 487 | + | ________________________________________________________________________________ | |
| 488 | + | President of the Senate. |