Maryland 2025 Regular Session

Maryland House Bill HB1309 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1
2	2
3	3	EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW.
4	4	[Brackets] indicate matter deleted from existing law.
5	5	hb1309
6	6
7	7	HOUSE BILL 1309
8	8	F1, S2 5lr3329
9	9	CF SB 907
10	10	By: Delegate Wu
11	11	Introduced and read first time: February 7, 2025
12	12	Assigned to: Health and Government Operations and Ways and Means
13	13
14	14	A BILL ENTITLED
15	15
16	16	AN ACT concerning 1
17	17
18	18	Cybersecurity – Standards, Compliance, and Audits – Alterations 2
19	19
20	20	FOR the purpose of repealing the requirement that county boards of education prioritize 3
21	21	the purchase of digital devices with certain funds; requiring each local school system 4
22	22	to comply with, and certify compliance with, the State minimum cybersecurity 5
23	23	standards and to conduct a cybersecurity maturity assessment every 2 years; 6
24	24	requiring the Office of Security Management within the Department of Information 7
25	25	Technology to annually update the State minimum cybersecurity standards; 8
26	26	requiring the Department of Information Technology to provide a certain number of 9
27	27	information security officers to assist local school systems with certain functions and 10
28	28	to focus on a certain standard for a certain school year; requiring the Office of 11
29	29	Legislative Audits within the Department of Legislative Services to refer to the State 12
30	30	minimum cybersecurity standards when conducting certain audits; and generally 13
31	31	relating to cybersecurity. 14
32	32
33	33	BY repealing and reenacting, with amendments, 15
34	34	Article – Education 16
35	35	Section 5–212 17
36	36	Annotated Code of Maryland 18
37	37	(2022 Replacement Volume and 2024 Supplement) 19
38	38
39	39	BY adding to 20
40	40	Article – Education 21
41	41	Section 5–213(e) and (f) 22
42	42	Annotated Code of Maryland 23
43	43	(2022 Replacement Volume and 2024 Supplement) 24
44	44
45	45	BY repealing and reenacting, with amendments, 25
46	46	Article – State Finance and Procurement 26
47	47	Section 3.5–101, 3.5–2A–04(b), and 3.5–405 27
48	48	Annotated Code of Maryland 28 2 HOUSE BILL 1309
49	49
50	50
51	51	(2021 Replacement Volume and 2024 Supplement) 1
52	52
53	53	BY repealing and reenacting, without amendments, 2
54	54	Article – State Finance and Procurement 3
55	55	Section 3.5–2A–02 and 3.5–301(a) and (c) 4
56	56	Annotated Code of Maryland 5
57	57	(2021 Replacement Volume and 2024 Supplement) 6
58	58
59	59	BY repealing and reenacting, with amendments, 7
60	60	Article – State Government 8
61	61	Section 2–1221 9
62	62	Annotated Code of Maryland 10
63	63	(2021 Replacement Volume and 2024 Supplement) 11
64	64
65	65	SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 12
66	66	That the Laws of Maryland read as follows: 13
67	67
68	68	Article – Education 14
69	69
70	70	5–212. 15
71	71
72	72	(a) The target per pupil foundation amount includes costs associated with 16
73	73	implementing the Blueprint for Maryland’s Future including: 17
74	74
75	75	(1) Increasing salaries; 18
76	76
77	77	(2) Additional teachers to provide professional learning and collaborative 19
78	78	time for teachers; 20
79	79
80	80	(3) Career counseling; 21
81	81
82	82	(4) Behavioral health; 22
83	83
84	84	(5) Instructional opportunities for students who are college and career 23
85	85	ready and those who are not; 24
86	86
87	87	(6) Maintenance and operation of schools; 25
88	88
89	89	(7) Supplies and materials for teachers; and 26
90	90
91	91	(8) Educational technology including digital devices, broadband 27
92	92	connectivity, [and] information technology staff, AND CYBERSECURITY . 28
93	93
94	94	(b) Schools may use funds provided under this section to provide the programs 29
95	95	required under COMAR 13A.04.16.01. 30
96	96
97	97	(c) (1) [County boards of education and schools shall prioritize the purchase 31 HOUSE BILL 1309 3
98	98
99	99
100	100	of digital devices for using funds under subsection (a)(8) of this section. 1
101	101
102	102	(2)] Additional funds provided in the target per pupil foundation amount for 2
103	103	educational technology are intended to supplement and not supplant existing funding 3
104	104	provided for educational technology. 4
105	105
106	106	[(3)] (2) (i) On or before [November 15 each year] AUGUST 15, 2025, 5
107	107	AND EACH AUGUST 15 THEREAFTER , each county board shall submit a report to the 6
108	108	Department detailing, for the previous fiscal year: 7
109	109
110	110	1. The amount spent by the local school system on 8
111	111	[technology disaggregated by digital devices, connectivity, and] information technology 9
112	112	staff[; and] DISAGGREGATED BY : 10
113	113
114	114	A. FULL–TIME EMPLOYEES ; 11
115	115
116	116	B. VENDOR–SUPPORTED STAFF OR C ONTRACTORS ; AND 12
117	117
118	118	C. DEDICATED CYBERSECURI TY PROFESSIONALS BY 13
119	119	TYPE, INCLUDING CHIEF INFO RMATION SECURITY OFF ICERS AND CYBERSECUR ITY 14
120	120	SPECIALISTS; 15
121	121
122	122	2. The percentage of students, teachers, and staff with 16
123	123	digital devices and adequate connectivity in their homes in accordance with the Federal 17
124	124	Communications Commission standards for broadband; AND 18
125	125
126	126	3. CYBERSECURITY EXPENDI TURES RELATED TO THE 19
127	127	STATE MINIMUM CYBERSE CURITY STANDARDS EST ABLISHED BY THE DEPARTMENT 20
128	128	OF INFORMATION TECHNOLOGY . 21
129	129
130	130	(ii) On or before December 15 each year, the Department shall 22
131	131	submit to the General Assembly, in accordance with § 2–1257 of the State Government 23
132	132	Article, a compilation of the reports submitted to the Department under subparagraph (i) 24
133	133	of this paragraph. 25
134	134
135	135	(iii) On or before September 1, 2021, the Department shall establish 26
136	136	uniform reporting requirements, including definitions to ensure that consistent and 27
137	137	comparable reports are submitted under subparagraph (i) of this paragraph. 28
138	138
139	139	5–213. 29
140	140
141	141	(E) (1) EACH COUNTY BOARD SHA LL PROVIDE SUFFICIENT 30
142	142	CYBERSECURITY STAFFI NG AS DETERMINED BY THE STATE CHIEF INFORMATION 31
143	143	SECURITY OFFICER. 32
144	144	4 HOUSE BILL 1309
145	145
146	146
147	147	(2) LOCAL SCHOOL SYSTEMS MAY SHARE SERVICES , CONTRACTORS , 1
148	148	OR REGIONAL SUPPORT FROM THE DEPARTMENT TO MEET THE REQUIREMENTS OF 2
149	149	PARAGRAPH (1) OF THIS SUBSECTION, PROVIDED THAT EACH L OCAL SCHOOL 3
150	150	SYSTEM ENSURES TIMEL Y AND ADEQUATE SUPPO RT FOR CYBERSECURITY . 4
151	151
152	152	(F) (1) BEGINNING IN 2026, EACH LOCAL SCHOOL SY STEM SHALL: 5
153	153
154	154	(I) COMPLY WITH THE STATE MINIMUM CYBERSECURIT Y 6
155	155	STANDARDS; AND 7
156	156
157	157	(II) CONDUCT A CYBERSECURI TY MATURITY ASSESSME NT 8
158	158	EVERY 2 YEARS. 9
159	159
160	160	(2) ON OR BEFORE JUNE 30, 2026, AND EACH JUNE 30 EVERY 2 10
161	161	YEARS THEREAFTER , EACH LOCAL SCHOOL SY STEM SHALL CERTIFY T O THE OFFICE 11
162	162	OF SECURITY MANAGEMENT WITHIN THE DEPARTMENT OF INFORMATION 12
163	163	TECHNOLOGY COMPLIANCE WITH THE STATE MINIMUM CYBERSE CURITY 13
164	164	STANDARDS. 14
165	165
166	166	Article – State Finance and Procurement 15
167	167
168	168	3.5–101. 16
169	169
170	170	(a) In this title the following words have the meanings indicated. 17
171	171
172	172	(b) “Cloud computing” means a service that enables on–demand self–service 18
173	173	network access to a shared pool of configurable computer resources, including data storage, 19
174	174	analytics, commerce, streaming, e–mail, document sharing, and document editing. 20
175	175
176	176	(c) “Department” means the Department of Information Technology. 21
177	177
178	178	(d) “Secretary” means the Secretary of Information Technology. 22
179	179
180	180	(E) “STATE MINIMUM CYBERSE CURITY STANDARDS ” MEANS THE STATE 23
181	181	MINIMUM CYBERSECURIT Y STANDARDS ESTABLIS HED BY THE DEPARTMENT OF 24
182	182	INFORMATION TECHNOLOGY . 25
183	183
184	184	[(e)] (F) “Telecommunication” means the transmission of information, images, 26
185	185	pictures, voice, or data by radio, video, or other electronic or impulse means. 27
186	186
187	187	[(f)] (G) “Unit of State government” means an agency or unit of the Executive 28
188	188	Branch of State government. 29
189	189
190	190	3.5–2A–02. 30
191	191	HOUSE BILL 1309 5
192	192
193	193
194	194	There is an Office of Security Management within the Department. 1
195	195
196	196	3.5–2A–04. 2
197	197
198	198	(b) The Office shall: 3
199	199
200	200	(1) establish standards to categorize all information collected or 4
201	201	maintained by or on behalf of each unit of State government; 5
202	202
203	203	(2) establish standards to categorize all information systems maintained 6
204	204	by or on behalf of each unit of State government; 7
205	205
206	206	(3) develop guidelines governing the types of information and information 8
207	207	systems to be included in each category; 9
208	208
209	209	(4) establish security requirements for information and information 10
210	210	systems in each category; 11
211	211
212	212	(5) assess the categorization of information and information systems and 12
213	213	the associated implementation of the security requirements established under item (4) of 13
214	214	this subsection; 14
215	215
216	216	(6) if the State Chief Information Security Officer determines that there 15
217	217	are security vulnerabilities or deficiencies in any information systems, determine and direct 16
218	218	or take actions necessary to correct or remediate the vulnerabilities or deficiencies, which 17
219	219	may include requiring the information system to be disconnected; 18
220	220
221	221	(7) if the State Chief Information Security Officer determines that there is 19
222	222	a cybersecurity threat caused by an entity connected to the network established under § 20
223	223	3.5–404 of this title that introduces a serious risk to entities connected to the network or to 21
224	224	the State, take or direct actions required to mitigate the threat; 22
225	225
226	226	(8) manage security awareness training for all appropriate employees of 23
227	227	units of State government; 24
228	228
229	229	(9) assist in the development of data management, data governance, and 25
230	230	data specification standards to promote standardization and reduce risk; 26
231	231
232	232	(10) assist in the development of a digital identity standard and 27
233	233	specification applicable to all parties communicating, interacting, or conducting business 28
234	234	with or on behalf of a unit of State government; 29
235	235
236	236	(11) develop and maintain information technology security policy, 30
237	237	standards, and guidance documents, consistent with best practices developed by the 31
238	238	National Institute of Standards and Technology; 32
239	239
240	240	(12) to the extent practicable, seek, identify, and inform relevant 33 6 HOUSE BILL 1309
241	241
242	242
243	243	stakeholders of any available financial assistance provided by the federal government or 1
244	244	non–State entities to support the work of the Office; 2
245	245
246	246	(13) provide technical assistance to localities in mitigating and recovering 3
247	247	from cybersecurity incidents; [and] 4
248	248
249	249	(14) ANNUALLY REVIEW AND UPDATE THE STATE MINIMUM 5
250	250	CYBERSECURITY STANDA RDS; AND 6
251	251
252	252	(15) provide technical services, advice, and guidance to units of local 7
253	253	government to improve cybersecurity preparedness, prevention, response, and recovery 8
254	254	practices. 9
255	255
256	256	3.5–301. 10
257	257
258	258	(a) In this subtitle the following words have the meanings indicated. 11
259	259
260	260	(c) “Cybersecurity” means processes or capabilities wherein systems, 12
261	261	communications, and information are protected and defended against damage, 13
262	262	unauthorized use or modification, and exploitation. 14
263	263
264	264	3.5–405. 15
265	265
266	266	(a) This section does not apply to municipal governments. 16
267	267
268	268	(b) In a manner and frequency established in regulations adopted by the 17
269	269	Department, each county government, local school system, and local health department 18
270	270	shall, in consultation with the local emergency manager, create or update a cybersecurity 19
271	271	preparedness and response plan and complete a cybersecurity preparedness assessment. 20
272	272
273	273	(C) THE DEPARTMENT SHALL ASSI GN AT LEAST THREE IN FORMATION 21
274	274	SECURITY OFFICERS TO SUPPORT LOCAL SCHOOL SYSTEMS WITH : 22
275	275
276	276	(1) COMPLIANCE WITH THE STATE MINIMUM CYBERSE CURITY 23
277	277	STANDARDS; 24
278	278
279	279	(2) CONDUCTING CYBERSECU RITY MATURITY ASSESSMENTS EV ERY 2 25
280	280	YEARS; AND 26
281	281
282	282	(3) REMEDIATION EFFORTS . 27
283	283
284	284	(D) ON OR BEFORE JUNE 30, 2026, AND EACH JUNE 30 EVERY 2 YEARS 28
285	285	THEREAFTER , EACH LOCAL SCHOOL SY STEM SHALL CERTIFY T O THE OFFICE OF 29
286	286	SECURITY MANAGEMENT COMPLIANCE WITH THE STATE MINIMUM 30
287	287	CYBERSECURITY STANDARDS . 31 HOUSE BILL 1309 7
288	288
289	289
290	290
291	291	Article – State Government 1
292	292
293	293	2–1221. 2
294	294
295	295	(a) A fiscal/compliance audit conducted by the Office of Legislative Audits shall 3
296	296	include: 4
297	297
298	298	(1) examining financial transactions and records and internal controls; 5
299	299
300	300	(2) evaluating compliance with applicable laws and regulations; 6
301	301
302	302	(3) examining electronic data processing operations; and 7
303	303
304	304	(4) evaluating compliance with applicable laws and regulations relating to 8
305	305	the acquisition of goods and services from Maryland Correctional Enterprises. 9
306	306
307	307	(b) A performance audit conducted by the Office of Legislative Audits may 10
308	308	include: 11
309	309
310	310	(1) evaluating the efficiency, effectiveness, and economy with which 12
311	311	resources are used; 13
312	312
313	313	(2) determining whether desired program results are achieved; and 14
314	314
315	315	(3) determining the reliability of performance measures, as defined in § 15
316	316	3–1001(g) of the State Finance and Procurement Article, identified in: 16
317	317
318	318	(i) the managing for results agency strategic plan developed under 17
319	319	§ 3–1002(c) of the State Finance and Procurement Article; or 18
320	320
321	321	(ii) the StateStat agency strategic plan developed under § 3–1003(d) 19
322	322	of the State Finance and Procurement Article. 20
323	323
324	324	(c) The purpose of financial statement audits conducted by the Office of 21
325	325	Legislative Audits shall be to express an opinion regarding the fairness of the presentation 22
326	326	of a unit’s financial statements. 23
327	327
328	328	(d) (1) The audits referred to in subsections (a), (b), and (c) of this section shall 24
329	329	be conducted in accordance with generally accepted government auditing standards. 25
330	330
331	331	(2) FOR THE AUDITS REFERRE D TO IN SUBSECTIONS (A), (B), AND (C) 26
332	332	OF THIS SECTION, THE OFFICE OF LEGISLATIVE AUDITS SHALL BE GUIDE D BY THE 27
333	333	DEPARTMENT OF INFORMATION TECHNOLOGY ’S STATE MINIMUM CYBERSE CURITY 28
334	334	STANDARDS. 29
335	335	8 HOUSE BILL 1309
336	336
337	337
338	338	(e) (1) Upon approval of the Joint Audit and Evaluation Committee, the Office 1
339	339	of Legislative Audits shall develop and use a rating system that is based on the results of 2
340	340	a fiscal/compliance audit to determine an overall evaluation of a unit’s financial 3
341	341	transactions, records, and internal controls and compliance with applicable laws and 4
342	342	regulations as a means of comparing the various units of State government. 5
343	343
344	344	(2) When an evaluation is issued, it shall be provided to the unit and shall 6
345	345	be available to the Joint Audit and Evaluation Committee and the Budget Committees of 7
346	346	the Maryland General Assembly. 8
347	347
348	348	SECTION 2. AND BE IT FURTHER ENACTED, That, for the 2025 –2026 school 9
349	349	year, the Department of Information Technology shall focus on Standard 6.2 Protect (PR) 10
350	350	Controls of the State minimum cybersecurity standards. 11
351	351
352	352	SECTION 3. AND BE IT FURTHER ENACTED, That this Act shall take effect July 12
353	353	1, 2025. 13
354	354
355	355