Maryland 2023 Regular Session

Maryland Senate Bill SB800 Compare Versions

Old New Differences
11
22
33 EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW.
44 [Brackets] indicate matter deleted from existing law.
5- Underlining indicates amendments to bill.
6- Strike out indicates matter stricken from the bill by amendment or deleted from the law by
7-amendment.
85 *sb0800*
96
107 SENATE BILL 800
118 C5, S2 3lr1842
129 CF HB 969
1310 By: Senator Hester
1411 Introduced and read first time: February 6, 2023
1512 Assigned to: Education, Energy, and the Environment
16-Committee Report: Favorable with amendments
17-Senate action: Adopted
18-Read second time: March 26, 2023
1913
20-CHAPTER ______
14+A BILL ENTITLED
2115
2216 AN ACT concerning 1
2317
2418 Public Service Commission – Cybersecurity Staffing and Assessments 2
2519 (Critical Infrastructure Cybersecurity Act of 2023) 3
2620
2721 FOR the purpose of requiring the Public Service Commission to include on its staff a certain 4
2822 number of experts in cybersecurity to perform certain duties; requiring the 5
2923 Commission to establish, in coordination with the Office of Security Management, 6
3024 cybersecurity standards and best practices for regulated entities, share information 7
3125 on cybersecurity initiatives and best practices with certain entities, and conduct a 8
32-certain periodic assessment collect certain certifications, and submit a certain report; 9
33-requiring certain public service companies, including certain electric cooperatives, to 10
34-adopt and implement certain cybersecurity standards and a zero–trust cybersecurity 11
35-approach for certain services, establish certain minimum security standards, and 12
36-periodically contract engage with a third party to conduct a certain assessment and 13
37-submit certain information to the Commission beginning in a certain year; requiring 14
38-the Commission to conduct an evaluation on or before a certain date based on certain 15
39-assessments; requiring each public service company to report a cybersecurity 16
40-incident to certain entities; requiring the State Chief Information Security Officer, 17
41-in consultation with the Commission, to establish a certain reporting process; 18
42-requiring the State Security Operations Center to immediately notify certain 19
43-agencies of a cybersecurity incident reported under this Act; providing that, for a 20
44-certain fiscal year, funds from the Dedicated Purpose Account may be transferred by 21
45-budget amendment to the Department of Information Technology for a certain 22
46-purpose; and generally relating to cybersecurity standards and assessments for 23
47-public service companies and the Public Service Commission. 24
48- 2 SENATE BILL 800
26+certain periodic assessment; requiring certain public service companies, including 9
27+certain electric cooperatives, to adopt and implement certain cybersecurity 10
28+standards and a zero–trust cybersecurity approach for certain services, establish 11
29+certain minimum security standards, and periodically contract with a third party to 12
30+conduct a certain assessment and submit certain information to the Commission 13
31+beginning in a certain year; requiring the Commission to conduct an evaluation on 14
32+or before a certain date based on certain assessments; and generally relating to 15
33+cybersecurity standards and assessments for public service companies and the Public 16
34+Service Commission. 17
35+
36+BY repealing and reenacting, with amendments, 18
37+ Article – Corporations and Associations 19
38+Section 5–637 20
39+ Annotated Code of Maryland 21
40+ (2014 Replacement Volume and 2022 Supplement) 22
41+
42+BY repealing and reenacting, without amendments, 23
43+ Article – Public Utilities 24
44+Section 1–101(a) 25
45+ Annotated Code of Maryland 26
46+ (2020 Replacement Volume and 2022 Supplement) 27
47+
48+BY adding to 28 2 SENATE BILL 800
4949
5050
51-BY repealing and reenacting, with amendments, 1
52- Article – Corporations and Associations 2
53-Section 5–637 3
54- Annotated Code of Maryland 4
55- (2014 Replacement Volume and 2022 Supplement) 5
51+ Article – Public Utilities 1
52+Section 1–101(h–1) and 5–306 2
53+ Annotated Code of Maryland 3
54+ (2020 Replacement Volume and 2022 Supplement) 4
5655
57-BY repealing and reenacting, without amendments, 6
58- Article – Public Utilities 7
59-Section 1101(a) 8
60- Annotated Code of Maryland 9
61- (2020 Replacement Volume and 2022 Supplement) 10
56+BY repealing and reenacting, with amendments, 5
57+ Article – Public Utilities 6
58+Section 2108(d) and 2–113 7
59+ Annotated Code of Maryland 8
60+ (2020 Replacement Volume and 2022 Supplement) 9
6261
63-BY adding to 11
64- Article – Public Utilities 12
65-Section 1101(h–1) and 5–306 13
66- Annotated Code of Maryland 14
67- (2020 Replacement Volume and 2022 Supplement) 15
62+BY repealing and reenacting, without amendments, 10
63+ Article – State Finance and Procurement 11
64+Section 3.5301(a) and (b) 12
65+ Annotated Code of Maryland 13
66+ (2021 Replacement Volume and 2022 Supplement) 14
6867
69-BY repealing and reenacting, with amendments, 16
70- Article – Public Utilities 17
71-Section 2–108(d) and 2–113 18
72- Annotated Code of Maryland 19
73- (2020 Replacement Volume and 2022 Supplement) 20
68+ SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 15
69+That the Laws of Maryland read as follows: 16
7470
75-BY repealing and reenacting, without amendments, 21
76- Article – State Finance and Procurement 22
77-Section 3.5–301(a) and (b) 23
78- Annotated Code of Maryland 24
79- (2021 Replacement Volume and 2022 Supplement) 25
71+Article – Corporations and Associations 17
8072
81- SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 26
82-That the Laws of Maryland read as follows: 27
73+5–637. 18
8374
84-Article – Corporations and Associations 28
75+ (a) (1) Except as provided in paragraph (2) of this subsection, this subtitle 19
76+applies to the provision of broadband Internet service by a member–regulated cooperative. 20
8577
86-5–637. 29
78+ (2) A member–regulated cooperative may not, for the sole purpose of 21
79+providing broadband Internet service, exercise the power of condemnation under § 22
80+5–607(a)(16) of this subtitle. 23
8781
88- (a) (1) Except as provided in paragraph (2) of this subsection, this subtitle 30
89-applies to the provision of broadband Internet service by a member–regulated cooperative. 31
82+ (b) A member–regulated cooperative is subject to the following provisions of the 24
83+Public Utilities Article: 25
9084
91- (2) A member–regulated cooperative may not, for the sole purpose of 32
92-providing broadband Internet service, exercise the power of condemnation under § 33
93-5–607(a)(16) of this subtitle. 34
85+ (1) § 5–103; 26
9486
95- (b) A member–regulated cooperative is subject to the following provisions of the 35
96-Public Utilities Article: 36
97- SENATE BILL 800 3
87+ (2) § 5–201; 27
9888
89+ (3) § 5–202; 28
9990
100- (1) § 5–103; 1
91+ (4) § 5–303; 29
10192
102- (2) § 5–201; 2
93+ (5) § 5–304; 30
10394
104- (3) § 5–202; 3
95+ (6) § 5–306; 31
10596
106- (4) § 5–303; 4
107-
108- (5) § 5–304; 5
109-
110- (6) § 5–306; 6
111-
112- [(6)] (7) § 7–103; 7
113-
114- [(7)] (8) § 7–104; 8
115-
116- [(8)] (9) § 7–203; 9
117-
118- [(9)] (10) § 7–207; 10
119-
120- [(10)] (11) § 7–302; 11
121-
122- [(11)] (12) Title 7, Subtitle 5, Part I and Part II; 12
123-
124- [(12)] (13) Title 7, Subtitle 7; and 13
125-
126- [(13)] (14) § 13–101. 14
127-
128-Article – Public Utilities 15
129-
130-1–101. 16
131-
132- (a) In this division the following words have the meanings indicated. 17
133-
134- (H–1) “CYBERSECURITY ” HAS THE MEANING STATED IN § 3.5–301 OF THE 18
135-STATE FINANCE AND PROCUREMENT ARTICLE. 19
136-
137-2–108. 20
138-
139- (d) (1) The State budget shall provide sufficient money for the Commission to 21
140-hire, develop, and organize a staff to perform the functions of the Commission, including 22
141-analyzing data submitted to the Commission and participating in proceedings as provided 23
142-in § 3–104 of this article. 24
143- 4 SENATE BILL 800
144-
145-
146- (2) (i) As the Commission considers necessary, the Commission shall 1
147-hire experts including economists, cost of capital experts, rate design experts, accountants, 2
148-engineers, transportation specialists, and lawyers. 3
149-
150- (ii) To assist in the regulation of intrastate hazardous liquid 4
151-pipelines under Title 11, Subtitle 2 of this article, the Commission shall include on its staff 5
152-at least one engineer who specializes in the storage of and the transportation of hazardous 6
153-liquid materials by pipeline. 7
154-
155- (3) THE COMMISSION SHALL INCL UDE ON ITS STAFF ONE OR MORE 8
156-EMPLOYEES THAT ARE E XPERTS IN CYBERSECUR ITY TO: 9
157-
158- (I) ADVISE THE CHAIRMAN OF THE COMMISSION AND T HE 10
159-COMMISSIONERS ON MEA SURES TO IMPROVE OVE RSIGHT OF THE CYBERS ECURITY 11
160-PRACTICES OF PUBLIC SERVICE COMPANIES ; 12
161-
162- (II) CONSULT WITH THE OFFICE OF SECURITY MANAGEMENT 13
163-ON CYBERSECURITY ISS UES RELATED TO UTILI TY REGULATION ; 14
164-
165- (III) STUDY AND MONITOR CY BERSECURITY BEST PRACTI CES 15
166-FOR INFORMATION TECH NOLOGY AND OPERATION AL TECHNOLOGY ; 16
167-
168- (IV) ASSIST IN DRAFTING C YBERSECURITY –RELATED 17
169-REGULATIONS ; 18
170-
171- (V) ASSIST THE COMMISSION IN MONITOR ING THE MINIMUM 19
172-SECURITY STANDARDS D EVELOPED UNDER § 5–306 OF THIS ARTICLE; 20
173-
174- (VI) (IV) PARTICIPATE IN BRIEF INGS TO DISCUSS 21
175-CYBERSECURITY PRACTI CES BASED ON: 22
176-
177- 1. APPLICABLE NATIONAL ASSOCIATION OF 23
178-REGULATORY UTILITY COMMISSIONERS GUIDANC E; AND 24
179-
180- 2. IMPROVEMENTS TO CYBE RSECURITY PRACTICES 25
181-RECOMMENDED IN THE C YBERSECURITY ASSESSM ENTS REQUIRED UNDER § 5–306 26
182-OF THIS ARTICLE; AND 27
183-
184- (V) CONVENE WORKSHOPS WI TH SUPPORT PUBLIC SERVICE 28
185-COMPANIES THAT DO NO T MEET MINIMUM SECUR ITY STANDARDS WITH 29
186-REMEDIATING VULNERAB ILITIES OR ADDRESSIN G CYBERSECURITY ASSE SSMENT 30
187-FINDINGS; AND. 31
188-
189- (VII) PREPARE REPORTS FOR THE COMMISSION TO REVIEW , 32
190-INCLUDING REPORTS ON : 33 SENATE BILL 800 5
97+ [(6)] (7) § 7–103; 32 SENATE BILL 800 3
19198
19299
193100
194- 1. CYBERSECURITY THREATS AND SOURCES ; AND 1
101+ [(7)] (8) § 7–104; 1
195102
196- 2. THE EFFICACY OF CYBE RSECURITY PRACTICES OF 2
197-PUBLIC SERVICE COMPA NIES. 3
103+ [(8)] (9) § 7–203; 2
198104
199- (4) The Commission may retain on a case by case basis additional experts 4
200-as required for a particular matter. 5
105+ [(9)] (10) § 7–207; 3
201106
202- [(4)] (5) The lawyers who represent the Commission staff in proceedings 6
203-before the Commission shall be appointed by the Commission and shall be organized and 7
204-operate independently of the office of General Counsel. 8
107+ [(10)] (11) § 7–302; 4
205108
206- [(5)] (6) (i) As required, the Commission shall hire public utility law 9
207-judges. 10
109+ [(11)] (12) Title 7, Subtitle 5, Part I and Part II; 5
208110
209- (ii) Public utility law judges are a separate organizational unit and 11
210-shall report directly to the Commission. 12
111+ [(12)] (13) Title 7, Subtitle 7; and 6
211112
212- [(6)] (7) The Commission shall hire personal staff members for each 13
213-commissioner as required to provide advice, draft proposed orders and rulings, and perform 14
214-other personal staff functions. 15
113+ [(13)] (14) § 13–101. 7
215114
216- (8) (I) THE COMMISSION SHALL : 16
115+Article – Public Utilities 8
217116
218- (I) 1. COLLABORATE WITH THE OFFICE OF SECURITY 17
219-MANAGEMENT TO ESTABLI SH CYBERSECURITY STA NDARDS AND BEST PRAC TICES 18
220-FOR REGULATED ENTITI ES, TAKING INTO ACCOUNT UTILITY NEEDS AND 19
221-CAPABILITIES BASED O N SIZE; 20
117+1–101. 9
222118
223- (II) 2. PERIODICALLY SHARE I NFORMATION ON 21
224-CYBERSECURITY INITIA TIVES AND BEST PRACT ICES WITH MUNICIPAL ELECTRIC 22
225-UTILITIES; AND 23
119+ (a) In this division the following words have the meanings indicated. 10
226120
227- (III) 3. BEGINNING ON OR BEFO RE OCTOBER 1, 2023 24
228-JANUARY 1, 2025, AND EVERY 2 YEARS THEREAFTER ,: 25
121+ (H–1) “CYBERSECURITY ” HAS THE MEANING STAT ED IN § 3.5–301 OF THE 11
122+STATE FINANCE AND PROCUREMENT ARTICLE. 12
229123
230- A. EVALUATE COLLECT CERTIFICATIO NS OF A PUBLIC 26
231-SERVICE COMPANY ’S COMPLIANCE WITH ST ANDARDS USED IN THE ASSESSMENTS 27
232-SUBMITTED CONDUCTED UNDER § 5–306 OF THIS ARTICLE FOR 28
233-CYBERSECURITY –RELATED POLICIES AND PROCEDURES , INCLUDING 29
234-CYBERSECURITY AND DA TA PRIVACY THREAT PROTECTIONS ; AND 30
124+2–108. 13
235125
236- (IV) B. SUBMIT THE EVALUATION UNDER ITEM (III) OF THIS 31
237-PARAGRAPH A REPORT TO THE OFFICE OF SECURITY MANAGEMENT IN THE 32 6 SENATE BILL 800
126+ (d) (1) The State budget shall provide sufficient money for the Commission to 14
127+hire, develop, and organize a staff to perform the functions of the Commission, including 15
128+analyzing data submitted to the Commission and participating in proceedings as provided 16
129+in § 3–104 of this article. 17
130+
131+ (2) (i) As the Commission considers necessary, the Commission shall 18
132+hire experts including economists, cost of capital experts, rate design experts, accountants, 19
133+engineers, transportation specialists, and lawyers. 20
134+
135+ (ii) To assist in the regulation of intrastate hazardous liquid 21
136+pipelines under Title 11, Subtitle 2 of this article, the Commission shall include on its staff 22
137+at least one engineer who specializes in the storage of and the transportation of hazardous 23
138+liquid materials by pipeline. 24
139+
140+ (3) THE COMMISSION SHALL INCL UDE ON ITS STAFF ONE OR MORE 25
141+EMPLOYEES THAT ARE E XPERTS IN CYBERSECUR ITY TO: 26
142+
143+ (I) ADVISE THE CHAIRMAN OF THE COMMISSION AND THE 27
144+COMMISSIONERS ON MEASURES TO IMPROVE OVERSIGHT OF THE CYBERSECURITY 28
145+PRACTICES OF PUBLIC SERVICE COMPAN IES; 29 4 SENATE BILL 800
238146
239147
240-DEPARTMENT OF INFORMATION TECHNOLOGY AND THE MARYLAND DEPARTMENT 1
241-OF EMERGENCY MANAGEMENT STATE CHIEF INFORMATION SECURITY OFFICER, 2
242-OR THE OFFICER’S DESIGNEE. 3
243148
244- (II) THE REPORT REQUIRED U NDER SUBPARAGRAPH (I) OF 4
245-THIS PARAGRAPH SHALL INCLUDE: 5
149+ (II) CONSULT WITH THE OFFICE OF SECURITY MANAGEMENT 1
150+ON CYBERSECURITY ISS UES RELATED TO UTILI TY REGULATION ; 2
246151
247- 1. A GENERAL OVERVIEW O F CYBERSECURITY 6
248-TECHNOLOGY AND POLIC IES USED BY PUBLIC S ERVICE COMPANIES IN THE STATE, 7
249-GROUPED BY THE FOLLO WING TYPES: 8
152+ (III) STUDY AND MONITOR CYBERSECURITY BEST PRACTICES 3
153+FOR INFORMATION TECHNOLO GY AND OPERATIONAL T ECHNOLOGY ; 4
250154
251- A. INVESTOR–OWNED ELECTRIC COMPA NIES; 9
155+ (IV) ASSIST IN DRAFTING CY BERSECURITY –RELATED 5
156+REGULATIONS ; 6
252157
253- B. ELECTRIC COOPERATIVE S; 10
158+ (V) ASSIST THE COMMISSION IN MONITOR ING THE MINIMUM 7
159+SECURITY STANDARDS DEVELOPED UNDER § 5–306 OF THIS ARTICLE; 8
254160
255- C. MUNICIPAL ELECTRIC C OMPANIES; 11
161+ (VI) CONVENE WORKSHOPS WITH PUBLI C SERVICE COMPANIES 9
162+THAT DO NOT MEET MIN IMUM SECURITY STANDA RDS; AND 10
256163
257- D. GAS COMPANIES ; AND 12
164+ (VII) PREPARE REPORTS FOR THE COMMISSION TO REVIEW , 11
165+INCLUDING REPORTS ON: 12
258166
259- E. WATER COMPANIES ; 13
167+ 1. CYBERSECURITY THREAT S AND SOURCES ; AND 13
260168
261- 2. GENERAL RECOMMENDATI ONS FOR IMPROVING 14
262-CYBERSECURITY TECHNO LOGY AND POLICIES US ED BY PUBLIC SERVICE 15
263-COMPANIES IN THE STATE, GROUPED BY THE FOLLO WING TYPES: 16
169+ 2. THE EFFICACY OF CYBE RSECURITY PRACTICES OF 14
170+PUBLIC SERVICE COMPA NIES. 15
264171
265- A. INVESTOR–OWNED ELECTRIC COMPA NIES; 17
172+ (4) The Commission may retain on a case by case basis additional experts 16
173+as required for a particular matter. 17
266174
267- B. ELECTRIC COOPERATIVE S; 18
175+ [(4)] (5) The lawyers who represent the Commission staff in proceedings 18
176+before the Commission shall be appointed by the Commission and shall be organized and 19
177+operate independently of the office of General Counsel. 20
268178
269- C. MUNICIPAL ELECTRIC C OMPANIES; 19
179+ [(5)] (6) (i) As required, the Commission shall hire public utility law 21
180+judges. 22
270181
271- D. GAS COMPANIES; AND 20
182+ (ii) Public utility law judges are a separate organizational unit and 23
183+shall report directly to the Commission. 24
272184
273- E. WATER COMPANIES ; AND 21
185+ [(6)] (7) The Commission shall hire personal staff members for each 25
186+commissioner as required to provide advice, draft proposed orders and rulings, and perform 26
187+other personal staff functions. 27
274188
275- 3. FOR EACH CERTIFICATI ON COLLECTED : 22
189+ (8) THE COMMISSION SHALL : 28
190+ SENATE BILL 800 5
276191
277- A. THE NAME OF THE PUBL IC SERVICE COMPANY ; 23
278192
279- B. THE DATE OF THE PUBL IC SERVICE COMPANY ’S MOST 24
280-RECENT CYBERSECURITY ASSESSMENT; 25
193+ (I) COLLABORATE WITH THE OFFICE OF SECURITY 1
194+MANAGEMENT TO ESTABLI SH CYBERSECURITY STA NDARDS AND BEST PRAC TICES 2
195+FOR REGULATED ENTITI ES, TAKING INTO ACCOUNT UTILITY NEEDS AND 3
196+CAPABILITIES BASED O N SIZE; 4
281197
282- C. THE CYBERSECURITY FR AMEWORK USED IN THE 26
283-CYBERSECURITY ASSESS MENT OF THE PUBLIC S ERVICE COMPANY ; AND 27
198+ (II) PERIODICALLY SHARE IN FORMATION ON CYBERSE CURITY 5
199+INITIATIVES AND BEST PRACTICES WITH MUNICIPAL ELECTRIC UTILITIES; 6
200+
201+ (III) BEGINNING ON OR BEFORE OCTOBER 1, 2023, AND EVERY 2 7
202+YEARS THEREAFTER , EVALUATE THE ASSESSMENTS SUBMITTE D UNDER § 8
203+5–306 OF THIS ARTICLE FOR CYBERSECURITY –RELATED POLICIES AND 9
204+PROCEDURES , INCLUDING CYBERSECUR ITY AND DATA PRIVACY THREAT 10
205+PROTECTIONS ; AND 11
206+
207+ (IV) SUBMIT THE EVALUATION UNDER ITEM (III) OF THIS 12
208+PARAGRAPH TO THE OFFICE OF SECURITY MANAGEMENT IN THE DEPARTMENT OF 13
209+INFORMATI ON TECHNOLOGY AND THE MARYLAND DEPARTMENT OF EMERGENCY 14
210+MANAGEMENT . 15
211+
212+ [(7)] (9) Subject to § 3–104 of this article, the Commission may delegate 16
213+to a commissioner or personnel the authority to perform an administrative function 17
214+necessary to carry out a duty of the Commission. 18
215+
216+ [(8)] (10) (i) Except as provided in subparagraph (ii) of this paragraph 19
217+or otherwise by law, all personnel of the Commission are subject to the provisions of the 20
218+State Personnel and Pensions Article. 21
219+
220+ (ii) The following are in the executive service, management service, 22
221+or are special appointments in the State Personnel Management System: 23
222+
223+ 1. each commissioner of the Commission; 24
224+
225+ 2. the Executive Director; 25
226+
227+ 3. the General Counsel and each assistant general counsel; 26
228+
229+ 4. the Executive Secretary; 27
230+
231+ 5. the commissioners’ personal staff members; 28
232+
233+ 6. the chief public utility law judge; and 29
234+
235+ 7. each license hearing officer. 30
236+
237+2–113. 31 6 SENATE BILL 800
238+
239+
240+
241+ (a) (1) The Commission shall: 1
242+
243+ (i) supervise and regulate the public service companies subject to 2
244+the jurisdiction of the Commission to: 3
245+
246+ 1. ensure their operation in the interest of the public; and 4
247+
248+ 2. promote adequate, economical, and efficient delivery of 5
249+utility services in the State without unjust discrimination; and 6
250+
251+ (ii) enforce compliance with the requirements of law by public 7
252+service companies, including requirements with respect to financial condition, 8
253+capitalization, franchises, plant, manner of operation, rates, and service. 9
254+
255+ (2) In supervising and regulating public service companies, the 10
256+Commission shall consider: 11
257+
258+ (i) the public safety; 12
259+
260+ (ii) the economy of the State; 13
261+
262+ (iii) the maintenance of fair and stable labor standards for affected 14
263+workers; 15
264+
265+ (iv) the conservation of natural resources; 16
266+
267+ (v) the preservation of environmental quality, including protection 17
268+of the global climate from continued short–term and long–term warming based on the best 18
269+available scientific information recognized by the Intergovernmental Panel on Climate 19
270+Change; [and] 20
271+
272+ (vi) the achievement of the State’s climate commitments for reducing 21
273+statewide greenhouse gas emissions, including those specified in Title 2, Subtitle 12 of the 22
274+Environment Article; AND 23
275+
276+ (VII) THE PROTECTION OF A PUBLIC SERVICE COM PANY’S 24
277+INFRASTRUCTURE AGAINS T CYBERSECURITY THRE ATS. 25
278+
279+ (b) The powers and duties listed in this title do not limit the scope of the general 26
280+powers and duties of the Commission provided for by this division. 27
281+
282+5–306. 28
283+
284+ (A) IN THIS SECTION, “ZERO–TRUST” MEANS A CYBERSECURITY APPROA CH: 29
284285 SENATE BILL 800 7
285286
286287
287- D. THE NAME OF THE ENTI TY THAT COMPLETED TH E 1
288-CYBERSECURITY ASSESS MENT. 2
288+ (1) FOCUSED ON CYBERSECU RITY RESOURCE PROTEC TION; AND 1
289289
290- [(7)] (9) Subject to § 3–104 of this article, the Commission may delegate 3
291-to a commissioner or personnel the authority to perform an administrative function 4
292-necessary to carry out a duty of the Commission. 5
290+ (2) BASED ON THE PREMISE THAT TRUST IS NEVER GRANTED 2
291+IMPLICITLY BUT MUST BE CONTINUALLY EVALU ATED. 3
293292
294- [(8)] (10) (i) Except as provided in subparagraph (ii) of this paragraph 6
295-or otherwise by law, all personnel of the Commission are subject to the provisions of the 7
296-State Personnel and Pensions Article. 8
293+ (B) THIS SECTION DOES NOT APPLY TO A PUBLIC SE RVICE COMPANY THAT 4
294+IS: 5
297295
298- (ii) The following are in the executive service, management service, 9
299-or are special appointments in the State Personnel Management System: 10
296+ (1) A COMMON CARRIER ; OR 6
300297
301- 1. each commissioner of the Commission; 11
298+ (2) A TELEPHONE COMPANY . 7
302299
303- 2. the Executive Director; 12
300+ (C) A PUBLIC SERVICE COMPA NY SHALL: 8
304301
305- 3. the General Counsel and each assistant general counsel; 13
302+ (1) ADOPT AND IMPLEMEN T CYBERSECURITY STAN DARDS THAT ARE 9
303+EQUAL TO OR EXCEED S TANDARDS ADOPTED BY THE COMMISSION; 10
306304
307- 4. the Executive Secretary; 14
305+ (2) ADOPT A ZERO–TRUST CYBERSECURITY APPROACH FOR 11
306+ON–PREMISES SERVICES AN D CLOUD–BASED SERVICES ; 12
308307
309- 5. the commissioners’ personal staff members; 15
308+ (3) ESTABLISH MINIMUM SECURITY STA NDARDS FOR EACH 13
309+OPERATIONAL TECHNOLO GY AND INFORMATION TECHNOLO GY DEVICE BASED ON 14
310+THE LEVEL OF SECURIT Y RISK FOR EACH DEVI CE, INCLUDING SECURITY R ISKS 15
311+ASSOCIATED WITH SUPPLY CHAI NS; AND 16
310312
311- 6. the chief public utility law judge; and 16
313+ (4) (I) BEGINNING IN 2024 AND AT LEAST ONCE EVERY OTHER 17
314+YEAR THEREAFTER , CONTRACT WITH A THIRD PARTY TO CONDUCT AN ASSESSMENT 18
315+OF OPERATIONAL TECHNOLO GY AND INFORMATION TECHNOLO GY DEVICES BASED 19
316+ON THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY SECURITY 20
317+FRAMEWORK S; AND 21
312318
313- 7. each license hearing officer. 17
319+ (II) SUBMIT TO THE COMMISSION: 22
314320
315-2–113. 18
321+ 1. THE RESULTS AND RECO MMENDATIONS OF EACH 23
322+ASSESSMENT ; AND 24
316323
317- (a) (1) The Commission shall: 19
324+ 2. CERTIFICATION OF THE PUBLI C SERVICE COMPANY ’S 25
325+COMPLIANCE WITH STAND ARDS USED IN THE ASS ESSMENTS UNDE R ITEM (I) OF THIS 26
326+ITEM. 27
318327
319- (i) supervise and regulate the public service companies subject to 20
320-the jurisdiction of the Commission to: 21
328+Article – State Finance and Procurement 28
321329
322- 1. ensure their operation in the interest of the public; and 22
323-
324- 2. promote adequate, economical, and efficient delivery of 23
325-utility services in the State without unjust discrimination; and 24
326-
327- (ii) enforce compliance with the requirements of law by public 25
328-service companies, including requirements with respect to financial conditio n, 26
329-capitalization, franchises, plant, manner of operation, rates, and service. 27
330-
331- (2) In supervising and regulating public service companies, the 28
332-Commission shall consider: 29
330+3.5–301. 29
333331 8 SENATE BILL 800
334332
335333
336- (i) the public safety; 1
334+ (a) In this subtitle the following words have the meanings indicated. 1
337335
338- (ii) the economy of the State; 2
336+ (b) “Cybersecurity” means processes or capabilities wherein systems, 2
337+communications, and information are protected and defended against damage, 3
338+unauthorized use or modification, and exploitation. 4
339339
340- (iii) the maintenance of fair and stable labor standards for affected 3
341-workers; 4
340+ SECTION 2. AND BE IT FURTHER ENACTED, That , on or before October 1, 2024, 5
341+the Public Service Commission shall conduct an evaluation based on assessments 6
342+conducted on a public service company’s information technology devices conducted under 7
343+Section 1 of this Act. 8
342344
343- (iv) the conservation of natural resources; 5
344-
345- (v) the preservation of environmental quality, including protection 6
346-of the global climate from continued short–term and long–term warming based on the best 7
347-available scientific information recognized by the Intergovernmental Panel on Climate 8
348-Change; [and] 9
349-
350- (vi) the achievement of the State’s climate commitments for reducing 10
351-statewide greenhouse gas emissions, including those specified in Title 2, Subtitle 12 of the 11
352-Environment Article; AND 12
353-
354- (VII) THE PROTECTION OF A PUBLIC SERVICE COMPA NY’S 13
355-INFRASTRUCTURE AGAIN ST CYBERSECURITY THR EATS. 14
356-
357- (b) The powers and duties listed in this title do not limit the scope of the general 15
358-powers and duties of the Commission provided for by this division. 16
359-
360-5–306. 17
361-
362- (A) IN THIS SECTION, “ZERO–TRUST” MEANS A CYBERSECURIT Y APPROACH: 18
363-
364- (1) FOCUSED ON CYBERSECU RITY RESOURCE PROTEC TION; AND 19
365-
366- (2) BASED ON THE PREMISE THAT TRUST IS NEVER GRANTED 20
367-IMPLICITLY BUT MUST BE CONTINUALLY EVALU ATED. 21
368-
369- (B) THIS SECTION DOES NOT APPLY TO A PUBLIC SE RVICE COMPANY THAT 22
370-IS: 23
371-
372- (1) A COMMON CARRIER ; OR 24
373-
374- (2) A TELEPHONE COMPANY . 25
375-
376- (C) A PUBLIC SERVICE COMPA NY SHALL: 26
377-
378- (1) ADOPT AND IMPLEMENT CYBERSECURITY STANDA RDS THAT ARE 27
379-EQUAL TO OR EXCEED STAND ARDS ADOPTED BY THE COMMISSION; 28
380- SENATE BILL 800 9
381-
382-
383- (2) ADOPT A ZERO –TRUST CYBERSECURITY APPROACH FOR 1
384-ON–PREMISES SERVICES AN D CLOUD–BASED SERVICES ; 2
385-
386- (3) ESTABLISH MINIMUM SE CURITY STANDARDS FOR EACH 3
387-OPERATIONAL TECHNOLO GY AND INFORMATION T ECHNOLOGY DEVICE BASED ON 4
388-THE LEVEL OF SECURIT Y RISK FOR EACH DEVI CE, INCLUDING SECURITY R ISKS 5
389-ASSOCIATED WITH SUPP LY CHAINS; AND 6
390-
391- (4) (I) BEGINNING IN 2024 ON OR BEFORE JULY 1, 2024, AND AT 7
392-LEAST ONCE ON OR BEFORE JULY 1 EVERY OTHER YEAR THE REAFTER, CONTRACT 8
393-WITH ENGAGE A THIRD PARTY TO CON DUCT AN ASSESSMENT O F OPERATIONAL 9
394-TECHNOLOGY AND INFOR MATION TECHNOLOGY DE VICES BASED ON: 10
395-
396- 1. THE CYBERSECURITY AND INFRASTRUCTURE 11
397-SECURITY AGENCY’S CROSS–SECTOR CYBERSECURITY PERFORMANCE GOALS; OR 12
398-
399- 2. A MORE STRINGENT STANDARD THAT IS BAS ED ON 13
400-THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY SECURITY 14
401-FRAMEWORKS ; AND 15
402-
403- (II) SUBMIT TO THE COMMISSION: 16
404-
405- 1. THE RESULTS AND RECO MMENDATIONS OF EACH 17
406-ASSESSMENT ; AND 18
407-
408- 2. CERTIFICATION OF THE PUBLIC SERVICE COMPA NY’S 19
409-COMPLIANCE WITH STAN DARDS USED IN THE AS SESSMENTS UNDER ITEM (I) OF THIS 20
410-ITEM. 21
411-
412- (D) (1) EACH PUBLIC SERVICE C OMPANY SHALL REPORT , IN 22
413-ACCORDANCE WITH THE PROCESS ESTABLISHED UNDER PARAGRAPH (2) OF THIS 23
414-SUBSECTION, A CYBERSECURITY INCI DENT, INCLUDING AN ATT ACK ON A SYSTEM 24
415-BEING USED BY THE PU BLIC SERVICE COMPANY , TO THE STATE SECURITY 25
416-OPERATIONS CENTER IN THE DEPARTMENT OF INFORMATION TECHNOLOGY . 26
417-
418- (2) THE STATE CHIEF INFORMATION SECURITY OFFICER, IN 27
419-CONSULTATION WITH TH E COMMISSION, SHALL ESTABLISH A PR OCESS FOR A 28
420-PUBLIC SERVICE COMPA NY TO REPORT CYBERSE CURITY INCIDENTS UND ER 29
421-PARAGRAPH (1) OF THIS SUBSECTION , INCLUDING ESTABLISHI NG: 30
422-
423- (I) THE CRITERIA FOR DET ERMINING THE CIRCUMS TANCES 31
424-UNDER WHICH A CYBERS ECURITY INCIDENT MUS T BE REPORTED ; 32
425- 10 SENATE BILL 800
426-
427-
428- (II) THE MANNER IN WHICH A CYBER SECURITY INCIDENT MU ST 1
429-BE REPORTED ; AND 2
430-
431- (III) THE TIME PERIOD WITH IN WHICH A CYBERSECU RITY 3
432-INCIDENT MUST BE REP ORTED. 4
433-
434- (3) THE STATE SECURITY OPERATIONS CENTER SHALL 5
435-IMMEDIATELY NOTIFY A PPROPRIATE STATE AND LOCAL AGENC IES OF A 6
436-CYBERSECURITY INCIDENT REPORTED UNDER THIS SUBSECTION. 7
437-
438-Article – State Finance and Procurement 8
439-
440-3.5–301. 9
441-
442- (a) In this subtitle the following words have the meanings indicated. 10
443-
444- (b) “Cybersecurity” means processes or capabilities wherein systems, 11
445-communications, and information are protected and defended against damage, 12
446-unauthorized use or modification, and exploitation. 13
447-
448- SECTION 2. AND BE IT FURTHER ENACTED, That , on or before October 1, 2024, 14
449-the Public Service Commission shall conduct an evaluation based on assessments 15
450-conducted on a public service company’s information technology devices conducted under 16
451-Section 1 of this Act for fiscal year 2024, funds from the Dedicated Purpose Account may 17
452-be transferred by budget amendment, in accordance with § 7–310 of the State Finance and 18
453-Procurement Article, to the Department of Information Technology for the purpose of 19
454-adding additional staffing and operational capacity for the Department to improve State 20
455-and local cybersecurity. 21
456-
457- SECTION 3. AND BE IT FURTHER ENACTED, That it is the intent of the General 22
458-Assembly that the Public Service Commission work with the Cybersecurity and 23
459-Infrastructure Security Agency and the Office of Security Management to improve the 24
460-Commission’s capacity to implement the provisions of this Act. 25
461-
462- SECTION 4. AND BE IT FURTHER ENACTED, That this Act shall take effect 26
463-October July 1, 2023. 27
464-
345+ SECTION 3. AND BE IT FURTHER ENACTED, That this Act shall take effect 9
346+October 1, 2023. 10