Maryland 2024 Regular Session

Maryland Senate Bill SB981 Latest Draft

Bill / Introduced Version Filed 02/06/2024

                             
 
EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW. 
        [Brackets] indicate matter deleted from existing law. 
  
SENATE BILL 981 
F1, S2, B1   	4lr2477 
      
By: Senator Hester 
Introduced and read first time: February 2, 2024 
Assigned to: Education, Energy, and the Environment and Budget and Taxation 
 
A BILL ENTITLED 
 
AN ACT concerning 1 
 
Local Cybersecurity Preparedness and Local Cybersecurity Support Fund – 2 
Alterations 3 
 
FOR the purpose of authorizing the Governor to include in the annual budget bill a certain 4 
appropriation for certain fiscal years for the Local Cybersecurity Support Fund; 5 
requiring the Department of Information Technology to provide a certain number of 6 
regional information security officers to assist the Director of Local Cybersecurity; 7 
requiring, by a certain date, a local school system to implement certain practices 8 
regarding the network of the local school system; authorizing funds to be transferred 9 
by budget amendment from the Dedicated Purpose Account in certain fiscal years to 10 
implement this Act; and generally relating to local cybersecurity. 11 
 
BY repealing and reenacting, with amendments, 12 
 Article – Public Safety 13 
Section 14–104.2 14 
 Annotated Code of Maryland 15 
 (2022 Replacement Volume and 2023 Supplement) 16 
 
BY repealing and reenacting, without amendments, 17 
 Article – State Finance and Procurement 18 
Section 3.5–101(c), 3.5–2A–02, 3.5–301(a) and (b), and 3.5–407 19 
 Annotated Code of Maryland 20 
 (2021 Replacement Volume and 2023 Supplement) 21 
 
BY repealing and reenacting, with amendments, 22 
 Article – State Finance and Procurement 23 
 Section 3.5–2A–03(e) and 3.5–405 24 
 Annotated Code of Maryland 25 
 (2021 Replacement Volume and 2023 Supplement) 26 
 
 SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 27 
 
 
That the Laws of Maryland read as follows: 1 
 
Article – Public Safety 2 
 
14–104.2. 3 
 
 (a) (1) In this section the following words have the meanings indicated. 4 
 
 (2) “Fund” means the Local Cybersecurity Support Fund. 5 
 
 (3) “Local government” includes local school systems, local school boards, 6 
and local health departments. 7 
 
 (b) (1) There is a Local Cybersecurity Support Fund. 8 
 
 (2) The purpose of the Fund is to: 9 
 
 (i) provide financial assistance to local governments to improve 10 
cybersecurity preparedness, including: 11 
 
 1. updating current devices and networks with the most  12 
up–to–date cybersecurity protections; 13 
 
 2. supporting the purchase of new hardware, software, 14 
devices, and firewalls to improve cybersecurity preparedness; 15 
 
 3. recruiting and hiring information technology staff focused 16 
on cybersecurity; 17 
 
 4. paying outside vendors for cybersecurity staff training; 18 
 
 5. conducting cybersecurity vulnerability assessments; 19 
 
 6. addressing high–risk cybersecurity vulnerabilities 20 
identified by vulnerability assessments; 21 
 
 7. implementing and maintaining integrators and other 22 
similar intelligence sharing infrastructure that enable connection with the Information 23 
Sharing and Analysis Center in the Department of Information Technology; and 24 
 
 8. supporting the security of local wastewater treatment 25 
plants, including bicounty, county, and municipal plants, by acquiring or implementing 26 
cybersecurity–related upgrades to the plants; and 27 
 
 (ii) assist local governments applying for federal cybersecurity 28 
preparedness grants. 29 
 
 
 (3) The Secretary shall administer the Fund. 1 
 
 (4) (i) The Fund is a special, nonlapsing fund that is not subject to §  2 
7–302 of the State Finance and Procurement Article. 3 
 
 (ii) The State Treasurer shall hold the Fund separately, and the 4 
Comptroller shall account for the Fund. 5 
 
 (5) The Fund consists of: 6 
 
 (i) money appropriated in the State budget to the Fund; 7 
 
 (ii) interest earnings; and 8 
 
 (iii) any other money from any other source accepted for the benefit 9 
of the Fund. 10 
 
 (6) The Fund may be used only: 11 
 
 (i) to provide financial assistance to local governments to improve 12 
cybersecurity preparedness, including: 13 
 
 1. updating current devices and networks with the most  14 
up–to–date cybersecurity protections; 15 
 
 2. supporting the purchase of new hardware, software, 16 
devices, and firewalls to improve cybersecurity preparedness; 17 
 
 3. recruiting and hiring information technology staff focused 18 
on cybersecurity; 19 
 
 4. paying outside vendors for cybersecurity staff training; 20 
 
 5. conducting cybersecurity vulnerability assessments; 21 
 
 6. addressing high–risk cybersecurity vulnerabilities 22 
identified by vulnerability assessments; 23 
 
 7. implementing or maintaining integrators and other 24 
similar intelligence sharing infrastructure that enable connection with the Information 25 
Sharing and Analysis Center in the Department of Information Technology; and 26 
 
 8. supporting the security of local wastewater treatment 27 
plants, including bicounty, county, and municipal plants, by acquiring or implementing 28 
cybersecurity–related upgrades to the plants; 29 
 
 (ii) to assist local governments applying for federal cybersecurity 30 
 
 
preparedness grants; and 1 
 
 (iii) for administrative expenses associated with providing the 2 
assistance described under item (i) of this paragraph. 3 
 
 (7) (i) The State Treasurer shall invest the money of the Fund in the 4 
same manner as other State money may be invested. 5 
 
 (ii) Any interest earnings of the Fund shall be credited to the Fund. 6 
 
 (8) Expenditures from the Fund may be made only in accordance with the 7 
State budget. 8 
 
 (c) To be eligible to receive assistance from the Fund, a local government shall: 9 
 
 (1) provide proof to the Department of Information Technology that the 10 
local government conducted a cybersecurity preparedness assessment in the previous 12 11 
months; or 12 
 
 (2) within 12 months undergo a cybersecurity preparedness assessment 13 
provided by, in accordance with the preference of the local government: 14 
 
 (i) the Department of Information Technology at a cost to the local 15 
government that does not exceed the cost to the Department of Information Technology of 16 
providing the assessment; or 17 
 
 (ii) a vendor authorized by the Department of Information 18 
Technology to complete cybersecurity preparedness assessments. 19 
 
 (D) FOR FISCAL YEARS 2026 AND 2027, THE GOVERNOR MAY INCLUDE IN 20 
THE ANNUAL BUDGET BILL AN APPROPRIATION OF $10,000,000 FOR THE FUND. 21 
 
Article – State Finance and Procurement 22 
 
3.5–101. 23 
 
 (c) “Department” means the Department of Information Technology. 24 
 
3.5–2A–02. 25 
 
 There is an Office of Security Management within the Department. 26 
 
3.5–2A–03. 27 
 
 (e) (1) (i) There is a Director of Local Cybersecurity, who shall be 28 
appointed by the State Chief Information Security Officer. 29 
 
 
 (ii) The Director of Local Cybersecurity shall work in coordination 1 
with the Maryland Department of Emergency Management to provide technical assistance, 2 
coordinate resources, and improve cybersecurity preparedness for units of local 3 
government. 4 
 
 (III) THE DEPARTMENT SHALL PROVIDE SUFFICIENT 5 
INFORMATION SECURITY OFFICERS TO ASSIST THE DIRECTOR OF LOCAL 6 
CYBERSECURITY. 7 
 
 (2) (i) There is a Director of State Cybersecurity, who shall be 8 
appointed by the State Chief Information Security Officer. 9 
 
 (ii) The Director of State Cybersecurity is responsible for 10 
implementation of this section with respect to units of State government. 11 
 
3.5–301. 12 
 
 (a) In this subtitle the following words have the meanings indicated. 13 
 
 (b) “Cybersecurity” means processes or capabilities wherein systems, 14 
communications, and information are protected and defended against damage, 15 
unauthorized use or modification, and exploitation. 16 
 
3.5–405. 17 
 
 (a) This section does not apply to municipal governments. 18 
 
 (b) In a manner and frequency established in regulations adopted by the 19 
Department, each county government, local school system, and local health department 20 
shall in consultation with the local emergency manager, create or update a cybersecurity 21 
preparedness and response plan and complete a cybersecurity preparedness assessment. 22 
 
 (C) BY JULY 1, 2025, A LOCAL SCHOOL SYSTEM SHALL IMPLEMENT: 23 
 
 (1) MULTIFACTOR AUTHENTICATION FOR ALL SCHOOL EMPLOYEES; 24 
 
 (2) ENDPOINT DETECTION AND RESPONSE ON ALL SYSTEM–OWNED 25 
DEVICES ACCESSED BY EMPLOYEES; AND 26 
 
 (3) NETWORK MONITORING. 27 
 
 (D) EACH YEAR, A LOCAL SCHOOL SYSTEM SHALL REPORT IN A 28 
CYBERSECURITY ASSESSMENT REQUIRED UNDER § 3.5–407 OF THIS SUBTITLE THE 29 
PERCENTAGE OF EMPLOYEES THAT COMPLY WITH THE REQUIREMENTS OF EACH 30 
ITEM OF SUBSECTION (C) OF THIS SECTION. 31 
 
 
3.5–407. 1 
 
 (a) This section does not apply to municipal governments. 2 
 
 (b) In a manner and frequency established in regulations adopted by the 3 
Department, each county government, local school system, and local health department 4 
shall: 5 
 
 (1) in consultation with the local emergency manager, create or update a 6 
cybersecurity preparedness and response plan; and 7 
 
 (2) complete a cybersecurity preparedness assessment. 8 
 
 (c) The assessment required under paragraph (b)(2) of this section may, in 9 
accordance with the preference of each county government, be performed by the 10 
Department or by a vendor authorized by the Department. 11 
 
 (d) (1) Each local government shall report a cybersecurity incident, including 12 
an attack on a State system being used by the local government, to the appropriate local 13 
emergency manager and the State Security Operations Center in the Department in 14 
accordance with paragraph (2) of this subsection. 15 
 
 (2) For the reporting of cybersecurity incidents to local emergency 16 
managers under subparagraph (i) of this paragraph, the State Chief Information Security 17 
Officer shall determine: 18 
 
 (i) the criteria for determining when an incident must be reported; 19 
 
 (ii) the manner in which to report; and 20 
 
 (iii) the time period within which a report must be made. 21 
 
 (3) The State Security Operations Center shall immediately notify the 22 
appropriate agencies of a cybersecurity incident reported under this subsection through the 23 
State Security Operations Center. 24 
 
 SECTION 2. AND BE IT FURTHER ENACTED, That, for fiscal years 2026 and 25 
2027, funds from the Dedicated Purpose Account may be transferred by budget 26 
amendment, in accordance with § 7–310 of the State Finance and Procurement Article, to 27 
implement this Act. 28 
 
 SECTION 3. AND BE IT FURTHER ENACTED, That this Act shall take effect July 29 
1, 2024. 30