Maryland 2023 Regular Session

Maryland Senate Bill SB868 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1
2	2
3	3	EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW.
4	4	[Brackets] indicate matter deleted from existing law.
5	5	sb0868
6	6
7	7	SENATE BILL 868
8	8	S2 3lr2724
9	9
10	10	By: Senator Hester
11	11	Introduced and read first time: February 6, 2023
12	12	Assigned to: Education, Energy, and the Environment
13	13
14	14	A BILL ENTITLED
15	15
16	16	AN ACT concerning 1
17	17
18	18	State and Local Cybersecurity – Revisions 2
19	19
20	20	FOR the purpose of establishing the Director of Cybersecurity Preparedness in the Cyber 3
21	21	Preparedness Unit of the Maryland Department of Emergency Management; 4
22	22	establishing certain duties of the Director; specifying the amount of a certain annual 5
23	23	appropriation made by the Governor to the Unit; establishing that the State Chief 6
24	24	Information Security Officer in the Office of Security Management reports to the 7
25	25	Governor; altering certain qualifications and duties of the State Chief Information 8
26	26	Security Officer; altering certain duties of the Office; altering certain duties of the 9
27	27	Secretary of Information Technology; altering the membership of the Modernize 10
28	28	Maryland Oversight Commission and providing for the appointment of the chair and 11
29	29	vice chair of the Commission; altering the duties of certain independent contractors 12
30	30	hired by the Department of Information Technology; establishing that certain 13
31	31	information related to cybersecurity incidents reported by local governments may 14
32	32	not be used in a certain manner; authorizing the Office to ensure compliance of an 15
33	33	agency’s cybersecurity with cybersecurity standards in a certain manner; requiring 16
34	34	a certain independent contractor hired by the Department of Information Technology 17
35	35	to provide certain quarterly updates on its work; requiring a certain report by the 18
36	36	Commission to include a certain evaluation; requiring the Department of 19
37	37	Information Technology to hire an independent contractor to conduct a certain 20
38	38	review; and generally relating to State and local cybersecurity. 21
39	39
40	40	BY repealing and reenacting, with amendments, 22
41	41	Article – Public Safety 23
42	42	Section 14–104.1 24
43	43	Annotated Code of Maryland 25
44	44	(2022 Replacement Volume) 26
45	45
46	46	BY repealing and reenacting, without amendments, 27
47	47	Article – State Finance and Procurement 28
48	48	Section 3.5–2A–02 and 3.5–301(a) 29 2 SENATE BILL 868
49	49
50	50
51	51	Annotated Code of Maryland 1
52	52	(2021 Replacement Volume and 2022 Supplement) 2
53	53
54	54	BY repealing and reenacting, with amendments, 3
55	55	Article – State Finance and Procurement 4
56	56	Section 3.5–2A–03, 3.5–2A–04(b)(11), 3.5–301(i), 3.5–303(a) and (d), 3.5–316, 5
57	57	3.5–317(b)(1), and 3.5–407(d) 6
58	58	Annotated Code of Maryland 7
59	59	(2021 Replacement Volume and 2022 Supplement) 8
60	60
61	61	BY adding to 9
62	62	Article – State Finance and Procurement 10
63	63	Section 3.5–318 11
64	64	Annotated Code of Maryland 12
65	65	(2021 Replacement Volume and 2022 Supplement) 13
66	66
67	67	BY repealing and reenacting, with amendments, 14
68	68	Chapter 242 of the Acts of the General Assembly of 2022 15
69	69	Section 5 and 6 16
70	70
71	71	SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 17
72	72	That the Laws of Maryland read as follows: 18
73	73
74	74	Article – Public Safety 19
75	75
76	76	14–104.1. 20
77	77
78	78	(a) (1) In this section the following words have the meanings indicated. 21
79	79
80	80	(2) “Local government” includes local school systems, local school boards, 22
81	81	and local health departments. 23
82	82
83	83	(3) “Unit” means the Cyber Preparedness Unit. 24
84	84
85	85	(b) (1) There is a Cyber Preparedness Unit in the Department. 25
86	86
87	87	(2) (I) THE HEAD OF THE UNIT IS THE DIRECTOR OF 26
88	88	CYBERSECURITY PREPAREDNESS . 27
89	89
90	90	(II) THE DIRECTOR SHALL WORK I N COORDINATIO N WITH THE 28
91	91	DIRECTOR OF LOCAL CYBERSECURITY IN THE OFFICE OF SECURITY MANAGEMENT 29
92	92	TO PROVIDE TECHNICAL ASSISTANCE, COORDINATE RESOURCES , AND IMPROVE 30
93	93	CYBERSECURITY PREPAR EDNESS FOR UNITS OF LOCAL GOVERNMENT . 31
94	94
95	95	[(2)] (3) In coordination with the State Chief Information Security 32
96	96	Officer, the Unit shall: 33 SENATE BILL 868 3
97	97
98	98
99	99
100	100	(i) support local governments in developing a vulnerability 1
101	101	assessment and cyber assessment, including providing local governments with the 2
102	102	resources and information on best practices to complete the assessments; 3
103	103
104	104	(ii) develop and regularly update an online database of cybersecurity 4
105	105	training resources for local government personnel, including technical training resources, 5
106	106	cybersecurity continuity of operations templates, consequence management plans, and 6
107	107	trainings on malware and ransomware detection; 7
108	108
109	109	(iii) assist local governments in: 8
110	110
111	111	1. the development of cybersecurity preparedness and 9
112	112	response plans; 10
113	113
114	114	2. implementing best practices and guidance developed by 11
115	115	the State Chief Information Security Officer; and 12
116	116
117	117	3. identifying and acquiring resources to complete 13
118	118	appropriate cybersecurity vulnerability assessments; 14
119	119
120	120	(iv) connect local governments to appropriate resources for any other 15
121	121	purpose related to cybersecurity preparedness and response; 16
122	122
123	123	(v) as necessary and in coordination with the National Guard, local 17
124	124	emergency managers, and other State and local entities, conduct regional cybersecurity 18
125	125	preparedness exercises; and 19
126	126
127	127	(vi) establish regional assistance groups to deliver and coordinate 20
128	128	support services to local governments, agencies, or regions. 21
129	129
130	130	[(3)] (4) The Unit shall support the Office of Security Management in the 22
131	131	Department of Information Technology during emergency response efforts. 23
132	132
133	133	(c) (1) Each local government shall report a cybersecurity incident, including 24
134	134	an attack on a State system being used by the local government, to the appropriate local 25
135	135	emergency manager and the State Security Operations Center in the Department of 26
136	136	Information Technology [and to the Maryland Joint Operations Center in the Department] 27
137	137	in accordance with paragraph (2) of this subsection. 28
138	138
139	139	(2) For the reporting of cybersecurity incidents under paragraph (1) of this 29
140	140	subsection, the State Chief Information Security Officer shall determine: 30
141	141
142	142	(i) the criteria for determining when an incident must be reported; 31
143	143
144	144	(ii) the manner in which to report; and 32
145	145	4 SENATE BILL 868
146	146
147	147
148	148	(iii) the time period within which a report must be made. 1
149	149
150	150	(3) The State Security Operations Center shall immediately notify 2
151	151	appropriate agencies of a cybersecurity incident reported under this subsection through the 3
152	152	State Security Operations Center. 4
153	153
154	154	(d) (1) Five Position Identification Numbers (PINs) shall be created for the 5
155	155	purpose of hiring staff to conduct the duties of the Maryland Department of Emergency 6
156	156	Management Cybersecurity Preparedness Unit. 7
157	157
158	158	(2) For fiscal year 2024 and each fiscal year thereafter, the Governor shall 8
159	159	include in the annual budget bill an appropriation [of at least: 9
160	160
161	161	(i) $220,335 for 3 PINs for Administrator III positions; and 10
162	162
163	163	(ii) $137,643 for 2 PINs for Administrator II positions] SUFFICIENT 11
164	164	FOR THE POSITIONS CR EATED UNDER PARAGRAP H (1) OF THIS SUBSECTION . 12
165	165
166	166	Article – State Finance and Procurement 13
167	167
168	168	3.5–2A–02. 14
169	169
170	170	There is an Office of Security Management within the Department. 15
171	171
172	172	3.5–2A–03. 16
173	173
174	174	(a) The head of the Office is the State Chief Information Security Officer. 17
175	175
176	176	(b) The State Chief Information Security Officer shall: 18
177	177
178	178	(1) be appointed by the Governor with the advice and consent of the Senate; 19
179	179
180	180	(2) serve at the pleasure of the Governor; AND 20
181	181
182	182	(3) be supervised by the [Secretary; and 21
183	183
184	184	(4) serve as the chief information security officer of the Department] 22
185	185	GOVERNOR. 23
186	186
187	187	(c) An individual appointed as the State Chief Information Security Officer under 24
188	188	subsection (b) of this section shall: 25
189	189
190	190	(1) [at a minimum, hold a bachelor’s degree; 26
191	191
192	192	(2)] hold appropriate information technology or cybersecurity certifications; 27
193	193	SENATE BILL 868 5
194	194
195	195
196	196	[(3)] (2) have experience: 1
197	197
198	198	(i) identifying, implementing, or assessing security controls; 2
199	199
200	200	(ii) in infrastructure, systems engineering, or cybersecurity; 3
201	201
202	202	(iii) managing highly technical security, security operations centers, 4
203	203	and incident response teams in a complex cloud environment and supporting multiple sites; 5
204	204	and 6
205	205
206	206	(iv) working with common information security management 7
207	207	frameworks; 8
208	208
209	209	[(4)] (3) have extensive knowledge of information technology and 9
210	210	cybersecurity field concepts, best practices, and procedures, with an understanding of 10
211	211	existing enterprise capabilities and limitations to ensure the secure integration and 11
212	212	operation of security networks and systems; and 12
213	213
214	214	[(5)] (4) have knowledge of current security regulations. 13
215	215
216	216	(d) The State Chief Information Security Officer shall: 14
217	217
218	218	(1) provide cybersecurity advice and recommendations to the Governor on 15
219	219	request; AND 16
220	220
221	221	(2) DEVELOP AND MAINTAIN A STATEWIDE CYBERSEC URITY 17
222	222	STRATEGY THAT WILL : 18
223	223
224	224	(I) CENTRALIZE THE MANAG EMENT AND DIRECTION OF 19
225	225	CYBERSECURITY STRATE GY WITHIN THE EXECUTIVE BRANCH OF STATE 20
226	226	GOVERNMENT UNDER THE CONTROL OF THE DEPARTMENT ; AND 21
227	227
228	228	(II) SERVE AS THE BASIS F OR BUDGET ALLOCATION S FOR 22
229	229	CYBERSECURITY PREPAR EDNESS FOR THE EXECUTIVE BRANCH OF STATE 23
230	230	GOVERNMENT . 24
231	231
232	232	(e) (1) (i) There is a Director of Local Cybersecurity, who shall be 25
233	233	appointed by the State Chief Information Security Officer. 26
234	234
235	235	(ii) The Director of Local Cybersecurity shall: 27
236	236
237	237	1. work in coordination with the Maryland Department of 28
238	238	Emergency Management to provide technical assistance, coordinate resources, and improve 29
239	239	cybersecurity preparedness for units of local government; AND 30
240	240	6 SENATE BILL 868
241	241
242	242
243	243	2. IN CONSULTATION WITH THE MARYLAND 1
244	244	CYBERSECURITY COORDINATING COUNCIL, DEVELOP GUIDANCE ON CONSISTENT 2
245	245	CYBERSECURITY STRATE GIES FOR COUNTIES , MUNICIPAL CORPORATIO NS, SCHOOL 3
246	246	SYSTEMS, AND ALL OTHER POLITI CAL SUBDIVISIONS OF THE STATE. 4
247	247
248	248	(2) (i) There is a Director of State Cybersecurity, who shall be 5
249	249	appointed by the State Chief Information Security Officer. 6
250	250
251	251	(ii) The Director of State Cybersecurity is responsible for 7
252	252	implementation of this section with respect to units of State government. 8
253	253
254	254	(III) IN CONSULTATION WITH THE MARYLAND CYBERSECURITY 9
255	255	COORDINATING COUNCIL, THE DIRECTOR OF STATE CYBERSECURITY SHALL 10
256	256	ADVISE AND OVERSEE A CONSISTENT CYBERSECU RITY STRATEGY FOR UN ITS OF 11
257	257	STATE GOVERNMENT , INCLUDING INSTITUT IONS UNDER THE CONTR OL OF THE 12
258	258	GOVERNING BOARDS OF THE PUBLIC INSTITUTI ONS OF HIGHER EDUCAT ION. 13
259	259
260	260	(f) The Department shall provide the Office with sufficient staff to perform the 14
261	261	functions of this subtitle. 15
262	262
263	263	(G) THE GOVERNOR SHALL INCLUD E AN APPROPRIATION IN THE ANNUAL 16
264	264	BUDGET BILL IN AN AM OUNT NECESSARY TO CO VER THE COSTS OF IMP LEMENTING 17
265	265	THE STATEWIDE CYBERS ECURITY STRATEGY DEV ELOPED UNDER SUBSECT ION (D) 18
266	266	OF THIS SECTION WITH OUT THE NEED FOR THE OFFICE TO OPERATE A 19
267	267	CHARGE–BACK MODEL FOR CYBER SECURITY SERVIC ES PROVIDED TO OTHER UNITS 20
268	268	OF STATE GOVERNMENT OR U NITS OF LOCAL GOVERN MENT. 21
269	269
270	270	3.5–2A–04. 22
271	271
272	272	(b) The Office shall: 23
273	273
274	274	(11) develop and maintain information technology security policy, 24
275	275	standards, and guidance documents, consistent with [best practices developed by the] A 25
276	276	WIDELY RECOGNIZED SE CURITY STANDARD , INCLUDING: 26
277	277
278	278	(I) National Institute of Standards and Technology (NIST) 27
279	279	CYBERSECURITY FRAMEWORK , NIST 800–53, OR INTERNATIONAL ORGANIZATION 28
280	280	FOR STANDARDIZATION (ISO) ISO 27001; OR 29
281	281
282	282	(II) IN THE CASE OF ORGANIZATIONS HANDLING CONTROLLED 30
283	283	UNCLASSIFIED INFORMA TION, NIST SP 800–171 OR THE CYBERSECURITY 31
284	284	MATURITY MODEL CERTIFICATION FROM TH E U.S. DEPARTMENT OF DEFENSE; 32
285	285
286	286	3.5–301. 33
287	287	SENATE BILL 868 7
288	288
289	289
290	290	(a) In this subtitle the following words have the meanings indicated. 1
291	291
292	292	(i) “Master plan” means the statewide information technology master plan [and 2
293	293	statewide cybersecurity strategy]. 3
294	294
295	295	3.5–303. 4
296	296
297	297	(a) The Secretary is responsible for carrying out the following duties: 5
298	298
299	299	(1) developing, maintaining, revising, and enforcing inform ation 6
300	300	technology policies, procedures, and standards; 7
301	301
302	302	(2) providing technical assistance, advice, and recommendations to the 8
303	303	Governor and any unit of State government concerning information technology matters; 9
304	304
305	305	(3) reviewing the annual project plan for each unit of State government to 10
306	306	make information and services available to the public over the Internet; 11
307	307
308	308	(4) developing and maintaining a statewide information technology master 12
309	309	plan that will: 13
310	310
311	311	(i) centralize the management and direction of information 14
312	312	technology policy within the Executive Branch of State government under the control of the 15
313	313	Department; 16
314	314
315	315	(ii) include all aspects of State information technology including 17
316	316	telecommunications, security, data processing, and information management; 18
317	317
318	318	(iii) consider interstate transfers as a result of federal legislation and 19
319	319	regulation; 20
320	320
321	321	(iv) ensure that the State information technology plan and related 21
322	322	policies and standards are consistent with State goals, objectives, and resources, and 22
323	323	represent a long–range vision for using information technology to improve the overall 23
324	324	effectiveness of State government; 24
325	325
326	326	(v) include standards to assure nonvisual access to the information 25
327	327	and services made available to the public over the Internet; and 26
328	328
329	329	(vi) allows a State agency to maintain the agency’s own information 27
330	330	technology unit that provides for information technology services to support the mission of 28
331	331	the agency; 29
332	332
333	333	(5) [developing and maintaining a statewide cybersecurity strategy that 30
334	334	will: 31
335	335	8 SENATE BILL 868
336	336
337	337
338	338	(i) centralize the management and direction of cybersecurity 1
339	339	strategy within the Executive Branch of State government under the control of the 2
340	340	Department; and 3
341	341
342	342	(ii) serve as the basis for budget allocations for cybersecurity 4
343	343	preparedness for the Executive Branch of State government; 5
344	344
345	345	(6)] adopting by regulation and enforcing nonvisual access standards to be 6
346	346	used in the procurement of information technology services by or on behalf of units of State 7
347	347	government in accordance with subsection (b) of this section; 8
348	348
349	349	[(7) in consultation with the Maryland Cybersecurity Coordinating Council, 9
350	350	advising and overseeing a consistent cybersecurity strategy for units of State government, 10
351	351	including institutions under the control of the governing boards of the public institutions 11
352	352	of higher education; 12
353	353
354	354	(8)] (6) advising and consulting with the Legislative and Judicial 13
355	355	branches of State government regarding a cybersecurity strategy; 14
356	356
357	357	[(9) in consultation with the Maryland Cybersecurity Coordinating Council, 15
358	358	developing guidance on consistent cybersecurity strategies for counties, municipal 16
359	359	corporations, school systems, and all other political subdivisions of the State; 17
360	360
361	361	(10)] (7) upgrading information technology and cybersecurity–related 18
362	362	State government infrastructure; and 19
363	363
364	364	[(11)] (8) annually evaluating: 20
365	365
366	366	(i) the feasibility of units of State government providing public 21
367	367	services using artificial intelligence, machine learning, commercial cloud computer 22
368	368	services, device–as–a–service procurement models, and other emerging technologies; and 23
369	369
370	370	(ii) the development of data analytics capabilities to enable 24
371	371	data–driven policymaking by units of State government. 25
372	372
373	373	(d) [(1) The Governor shall include an appropriation in the annual budget bill 26
374	374	in an amount necessary to cover the costs of implementing the statewide cybersecurity 27
375	375	master plan developed under subsection (a) of this section without the need for the 28
376	376	Department to operate a charge–back model for cybersecurity services provided to other 29
377	377	units of State government or units of local government. 30
378	378
379	379	(2)] On or before January 31 each year, in a separate report or included 31
380	380	within a general budget report, the Governor shall submit a report in accordance with § 32
381	381	2–1257 of the State Government Article to the Senate Budget and Taxation Committee and 33
382	382	the House Appropriations Committee that includes: 34
383	383	SENATE BILL 868 9
384	384
385	385
386	386	[(i)] (1) specific information on the information technology budget 1
387	387	and cybersecurity budget that the Governor has submitted to the General Assembly for the 2
388	388	upcoming fiscal year; and 3
389	389
390	390	[(ii)] (2) how the budgets listed under item [(i)] (1) of this 4
391	391	[paragraph] SUBSECTION compare to the annual overview of the U.S. President’s budget 5
392	392	submission on information technology and cybersecurity to Congress conducted by the U.S. 6
393	393	Office of Management and Budget. 7
394	394
395	395	3.5–316. 8
396	396
397	397	(a) (1) In this section the following words have the meanings indicated. 9
398	398
399	399	(2) “Commission” means the Modernize Maryland Oversight Commission. 10
400	400
401	401	(3) “Critical system” means an information technology or cybersecurity 11
402	402	system that is severely outdated, as determined by the Department. 12
403	403
404	404	(b) There is an independent Modernize Maryland Oversight Commission. 13
405	405
406	406	(c) The purpose of the Commission is to: 14
407	407
408	408	(1) ensure the confidentiality, integrity, and availability of information 15
409	409	held by the State concerning State residents; and 16
410	410
411	411	(2) advise the Secretary and State Chief Information Security Officer on: 17
412	412
413	413	(i) the appropriate information technology and cybersecurity 18
414	414	investments and upgrades; 19
415	415
416	416	(ii) the funding sources for the appropriate information technology 20
417	417	and cybersecurity upgrades; and 21
418	418
419	419	(iii) future mechanisms for the procurement of appropriate 22
420	420	information technology and cybersecurity upgrades, including ways to increase the 23
421	421	efficiency of procurements made for information technology and cybersecurity upgrades. 24
422	422
423	423	(d) The Commission consists of the following members: 25
424	424
425	425	(1) the Secretary; 26
426	426
427	427	(2) the State Chief Information Security Officer; 27
428	428
429	429	(3) three chief information security officers representing different units of 28
430	430	State government, appointed by the Governor; 29
431	431	10 SENATE BILL 868
432	432
433	433
434	434	(4) one information technology modernization expert with experience in 1
435	435	the private sector, appointed by the Governor; 2
436	436
437	437	(5) one representative from the Maryland Chamber of Commerce with 3
438	438	knowledge of cybersecurity issues; 4
439	439
440	440	(6) ONE REPRESENTATIVE F ROM THE MARYLAND CHAMBER OF 5
441	441	COMMERCE WITH EXPERTI SE IN INFORMATION TE CHNOLOGY MODERNIZATI ON IN 6
442	442	THE PRIVATE SECTOR ; 7
443	443
444	444	[(6)] (7) two individuals who are end users of State information 8
445	445	technology systems AND WHO ARE NOT STATE EMPLOYEES , appointed by the Governor; 9
446	446
447	447	[(7)] (8) one representative from the Cybersecurity Association of 10
448	448	Maryland; [and] 11
449	449
450	450	[(8)] (9) one individual who is either an instructor or a professional in the 12
451	451	academic field of cybersecurity OR INFORMATION TECHN OLOGY MODERNIZATION at a 13
452	452	college or university in the State, appointed by the Governor; AND 14
453	453
454	454	(10) ONE INDIVIDUAL WITH EXPERIENCE WORKI NG WITH THE STATE 15
455	455	BUDGET AND APPROPRIA TIONS, APPOINTED JOINTLY BY THE PRESIDENT OF THE 16
456	456	SENATE AND THE SPEAKER OF THE HOUSE. 17
457	457
458	458	(e) The cochairs of the Joint Committee on Cybersecurity, Information 18
459	459	Technology, and Biotechnology shall serve as advisory, nonvoting members of the 19
460	460	Commission. 20
461	461
462	462	(F) THE CHAIR OF THE COMMISSION MAY APPOIN T THREE ADDITIONAL 21
463	463	MEMBERS, AS NECESSARY. 22
464	464
465	465	(G) THE CHAIR AND VICE CH AIR OF THE COMMISSION SHALL BE ELECTED 23
466	466	FROM AMONG THE MEMBE RS OF THE COMMISSION WHO ARE NO T EMPLOYED BY 24
467	467	STATE OR LOCAL GOVERNMENT . 25
468	468
469	469	[(f)] (H) The Commission shall: 26
470	470
471	471	(1) advise the Secretary AND THE STATE CHIEF INFORMATION 27
472	472	SECURITY OFFICER on a strategic roadmap with a timeline and budget that will: 28
473	473
474	474	(i) require the updates and investments of critical information 29
475	475	technology and cybersecurity systems identified by the Commission in the first 30
476	476	recommendations reported under paragraph (2) of this subsection to be completed on or 31
477	477	before December 31, 2025; and 32
478	478	SENATE BILL 868 11
479	479
480	480
481	481	(ii) require all updates and investments of information technology 1
482	482	and cybersecurity to be made on or before December 31, 2030; 2
483	483
484	484	(2) make periodic recommendations on investments in State information 3
485	485	technology structures based on the assessments completed in accordance with the 4
486	486	framework developed in § 3.5–317 of this subtitle; 5
487	487
488	488	(3) review and provide recommendations on the Department’s basic 6
489	489	security standards for use of the network established under § 3.5–404(b) of this title; and 7
490	490
491	491	(4) each year, in accordance with § 2–1257 of the State Government Article, 8
492	492	report its findings and recommendations to the Senate Budget and Taxation Committee, 9
493	493	the Senate [Education, Health, and Environmental Affairs] EDUCATION, ENERGY, AND 10
494	494	THE ENVIRONMENT Committee, the House Appropriations Committee, the House Health 11
495	495	and Government Operations Committee, and the Joint Committee on Cybersecurity, 12
496	496	Information Technology, and Biotechnology. 13
497	497
498	498	[(g)] (I) The report submitted under subsection [(f)(4)] (H)(4) of this section 14
499	499	may not contain information about the security of an information system. 15
500	500
501	501	3.5–317. 16
502	502
503	503	(b) (1) The Department shall hire independent contractors to: 17
504	504
505	505	(i) develop a framework for investments in technology, INCLUDING 18
506	506	FOUNDATIONAL INFORMA TION TECHNOLOGY PROJ ECTS THAT IMPACT MUL TIPLE 19
507	507	UNITS OF STATE GOVERNMENT ; and 20
508	508
509	509	(ii) at least once every 2 years, in accordance with the framework, 21
510	510	assess the cybersecurity and information technology systems in each unit of State 22
511	511	government. 23
512	512
513	513	3.5–318. 24
514	514
515	515	(A) FOR FISCAL YEAR 2025 AND EACH FISCAL YEAR THEREAFTER , THE 25
516	516	GOVERNOR SHA LL INCLUDE IN THE AN NUAL BUDGET BILL AN APPROPRIATION IN 26
517	517	AN AMOUNT THAT IS NO T LESS THAN 20% OF THE AGGREGATED AM OUNT 27
518	518	APPROPRIATED FOR INF ORMATION TECHNOLOGY RESOURCES IN THE ANN UAL 28
519	519	BUDGET BILL FOR THE PRIOR FISCAL YEAR FO R THE DEDICATED PURPOSE 29
520	520	ACCOUNT FO R CYBERSECURITY . 30
521	521
522	522	(B) THE APPROPRIATIONS FO R EACH FISCAL YEAR U NDER SUBSECTION (A) 31
523	523	OF THIS SECTION SHAL L BE USED TO SUPPLEM ENT, NOT SUPPLANT , ANY EXISTING 32
524	524	FUNDS IN THE DEDICATED PURPOSE ACCOUNT FOR CYBERSECU RITY THAT MAY 33
525	525	HAVE ACCRUED FROM A PRIOR FISCAL YEAR. 34 12 SENATE BILL 868
526	526
527	527
528	528
529	529	3.5–407. 1
530	530
531	531	(d) (1) Each local government shall report a cybersecurity incident, including 2
532	532	an attack on a State system being used by the local government, to the appropriate local 3
533	533	emergency manager and the State Security Operations Center in the Department in 4
534	534	accordance with paragraph (2) of this subsection. 5
535	535
536	536	(2) For the reporting of cybersecurity incidents to local emergency 6
537	537	managers under subparagraph (i) of this paragraph, the State Chief Information Security 7
538	538	Officer shall determine: 8
539	539
540	540	(i) the criteria for determining when an incident must be reported; 9
541	541
542	542	(ii) the manner in which to report; and 10
543	543
544	544	(iii) the time period within which a report must be made. 11
545	545
546	546	(3) The State Security Operations Center shall immediately notify the 12
547	547	appropriate agencies of a cybersecurity incident reported under this subsection through the 13
548	548	State Security Operations Center. 14
549	549
550	550	(4) INFORMATION REPORTED BY A LOCAL GOVERNMEN T UNDER THIS 15
551	551	SUBSECTION MAY NOT B E USED BY THE STATE AS A BASIS FOR IMPOSING A FINE , 16
552	552	RESTRICTING FUNDING , OR OTHERWISE PENALIZ ING THE LOCAL GOVERN MENT. 17
553	553
554	554	Chapter 242 of the Acts of 2022 18
555	555
556	556	SECTION 5. AND BE IT FURTHE R ENACTED, That: 19
557	557
558	558	(a) (1) On or before June 30, 2023, each agency in the Executive Branch of 20
559	559	State government shall certify to the Office of Security Management compliance with State 21
560	560	minimum cybersecurity standards established by the Department of Infor mation 22
561	561	Technology. 23
562	562
563	563	(2) Except as provided in paragraph (3) of this subsection, certification 24
564	564	shall be reviewed by independent auditors, and any findings must be remediated. 25
565	565
566	566	(3) Certification for the Department of Public Safety and Correctional 26
567	567	Services and any State criminal justice agency shall be reviewed by the Office of Legislative 27
568	568	Audits, and any findings must be remediated. 28
569	569
570	570	(b) Except as provided in subsection (c) of this section, if an agency has not 29
571	571	remediated [any] THE findings pertaining to State cybersecurity standards found by the 30
572	572	independent audit required under subsection (a) of this section TO BECOME COMPLIANT 31
573	573	WITH STATE MINIMUM CYBERSE CURITY STANDARDS by July 1, 2024, the Office of 32 SENATE BILL 868 13
574	574
575	575
576	576	Security Management shall ensure compliance of an agency’s cybersecurity with 1
577	577	cybersecurity standards through a shared service agreement[, administrative privileges, or 2
578	578	access to Network Maryland] TO ONBOARD THE AGENC Y TO DEPARTMENT OF 3
579	579	INFORMATION TECHNOLOGY CYBERSECUR ITY SERVICES AND PRO VIDE OFFICE OF 4
580	580	SECURITY MANAGEMENT STAFF ADMI NISTRATIVE PRIVILEGE S TO THE AGENCY ’S 5
581	581	INFORMATION TECHNOLO GY ASSETS. 6
582	582
583	583	(c) Subsection (b) of this section does not apply if a federal law or regulation 7
584	584	forbids the Office of Security Management from managing a specific system. 8
585	585
586	586	SECTION 6. AND BE IT FURTHER ENACTED, That: 9
587	587
588	588	(a) The Department of Information Technology shall hire a contractor to conduct 10
589	589	a performance and capacity assessment of the Department to: 11
590	590
591	591	(1) evaluate the Department’s capacity to implement provisions of this Act; 12
592	592	and 13
593	593
594	594	(2) recommend additional resources necessary for the Department to 14
595	595	implement provisions of this title and meet future needs, including additional budget 15
596	596	appropriations, additional staff, altered contracting authority, and pay increases for staff. 16
597	597
598	598	(b) The contractor hired by the Department to complete the assessment and 17
599	599	report required by this section shall: 18
600	600
601	601	(1) PROVIDE QUARTERLY UP DATES ON ITS WORK UN DER THIS 19
602	602	SECTION TO THE COCHA IRS OF THE JOINT COMMITTEE ON CYBERSECURITY , 20
603	603	INFORMATION TECHNOLOGY , AND BIOTECHNOLOGY ; 21
604	604
605	605	[(1)] (2) on or before December 1, 2023, submit an interim report of its 22
606	606	findings and recommendations to the Governor and, in accordance with § 2–1257 of the 23
607	607	State Government Article, the General Assembly; and 24
608	608
609	609	[(2)] (3) on or before December 1, 2024, submit a final report of its 25
610	610	findings and recommendations to the Governor and, in accordance with § 2–1257 of the 26
611	611	State Government Article, the General Assembly. 27
612	612
613	613	SECTION 2. AND BE IT FURTHER ENACTED, That the report submitted by the 28
614	614	Modernize Maryland Oversight Commission under § 3.5–316(h) of the State Finance and 29
615	615	Procurement Article, as enacted by Section 1 of this Act, in calendar year 2024 shall include 30
616	616	an evaluation of services provided by the Department of Information Technology and an 31
617	617	assessment of whether those services meet the needs of the agencies being served. 32
618	618
619	619	SECTION 3. AND BE IT F URTHER ENACTED, That, on or before November 1, 33
620	620	2023, the Modernize Maryland Oversight Commission shall report to the General 34
621	621	Assembly, in accordance with § 2–1257 of the State Government Article, recommendations 35 14 SENATE BILL 868
622	622
623	623
624	624	to improve the format for the Secretary of Information Technology to report on major 1
625	625	information technology development projects under § 3.5–309 of the State Finance and 2
626	626	Procurement Article to meet the needs for strategic planning and investment. 3
627	627
628	628	SECTION 4. AND BE IT FURTHER ENACTED, That: 4
629	629
630	630	(1) the Department of Information Technology shall hire an independent 5
631	631	contractor to review the efficiency and effectiveness of foundational information technology 6
632	632	projects that impact multiple units of State government, including MDThink and OneStop, 7
633	633	according to the framework developed under § 3.5–317(b) of the State Finance and 8
634	634	Procurement Article, as enacted by Section 1 of this Act; and 9
635	635
636	636	(2) on or before November 1, 2023, the independent contractor hired under 10
637	637	item (1) of this section shall report its findings and recommendations to the General 11
638	638	Assembly, in accordance with § 2–1257 of the State Government Article. 12
639	639
640	640	SECTION 5. AND BE IT FURTHER ENACTED, That this Act shall take effect June 13
641	641	1, 2023. 14
642	642