EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW.
[Brackets] indicate matter deleted from existing law.
*sb0247*
SENATE BILL 247
P2 4lr0139
(PRE–FILED) CF 4lr0140
By: Chair, Education, Energy, and the Environment Committee (By Request –
Departmental – Information Technology)
Requested: September 13, 2023
Introduced and read first time: January 10, 2024
Assigned to: Education, Energy, and the Environment
A BILL ENTITLED
AN ACT concerning 1
Information Technology – Modernize Maryland Oversight Commission – 2
Membership, Responsibilities, and Staffing 3
FOR the purpose of altering the membership and responsibilities of the Modernize 4
Maryland Oversight Commission; requiring the Department of Information 5
Technology to provide staff for the Commission; and generally relating to the 6
Modernize Maryland Oversight Commission. 7
BY repealing and reenacting, with amendments, 8
Article – State Finance and Procurement 9
Section 3.5–316 10
Annotated Code of Maryland 11
(2021 Replacement Volume and 2023 Supplement) 12
SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 13
That the Laws of Maryland read as follows: 14
Article – State Finance and Procurement 15
3.5–316. 16
(a) (1) In this section the following words have the meanings indicated. 17
(2) “Commission” means the Modernize Maryland Oversight Commission. 18
(3) “Critical system” means an information technology or cybersecurity 19
system that is severely outdated, as determined by the Department. 20
(b) There is an independent Modernize Maryland Oversight Commission. 21 2 SENATE BILL 247
(c) The purpose of the Commission is to ADVISE THE SECRETARY ON : 1
[(1) ensure the confidentiality, integrity, and availability of information 2
held by the State concerning State residents; and 3
(2) advise the Secretary and State Chief Information Security Officer on:] 4
[(i)] (1) [the appropriate] STRATEGIC information technology and 5
cybersecurity investments and upgrades BASED ON INDUSTRY BE ST PRACTICES; 6
[(ii)] (2) the funding sources for [the appropriate] STRATEGIC 7
information technology and cybersecurity upgrades BASED ON INDUSTRY BE ST 8
PRACTICES; and 9
[(iii)] (3) future mechanisms for the procurement of appropriate 10
information technology and cybersecurity upgrades, including ways to increase the 11
efficiency of procurements made for information technology and cybersecurity upgrades. 12
(d) The Commission consists of the following members: 13
(1) [the Secretary; 14
(2) the State Chief Information Security Officer; 15
(3) three chief information security officers representing different units of 16
State government, appointed by the Governor; 17
(4)] one information technology modernization expert with experience in 18
the private sector, appointed by the Governor; 19
[(5)] (2) [one representative] TWO REPRESENTATIVES from the 20
Maryland Chamber of Commerce, ONE with knowledge of cybersecurity issues AND ONE 21
WITH KNOWLEDGE OF IN FORMATION TECHNOLOGY ; 22
[(6)] (3) two individuals who are end users of State information 23
technology systems WHO ARE NOT STATE EMPLOYEES , appointed by the Governor; 24
[(7)] (4) one representative from the Cybersecurity Association of 25
Maryland; [and] 26
[(8)] (5) one individual who is either an instructor or a professional in the 27
academic field of cybersecurity at a college or university in the State, appointed by the 28
Governor; 29
SENATE BILL 247 3
(6) ONE INDIVIDUAL WHO I S EITHER AN INSTRUCT OR OR A 1
PROFESSIONAL IN THE ACADEMIC FIELD OF IN FORMATION TECHNOLOGY AT A 2
COLLEGE OR UNIVERSIT Y IN THE STATE, APPOINTED BY THE GOVERNOR; AND 3
(7) THE COCHAIRS OF THE JOINT COMMITTEE ON CYBERSECURITY , 4
INFORMATION TECHNOLOGY , AND BIOTECHNOLOGY . 5
[(e) The cochairs of the Joint Committee on Cybersecurity, Information 6
Technology, and Biotechnology shall serve as advisory, nonvoting members of the 7
Commission.] 8
(E) THE DEPARTMENT SHALL PROV IDE STAFF FOR THE COMMISSION. 9
(f) The Commission shall: 10
(1) advise the Secretary on [a strategic roadmap with a timeline and 11
budget that will:] INFORMATION TECHNOLOG Y AND CYBERSECURITY INDUSTRY BEST 12
PRACTICES; 13
[(i) require the updates and investments of critical information 14
technology and cybersecurity systems identified by the Commission in the first 15
recommendations reported under paragraph (2) of this subsection to be completed on or 16
before December 31, 2025; and 17
(ii) require all updates and investments of information technology 18
and cybersecurity to be made on or before December 31, 2030;] 19
(2) make periodic recommendations on investments in State information 20
technology structures based on the assessments completed in accordance with the 21
framework developed in § 3.5–317 of this subtitle; AND 22
[(3) review and provide recommendations on the Department’s basic 23
security standards for use of the network established under § 3.5–404(b) of this title; and] 24
[(4)] (3) each year, in accordance with § 2–1257 of the State Government 25
Article, report its findings and recommendations to the SECRETARY, Senate Budget and 26
Taxation Committee, the Senate [Education, Health, and Environmental Affairs 27
Committee] COMMITTEE ON EDUCATION, ENERGY, AND THE ENVIRONMENT , the 28
House Appropriations Committee, the House Health and Government Operations 29
Committee, and the Joint Committee on Cybersecurity, Information Technology, and 30
Biotechnology. 31
(g) The report submitted under subsection [(f)(4)] (F)(3) of this section may not 32
contain information about the security of an information system. 33 4 SENATE BILL 247
SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect 1
October 1, 2024. 2