Maryland 2023 Regular Session

Maryland Senate Bill SB868 Latest Draft

Bill / Introduced Version Filed 02/09/2023

                             
 
EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW. 
        [Brackets] indicate matter deleted from existing law. 
  
SENATE BILL 868 
S2   	3lr2724 
      
By: Senator Hester 
Introduced and read first time: February 6, 2023 
Assigned to: Education, Energy, and the Environment 
 
A BILL ENTITLED 
 
AN ACT concerning 1 
 
State and Local Cybersecurity – Revisions 2 
 
FOR the purpose of establishing the Director of Cybersecurity Preparedness in the Cyber 3 
Preparedness Unit of the Maryland Department of Emergency Management; 4 
establishing certain duties of the Director; specifying the amount of a certain annual 5 
appropriation made by the Governor to the Unit; establishing that the State Chief 6 
Information Security Officer in the Office of Security Management reports to the 7 
Governor; altering certain qualifications and duties of the State Chief Information 8 
Security Officer; altering certain duties of the Office; altering certain duties of the 9 
Secretary of Information Technology; altering the membership of the Modernize 10 
Maryland Oversight Commission and providing for the appointment of the chair and 11 
vice chair of the Commission; altering the duties of certain independent contractors 12 
hired by the Department of Information Technology; establishing that certain 13 
information related to cybersecurity incidents reported by local governments may 14 
not be used in a certain manner; authorizing the Office to ensure compliance of an 15 
agency’s cybersecurity with cybersecurity standards in a certain manner; requiring 16 
a certain independent contractor hired by the Department of Information Technology 17 
to provide certain quarterly updates on its work; requiring a certain report by the 18 
Commission to include a certain evaluation; requiring the Department of 19 
Information Technology to hire an independent contractor to conduct a certain 20 
review; and generally relating to State and local cybersecurity. 21 
 
BY repealing and reenacting, with amendments, 22 
 Article – Public Safety 23 
Section 14–104.1 24 
 Annotated Code of Maryland 25 
 (2022 Replacement Volume) 26 
 
BY repealing and reenacting, without amendments, 27 
 Article – State Finance and Procurement 28 
Section 3.5–2A–02 and 3.5–301(a) 29
 
 
 Annotated Code of Maryland 1 
 (2021 Replacement Volume and 2022 Supplement) 2 
 
BY repealing and reenacting, with amendments, 3 
 Article – State Finance and Procurement 4 
Section 3.5–2A–03, 3.5–2A–04(b)(11), 3.5–301(i), 3.5–303(a) and (d), 3.5–316,  5 
3.5–317(b)(1), and 3.5–407(d) 6 
 Annotated Code of Maryland 7 
 (2021 Replacement Volume and 2022 Supplement) 8 
 
BY adding to 9 
 Article – State Finance and Procurement 10 
Section 3.5–318 11 
 Annotated Code of Maryland 12 
 (2021 Replacement Volume and 2022 Supplement) 13 
 
BY repealing and reenacting, with amendments, 14 
 Chapter 242 of the Acts of the General Assembly of 2022 15 
Section 5 and 6 16 
 
 SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 17 
That the Laws of Maryland read as follows: 18 
 
Article – Public Safety 19 
 
14–104.1. 20 
 
 (a) (1) In this section the following words have the meanings indicated. 21 
 
 (2) “Local government” includes local school systems, local school boards, 22 
and local health departments. 23 
 
 (3) “Unit” means the Cyber Preparedness Unit. 24 
 
 (b) (1) There is a Cyber Preparedness Unit in the Department. 25 
 
 (2) (I) THE HEAD OF THE UNIT IS THE DIRECTOR OF 26
CYBERSECURITY PREPAREDNESS. 27

 (II) THE DIRECTOR SHALL WORK IN COORDINATION WITH THE 28
DIRECTOR OF LOCAL CYBERSECURITY IN THE OFFICE OF SECURITY MANAGEMENT 29
TO PROVIDE TECHNICAL ASSISTANCE, COORDINATE RESOURCES, AND IMPROVE 30
CYBERSECURITY PREPAREDNESS FOR UNITS OF LOCAL GOVERNMENT. 31
 
 [(2)] (3) In coordination with the State Chief Information Security 32 
Officer, the Unit shall: 33
 
 
 
 (i) support local governments in developing a vulnerability 1 
assessment and cyber assessment, including providing local governments with the 2 
resources and information on best practices to complete the assessments; 3 
 
 (ii) develop and regularly update an online database of cybersecurity 4 
training resources for local government personnel, including technical training resources, 5 
cybersecurity continuity of operations templates, consequence management plans, and 6 
trainings on malware and ransomware detection; 7 
 
 (iii) assist local governments in: 8 
 
 1. the development of cybersecurity preparedness and 9 
response plans; 10 
 
 2. implementing best practices and guidance developed by 11 
the State Chief Information Security Officer; and 12 
 
 3. identifying and acquiring resources to complete 13 
appropriate cybersecurity vulnerability assessments; 14 
 
 (iv) connect local governments to appropriate resources for any other 15 
purpose related to cybersecurity preparedness and response; 16 
 
 (v) as necessary and in coordination with the National Guard, local 17 
emergency managers, and other State and local entities, conduct regional cybersecurity 18 
preparedness exercises; and 19 
 
 (vi) establish regional assistance groups to deliver and coordinate 20 
support services to local governments, agencies, or regions. 21 
 
 [(3)] (4) The Unit shall support the Office of Security Management in the 22 
Department of Information Technology during emergency response efforts. 23 
 
 (c) (1) Each local government shall report a cybersecurity incident, including 24 
an attack on a State system being used by the local government, to the appropriate local 25 
emergency manager and the State Security Operations Center in the Department of 26 
Information Technology [and to the Maryland Joint Operations Center in the Department] 27 
in accordance with paragraph (2) of this subsection. 28 
 
 (2) For the reporting of cybersecurity incidents under paragraph (1) of this 29 
subsection, the State Chief Information Security Officer shall determine: 30 
 
 (i) the criteria for determining when an incident must be reported; 31 
 
 (ii) the manner in which to report; and 32 
 
 
 (iii) the time period within which a report must be made. 1 
 
 (3) The State Security Operations Center shall immediately notify 2 
appropriate agencies of a cybersecurity incident reported under this subsection through the 3 
State Security Operations Center. 4 
 
 (d) (1) Five Position Identification Numbers (PINs) shall be created for the 5 
purpose of hiring staff to conduct the duties of the Maryland Department of Emergency 6 
Management Cybersecurity Preparedness Unit. 7 
 
 (2) For fiscal year 2024 and each fiscal year thereafter, the Governor shall 8 
include in the annual budget bill an appropriation [of at least: 9 
 
 (i) $220,335 for 3 PINs for Administrator III positions; and 10 
 
 (ii) $137,643 for 2 PINs for Administrator II positions] SUFFICIENT 11 
FOR THE POSITIONS CREATED UNDER PARAGRAPH (1) OF THIS SUBSECTION. 12
 
Article – State Finance and Procurement 13 
 
3.5–2A–02. 14 
 
 There is an Office of Security Management within the Department. 15 
 
3.5–2A–03. 16 
 
 (a) The head of the Office is the State Chief Information Security Officer. 17 
 
 (b) The State Chief Information Security Officer shall: 18 
 
 (1) be appointed by the Governor with the advice and consent of the Senate; 19 
 
 (2) serve at the pleasure of the Governor; AND 20 
 
 (3) be supervised by the [Secretary; and 21 
 
 (4) serve as the chief information security officer of the Department] 22 
GOVERNOR. 23 
 
 (c) An individual appointed as the State Chief Information Security Officer under 24 
subsection (b) of this section shall: 25 
 
 (1) [at a minimum, hold a bachelor’s degree; 26 
 
 (2)] hold appropriate information technology or cybersecurity certifications; 27 
 
 
 [(3)] (2) have experience: 1 
 
 (i) identifying, implementing, or assessing security controls; 2 
 
 (ii) in infrastructure, systems engineering, or cybersecurity; 3 
 
 (iii) managing highly technical security, security operations centers, 4 
and incident response teams in a complex cloud environment and supporting multiple sites; 5 
and 6 
 
 (iv) working with common information security management 7 
frameworks; 8 
 
 [(4)] (3) have extensive knowledge of information technology and 9 
cybersecurity field concepts, best practices, and procedures, with an understanding of 10 
existing enterprise capabilities and limitations to ensure the secure integration and 11 
operation of security networks and systems; and 12 
 
 [(5)] (4) have knowledge of current security regulations. 13 
 
 (d) The State Chief Information Security Officer shall: 14 
 
 (1) provide cybersecurity advice and recommendations to the Governor on 15 
request; AND 16 
 
 (2) DEVELOP AND MAINTAIN A STATEWIDE CYBERSECURITY 17
STRATEGY THAT WILL: 18

 (I) CENTRALIZE THE MANAGEMENT AND DIRECTION OF 19
CYBERSECURITY STRATEGY WITHIN THE EXECUTIVE BRANCH OF STATE 20
GOVERNMENT UNDER THE CONTROL OF THE DEPARTMENT; AND 21

 (II) SERVE AS THE BASIS FOR BUDGET ALLOCATIONS FOR 22
CYBERSECURITY PREPAREDNESS FOR THE EXECUTIVE BRANCH OF STATE 23
GOVERNMENT. 24
 
 (e) (1) (i) There is a Director of Local Cybersecurity, who shall be 25 
appointed by the State Chief Information Security Officer. 26 
 
 (ii) The Director of Local Cybersecurity shall: 27 
 
 1. work in coordination with the Maryland Department of 28 
Emergency Management to provide technical assistance, coordinate resources, and improve 29 
cybersecurity preparedness for units of local government; AND 30 
 
 
 2. IN CONSULTATION WITH THE MARYLAND 1
CYBERSECURITY COORDINATING COUNCIL, DEVELOP GUIDANCE ON CONSISTENT 2
CYBERSECURITY STRATEGIES FOR COUNTIES, MUNICIPAL CORPORATIONS, SCHOOL 3
SYSTEMS, AND ALL OTHER POLITICAL SUBDIVISIONS OF THE STATE. 4
 
 (2) (i) There is a Director of State Cybersecurity, who shall be 5 
appointed by the State Chief Information Security Officer. 6 
 
 (ii) The Director of State Cybersecurity is responsible for 7 
implementation of this section with respect to units of State government. 8 
 
 (III) IN CONSULTATION WITH THE MARYLAND CYBERSECURITY 9 
COORDINATING COUNCIL, THE DIRECTOR OF STATE CYBERSECURITY SHALL 10 
ADVISE AND OVERSEE A CONSISTENT CYBERSECURITY STRATEGY FOR UNITS OF 11
STATE GOVERNMENT, INCLUDING INSTITUTIONS UNDER THE CONTROL OF THE 12
GOVERNING BOARDS OF THE PUBLIC INSTITUTIONS OF HIGHER EDUCATION. 13
 
 (f) The Department shall provide the Office with sufficient staff to perform the 14 
functions of this subtitle. 15 
 
 (G) THE GOVERNOR SHALL INCLUDE AN APPROPRIATION IN THE ANNUAL 16
BUDGET BILL IN AN AMOUNT NECESSARY TO COVER THE COSTS OF IMPLEMENTING 17
THE STATEWIDE CYBERSECURITY STRATEGY DEVELOPED UNDER SUBSECTION (D) 18
OF THIS SECTION WITHOUT THE NEED FOR THE OFFICE TO OPERATE A 19
CHARGE–BACK MODEL FOR CYBERSECURITY SERVICES PROVIDED TO OTHER UNITS 20
OF STATE GOVERNMENT OR UNITS OF LOCAL GOVERNMENT. 21
 
3.5–2A–04. 22 
 
 (b) The Office shall: 23 
 
 (11) develop and maintain information technology security policy, 24 
standards, and guidance documents, consistent with [best practices developed by the] A 25 
WIDELY RECOGNIZED SECURITY STANDARD, INCLUDING: 26
 
 (I) National Institute of Standards and Technology (NIST) 27 
CYBERSECURITY FRAMEWORK, NIST 800–53, OR INTERNATIONAL ORGANIZATION 28
FOR STANDARDIZATION (ISO) ISO 27001; OR 29

 (II) IN THE CASE OF ORGANIZATIONS HANDLING CONTROLLED 30
UNCLASSIFIED INFORMATION, NIST SP 800–171 OR THE CYBERSECURITY 31
MATURITY MODEL CERTIFICATION FROM THE U.S. DEPARTMENT OF DEFENSE; 32
 
3.5–301. 33 
 
 
 (a) In this subtitle the following words have the meanings indicated. 1 
 
 (i) “Master plan” means the statewide information technology master plan [and 2 
statewide cybersecurity strategy]. 3 
 
3.5–303. 4 
 
 (a) The Secretary is responsible for carrying out the following duties: 5 
 
 (1) developing, maintaining, revising, and enforcing information 6
technology policies, procedures, and standards; 7 
 
 (2) providing technical assistance, advice, and recommendations to the 8 
Governor and any unit of State government concerning information technology matters; 9 
 
 (3) reviewing the annual project plan for each unit of State government to 10 
make information and services available to the public over the Internet; 11 
 
 (4) developing and maintaining a statewide information technology master 12 
plan that will: 13 
 
 (i) centralize the management and direction of information 14 
technology policy within the Executive Branch of State government under the control of the 15 
Department; 16 
 
 (ii) include all aspects of State information technology including 17 
telecommunications, security, data processing, and information management; 18 
 
 (iii) consider interstate transfers as a result of federal legislation and 19 
regulation; 20 
 
 (iv) ensure that the State information technology plan and related 21 
policies and standards are consistent with State goals, objectives, and resources, and 22 
represent a long–range vision for using information technology to improve the overall 23 
effectiveness of State government; 24 
 
 (v) include standards to assure nonvisual access to the information 25 
and services made available to the public over the Internet; and 26 
 
 (vi) allows a State agency to maintain the agency’s own information 27 
technology unit that provides for information technology services to support the mission of 28 
the agency; 29 
 
 (5) [developing and maintaining a statewide cybersecurity strategy that 30 
will: 31 
 
 
 (i) centralize the management and direction of cybersecurity 1 
strategy within the Executive Branch of State government under the control of the 2 
Department; and 3 
 
 (ii) serve as the basis for budget allocations for cybersecurity 4 
preparedness for the Executive Branch of State government; 5 
 
 (6)] adopting by regulation and enforcing nonvisual access standards to be 6 
used in the procurement of information technology services by or on behalf of units of State 7 
government in accordance with subsection (b) of this section; 8 
 
 [(7) in consultation with the Maryland Cybersecurity Coordinating Council, 9 
advising and overseeing a consistent cybersecurity strategy for units of State government, 10 
including institutions under the control of the governing boards of the public institutions 11 
of higher education; 12 
 
 (8)] (6) advising and consulting with the Legislative and Judicial 13 
branches of State government regarding a cybersecurity strategy; 14 
 
 [(9) in consultation with the Maryland Cybersecurity Coordinating Council, 15 
developing guidance on consistent cybersecurity strategies for counties, municipal 16 
corporations, school systems, and all other political subdivisions of the State; 17 
 
 (10)] (7) upgrading information technology and cybersecurity–related 18 
State government infrastructure; and 19 
 
 [(11)] (8) annually evaluating: 20 
 
 (i) the feasibility of units of State government providing public 21 
services using artificial intelligence, machine learning, commercial cloud computer 22 
services, device–as–a–service procurement models, and other emerging technologies; and 23 
 
 (ii) the development of data analytics capabilities to enable  24 
data–driven policymaking by units of State government. 25 
 
 (d) [(1) The Governor shall include an appropriation in the annual budget bill 26 
in an amount necessary to cover the costs of implementing the statewide cybersecurity 27 
master plan developed under subsection (a) of this section without the need for the 28 
Department to operate a charge–back model for cybersecurity services provided to other 29 
units of State government or units of local government. 30 
 
 (2)] On or before January 31 each year, in a separate report or included 31 
within a general budget report, the Governor shall submit a report in accordance with §  32 
2–1257 of the State Government Article to the Senate Budget and Taxation Committee and 33 
the House Appropriations Committee that includes: 34 
 
 
 [(i)] (1) specific information on the information technology budget 1 
and cybersecurity budget that the Governor has submitted to the General Assembly for the 2 
upcoming fiscal year; and 3 
 
 [(ii)] (2) how the budgets listed under item [(i)] (1) of this 4 
[paragraph] SUBSECTION compare to the annual overview of the U.S. President’s budget 5 
submission on information technology and cybersecurity to Congress conducted by the U.S. 6 
Office of Management and Budget. 7 
 
3.5–316. 8 
 
 (a) (1) In this section the following words have the meanings indicated. 9 
 
 (2) “Commission” means the Modernize Maryland Oversight Commission. 10 
 
 (3) “Critical system” means an information technology or cybersecurity 11 
system that is severely outdated, as determined by the Department. 12 
 
 (b) There is an independent Modernize Maryland Oversight Commission. 13 
 
 (c) The purpose of the Commission is to: 14 
 
 (1) ensure the confidentiality, integrity, and availability of information 15 
held by the State concerning State residents; and 16 
 
 (2) advise the Secretary and State Chief Information Security Officer on: 17 
 
 (i) the appropriate information technology and cybersecurity 18 
investments and upgrades; 19 
 
 (ii) the funding sources for the appropriate information technology 20 
and cybersecurity upgrades; and 21 
 
 (iii) future mechanisms for the procurement of appropriate 22 
information technology and cybersecurity upgrades, including ways to increase the 23 
efficiency of procurements made for information technology and cybersecurity upgrades. 24 
 
 (d) The Commission consists of the following members: 25 
 
 (1) the Secretary; 26 
 
 (2) the State Chief Information Security Officer; 27 
 
 (3) three chief information security officers representing different units of 28 
State government, appointed by the Governor; 29 
 
 
 (4) one information technology modernization expert with experience in 1 
the private sector, appointed by the Governor; 2 
 
 (5) one representative from the Maryland Chamber of Commerce with 3 
knowledge of cybersecurity issues; 4 
 
 (6) ONE REPRESENTATIVE FROM THE MARYLAND CHAMBER OF 5
COMMERCE WITH EXPERTISE IN INFORMATION TECHNOLOGY MODERNIZATION IN 6
THE PRIVATE SECTOR; 7
 
 [(6)] (7) two individuals who are end users of State information 8 
technology systems AND WHO ARE NOT STATE EMPLOYEES, appointed by the Governor; 9
 
 [(7)] (8) one representative from the Cybersecurity Association of 10 
Maryland; [and] 11 
 
 [(8)] (9) one individual who is either an instructor or a professional in the 12 
academic field of cybersecurity OR INFORMATION TECHNOLOGY MODERNIZATION at a 13
college or university in the State, appointed by the Governor; AND 14 
 
 (10) ONE INDIVIDUAL WITH EXPERIENCE WORKING WITH THE STATE 15
BUDGET AND APPROPRIATIONS, APPOINTED JOINTLY BY THE PRESIDENT OF THE 16
SENATE AND THE SPEAKER OF THE HOUSE. 17
 
 (e) The cochairs of the Joint Committee on Cybersecurity, Information 18 
Technology, and Biotechnology shall serve as advisory, nonvoting members of the 19 
Commission. 20 
 
 (F) THE CHAIR OF THE COMMISSION MAY APPOINT THREE ADDITIONAL 21
MEMBERS, AS NECESSARY. 22

 (G) THE CHAIR AND VICE CHAIR OF THE COMMISSION SHALL BE ELECTED 23
FROM AMONG THE MEMBERS OF THE COMMISSION WHO ARE NOT EMPLOYED BY 24
STATE OR LOCAL GOVERNMENT. 25
 
 [(f)] (H) The Commission shall: 26 
 
 (1) advise the Secretary AND THE STATE CHIEF INFORMATION 27 
SECURITY OFFICER on a strategic roadmap with a timeline and budget that will: 28 
 
 (i) require the updates and investments of critical information 29 
technology and cybersecurity systems identified by the Commission in the first 30 
recommendations reported under paragraph (2) of this subsection to be completed on or 31 
before December 31, 2025; and 32 
 
 
 (ii) require all updates and investments of information technology 1 
and cybersecurity to be made on or before December 31, 2030; 2 
 
 (2) make periodic recommendations on investments in State information 3 
technology structures based on the assessments completed in accordance with the 4 
framework developed in § 3.5–317 of this subtitle; 5 
 
 (3) review and provide recommendations on the Department’s basic 6 
security standards for use of the network established under § 3.5–404(b) of this title; and 7 
 
 (4) each year, in accordance with § 2–1257 of the State Government Article, 8 
report its findings and recommendations to the Senate Budget and Taxation Committee, 9 
the Senate [Education, Health, and Environmental Affairs] EDUCATION, ENERGY, AND 10 
THE ENVIRONMENT Committee, the House Appropriations Committee, the House Health 11 
and Government Operations Committee, and the Joint Committee on Cybersecurity, 12 
Information Technology, and Biotechnology. 13 
 
 [(g)] (I) The report submitted under subsection [(f)(4)] (H)(4) of this section 14 
may not contain information about the security of an information system. 15 
 
3.5–317. 16 
 
 (b) (1) The Department shall hire independent contractors to: 17 
 
 (i) develop a framework for investments in technology, INCLUDING 18 
FOUNDATIONAL INFORMATION TECHNOLOGY PROJECTS THAT IMPACT MULTIPLE 19
UNITS OF STATE GOVERNMENT; and 20
 
 (ii) at least once every 2 years, in accordance with the framework, 21 
assess the cybersecurity and information technology systems in each unit of State 22 
government. 23 
 
3.5–318. 24 
 
 (A) FOR FISCAL YEAR 2025 AND EACH FISCAL YEAR THEREAFTER, THE 25
GOVERNOR SHALL INCLUDE IN THE ANNUAL BUDGET BILL AN APPROPRIATION IN 26
AN AMOUNT THAT IS NOT LESS THAN 20% OF THE AGGREGATED AMOUNT 27
APPROPRIATED FOR INFORMATION TECHNOLOGY RESOURCES IN THE ANNUAL 28
BUDGET BILL FOR THE PRIOR FISCAL YEAR FOR THE DEDICATED PURPOSE 29
ACCOUNT FOR CYBERSECURITY. 30

 (B) THE APPROPRIATIONS FOR EACH FISCAL YEAR UNDER SUBSECTION (A) 31
OF THIS SECTION SHALL BE USED TO SUPPLEMENT, NOT SUPPLANT, ANY EXISTING 32
FUNDS IN THE DEDICATED PURPOSE ACCOUNT FOR CYBERSECURITY THAT MAY 33
HAVE ACCRUED FROM A PRIOR FISCAL YEAR. 34
 
 
 
3.5–407. 1 
 
 (d) (1) Each local government shall report a cybersecurity incident, including 2 
an attack on a State system being used by the local government, to the appropriate local 3 
emergency manager and the State Security Operations Center in the Department in 4 
accordance with paragraph (2) of this subsection. 5 
 
 (2) For the reporting of cybersecurity incidents to local emergency 6 
managers under subparagraph (i) of this paragraph, the State Chief Information Security 7 
Officer shall determine: 8 
 
 (i) the criteria for determining when an incident must be reported; 9 
 
 (ii) the manner in which to report; and 10 
 
 (iii) the time period within which a report must be made. 11 
 
 (3) The State Security Operations Center shall immediately notify the 12 
appropriate agencies of a cybersecurity incident reported under this subsection through the 13 
State Security Operations Center. 14 
 
 (4) INFORMATION REPORTED BY A LOCAL GOVERNMENT UNDER THIS 15
SUBSECTION MAY NOT BE USED BY THE STATE AS A BASIS FOR IMPOSING A FINE, 16
RESTRICTING FUNDING, OR OTHERWISE PENALIZING THE LOCAL GOVERNMENT. 17
 
Chapter 242 of the Acts of 2022 18 
 
 SECTION 5. AND BE IT FURTHER ENACTED, That: 19
 
 (a)  (1) On or before June 30, 2023, each agency in the Executive Branch of 20 
State government shall certify to the Office of Security Management compliance with State 21 
minimum cybersecurity standards established by the Department of Information 22
Technology.  23 
 
 (2) Except as provided in paragraph (3) of this subsection, certification 24 
shall be reviewed by independent auditors, and any findings must be remediated.  25 
 
 (3) Certification for the Department of Public Safety and Correctional 26 
Services and any State criminal justice agency shall be reviewed by the Office of Legislative 27 
Audits, and any findings must be remediated.  28 
 
 (b) Except as provided in subsection (c) of this section, if an agency has not 29 
remediated [any] THE findings pertaining to State cybersecurity standards found by the 30 
independent audit required under subsection (a) of this section TO BECOME COMPLIANT 31 
WITH STATE MINIMUM CYBERSECURITY STANDARDS by July 1, 2024, the Office of 32
 
 
Security Management shall ensure compliance of an agency’s cybersecurity with 1 
cybersecurity standards through a shared service agreement[, administrative privileges, or 2 
access to Network Maryland] TO ONBOARD THE AGENCY TO DEPARTMENT OF 3
INFORMATION TECHNOLOGY CYBERSECURITY SERVICES AND PROVIDE OFFICE OF 4
SECURITY MANAGEMENT STAFF ADMINISTRATIVE PRIVILEGES TO THE AGENCY’S 5
INFORMATION TECHNOLOGY ASSETS. 6
 
 (c) Subsection (b) of this section does not apply if a federal law or regulation 7 
forbids the Office of Security Management from managing a specific system. 8 
 
 SECTION 6. AND BE IT FURTHER ENACTED, That: 9 
 
 (a) The Department of Information Technology shall hire a contractor to conduct 10 
a performance and capacity assessment of the Department to:  11 
 
 (1) evaluate the Department’s capacity to implement provisions of this Act; 12 
and  13 
 
 (2) recommend additional resources necessary for the Department to 14 
implement provisions of this title and meet future needs, including additional budget 15 
appropriations, additional staff, altered contracting authority, and pay increases for staff.  16 
 
 (b) The contractor hired by the Department to complete the assessment and 17 
report required by this section shall:  18 
 
 (1) PROVIDE QUARTERLY UPDATES ON ITS WORK UNDER THIS 19
SECTION TO THE COCHAIRS OF THE JOINT COMMITTEE ON CYBERSECURITY, 20
INFORMATION TECHNOLOGY, AND BIOTECHNOLOGY; 21
 
 [(1)] (2) on or before December 1, 2023, submit an interim report of its 22 
findings and recommendations to the Governor and, in accordance with § 2–1257 of the 23 
State Government Article, the General Assembly; and  24 
 
 [(2)] (3)  on or before December 1, 2024, submit a final report of its 25 
findings and recommendations to the Governor and, in accordance with § 2–1257 of the 26 
State Government Article, the General Assembly.  27 
 
 SECTION 2. AND BE IT FURTHER ENACTED, That the report submitted by the 28 
Modernize Maryland Oversight Commission under § 3.5–316(h) of the State Finance and 29 
Procurement Article, as enacted by Section 1 of this Act, in calendar year 2024 shall include 30 
an evaluation of services provided by the Department of Information Technology and an 31 
assessment of whether those services meet the needs of the agencies being served.  32 
 
 SECTION 3. AND BE IT FURTHER ENACTED, That, on or before November 1, 33
2023, the Modernize Maryland Oversight Commission shall report to the General 34 
Assembly, in accordance with § 2–1257 of the State Government Article, recommendations 35
 
 
to improve the format for the Secretary of Information Technology to report on major 1 
information technology development projects under § 3.5–309 of the State Finance and 2 
Procurement Article to meet the needs for strategic planning and investment.  3 
 
 SECTION 4. AND BE IT FURTHER ENACTED, That: 4 
 
 (1) the Department of Information Technology shall hire an independent 5 
contractor to review the efficiency and effectiveness of foundational information technology 6 
projects that impact multiple units of State government, including MDThink and OneStop, 7 
according to the framework developed under § 3.5–317(b) of the State Finance and 8 
Procurement Article, as enacted by Section 1 of this Act; and 9 
 
 (2) on or before November 1, 2023, the independent contractor hired under 10 
item (1) of this section shall report its findings and recommendations to the General 11 
Assembly, in accordance with § 2–1257 of the State Government Article.  12 
 
 SECTION 5. AND BE IT FURTHER ENACTED, That this Act shall take effect June 13 
1, 2023. 14