MD
Maryland Senate Bill SB981

Maryland 2024 Regular Session

Maryland Senate Bill SB981 Compare Versions

Only one version of the bill is available at this time.
OldNewDifferences
11
22
33 EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW.
44 [Brackets] indicate matter deleted from existing law.
55 *sb0981*
66
77 SENATE BILL 981
88 F1, S2, B1 4lr2477
99
1010 By: Senator Hester
1111 Introduced and read first time: February 2, 2024
1212 Assigned to: Education, Energy, and the Environment and Budget and Taxation
1313
1414 A BILL ENTITLED
1515
1616 AN ACT concerning 1
1717
1818 Local Cybersecurity Preparedness and Local Cybersecurity Support Fund – 2
1919 Alterations 3
2020
2121 FOR the purpose of authorizing the Governor to include in the annual budget bill a certain 4
2222 appropriation for certain fiscal years for the Local Cybersecurity Support Fund; 5
2323 requiring the Department of Information Technology to provide a certain number of 6
2424 regional information security officers to assist the Director of Local Cybersecurity; 7
2525 requiring, by a certain date, a local school system to implement certain practices 8
2626 regarding the network of the local school system; authorizing funds to be transferred 9
2727 by budget amendment from the Dedicated Purpose Account in certain fiscal years to 10
2828 implement this Act; and generally relating to local cybersecurity. 11
2929
3030 BY repealing and reenacting, with amendments, 12
3131 Article – Public Safety 13
3232 Section 14–104.2 14
3333 Annotated Code of Maryland 15
3434 (2022 Replacement Volume and 2023 Supplement) 16
3535
3636 BY repealing and reenacting, without amendments, 17
3737 Article – State Finance and Procurement 18
3838 Section 3.5–101(c), 3.5–2A–02, 3.5–301(a) and (b), and 3.5–407 19
3939 Annotated Code of Maryland 20
4040 (2021 Replacement Volume and 2023 Supplement) 21
4141
4242 BY repealing and reenacting, with amendments, 22
4343 Article – State Finance and Procurement 23
4444 Section 3.5–2A–03(e) and 3.5–405 24
4545 Annotated Code of Maryland 25
4646 (2021 Replacement Volume and 2023 Supplement) 26
4747
4848 SECTION 1. BE IT ENACTED BY THE GENERAL ASSE MBLY OF MARYLAND, 27 2 SENATE BILL 981
4949
5050
5151 That the Laws of Maryland read as follows: 1
5252
5353 Article – Public Safety 2
5454
5555 14–104.2. 3
5656
5757 (a) (1) In this section the following words have the meanings indicated. 4
5858
5959 (2) “Fund” means the Local Cybersecurity Support Fund. 5
6060
6161 (3) “Local government” includes local school systems, local school boards, 6
6262 and local health departments. 7
6363
6464 (b) (1) There is a Local Cybersecurity Support Fund. 8
6565
6666 (2) The purpose of the Fund is to: 9
6767
6868 (i) provide financial assistance to local governments to improve 10
6969 cybersecurity preparedness, including: 11
7070
7171 1. updating current devices and networks with the most 12
7272 up–to–date cybersecurity protections; 13
7373
7474 2. supporting the purchase of new hardware, software, 14
7575 devices, and firewalls to improve cybersecurity preparedness; 15
7676
7777 3. recruiting and hiring information technology staff focused 16
7878 on cybersecurity; 17
7979
8080 4. paying outside vendors for cybersecurity staff training; 18
8181
8282 5. conducting cybersecurity vulnerability assessments; 19
8383
8484 6. addressing high–risk cybersecurity vulnerabilities 20
8585 identified by vulnerability assessments; 21
8686
8787 7. implementing and maintaining integrators and other 22
8888 similar intelligence sharing infrastructure that enable connection with the Information 23
8989 Sharing and Analysis Center in the Department of Information Technology; and 24
9090
9191 8. supporting the security of local wastewater treatment 25
9292 plants, including bicounty, county, and municipal plants, by acquiring or implementing 26
9393 cybersecurity–related upgrades to the plants; and 27
9494
9595 (ii) assist local governments applying for federal cybersecurity 28
9696 preparedness grants. 29
9797 SENATE BILL 981 3
9898
9999
100100 (3) The Secretary shall administer the Fund. 1
101101
102102 (4) (i) The Fund is a special, nonlapsing fund that is not subject to § 2
103103 7–302 of the State Finance and Procurement Article. 3
104104
105105 (ii) The State Treasurer shall hold the Fund separately, and the 4
106106 Comptroller shall account for the Fund. 5
107107
108108 (5) The Fund consists of: 6
109109
110110 (i) money appropriated in the State budget to the Fund; 7
111111
112112 (ii) interest earnings; and 8
113113
114114 (iii) any other money from any other source accepted for the benefit 9
115115 of the Fund. 10
116116
117117 (6) The Fund may be used only: 11
118118
119119 (i) to provide financial assistance to local governments to improve 12
120120 cybersecurity preparedness, including: 13
121121
122122 1. updating current devices and networks with the most 14
123123 up–to–date cybersecurity protections; 15
124124
125125 2. supporting the purchase of new hardware, software, 16
126126 devices, and firewalls to improve cybersecurity preparedness; 17
127127
128128 3. recruiting and hiring information technology staff focused 18
129129 on cybersecurity; 19
130130
131131 4. paying outside vendors for cybersecurity staff training; 20
132132
133133 5. conducting cybersecurity vulnerability assessments; 21
134134
135135 6. addressing high–risk cybersecurity vulnerabilities 22
136136 identified by vulnerability assessments; 23
137137
138138 7. implementing or maintaining integrators and other 24
139139 similar intelligence sharing infrastructure that enable connection with the Information 25
140140 Sharing and Analysis Center in the Department of Information Technology; and 26
141141
142142 8. supporting the security of local wastewater treatment 27
143143 plants, including bicounty, county, and municipal plants, by acquiring or implementing 28
144144 cybersecurity–related upgrades to the plants; 29
145145
146146 (ii) to assist local governments applying for federal cybersecurity 30 4 SENATE BILL 981
147147
148148
149149 preparedness grants; and 1
150150
151151 (iii) for administrative expenses associated with providing the 2
152152 assistance described under item (i) of this paragraph. 3
153153
154154 (7) (i) The State Treasurer shall invest the money of the Fund in the 4
155155 same manner as other State money may be invested. 5
156156
157157 (ii) Any interest earnings of the Fund shall be credited to the Fund. 6
158158
159159 (8) Expenditures from the Fund may be made only in accordance with the 7
160160 State budget. 8
161161
162162 (c) To be eligible to receive assistance from the Fund, a local government shall: 9
163163
164164 (1) provide proof to the Department of Information Technology that the 10
165165 local government conducted a cybersecurity preparedness assessment in the previous 12 11
166166 months; or 12
167167
168168 (2) within 12 months undergo a cybersecurity preparedness assessment 13
169169 provided by, in accordance with the preference of the local government: 14
170170
171171 (i) the Department of Information Technology at a cost to the local 15
172172 government that does not exceed the cost to the Department of Information Technology of 16
173173 providing the assessment; or 17
174174
175175 (ii) a vendor authorized by the Department of Information 18
176176 Technology to complete cybersecurity preparedness assessments. 19
177177
178178 (D) FOR FISCAL YEARS 2026 AND 2027, THE GOVERNOR MAY INCLUDE IN 20
179179 THE ANNUAL BUDGET BI LL AN APPROPRIATION OF $10,000,000 FOR THE FUND. 21
180180
181181 Article – State Finance and Procurement 22
182182
183183 3.5–101. 23
184184
185185 (c) “Department” means the Department of Information Technology. 24
186186
187187 3.5–2A–02. 25
188188
189189 There is an Office of Security Management within the Department. 26
190190
191191 3.5–2A–03. 27
192192
193193 (e) (1) (i) There is a Director of Local Cybersecurity, who shall be 28
194194 appointed by the State Chief Information Security Officer. 29
195195 SENATE BILL 981 5
196196
197197
198198 (ii) The Director of Local Cybersecurity shall work in coordination 1
199199 with the Maryland Department of Emergency Management to provide technical assistance, 2
200200 coordinate resources, and improve cybersecurity preparedness for units of local 3
201201 government. 4
202202
203203 (III) THE DEPARTMENT SHALL PROVIDE SUFFICIENT 5
204204 INFORMATION SECURITY OFFICERS TO ASSIST THE DIRECTOR OF LOCAL 6
205205 CYBERSECURITY . 7
206206
207207 (2) (i) There is a Director of State Cybersecurity, who shall be 8
208208 appointed by the State Chief Information Security Officer. 9
209209
210210 (ii) The Director of State Cybersecurity is responsible for 10
211211 implementation of this section with respect to units of State government. 11
212212
213213 3.5–301. 12
214214
215215 (a) In this subtitle the following words have the meanings indicated. 13
216216
217217 (b) “Cybersecurity” means processes or capabilities wherein systems, 14
218218 communications, and information are protected and defended against damage, 15
219219 unauthorized use or modification, and exploitation. 16
220220
221221 3.5–405. 17
222222
223223 (a) This section does not apply to municipal governments. 18
224224
225225 (b) In a manner and frequency established in regulations adopted by the 19
226226 Department, each county government, local school system, and local health department 20
227227 shall in consultation with the local emergency manager, create or update a cybersecurity 21
228228 preparedness and response plan and complete a cybersecurity preparedness assessment. 22
229229
230230 (C) BY JULY 1, 2025, A LOCAL SCHOOL SYSTE M SHALL IMPLEMENT: 23
231231
232232 (1) MULTIFACTOR AUTHENTI CATION FOR ALL SCHOOL EMPLO YEES; 24
233233
234234 (2) ENDPOINT DETECTION A ND RESPONSE ON ALL SYSTEM –OWNED 25
235235 DEVICES ACCESSED BY EMPLOYEES; AND 26
236236
237237 (3) NETWORK MONITORING . 27
238238
239239 (D) EACH YEAR , A LOCAL SCHOOL SYSTEM SHALL REPORT IN A 28
240240 CYBERSECURITY ASSESS MENT REQUIRED UNDER § 3.5–407 OF THIS SUBTITLE THE 29
241241 PERCENTAGE OF EMPLOY EES THAT COMPLY WITH THE REQUIREMENTS OF EACH 30
242242 ITEM OF SUBSECTION (C) OF THIS SECTION. 31
243243 6 SENATE BILL 981
244244
245245
246246 3.5–407. 1
247247
248248 (a) This section does not apply to municipal governments. 2
249249
250250 (b) In a manner and frequency established in regulations adopted by the 3
251251 Department, each county government, local school system, and local health department 4
252252 shall: 5
253253
254254 (1) in consultation with the local emergency manager, create or update a 6
255255 cybersecurity preparedness and response plan; and 7
256256
257257 (2) complete a cybersecurity preparedness assessment. 8
258258
259259 (c) The assessment required under paragraph (b)(2) of this section may, in 9
260260 accordance with the preference of each county government, be performed by the 10
261261 Department or by a vendor authorized by the Department. 11
262262
263263 (d) (1) Each local government shall report a cybersecurity incident, including 12
264264 an attack on a State system being used by the local government, to the appropriate local 13
265265 emergency manager and the State Security Operations Center in the Department in 14
266266 accordance with paragraph (2) of this subsection. 15
267267
268268 (2) For the reporting of cybersecurity incidents to local emergency 16
269269 managers under subparagraph (i) of this paragraph, the State Chief Information Security 17
270270 Officer shall determine: 18
271271
272272 (i) the criteria for determining when an incident must be reported; 19
273273
274274 (ii) the manner in which to report; and 20
275275
276276 (iii) the time period within which a report must be made. 21
277277
278278 (3) The State Security Operations Center shall immediately notify the 22
279279 appropriate agencies of a cybersecurity incident reported under this subsection through the 23
280280 State Security Operations Center. 24
281281
282282 SECTION 2. AND BE IT FURTHER ENACTED, That , for fiscal years 2026 and 25
283283 2027, funds from the Dedicated Purpose Account may be transferred by budget 26
284284 amendment, in accordance with § 7–310 of the State Finance and Procurement Article, to 27
285285 implement this Act. 28
286286
287287 SECTION 3. AND BE IT FURTHER ENACTED, That this Act shall take effect July 29
288288 1, 2024. 30