EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW. [Brackets] indicate matter deleted from existing law.

*hb0235*

HOUSE BILL 235
S2 5lr0198
(PRE–FILED) CF SB 244

By: Chair, Health and Government Operations Committee (By Request – Departmental – Information Technology)
Requested: September 19, 2024
Introduced and read first time: January 8, 2025
Assigned to: Health and Government Operations

A BILL ENTITLED

AN ACT concerning

State Government – Information Technology – Cybersecurity Revisions

FOR the purpose of altering the duties of the Cyber Preparedness Unit in the Maryland Department of Emergency Management; altering the duties of the Office of Security Management in the Department of Information Technology; altering the content of a certain report on the activities of the Office and the state of cybersecurity preparedness in the State; altering the responsibilities of the Secretary of Information Technology with regard to information technology policies and a statewide cybersecurity strategy; and generally relating to State cybersecurity.

BY repealing and reenacting, without amendments,
Article – Public Safety
Section 14–104.1(a)
Annotated Code of Maryland
(2022 Replacement Volume and 2024 Supplement)

BY repealing and reenacting, with amendments,
Article – Public Safety
Section 14–104.1(b)
Annotated Code of Maryland
(2022 Replacement Volume and 2024 Supplement)

BY repealing and reenacting, with amendments,
Article – State Finance and Procurement
Section 3.5–2A–04 and 3.5–303(a)(1) and (5)
Annotated Code of Maryland
(2021 Replacement Volume and 2024 Supplement)

SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, That the Laws of Maryland read as follows:

Article – Public Safety

14–104.1.

(a) (1) In this section the following words have the meanings indicated.

(2) “Local government” includes local school systems, local school boards, and local health departments.

(3) “Unit” means the Cyber Preparedness Unit.

(b) (1) There is a Cyber Preparedness Unit in the Department.

(2) In coordination with the State Chief Information Security Officer, the Unit shall:

(i) [support local governments in developing a vulnerability assessment and cyber assessment, including providing local governments with the resources and information on best practices to complete the assessments;

(ii)] develop and regularly update an online database of cybersecurity training resources for local government personnel, including technical training resources, cybersecurity continuity of operations templates, AND consequence management plans[, and trainings on malware and ransomware detection];

[(iii)] (II) assist local governments in:

1. the development of cybersecurity preparedness and response plans;

2. implementing best practices and guidance developed by the State Chief Information Security Officer; and

3. identifying and acquiring resources to complete appropriate cybersecurity vulnerability assessments;

[(iv)] (III) connect local governments to appropriate resources for any other purpose related to cybersecurity preparedness and response;

[(v)] (IV) as necessary and in coordination with the National Guard, local emergency managers, and other State and local entities, conduct regional cybersecurity preparedness exercises; and

[(vi)] (V) establish regional assistance groups to deliver and coordinate support services to local governments, agencies, or regions.

(3) The Unit shall support the Office of Security Management in the Department of Information Technology during emergency response efforts.

Article – State Finance and Procurement

3.5–2A–04.

(a) (1) The Office is responsible for:

(i) the direction, coordination, and implementation of the overall cybersecurity strategy and policy for units of State government; and

(ii) supporting and coordinating with the Maryland Department of Emergency Management Cyber Preparedness Unit during emergency response efforts.

(2) The Office is not responsible for the information technology installation and maintenance operations normally conducted by a unit of State government, a unit of local government, a local school board, a local school system, or a local health department.

(b) The Office shall:

(1) establish standards to categorize all information collected or maintained by or on behalf of each unit of State government;

(2) establish standards to categorize all information systems maintained by or on behalf of each unit of State government;

(3) develop guidelines governing the types of information and information systems to be included in each category;

(4) establish security requirements for information and information systems in each category;

(5) assess the categorization of information and information systems and the associated implementation of the security requirements established under item (4) of this subsection;

(6) if the State Chief Information Security Officer determines that there are security vulnerabilities or deficiencies in any information systems, determine and direct or take actions necessary to correct or remediate the vulnerabilities or deficiencies, which may include requiring the information system to be disconnected;

(7) if the State Chief Information Security Officer determines that there is a cybersecurity threat caused by, AFFECTING, OR POTENTIALLY AFFECTING an entity connected to the network established under § 3.5–404 of this title that introduces OR MAY INTRODUCE a serious risk to entities connected to the network or to the State, take or direct actions required to mitigate the threat;

(8) manage security awareness training for all appropriate employees of units of State government;

(9) assist in the development of data management, data governance, and data specification standards to promote standardization and reduce risk;

(10) assist in the development of a digital identity standard and specification applicable to all parties communicating, interacting, or conducting business with or on behalf of a unit of State government;

(11) develop and maintain information technology security policy, standards, and guidance documents, consistent with best practices developed by the National Institute of Standards and Technology;

(12) to the extent practicable, seek, identify, and inform relevant stakeholders of any available financial assistance provided by the federal government or non–State entities to support the work of the Office;

(13) provide technical assistance to localities in mitigating and recovering from cybersecurity incidents; [and]

(14) provide technical services, advice, and guidance to units of local government to improve cybersecurity preparedness, prevention, response, and recovery practices; AND

(15) SUPPORT LOCAL GOVERNMENTS IN DEVELOPING A VULNERABILITY ASSESSMENT AND CYBER ASSESSMENT, INCLUDING PROVIDING LOCAL GOVERNMENTS WITH THE RESOURCES AND INFORMATION ON BEST PRACTICES TO COMPLETE THE ASSESSMENTS.

(c) The Office, in coordination with the Maryland Department of Emergency Management, shall:

(1) assist local political subdivisions, including counties, school systems, school boards, and local health departments, in[:

(i) the development of cybersecurity preparedness and response plans; and

(ii)] implementing best practices and guidance developed by the Department; and

(2) connect local entities to appropriate resources for any other purpose related to cybersecurity preparedness and response.

(d) The Office, in coordination with the Maryland Department of Emergency Management, may:

(1) conduct regional exercises, as necessary, in coordination with the National Guard, local emergency managers, and other State and local entities; and

(2) establish regional assistance groups to deliver or coordinate support services to local political subdivisions, agencies, or regions.

(e) (1) On or before December 31 each year, the Office shall report to the Governor and, in accordance with § 2–1257 of the State Government Article, the Senate Budget and Taxation Committee, the Senate [Education, Health, and Environmental Affairs] Committee ON EDUCATION, ENERGY, AND THE ENVIRONMENT, the House Appropriations Committee, the House Health and Government Operations Committee, and the Joint Committee on Cybersecurity, Information Technology, and Biotechnology on the activities of the Office and the state of cybersecurity preparedness in Maryland, including:

(i) the activities and accomplishments of the Office during the previous 12 months at the State and local levels; and

(ii) a compilation and analysis of the data from the information contained in the reports received by the Office under § 3.5–405 of this title, including:

1. a summary of the issues identified by the cybersecurity preparedness assessments conducted that year;

2. the status of vulnerability assessments of all units of State government and a timeline for completion and cost to remediate any vulnerabilities exposed;

3. recent audit findings of all units of State government and options to improve findings in future audits, including recommendations for staff, budget, and timing;

4. [analysis of the State’s expenditure on cybersecurity relative to overall information technology spending for the prior 3 years and recommendations for changes to the budget, including amount, purpose, and timing to improve State and local cybersecurity preparedness;

5.] efforts to secure financial support for cyber risk mitigation from federal or other non–State resources;

[6.] 5. key performance indicators on the cybersecurity strategies in the Department’s information technology master plan, including time, budget, and staff required for implementation; and

[7.] 6. any additional recommendations for improving State and local cybersecurity preparedness.

(2) A report submitted under this subsection may not contain information that reveals cybersecurity vulnerabilities and risks in the State.

3.5–303.

(a) The Secretary is responsible for carrying out the following duties:

(1) developing, IMPLEMENTING, maintaining, revising, and enforcing information technology policies, procedures, and standards;

(5) developing, IMPLEMENTING, and maintaining a statewide cybersecurity strategy that will:

(i) centralize the management and direction of cybersecurity strategy within the Executive Branch of State government under the control of the Department; and

(ii) serve as the basis for budget allocations for cybersecurity preparedness for the Executive Branch of State government;

SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect October 1, 2025.