EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW. [Brackets] indicate matter deleted from existing law. Underlining indicates amendments to bill. Strike out indicates matter stricken from the bill by amendment or deleted from the law by amendment.

SENATE BILL 800
C5, S2 3lr1842
CF HB 969
By: Senator Hester
Introduced and read first time: February 6, 2023
Assigned to: Education, Energy, and the Environment
Committee Report: Favorable with amendments
Senate action: Adopted
Read second time: March 26, 2023

CHAPTER ______

AN ACT concerning

Public Service Commission – Cybersecurity Staffing and Assessments (Critical Infrastructure Cybersecurity Act of 2023)

FOR the purpose of requiring the Public Service Commission to include on its staff a certain number of experts in cybersecurity to perform certain duties; requiring the Commission to establish, in coordination with the Office of Security Management, cybersecurity standards and best practices for regulated entities, share information on cybersecurity initiatives and best practices with certain entities, and conduct a certain periodic assessment collect certain certifications, and submit a certain report; requiring certain public service companies, including certain electric cooperatives, to adopt and implement certain cybersecurity standards and a zero–trust cybersecurity approach for certain services, establish certain minimum security standards, and periodically contract engage with a third party to conduct a certain assessment and submit certain information to the Commission beginning in a certain year; requiring the Commission to conduct an evaluation on or before a certain date based on certain assessments; requiring each public service company to report a cybersecurity incident to certain entities; requiring the State Chief Information Security Officer, in consultation with the Commission, to establish a certain reporting process; requiring the State Security Operations Center to immediately notify certain agencies of a cybersecurity incident reported under this Act; providing that, for a certain fiscal year, funds from the Dedicated Purpose Account may be transferred by budget amendment to the Department of Information Technology for a certain purpose; and generally relating to cybersecurity standards and assessments for public service companies and the Public Service Commission.

BY repealing and reenacting, with amendments,
Article – Corporations and Associations
Section 5–637
Annotated Code of Maryland
(2014 Replacement Volume and 2022 Supplement)

BY repealing and reenacting, without amendments,
Article – Public Utilities
Section 1–101(a)
Annotated Code of Maryland
(2020 Replacement Volume and 2022 Supplement)

BY adding to
Article – Public Utilities
Section 1–101(h–1) and 5–306
Annotated Code of Maryland
(2020 Replacement Volume and 2022 Supplement)

BY repealing and reenacting, with amendments,
Article – Public Utilities
Section 2–108(d) and 2–113
Annotated Code of Maryland
(2020 Replacement Volume and 2022 Supplement)

BY repealing and reenacting, without amendments,
Article – State Finance and Procurement
Section 3.5–301(a) and (b)
Annotated Code of Maryland
(2021 Replacement Volume and 2022 Supplement)

SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, That the Laws of Maryland read as follows:

Article – Corporations and Associations

5–637.

(a) (1) Except as provided in paragraph (2) of this subsection, this subtitle applies to the provision of broadband Internet service by a member–regulated cooperative.

(2) A member–regulated cooperative may not, for the sole purpose of providing broadband Internet service, exercise the power of condemnation under § 5–607(a)(16) of this subtitle.
(b) A member–regulated cooperative is subject to the following provisions of the Public Utilities Article:
(1) § 5–103;
(2) § 5–201;
(3) § 5–202;
(4) § 5–303;
(5) § 5–304;
(6) § 5–306;
[(6)] (7) § 7–103;
[(7)] (8) § 7–104;
[(8)] (9) § 7–203;
[(9)] (10) § 7–207;
[(10)] (11) § 7–302;
[(11)] (12) Title 7, Subtitle 5, Part I and Part II;
[(12)] (13) Title 7, Subtitle 7; and
[(13)] (14) § 13–101.

Article – Public Utilities

1–101.

(a) In this division the following words have the meanings indicated.

(H–1) “CYBERSECURITY” HAS THE MEANING STATED IN § 3.5–301 OF THE STATE FINANCE AND PROCUREMENT ARTICLE.

2–108.

(d) (1) The State budget shall provide sufficient money for the Commission to hire, develop, and organize a staff to perform the functions of the Commission, including analyzing data submitted to the Commission and participating in proceedings as provided in § 3–104 of this article.

(2) (i) As the Commission considers necessary, the Commission shall hire experts including economists, cost of capital experts, rate design experts, accountants, engineers, transportation specialists, and lawyers.

(ii) To assist in the regulation of intrastate hazardous liquid pipelines under Title 11, Subtitle 2 of this article, the Commission shall include on its staff at least one engineer who specializes in the storage of and the transportation of hazardous liquid materials by pipeline.

(3) THE COMMISSION SHALL INCLUDE ON ITS STAFF ONE OR MORE EMPLOYEES THAT ARE EXPERTS IN CYBERSECURITY TO:
(I) ADVISE THE CHAIRMAN OF THE COMMISSION AND THE COMMISSIONERS ON MEASURES TO IMPROVE OVERSIGHT OF THE CYBERSECURITY PRACTICES OF PUBLIC SERVICE COMPANIES;
(II) CONSULT WITH THE OFFICE OF SECURITY MANAGEMENT ON CYBERSECURITY ISSUES RELATED TO UTILITY REGULATION;
(III) STUDY AND MONITOR CYBERSECURITY BEST PRACTICES FOR INFORMATION TECHNOLOGY AND OPERATIONAL TECHNOLOGY;
(IV) ASSIST IN DRAFTING CYBERSECURITY–RELATED REGULATIONS;
(V) ASSIST THE COMMISSION IN MONITORING THE MINIMUM SECURITY STANDARDS DEVELOPED UNDER § 5–306 OF THIS ARTICLE;
(VI) (IV) PARTICIPATE IN BRIEFINGS TO DISCUSS CYBERSECURITY PRACTICES BASED ON:
1. APPLICABLE NATIONAL ASSOCIATION OF REGULATORY UTILITY COMMISSIONERS GUIDANCE; AND
2. IMPROVEMENTS TO CYBERSECURITY PRACTICES RECOMMENDED IN THE CYBERSECURITY ASSESSMENTS REQUIRED UNDER § 5–306 OF THIS ARTICLE; AND
(V) CONVENE WORKSHOPS WITH SUPPORT PUBLIC SERVICE COMPANIES THAT DO NOT MEET MINIMUM SECURITY STANDARDS WITH REMEDIATING VULNERABILITIES OR ADDRESSING CYBERSECURITY ASSESSMENT FINDINGS; AND.
(VII) PREPARE REPORTS FOR THE COMMISSION TO REVIEW, INCLUDING REPORTS ON:
1. CYBERSECURITY THREATS AND SOURCES; AND
2. THE EFFICACY OF CYBERSECURITY PRACTICES OF PUBLIC SERVICE COMPANIES.

(4) The Commission may retain on a case by case basis additional experts as required for a particular matter.

[(4)] (5) The lawyers who represent the Commission staff in proceedings before the Commission shall be appointed by the Commission and shall be organized and operate independently of the office of General Counsel.

[(5)] (6) (i) As required, the Commission shall hire public utility law judges.

(ii) Public utility law judges are a separate organizational unit and shall report directly to the Commission.
[(6)] (7) The Commission shall hire personal staff members for each commissioner as required to provide advice, draft proposed orders and rulings, and perform other personal staff functions.

(8) (I) THE COMMISSION SHALL:
(I) 1. COLLABORATE WITH THE OFFICE OF SECURITY MANAGEMENT TO ESTABLISH CYBERSECURITY STANDARDS AND BEST PRACTICES FOR REGULATED ENTITIES, TAKING INTO ACCOUNT UTILITY NEEDS AND CAPABILITIES BASED ON SIZE;
(II) 2. PERIODICALLY SHARE INFORMATION ON CYBERSECURITY INITIATIVES AND BEST PRACTICES WITH MUNICIPAL ELECTRIC UTILITIES; AND
(III) 3. BEGINNING ON OR BEFORE OCTOBER 1, 2023 JANUARY 1, 2025, AND EVERY 2 YEARS THEREAFTER,:
A. EVALUATE COLLECT CERTIFICATIONS OF A PUBLIC SERVICE COMPANY’S COMPLIANCE WITH STANDARDS USED IN THE ASSESSMENTS SUBMITTED CONDUCTED UNDER § 5–306 OF THIS ARTICLE FOR CYBERSECURITY–RELATED POLICIES AND PROCEDURES, INCLUDING CYBERSECURITY AND DATA PRIVACY THREAT PROTECTIONS; AND
(IV) B. SUBMIT THE EVALUATION UNDER ITEM (III) OF THIS PARAGRAPH A REPORT TO THE OFFICE OF SECURITY MANAGEMENT IN THE DEPARTMENT OF INFORMATION TECHNOLOGY AND THE MARYLAND DEPARTMENT OF EMERGENCY MANAGEMENT STATE CHIEF INFORMATION SECURITY OFFICER, OR THE OFFICER’S DESIGNEE.
(II) THE REPORT REQUIRED UNDER SUBPARAGRAPH (I) OF THIS PARAGRAPH SHALL INCLUDE:
1. A GENERAL OVERVIEW OF CYBERSECURITY TECHNOLOGY AND POLICIES USED BY PUBLIC SERVICE COMPANIES IN THE STATE, GROUPED BY THE FOLLOWING TYPES:
A. INVESTOR–OWNED ELECTRIC COMPANIES;
B. ELECTRIC COOPERATIVES;
C. MUNICIPAL ELECTRIC COMPANIES;
D. GAS COMPANIES; AND
E. WATER COMPANIES;
2. GENERAL RECOMMENDATIONS FOR IMPROVING CYBERSECURITY TECHNOLOGY AND POLICIES USED BY PUBLIC SERVICE COMPANIES IN THE STATE, GROUPED BY THE FOLLOWING TYPES:
A. INVESTOR–OWNED ELECTRIC COMPANIES;
B. ELECTRIC COOPERATIVES;
C. MUNICIPAL ELECTRIC COMPANIES;
D. GAS COMPANIES; AND
E. WATER COMPANIES; AND
3. FOR EACH CERTIFICATION COLLECTED:
A. THE NAME OF THE PUBLIC SERVICE COMPANY;
B. THE DATE OF THE PUBLIC SERVICE COMPANY’S MOST RECENT CYBERSECURITY ASSESSMENT;
C. THE CYBERSECURITY FRAMEWORK USED IN THE CYBERSECURITY ASSESSMENT OF THE PUBLIC SERVICE COMPANY; AND
D. THE NAME OF THE ENTITY THAT COMPLETED THE CYBERSECURITY ASSESSMENT.

[(7)] (9) Subject to § 3–104 of this article, the Commission may delegate to a commissioner or personnel the authority to perform an administrative function necessary to carry out a duty of the Commission.

[(8)] (10) (i) Except as provided in subparagraph (ii) of this paragraph or otherwise by law, all personnel of the Commission are subject to the provisions of the State Personnel and Pensions Article.

(ii) The following are in the executive service, management service, or are special appointments in the State Personnel Management System:
1. each commissioner of the Commission;
2. the Executive Director;
3. the General Counsel and each assistant general counsel;
4. the Executive Secretary;
5. the commissioners’ personal staff members;
6. the chief public utility law judge; and
7. each license hearing officer.

2–113.

(a) (1) The Commission shall:
(i) supervise and regulate the public service companies subject to the jurisdiction of the Commission to:
1. ensure their operation in the interest of the public; and
2. promote adequate, economical, and efficient delivery of utility services in the State without unjust discrimination; and
(ii) enforce compliance with the requirements of law by public service companies, including requirements with respect to financial condition, capitalization, franchises, plant, manner of operation, rates, and service.
(2) In supervising and regulating public service companies, the Commission shall consider:
(i) the public safety;
(ii) the economy of the State;
(iii) the maintenance of fair and stable labor standards for affected workers;
(iv) the conservation of natural resources;
(v) the preservation of environmental quality, including protection of the global climate from continued short–term and long–term warming based on the best available scientific information recognized by the Intergovernmental Panel on Climate Change; [and]
(vi) the achievement of the State’s climate commitments for reducing statewide greenhouse gas emissions, including those specified in Title 2, Subtitle 12 of the Environment Article; AND
(VII) THE PROTECTION OF A PUBLIC SERVICE COMPANY’S INFRASTRUCTURE AGAINST CYBERSECURITY THREATS.

(b) The powers and duties listed in this title do not limit the scope of the general powers and duties of the Commission provided for by this division.

5–306.

(A) IN THIS SECTION, “ZERO–TRUST” MEANS A CYBERSECURITY APPROACH:
(1) FOCUSED ON CYBERSECURITY RESOURCE PROTECTION; AND
(2) BASED ON THE PREMISE THAT TRUST IS NEVER GRANTED IMPLICITLY BUT MUST BE CONTINUALLY EVALUATED.

(B) THIS SECTION DOES NOT APPLY TO A PUBLIC SERVICE COMPANY THAT IS:
(1) A COMMON CARRIER; OR
(2) A TELEPHONE COMPANY.

(C) A PUBLIC SERVICE COMPANY SHALL:
(1) ADOPT AND IMPLEMENT CYBERSECURITY STANDARDS THAT ARE EQUAL TO OR EXCEED STANDARDS ADOPTED BY THE COMMISSION;
(2) ADOPT A ZERO–TRUST CYBERSECURITY APPROACH FOR ON–PREMISES SERVICES AND CLOUD–BASED SERVICES;
(3) ESTABLISH MINIMUM SECURITY STANDARDS FOR EACH OPERATIONAL TECHNOLOGY AND INFORMATION TECHNOLOGY DEVICE BASED ON THE LEVEL OF SECURITY RISK FOR EACH DEVICE, INCLUDING SECURITY RISKS ASSOCIATED WITH SUPPLY CHAINS; AND
(4) (I) BEGINNING IN 2024 ON OR BEFORE JULY 1, 2024, AND AT LEAST ONCE ON OR BEFORE JULY 1 EVERY OTHER YEAR THEREAFTER, CONTRACT WITH ENGAGE A THIRD PARTY TO CONDUCT AN ASSESSMENT OF OPERATIONAL TECHNOLOGY AND INFORMATION TECHNOLOGY DEVICES BASED ON:
1. THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY’S CROSS–SECTOR CYBERSECURITY PERFORMANCE GOALS; OR
2. A MORE STRINGENT STANDARD THAT IS BASED ON THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY SECURITY FRAMEWORKS; AND
(II) SUBMIT TO THE COMMISSION:
1. THE RESULTS AND RECOMMENDATIONS OF EACH ASSESSMENT; AND
2. CERTIFICATION OF THE PUBLIC SERVICE COMPANY’S COMPLIANCE WITH STANDARDS USED IN THE ASSESSMENTS UNDER ITEM (I) OF THIS ITEM.

(D) (1) EACH PUBLIC SERVICE COMPANY SHALL REPORT, IN ACCORDANCE WITH THE PROCESS ESTABLISHED UNDER PARAGRAPH (2) OF THIS SUBSECTION, A CYBERSECURITY INCIDENT, INCLUDING AN ATTACK ON A SYSTEM BEING USED BY THE PUBLIC SERVICE COMPANY, TO THE STATE SECURITY OPERATIONS CENTER IN THE DEPARTMENT OF INFORMATION TECHNOLOGY.
(2) THE STATE CHIEF INFORMATION SECURITY OFFICER, IN CONSULTATION WITH THE COMMISSION, SHALL ESTABLISH A PROCESS FOR A PUBLIC SERVICE COMPANY TO REPORT CYBERSECURITY INCIDENTS UNDER PARAGRAPH (1) OF THIS SUBSECTION, INCLUDING ESTABLISHING:
(I) THE CRITERIA FOR DETERMINING THE CIRCUMSTANCES UNDER WHICH A CYBERSECURITY INCIDENT MUST BE REPORTED;
(II) THE MANNER IN WHICH A CYBERSECURITY INCIDENT MUST BE REPORTED; AND
(III) THE TIME PERIOD WITHIN WHICH A CYBERSECURITY INCIDENT MUST BE REPORTED.

(3) THE STATE SECURITY OPERATIONS CENTER SHALL IMMEDIATELY NOTIFY APPROPRIATE STATE AND LOCAL AGENCIES OF A CYBERSECURITY INCIDENT REPORTED UNDER THIS SUBSECTION.

Article – State Finance and Procurement

3.5–301.

(a) In this subtitle the following words have the meanings indicated.

(b) “Cybersecurity” means processes or capabilities wherein systems, communications, and information are protected and defended against damage, unauthorized use or modification, and exploitation.

SECTION 2. AND BE IT FURTHER ENACTED, That, on or before October 1, 2024, the Public Service Commission shall conduct an evaluation based on assessments conducted on a public service company’s information technology devices conducted under Section 1 of this Act for fiscal year 2024, funds from the Dedicated Purpose Account may be transferred by budget amendment, in accordance with § 7–310 of the State Finance and Procurement Article, to the Department of Information Technology for the purpose of adding additional staffing and operational capacity for the Department to improve State and local cybersecurity.

SECTION 3. AND BE IT FURTHER ENACTED, That it is the intent of the General Assembly that the Public Service Commission work with the Cybersecurity and Infrastructure Security Agency and the Office of Security Management to improve the Commission’s capacity to implement the provisions of this Act.

SECTION 4. AND BE IT FURTHER ENACTED, That this Act shall take effect October July 1, 2023.