EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW. [Brackets] indicate matter deleted from existing law.

SENATE BILL 800
C5, S2 3lr1842
CF HB 969
By: Senator Hester
Introduced and read first time: February 6, 2023
Assigned to: Education, Energy, and the Environment

A BILL ENTITLED

AN ACT concerning

Public Service Commission – Cybersecurity Staffing and Assessments
(Critical Infrastructure Cybersecurity Act of 2023)

FOR the purpose of requiring the Public Service Commission to include on its staff a certain number of experts in cybersecurity to perform certain duties; requiring the Commission to establish, in coordination with the Office of Security Management, cybersecurity standards and best practices for regulated entities, share information on cybersecurity initiatives and best practices with certain entities, and conduct a certain periodic assessment; requiring certain public service companies, including certain electric cooperatives, to adopt and implement certain cybersecurity standards and a zero–trust cybersecurity approach for certain services, establish certain minimum security standards, and periodically contract with a third party to conduct a certain assessment and submit certain information to the Commission beginning in a certain year; requiring the Commission to conduct an evaluation on or before a certain date based on certain assessments; and generally relating to cybersecurity standards and assessments for public service companies and the Public Service Commission.

BY repealing and reenacting, with amendments,
Article – Corporations and Associations
Section 5–637
Annotated Code of Maryland
(2014 Replacement Volume and 2022 Supplement)

BY repealing and reenacting, without amendments,
Article – Public Utilities
Section 1–101(a)
Annotated Code of Maryland
(2020 Replacement Volume and 2022 Supplement)

BY adding to
Article – Public Utilities
Section 1–101(h–1) and 5–306
Annotated Code of Maryland
(2020 Replacement Volume and 2022 Supplement)

BY repealing and reenacting, with amendments,
Article – Public Utilities
Section 2–108(d) and 2–113
Annotated Code of Maryland
(2020 Replacement Volume and 2022 Supplement)

BY repealing and reenacting, without amendments,
Article – State Finance and Procurement
Section 3.5–301(a) and (b)
Annotated Code of Maryland
(2021 Replacement Volume and 2022 Supplement)

SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, That the Laws of Maryland read as follows:

Article – Corporations and Associations

5–637.

(a) (1) Except as provided in paragraph (2) of this subsection, this subtitle applies to the provision of broadband Internet service by a member–regulated cooperative.

(2) A member–regulated cooperative may not, for the sole purpose of providing broadband Internet service, exercise the power of condemnation under § 5–607(a)(16) of this subtitle.

(b) A member–regulated cooperative is subject to the following provisions of the Public Utilities Article:

(1) § 5–103;
(2) § 5–201;
(3) § 5–202;
(4) § 5–303;
(5) § 5–304;
(6) § 5–306;
[(6)] (7) § 7–103;
[(7)] (8) § 7–104;
[(8)] (9) § 7–203;
[(9)] (10) § 7–207;
[(10)] (11) § 7–302;
[(11)] (12) Title 7, Subtitle 5, Part I and Part II;
[(12)] (13) Title 7, Subtitle 7; and
[(13)] (14) § 13–101.

Article – Public Utilities

1–101.

(a) In this division the following words have the meanings indicated.

(H–1) “CYBERSECURITY” HAS THE MEANING STATED IN § 3.5–301 OF THE STATE FINANCE AND PROCUREMENT ARTICLE.

2–108.

(d) (1) The State budget shall provide sufficient money for the Commission to hire, develop, and organize a staff to perform the functions of the Commission, including analyzing data submitted to the Commission and participating in proceedings as provided in § 3–104 of this article.

(2) (i) As the Commission considers necessary, the Commission shall hire experts including economists, cost of capital experts, rate design experts, accountants, engineers, transportation specialists, and lawyers.

(ii) To assist in the regulation of intrastate hazardous liquid pipelines under Title 11, Subtitle 2 of this article, the Commission shall include on its staff at least one engineer who specializes in the storage of and the transportation of hazardous liquid materials by pipeline.

(3) THE COMMISSION SHALL INCLUDE ON ITS STAFF ONE OR MORE EMPLOYEES THAT ARE EXPERTS IN CYBERSECURITY TO:

(I) ADVISE THE CHAIRMAN OF THE COMMISSION AND THE COMMISSIONERS ON MEASURES TO IMPROVE OVERSIGHT OF THE CYBERSECURITY PRACTICES OF PUBLIC SERVICE COMPANIES;

(II) CONSULT WITH THE OFFICE OF SECURITY MANAGEMENT ON CYBERSECURITY ISSUES RELATED TO UTILITY REGULATION;

(III) STUDY AND MONITOR CYBERSECURITY BEST PRACTICES FOR INFORMATION TECHNOLOGY AND OPERATIONAL TECHNOLOGY;

(IV) ASSIST IN DRAFTING CYBERSECURITY–RELATED REGULATIONS;

(V) ASSIST THE COMMISSION IN MONITORING THE MINIMUM SECURITY STANDARDS DEVELOPED UNDER § 5–306 OF THIS ARTICLE;

(VI) CONVENE WORKSHOPS WITH PUBLIC SERVICE COMPANIES THAT DO NOT MEET MINIMUM SECURITY STANDARDS; AND

(VII) PREPARE REPORTS FOR THE COMMISSION TO REVIEW, INCLUDING REPORTS ON:

1. CYBERSECURITY THREATS AND SOURCES; AND

2. THE EFFICACY OF CYBERSECURITY PRACTICES OF PUBLIC SERVICE COMPANIES.

(4) The Commission may retain on a case by case basis additional experts as required for a particular matter.

[(4)] (5) The lawyers who represent the Commission staff in proceedings before the Commission shall be appointed by the Commission and shall be organized and operate independently of the office of General Counsel.

[(5)] (6) (i) As required, the Commission shall hire public utility law judges.

(ii) Public utility law judges are a separate organizational unit and shall report directly to the Commission.

[(6)] (7) The Commission shall hire personal staff members for each commissioner as required to provide advice, draft proposed orders and rulings, and perform other personal staff functions.

(8) THE COMMISSION SHALL:

(I) COLLABORATE WITH THE OFFICE OF SECURITY MANAGEMENT TO ESTABLISH CYBERSECURITY STANDARDS AND BEST PRACTICES FOR REGULATED ENTITIES, TAKING INTO ACCOUNT UTILITY NEEDS AND CAPABILITIES BASED ON SIZE;

(II) PERIODICALLY SHARE INFORMATION ON CYBERSECURITY INITIATIVES AND BEST PRACTICES WITH MUNICIPAL ELECTRIC UTILITIES;

(III) BEGINNING ON OR BEFORE OCTOBER 1, 2023, AND EVERY 2 YEARS THEREAFTER, EVALUATE THE ASSESSMENTS SUBMITTED UNDER § 5–306 OF THIS ARTICLE FOR CYBERSECURITY–RELATED POLICIES AND PROCEDURES, INCLUDING CYBERSECURITY AND DATA PRIVACY THREAT PROTECTIONS; AND

(IV) SUBMIT THE EVALUATION UNDER ITEM (III) OF THIS PARAGRAPH TO THE OFFICE OF SECURITY MANAGEMENT IN THE DEPARTMENT OF INFORMATION TECHNOLOGY AND THE MARYLAND DEPARTMENT OF EMERGENCY MANAGEMENT.

[(7)] (9) Subject to § 3–104 of this article, the Commission may delegate to a commissioner or personnel the authority to perform an administrative function necessary to carry out a duty of the Commission.

[(8)] (10) (i) Except as provided in subparagraph (ii) of this paragraph or otherwise by law, all personnel of the Commission are subject to the provisions of the State Personnel and Pensions Article.

(ii) The following are in the executive service, management service, or are special appointments in the State Personnel Management System:

1. each commissioner of the Commission;
2. the Executive Director;
3. the General Counsel and each assistant general counsel;
4. the Executive Secretary;
5. the commissioners’ personal staff members;
6. the chief public utility law judge; and
7. each license hearing officer.

2–113.

(a) (1) The Commission shall:

(i) supervise and regulate the public service companies subject to the jurisdiction of the Commission to:

1. ensure their operation in the interest of the public; and

2. promote adequate, economical, and efficient delivery of utility services in the State without unjust discrimination; and

(ii) enforce compliance with the requirements of law by public service companies, including requirements with respect to financial condition, capitalization, franchises, plant, manner of operation, rates, and service.

(2) In supervising and regulating public service companies, the Commission shall consider:

(i) the public safety;

(ii) the economy of the State;

(iii) the maintenance of fair and stable labor standards for affected workers;

(iv) the conservation of natural resources;

(v) the preservation of environmental quality, including protection of the global climate from continued short–term and long–term warming based on the best available scientific information recognized by the Intergovernmental Panel on Climate Change; [and]

(vi) the achievement of the State’s climate commitments for reducing statewide greenhouse gas emissions, including those specified in Title 2, Subtitle 12 of the Environment Article; AND

(VII) THE PROTECTION OF A PUBLIC SERVICE COMPANY’S INFRASTRUCTURE AGAINST CYBERSECURITY THREATS.

(b) The powers and duties listed in this title do not limit the scope of the general powers and duties of the Commission provided for by this division.

5–306.

(A) IN THIS SECTION, “ZERO–TRUST” MEANS A CYBERSECURITY APPROACH:

(1) FOCUSED ON CYBERSECURITY RESOURCE PROTECTION; AND

(2) BASED ON THE PREMISE THAT TRUST IS NEVER GRANTED IMPLICITLY BUT MUST BE CONTINUALLY EVALUATED.

(B) THIS SECTION DOES NOT APPLY TO A PUBLIC SERVICE COMPANY THAT IS:

(1) A COMMON CARRIER; OR

(2) A TELEPHONE COMPANY.

(C) A PUBLIC SERVICE COMPANY SHALL:

(1) ADOPT AND IMPLEMENT CYBERSECURITY STANDARDS THAT ARE EQUAL TO OR EXCEED STANDARDS ADOPTED BY THE COMMISSION;

(2) ADOPT A ZERO–TRUST CYBERSECURITY APPROACH FOR ON–PREMISES SERVICES AND CLOUD–BASED SERVICES;

(3) ESTABLISH MINIMUM SECURITY STANDARDS FOR EACH OPERATIONAL TECHNOLOGY AND INFORMATION TECHNOLOGY DEVICE BASED ON THE LEVEL OF SECURITY RISK FOR EACH DEVICE, INCLUDING SECURITY RISKS ASSOCIATED WITH SUPPLY CHAINS; AND

(4) (I) BEGINNING IN 2024 AND AT LEAST ONCE EVERY OTHER YEAR THEREAFTER, CONTRACT WITH A THIRD PARTY TO CONDUCT AN ASSESSMENT OF OPERATIONAL TECHNOLOGY AND INFORMATION TECHNOLOGY DEVICES BASED ON THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY SECURITY FRAMEWORKS; AND

(II) SUBMIT TO THE COMMISSION:

1. THE RESULTS AND RECOMMENDATIONS OF EACH ASSESSMENT; AND

2. CERTIFICATION OF THE PUBLIC SERVICE COMPANY’S COMPLIANCE WITH STANDARDS USED IN THE ASSESSMENTS UNDER ITEM (I) OF THIS ITEM.

Article – State Finance and Procurement

3.5–301.

(a) In this subtitle the following words have the meanings indicated.

(b) “Cybersecurity” means processes or capabilities wherein systems, communications, and information are protected and defended against damage, unauthorized use or modification, and exploitation.

SECTION 2. AND BE IT FURTHER ENACTED, That, on or before October 1, 2024, the Public Service Commission shall conduct an evaluation based on assessments conducted on a public service company’s information technology devices conducted under Section 1 of this Act.

SECTION 3. AND BE IT FURTHER ENACTED, That this Act shall take effect October 1, 2023.