Maryland 2024 Regular Session

Maryland House Bill HB1420 Compare Versions

Old | New | Differences
11
22
33 EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW.
44 [Brackets] indicate matter deleted from existing law.
5- Underlining indicates amendments to bill.
6- Strike out indicates matter stricken from the bill by amendment or deleted from the law by
7-amendment.
85 *hb1420*
96
107 HOUSE BILL 1420
118 S2, C5 4lr3277
129
1310 By: Delegate Kaiser
1411 Introduced and read first time: February 9, 2024
1512 Assigned to: Health and Government Operations
16-Reassigned: Economic Matters and Health and Government Operations, February 15, 2024
17-Committee Report: Favorable with amendments
18-House action: Adopted
19-Read second time: March 9, 2024
2013
21-CHAPTER ______
14+A BILL ENTITLED
2215
2316 AN ACT concerning 1
2417
2518 Cybersecurity – Office of People’s Counsel, Public Service Companies, Public 2
2619 Service Commission, and Maryland Cybersecurity Council 3
2720
28-FOR the purpose of requiring authorizing the Office of People’s Counsel to retain or hire at 4
29-least a certain number of assistant people’s counsel with cybersecurity expertise to 5
30-perform certain duties experts in the field of cybersecurity; requiring certain public 6
31-service companies to engage with a third party to conduct an assessment that 7
32-analyzes certain critical software; requiring a certain certification to be submitted to 8
33-the Office of People’s Counsel; requiring certain regulations adopted by the Public 9
34-Service Commission to include cyber resilience; defining “critical infrastructure” for 10
35-certain provisions relating to the Maryland Cybersecurity Council; and generally 11
36-relating to cybersecurity. 12
21+FOR the purpose of requiring the Office of People’s Counsel to hire at least a certain number 4
22+of assistant people’s counsel with cybersecurity expertise to perform certain duties; 5
23+requiring certain public service companies to engage with a third party to conduct 6
24+an assessment that analyzes certain critical software; requiring a certain 7
25+certification to be submitted to the Office of People’s Counsel; requiring certain 8
26+regulations adopted by the Public Service Commission to include cyber resilience; 9
27+defining “critical infrastructure” for certain provisions relating to the Maryland 10
28+Cybersecurity Council; and generally relating to cybersecurity. 11
3729
38-BY repealing and reenacting, with amendments, 13
39- Article – Public Utilities 14
40- Section 2–203(f), 5–306, and 7–213(a) and (e)(1) 15
41- Annotated Code of Maryland 16
42- (2020 Replacement Volume and 2023 Supplement) 17
30+BY repealing and reenacting, without amendments, 12
31+ Article – Public Utilities 13
32+Section 2–203(a)(1) and 7–213(d) 14
33+ Annotated Code of Maryland 15
34+ (2020 Replacement Volume and 2023 Supplement) 16
4335
44-BY repealing and reenacting, without amendments, 18
45- Article – Public Utilities 19
46-Section 2–203(a)(1) and 7–213(d) 20
47- Annotated Code of Maryland 21
48- (2020 Replacement Volume and 2023 Supplement) 22
36+BY repealing and reenacting, with amendments, 17
37+ Article – Public Utilities 18
38+Section 2–203(a)(2), 5–306, and 7–213(a) and (e)(1) 19
39+ Annotated Code of Maryland 20
40+ (2020 Replacement Volume and 2023 Supplement) 21
41+
42+BY repealing and reenacting, with amendments, 22
43+ Article – State Government 23
44+Section 9–2901(a) 24
45+ Annotated Code of Maryland 25
46+ (2021 Replacement Volume and 2023 Supplement) 26
47+
48+BY repealing and reenacting, without amendments, 27
49+
50+
51+ Article – State Government 1
52+Section 9–2901(b) and (j) 2
53+ Annotated Code of Maryland 3
54+ (2021 Replacement Volume and 2023 Supplement) 4
55+
56+ SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 5
57+That the Laws of Maryland read as follows: 6
58+
59+Article – Public Utilities 7
60+
61+2–203. 8
62+
63+ (a) (1) The State budget shall provide sufficient money for the Office of 9
64+People’s Counsel to hire necessary staff in addition to the staff assistance that is provided 10
65+under § 2–205(c)(2) of this subtitle. 11
66+
67+ (2) The Office of People’s Counsel shall hire: 12
68+
69+ (I) at least one assistant people’s counsel who will focus on 13
70+environmental issues; AND 14
71+
72+ (II) AT LEAST ONE ASSISTANT PEOPLE’S COUNSEL WITH 15
73+CYBERSECURITY EXPERTISE TO: 16
74+
75+ 1. ADVISE THE PEOPLE’S COUNSEL ON MEASURES TO 17
76+IMPROVE OVERSIGHT OF THE CYBERSECURITY PRACTICES OF PUBLIC SERVICE 18
77+COMPANIES; 19
78+
79+ 2. CONSULT WITH THE OFFICE OF SECURITY 20
80+MANAGEMENT ON CYBERSECURITY ISSUES RELATED TO UTILITY REGULATION; 21
81+
82+ 3. ASSIST THE OFFICE OF PEOPLE’S COUNSEL IN 22
83+MONITORING THE MINIMUM SECURITY STANDARDS DEVELOPED UNDER § 5–306 OF 23
84+THIS ARTICLE; 24
85+
86+ 4. PARTICIPATE IN BRIEFINGS TO DISCUSS 25
87+CYBERSECURITY PRACTICES BASED ON: 26
88+
89+ A. APPLICABLE NATIONAL ASSOCIATION OF 27
90+REGULATORY UTILITY COMMISSIONERS GUIDANCE; AND 28
91+
92+ B. IMPROVEMENTS TO CYBERSECURITY PRACTICES 29
93+RECOMMENDED IN THE CYBERSECURITY ASSESSMENTS REQUIRED UNDER § 5–306 30
94+OF THIS ARTICLE; AND 31
96+
97+
98+ 5. SUPPORT PUBLIC SERVICE COMPANIES THAT DO NOT 1
99+MEET MINIMUM SECURITY STANDARDS WITH REMEDIATING VULNERABILITIES OR 2
100+ADDRESSING CYBERSECURITY ASSESSMENT FINDINGS. 3
101+
102+5–306. 4
103+
104+ (a) (1) In this section[, “zero–trust” means a cybersecurity approach: 5
105+
106+ (1) focused on cybersecurity resource protection; and 6
107+
108+ (2) based on the premise that trust is never granted implicitly but must be 7
109+continually evaluated.] THE FOLLOWING WORDS HAVE THE MEANINGS INDICATED. 8
110+
111+ (2) “CRITICAL SOFTWARE” MEANS ANY SOFTWARE THAT HAS, OR HAS 9
112+DIRECT SOFTWARE DEPENDENCIES ON, ONE OR MORE COMPONENTS WITH AT LEAST 10
113+ONE OF THE FOLLOWING ATTRIBUTES: 11
114+
115+ (I) THE ABILITY TO RUN WITH ELEVATED PRIVILEGE OR TO 12
116+MANAGE PRIVILEGES; 13
117+
118+ (II) DIRECT OR PRIVILEGED ACCESS TO NETWORKING OR 14
119+COMPUTING RESOURCES; 15
120+
121+ (III) THE ABILITY TO CONTROL ACCESS TO DATA OR 16
122+OPERATIONAL TECHNOLOGY; 17
123+
124+ (IV) THE ABILITY TO PERFORM A FUNCTION CRITICAL TO TRUST; 18
125+OR 19
126+
127+ (V) THE ABILITY TO OPERATE OUTSIDE NORMAL TRUST 20
128+BOUNDARIES WITH PRIVILEGED ACCESS. 21
129+
130+ (3) “SUPPLY CHAIN RISK” MEANS A RISK THAT AN ADVERSARY MAY 22
131+SABOTAGE, MALICIOUSLY INTRODUCE UNWANTED FUNCTION TO, EXTRACT DATA 23
132+FROM, OR OTHERWISE SUBVERT THE DESIGN, INTEGRITY, MANUFACTURING, 24
133+PRODUCTION, DISTRIBUTION, INSTALLATION, OPERATION, MAINTENANCE, 25
134+DISPOSITION, OR RETIREMENT OF A SYSTEM OR ITEM OF SUPPLY SO AS TO SURVEIL, 26
135+DENY, DISRUPT, OR OTHERWISE MANIPULATE THE FUNCTION, USE, OR OPERATION 27
136+OF THE SYSTEM OR ITEM OF SUPPLY OR INFORMATION STORED OR TRANSMITTED 28
137+BY OR THROUGH THE SYSTEM OR ITEM OF SUPPLY. 29
138+
139+ (4) “ZERO–TRUST” MEANS A CYBERSECURITY APPROACH: 30
141+
142+
143+ (I) FOCUSED ON CYBERSECURITY RESOURCE PROTECTION; 1
144+AND 2
145+
146+ (II) BASED ON THE PREMISE THAT TRUST IS NEVER GRANTED 3
147+IMPLICITLY BUT MUST BE CONTINUALLY EVALUATED. 4
148+
149+ (b) This section does not apply to a public service company that is: 5
150+
151+ (1) a common carrier; or 6
152+
153+ (2) a telephone company. 7
154+
155+ (c) A public service company shall: 8
156+
157+ (1) adopt and implement cybersecurity standards that are equal to or 9
158+exceed standards adopted by the Commission; 10
159+
160+ (2) adopt a zero–trust cybersecurity approach for on–premises services and 11
161+cloud–based services; 12
162+
163+ (3) establish minimum security standards for each operational technology 13
164+and information technology device based on the level of security risk for each device, 14
165+including [security risks associated with supply chains] SUPPLY CHAIN RISKS; and 15
166+
167+ (4) (i) on or before July 1, 2024, and on or before July 1 every other year 16
168+thereafter, engage a third party to conduct an assessment of operational technology and 17
169+information technology devices THAT: 18
170+
171+ 1. IS based on: 19
172+
173+ [1.] A. the Cybersecurity and Infrastructure Security 20
174+Agency’s Cross–Sector Cybersecurity Performance Goals; or 21
175+
176+ [2.] B. a more stringent standard that is based on the 22
177+National Institute of Standards and Technology security frameworks; and 23
178+
179+ 2. ANALYZES CRITICAL SOFTWARE USED IN THE 24
180+OPERATIONAL TECHNOLOGY AND INFORMATION TECHNOLOGY DEVICES; AND 25
181+
182+ (ii) submit to the Commission AND THE OFFICE OF PEOPLE’S 26
183+COUNSEL certification of the public service company’s compliance with standards used in 27
184+the assessments under item (i) of this item. 28
185+
186+ (d) (1) Each public service company shall report, in accordance with the 29
187+process established under paragraph (2) of this subsection, a cybersecurity incident, 30
188+
189+
190+including an attack on a system being used by the public service company, to the State 1
191+Security Operations Center in the Department of Information Technology. 2
192+
193+ (2) The State Chief Information Security Officer, in consultation with the 3
194+Commission, shall establish a process for a public service company to report cybersecurity 4
195+incidents under paragraph (1) of this subsection, including establishing: 5
196+
197+ (i) the criteria for determining the circumstances under which a 6
198+cybersecurity incident must be reported; 7
199+
200+ (ii) the manner in which a cybersecurity incident must be reported; 8
201+and 9
202+
203+ (iii) the time period within which a cybersecurity incident must be 10
204+reported. 11
205+
206+ (3) The State Security Operations Center shall immediately notify 12
207+appropriate State and local agencies of a cybersecurity incident reported under this 13
208+subsection. 14
209+
210+7–213. 15
211+
212+ (a) (1) In this section the following words have the meanings indicated. 16
213+
214+ (2) “CYBER RESILIENCE” MEANS THE ABILITY TO ANTICIPATE, 17
215+WITHSTAND, RECOVER FROM, AND ADAPT TO ADVERSE CONDITIONS, STRESSES, 18
216+ATTACKS, OR COMPROMISES ON SYSTEMS THAT USE OR ARE ENABLED BY CYBER 19
217+RESOURCES. 20
218+
219+ [(2)] (3) (i) “Eligible reliability measure” means a replacement of or 21
220+an improvement in existing infrastructure of an electric company that: 22
221+
222+ 1. is made on or after June 1, 2014; 23
223+
224+ 2. is designed to improve public safety or infrastructure 24
225+reliability; 25
226+
227+ 3. does not increase the revenue of an electric company by 26
228+connecting an improvement directly to new customers; and 27
229+
230+ 4. is not included in the current rate base of the electric 28
231+company as determined in the electric company’s most recent base rate proceeding. 29
232+
233+ (ii) “Eligible reliability measure” includes vegetation management 30
234+measures that are necessary to meet applicable service quality and reliability standards 31
235+under this section. 32
237+
238+
239+ [(3)] (4) “Fund” means the Electric Reliability Remediation Fund 1
240+established under subsection (j) of this section. 2
241+
242+ [(4)] (5) “System–average interruption duration index” or “SAIDI” means 3
243+the sum of the customer interruption hours divided by the total number of customers 4
244+served. 5
245+
246+ [(5)] (6) “System–average interruption frequency index” or “SAIFI” 6
247+means the sum of the number of customer interruptions divided by the total number of 7
248+customers served. 8
249+
250+ (d) On or before July 1, 2012, the Commission shall adopt regulations that 9
251+implement service quality and reliability standards relating to the delivery of electricity to 10
252+retail customers by electric companies through their distribution systems, using: 11
253+
254+ (1) SAIFI; 12
255+
256+ (2) SAIDI; and 13
257+
258+ (3) any other performance measurement that the Commission determines 14
259+to be reasonable. 15
260+
261+ (e) (1) The regulations adopted under subsection (d) of this section shall: 16
262+
263+ (i) include service quality and reliability standards, including 17
264+standards relating to: 18
265+
266+ 1. service interruption; 19
267+
268+ 2. downed wire response; 20
269+
270+ 3. customer communications; 21
271+
272+ 4. vegetation management; 22
273+
274+ 5. periodic equipment inspections; 23
275+
276+ 6. annual reliability reporting; [and] 24
277+
278+ 7. CYBER RESILIENCE; AND 25
279+
280+ [7.] 8. any other standards established by the 26
281+Commission; 27
282+
283+ (ii) account for major outages caused by events outside the control of 28
284+an electric company; and 29
49285
50286
51287
52-BY repealing and reenacting, with amendments, 1
53- Article – Public Utilities 2
54-Section 2–203(a)(2), 5–306, and 7–213(a) and (e)(1) 3
55- Annotated Code of Maryland 4
56- (2020 Replacement Volume and 2023 Supplement) 5
288+ (iii) for an electric company that fails to meet the applicable service 1
289+quality and reliability standards, require the electric company to file a corrective action 2
290+plan that details specific actions the company will take to meet the standards. 3
57291
58-BY repealing and reenacting, with amendments, 6
59- Article – State Government 7
60-Section 9–2901(a) 8
61- Annotated Code of Maryland 9
62- (2021 Replacement Volume and 2023 Supplement) 10
292+Article – State Government 4
63293
64-BY repealing and reenacting, without amendments, 11
65- Article – State Government 12
66-Section 9–2901(b) and (j) 13
67- Annotated Code of Maryland 14
68- (2021 Replacement Volume and 2023 Supplement) 15
294+9–2901. 5
69295
70- SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 16
71-That the Laws of Maryland read as follows: 17
296+ (a) (1) In this subtitle the following words have the meanings indicated. 6
72297
73-Article – Public Utilities 18
298+ (2) “Council” means the Maryland Cybersecurity Council. 7
74299
75-2–203. 19
300+ (3) “CRITICAL INFRASTRUCTURE” MEANS SYSTEMS AND ASSETS, 8
301+WHETHER PHYSICAL OR VIRTUAL, SO VITAL TO THE STATE THAT THE INCAPACITY 9
302+OR DESTRUCTION OF SUCH SYSTEMS AND ASSETS WOULD HAVE A DEBILITATING 10
303+IMPACT ON SECURITY, ECONOMIC SECURITY, PUBLIC HEALTH OR SAFETY, OR ANY 11
304+COMBINATION OF THOSE MATTERS. 12
76305
77- (f) The Office of People’s Counsel may retain as necessary for a particular matter 20
78-or hire experts in the field of: 21
306+ [(3)] (4) “Executive Order” means Executive Order 13636 of the President 13
307+of the United States. 14
79308
80- (1) utility regulation, including cost of capital experts, rate design experts, 22
81-accountants, economists, engineers, transportation specialists, and lawyers; [and] 23
309+ (b) There is a Maryland Cybersecurity Council. 15
82310
83- (2) climate change, including meteorologists, oceanographers, ecologists, 24
84-foresters, geologists, seismologists, botanists, and experts in any other field of science that 25
85-the People’s Counsel determines is necessary; AND 26
311+ (j) The Council shall work with the National Institute of Standards and 16
312+Technology and other federal agencies, private sector businesses, and private cybersecurity 17
313+experts to: 18
86314
87- (3) CYBERSECURITY. 27
315+ (1) for critical infrastructure not covered by federal law or the Executive 19
316+Order, review and conduct risk assessments to determine which local infrastructure sectors 20
317+are at the greatest risk of cyber attacks and need the most enhanced cybersecurity 21
318+measures; 22
88319
89- (a) (1) The State budget shall provide sufficient money for the Office of 28
90-People’s Counsel to hire necessary staff in addition to the staff assistance that is provided 29
91-under § 2–205(c)(2) of this subtitle. 30
320+ (2) use federal guidance to identify categories of critical infrastructure as 23
321+critical cyber infrastructure if cyber damage or unauthorized cyber access to the 24
322+infrastructure could reasonably result in catastrophic consequences, including: 25
92323
93- (2) The Office of People’s Counsel shall hire: 31
324+ (i) interruption in the provision of energy, water, transportation, 26
325+emergency services, food, or other life–sustaining services sufficient to cause a mass 27
326+casualty event or mass evacuations; 28
94327
95- (I) at least one assistant people’s counsel who will focus on 32
96-environmental issues; AND 33
328+ (ii) catastrophic economic damage; or 29
97329
98-
99-
100- (II) AT LEAST ONE ASSISTANT PEOPLE’S COUNSEL WITH 1
101-CYBERSECURITY EXPERTISE TO: 2
102-
103- 1. ADVISE THE PEOPLE’S COUNSEL ON MEASURES TO 3
104-IMPROVE OVERSIGHT OF THE CYBERSECURITY PRACTICES OF PUBLIC SERVICE 4
105-COMPANIES; 5
106-
107- 2. CONSULT WITH THE OFFICE OF SECURITY 6
108-MANAGEMENT ON CYBERSECURITY ISSUES RELATED TO UTILITY REGULATION; 7
109-
110- 3. ASSIST THE OFFICE OF PEOPLE’S COUNSEL IN 8
111-MONITORING THE MINIMUM SECURITY STANDARDS DEVELOPED UNDER § 5–306 OF 9
112-THIS ARTICLE; 10
113-
114- 4. PARTICIPATE IN BRIEFINGS TO DISCUSS 11
115-CYBERSECURITY PRACTICES BASED ON: 12
116-
117- A. APPLICABLE NATIONAL ASSOCIATION OF 13
118-REGULATORY UTILITY COMMISSIONERS GUIDANCE; AND 14
119-
120- B. IMPROVEMENTS TO CYBERSECURITY PRACTICES 15
121-RECOMMENDED IN THE CYBERSECURITY ASSESSMENTS REQUIRED UNDER § 5–306 16
122-OF THIS ARTICLE; AND 17
123-
124- 5. SUPPORT PUBLIC SERVICE COMPANIES THAT DO NOT 18
125-MEET MINIMUM SECURITY STANDARDS WITH REMEDIATING VULNERABILITIES OR 19
126-ADDRESSING CYBERSECURITY ASSESSMENT FINDINGS. 20
127-
128-5–306. 21
129-
130- (a) (1) In this section[, “zero–trust” means a cybersecurity approach: 22
131-
132- (1) focused on cybersecurity resource protection; and 23
133-
134- (2) based on the premise that trust is never granted implicitly but must be 24
135-continually evaluated.] THE FOLLOWING WORDS HAVE THE MEANINGS INDICATED. 25
136-
137- (2) “CRITICAL SOFTWARE” MEANS ANY SOFTWARE THAT HAS, OR HAS 26
138-DIRECT SOFTWARE DEPENDENCIES ON, ONE OR MORE COMPONENTS WITH AT LEAST 27
139-ONE OF THE FOLLOWING ATTRIBUTES: 28
140-
141- (I) THE ABILITY TO RUN WITH ELEVATED PRIVILEGE OR TO 29
142-MANAGE PRIVILEGES; 30
144-
145-
146- (II) DIRECT OR PRIVILEGED ACCESS TO NETWORKING OR 1
147-COMPUTING RESOURCES; 2
148-
149- (III) THE ABILITY TO CONTROL ACCESS TO DATA OR 3
150-OPERATIONAL TECHNOLOGY; 4
151-
152- (IV) THE ABILITY TO PERFORM A FUNCTION CRITICAL TO TRUST; 5
153-OR 6
154-
155- (V) THE ABILITY TO OPERATE OUTSIDE NORMAL TRUST 7
156-BOUNDARIES WITH PRIVILEGED ACCESS. 8
157-
158- (3) “SUPPLY CHAIN RISK” MEANS A RISK THAT AN ADVERSARY MAY 9
159-SABOTAGE, MALICIOUSLY INTRODUCE UNWANTED FUNCTION TO, EXTRACT DATA 10
160-FROM, OR OTHERWISE SUBVERT THE DESIGN, INTEGRITY, MANUFACTURING, 11
161-PRODUCTION, DISTRIBUTION, INSTALLATION, OPERATION, MAINTENANCE, 12
162-DISPOSITION, OR RETIREMENT OF A SYSTEM OR ITEM OF SUPPLY SO AS TO SURVEIL, 13
163-DENY, DISRUPT, OR OTHERWISE MANIPULATE THE FUNCTION, USE, OR OPERATION 14
164-OF THE SYSTEM OR ITEM OF SUPPLY OR INFORMATION STORED OR TRANSMITTED 15
165-BY OR THROUGH THE SYSTEM OR ITEM OF SUPPLY. 16
166-
167- (4) “ZERO–TRUST” MEANS A CYBERSECURITY APPROACH: 17
168-
169- (I) FOCUSED ON CYBERSECURITY RESOURCE PROTECTION; 18
170-AND 19
171-
172- (II) BASED ON THE PREMISE THAT TRUST IS NEVER GRANTED 20
173-IMPLICITLY BUT MUST BE CONTINUALLY EVALUATED. 21
174-
175- (b) This section does not apply to a public service company that is: 22
176-
177- (1) a common carrier; or 23
178-
179- (2) a telephone company. 24
180-
181- (c) A public service company shall: 25
182-
183- (1) adopt and implement cybersecurity standards that are equal to or 26
184-exceed standards adopted by the Commission; 27
185-
186- (2) adopt a zero–trust cybersecurity approach for on–premises services and 28
187-cloud–based services; 29
189-
190-
191- (3) establish minimum security standards for each operational technology 1
192-and information technology device based on the level of security risk for each device, 2
193-including [security risks associated with supply chains] SUPPLY CHAIN RISKS; and 3
194-
195- (4) (i) on or before July 1, 2024, and on or before July 1 every other year 4
196-thereafter, engage a third party to conduct an assessment of operational technology and 5
197-information technology devices THAT: 6
198-
199- 1. IS based on: 7
200-
201- [1.] A. the Cybersecurity and Infrastructure Security 8
202-Agency’s Cross–Sector Cybersecurity Performance Goals; or 9
203-
204- [2.] B. a more stringent standard that is based on the 10
205-National Institute of Standards and Technology security frameworks; and 11
206-
207- 2. ANALYZES CRITICAL SOFTWARE USED IN THE 12
208-OPERATIONAL TECHNOLOGY AND INFORMATION TECHNOLOGY DEVICES; AND 13
209-
210- (ii) submit to the Commission AND THE OFFICE OF PEOPLE’S 14
211-COUNSEL certification of the public service company’s compliance with standards used in 15
212-the assessments under item (i) of this item. 16
213-
214- (d) (1) Each public service company shall report, in accordance with the 17
215-process established under paragraph (2) of this subsection, a cybersecurity incident, 18
216-including an attack on a system being used by the public service company, to the State 19
217-Security Operations Center in the Department of Information Technology. 20
218-
219- (2) The State Chief Information Security Officer, in consultation with the 21
220-Commission, shall establish a process for a public service company to report cybersecurity 22
221-incidents under paragraph (1) of this subsection, including establishing: 23
222-
223- (i) the criteria for determining the circumstances under which a 24
224-cybersecurity incident must be reported; 25
225-
226- (ii) the manner in which a cybersecurity incident must be reported; 26
227-and 27
228-
229- (iii) the time period within which a cybersecurity incident must be 28
230-reported. 29
231-
232- (3) The State Security Operations Center shall immediately notify 30
233-appropriate State and local agencies of a cybersecurity incident reported under this 31
234-subsection. 32
235-
236-7–213. 33
237-
238-
239-
240- (a) (1) In this section the following words have the meanings indicated. 1
241-
242- (2) “CYBER RESILIENCE” MEANS THE ABILITY TO ANTICIPATE, 2
243-WITHSTAND, RECOVER FROM, AND ADAPT TO ADVERSE CONDITIONS, STRESSES, 3
244-ATTACKS, OR COMPROMISES ON SYSTEMS THAT USE OR ARE ENABLED BY CYBER 4
245-RESOURCES. 5
246-
247- [(2)] (3) (i) “Eligible reliability measure” means a replacement of or 6
248-an improvement in existing infrastructure of an electric company that: 7
249-
250- 1. is made on or after June 1, 2014; 8
251-
252- 2. is designed to improve public safety or infrastructure 9
253-reliability; 10
254-
255- 3. does not increase the revenue of an electric company by 11
256-connecting an improvement directly to new customers; and 12
257-
258- 4. is not included in the current rate base of the electric 13
259-company as determined in the electric company’s most recent base rate proceeding. 14
260-
261- (ii) “Eligible reliability measure” includes vegetation management 15
262-measures that are necessary to meet applicable service quality and reliability standards 16
263-under this section. 17
264-
265- [(3)] (4) “Fund” means the Electric Reliability Remediation Fund 18
266-established under subsection (j) of this section. 19
267-
268- [(4)] (5) “System–average interruption duration index” or “SAIDI” means 20
269-the sum of the customer interruption hours divided by the total number of customers 21
270-served. 22
271-
272- [(5)] (6) “System–average interruption frequency index” or “SAIFI” 23
273-means the sum of the number of customer interruptions divided by the total number of 24
274-customers served. 25
275-
276- (d) On or before July 1, 2012, the Commission shall adopt regulations that 26
277-implement service quality and reliability standards relating to the delivery of electricity to 27
278-retail customers by electric companies through their distribution systems, using: 28
279-
280- (1) SAIFI; 29
281-
282- (2) SAIDI; and 30
284-
285-
286- (3) any other performance measurement that the Commission determines 1
287-to be reasonable. 2
288-
289- (e) (1) The regulations adopted under subsection (d) of this section shall: 3
290-
291- (i) include service quality and reliability standards, including 4
292-standards relating to: 5
293-
294- 1. service interruption; 6
295-
296- 2. downed wire response; 7
297-
298- 3. customer communications; 8
299-
300- 4. vegetation management; 9
301-
302- 5. periodic equipment inspections; 10
303-
304- 6. annual reliability reporting; [and] 11
305-
306- 7. CYBER RESILIENCE; AND 12
307-
308- [7.] 8. any other standards established by the Commission; 13
309-
310- (ii) account for major outages caused by events outside the control of 14
311-an electric company; and 15
312-
313- (iii) for an electric company that fails to meet the applicable service 16
314-quality and reliability standards, require the electric company to file a corrective action 17
315-plan that details specific actions the company will take to meet the standards. 18
316-
317-Article – State Government 19
318-
319-9–2901. 20
320-
321- (a) (1) In this subtitle the following words have the meanings indicated. 21
322-
323- (2) “Council” means the Maryland Cybersecurity Council. 22
324-
325- (3) “CRITICAL INFRASTRUCTURE” MEANS SYSTEMS AND ASSETS, 23
326-WHETHER PHYSICAL OR VIRTUAL, SO VITAL TO THE STATE THAT THE INCAPACITY 24
327-OR DESTRUCTION OF SUCH SYSTEMS AND ASSETS WOULD HAVE A DEBILITATING 25
328-IMPACT ON SECURITY, ECONOMIC SECURITY, PUBLIC HEALTH OR SAFETY, OR ANY 26
329-COMBINATION OF THOSE MATTERS. 27
330+ (iii) severe degradation of State or national security; 30
330331
331332
332333
333- [(3)] (4) “Executive Order” means Executive Order 13636 of the President 1
334-of the United States. 2
334+ (3) assist infrastructure entities that are not covered by the Executive 1
335+Order in complying with federal cybersecurity guidance; 2
335336
336- (b) There is a Maryland Cybersecurity Council. 3
337+ (4) assist private sector cybersecurity businesses in adopting, adapting, 3
338+and implementing the National Institute of Standards and Technology cybersecurity 4
339+framework of standards and practices; 5
337340
338- (j) The Council shall work with the National Institute of Standards and 4
339-Technology and other federal agencies, private sector businesses, and private cybersecurity 5
340-experts to: 6
341+ (5) examine inconsistencies between State and federal laws regarding 6
342+cybersecurity; 7
341343
342- (1) for critical infrastructure not covered by federal law or the Executive 7
343-Order, review and conduct risk assessments to determine which local infrastructure sectors 8
344-are at the greatest risk of cyber attacks and need the most enhanced cybersecurity 9
345-measures; 10
344+ (6) recommend a comprehensive State strategic plan to ensure a 8
345+coordinated and adaptable response to and recovery from cybersecurity attacks; and 9
346346
347- (2) use federal guidance to identify categories of critical infrastructure as 11
348-critical cyber infrastructure if cyber damage or unauthorized cyber access to the 12
349-infrastructure could reasonably result in catastrophic consequences, including: 13
347+ (7) recommend any legislative changes considered necessary by the 10
348+Council to address cybersecurity issues. 11
350349
351- (i) interruption in the provision of energy, water, transportation, 14
352-emergency services, food, or other life–sustaining services sufficient to cause a mass 15
353-casualty event or mass evacuations; 16
354-
355- (ii) catastrophic economic damage; or 17
356-
357- (iii) severe degradation of State or national security; 18
358-
359- (3) assist infrastructure entities that are not covered by the Executive 19
360-Order in complying with federal cybersecurity guidance; 20
361-
362- (4) assist private sector cybersecurity businesses in adopting, adapting, 21
363-and implementing the National Institute of Standards and Technology cybersecurity 22
364-framework of standards and practices; 23
365-
366- (5) examine inconsistencies between State and federal laws regarding 24
367-cybersecurity; 25
368-
369- (6) recommend a comprehensive State strategic plan to ensure a 26
370-coordinated and adaptable response to and recovery from cybersecurity attacks; and 27
371-
372- (7) recommend any legislative changes considered necessary by the 28
373-Council to address cybersecurity issues. 29
374-
375- SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect 30
376-October 1, 2024. 31
377-
350+ SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect 12
351+October 1, 2024. 13
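Review bot: In 5–306(c)(4)(ii) the only document a public service company must submit to the Commission and the Office of People’s Counsel is a certification of compliance with the standards used in the assessments, so the output of the new critical-software analysis required by (c)(4)(i)2 never reaches the Office, even though the assistant people’s counsel created in 2–203(a)(2)(II) is expected under items 4B and 5 to brief on improvements recommended in those assessments and to help companies address assessment findings. Consider requiring the assessment’s findings and recommendations to accompany the certification so that the oversight role has something to act on.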