Maryland 2025 Regular Session

Maryland Senate Bill SB244 Compare Versions

11
22
33 EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW.
44 [Brackets] indicate matter deleted from existing law.
5- Underlining indicates amendments to bill.
6- Strike out indicates matter stricken from the bill by amendment or deleted from the law by
7-amendment.
85 *sb0244*
96
107 SENATE BILL 244
118 S2 5lr0197
129 (PRE–FILED) CF HB 235
1310 By: Chair, Education, Energy, and the Environment Committee (By Request –
1411 Departmental – Information Technology)
1512 Requested: September 19, 2024
1613 Introduced and read first time: January 8, 2025
1714 Assigned to: Education, Energy, and the Environment
18-Committee Report: Favorable with amendments
19-Senate action: Adopted
20-Read second time: February 16, 2025
2115
22-CHAPTER ______
16+A BILL ENTITLED
2317
2418 AN ACT concerning 1
2519
2620 State Government – Information Technology – Cybersecurity Revisions 2
2721
2822 FOR the purpose of altering the duties of the Cyber Preparedness Unit in the Maryland 3
2923 Department of Emergency Management; altering the duties of the Office of Security 4
3024 Management in the Department of Information Technology; altering the content of 5
3125 a certain report on the activities of the Office and the state of cybersecurity 6
3226 preparedness in the State; altering the responsibilities of the Secretary of 7
3327 Information Technology with regard to information technology policies and a 8
3428 statewide cybersecurity strategy; and generally relating to State cybersecurity. 9
3529
3630 BY repealing and reenacting, without amendments, 10
3731 Article – Public Safety 11
3832 Section 14–104.1(a) 12
3933 Annotated Code of Maryland 13
4034 (2022 Replacement Volume and 2024 Supplement) 14
4135
4236 BY repealing and reenacting, with amendments, 15
4337 Article – Public Safety 16
4438 Section 14–104.1(b) 17
4539 Annotated Code of Maryland 18
4640 (2022 Replacement Volume and 2024 Supplement) 19
4741
48-BY repealing and reenacting, with amendments, 20 2 SENATE BILL 244
42+BY repealing and reenacting, with amendments, 20
43+ Article – State Finance and Procurement 21
44+ Section 3.5–2A–04 and 3.5–303(a)(1) and (5) 22
45+ Annotated Code of Maryland 23
46+ (2021 Replacement Volume and 2024 Supplement) 24
47+ 2 SENATE BILL 244
4948
5049
51- Article – State Finance and Procurement 1
52- Section 3.5–2A–04 and 3.5–303(a)(1) and (5) 2
53- Annotated Code of Maryland 3
54- (2021 Replacement Volume and 2024 Supplement) 4
50+ SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 1
51+That the Laws of Maryland read as follows: 2
5552
56- SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMB LY OF MARYLAND, 5
57-That the Laws of Maryland read as follows: 6
53+Article – Public Safety 3
5854
59-Article – Public Safety 7
55+14–104.1. 4
6056
61-14–104.1. 8
57+ (a) (1) In this section the following words have the meanings indicated. 5
6258
63- (a) (1) In this section the following words have the meanings indicated. 9
59+ (2) “Local government” includes local school systems, local school boards, 6
60+and local health departments. 7
6461
65- (2) “Local government” includes local school systems, local school boards, 10
66-and local health departments. 11
62+ (3) “Unit” means the Cyber Preparedness Unit. 8
6763
68- (3) “Unit” means the Cyber Preparedness Unit. 12
64+ (b) (1) There is a Cyber Preparedness Unit in the Department. 9
6965
70- (b) (1) There is a Cyber Preparedness Unit in the Department. 13
66+ (2) In coordination with the State Chief Information Security Officer, the 10
67+Unit shall: 11
7168
72- (2) In coordination with the State Chief Information Security Officer, the 14
73-Unit shall: 15
69+ (i) [support local governments in developing a vulnerability 12
70+assessment and cyber assessment, including providing local governments with the 13
71+resources and information on best practices to complete the assessments; 14
7472
75- (i) [support local governments in developing a vulnerability 16
76-assessment and cyber assessment, including providing local governments with the 17
77-resources and information on best practices to complete the assessments; 18
73+ (ii)] develop and regularly update an online database of cybersecurity 15
74+training resources for local government personnel, including technical training resources, 16
75+cybersecurity continuity of operations templates, AND consequence management plans[, 17
76+and trainings on malware and ransomware detection]; 18
7877
79- (ii)] develop and regularly update an online database of cybersecurity 19
80-training resources for local government personnel, including technical training resources, 20
81-cybersecurity continuity of operations templates, AND consequence management plans[, 21
82-and trainings on malware and ransomware detection]; 22
78+ [(iii)] (II) assist local governments in: 19
8379
84- [(iii)] (II) assist local governments in: 23
80+ 1. the development of cybersecurity preparedness and 20
81+response plans; 21
8582
86- 1. the development of cybersecurity preparedness and 24
87-response plans; 25
83+ 2. implementing best practices and guidance developed by 22
84+the State Chief Information Security Officer; and 23
8885
89- 2. implementing best practices and guidance developed by 26
90-the State Chief Information Security Officer; and 27
86+ 3. identifying and acquiring resources to complete 24
87+appropriate cybersecurity vulnerability assessments; 25
9188
92- 3. identifying and acquiring resources to complete 28
93-appropriate cybersecurity vulnerability assessments; 29
89+ [(iv)] (III) connect local governments to appropriate resources for 26
90+any other purpose related to cybersecurity preparedness and response; 27
9491
95- [(iv)] (III) connect local governments to appropriate resources for 30
96-any other purpose related to cybersecurity preparedness and response; 31 SENATE BILL 244 3
92+ [(v)] (IV) as necessary and in coordination with the National Guard, 28
93+local emergency managers, and other State and local entitie s, conduct regional 29
94+cybersecurity preparedness exercises; and 30
95+ SENATE BILL 244 3
9796
9897
98+ [(vi)] (V) establish regional assistance groups to deliver and 1
99+coordinate support services to local governments, agencies, or regions. 2
99100
100- [(v)] (IV) as necessary and in coordination with the National Guard, 1
101-local emergency managers, and other State and local entities, conduct regional 2
102-cybersecurity preparedness exercises; and 3
101+ (3) The Unit shall support the Office of Security Management in the 3
102+Department of Information Technology during emergency response efforts. 4
103103
104- [(vi)] (V) establish regional assistance groups to deliver and 4
105-coordinate support services to local governments, agencies, or regions. 5
104+Article – State Finance and Procurement 5
106105
107- (3) The Unit shall support the Office of Security Management in the 6
108-Department of Information Technology during emergency response efforts. 7
106+3.5–2A–04. 6
109107
110-Article – State Finance and Procurement 8
108+ (a) (1) The Office is responsible for: 7
111109
112-3.5–2A–04. 9
110+ (i) the direction, coordination, and implementation of the overall 8
111+cybersecurity strategy and policy for units of State government; and 9
113112
114- (a) (1) The Office is responsible for: 10
113+ (ii) supporting and coordinating with the Maryland Department of 10
114+Emergency Management Cyber Preparedness Unit during emergency response efforts. 11
115115
116- (i) the direction, coordination, and implementation of the overall 11
117-cybersecurity strategy and policy for units of State government; and 12
116+ (2) The Office is not responsible for the information technology installation 12
117+and maintenance operations normally conducted by a unit of State government, a unit of 13
118+local government, a local school board, a local school system, or a local health department. 14
118119
119- (ii) supporting and coordinating with the Maryland Department of 13
120-Emergency Management Cyber Preparedness Unit during emergency response efforts. 14
120+ (b) The Office shall: 15
121121
122- (2) The Office is not responsible for the information technology installation 15
123-and maintenance operations normally conducted by a unit of State government, a unit of 16
124-local government, a local school board, a local school system, or a local health department. 17
122+ (1) establish standards to categorize all information collected or 16
123+maintained by or on behalf of each unit of State government; 17
125124
126- (b) The Office shall: 18
125+ (2) establish standards to categorize all information systems maintained 18
126+by or on behalf of each unit of State government; 19
127127
128- (1) establish standards to categorize all information collected or 19
129-maintained by or on behalf of each unit of State government; 20
128+ (3) develop guidelines governing the types of information and information 20
129+systems to be included in each category; 21
130130
131- (2) establish standards to categorize all information systems maintained 21
132-by or on behalf of each unit of State government; 22
131+ (4) establish security requirements for information and information 22
132+systems in each category; 23
133133
134- (3) develop guidelines governing the types of information and information 23
135-systems to be included in each category; 24
134+ (5) assess the categorization of information and information systems and 24
135+the associated implementation of the security requirements established under item (4) of 25
136+this subsection; 26
136137
137- (4) establish security requirements for information and information 25
138-systems in each category; 26
138+ (6) if the State Chief Information Security Officer determines that there 27
139+are security vulnerabilities or deficiencies in any information systems, determine and direct 28
140+or take actions necessary to correct or remediate the vulnerabilities or deficiencies, which 29
141+may include requiring the information system to be disconnected; 30
139142
140- (5) assess the categorization of information and information systems and 27
141-the associated implementation of the security requirements established under item (4) of 28
142-this subsection; 29
143-
144- (6) if the State Chief Information Security Officer determines that there 30
145-are security vulnerabilities or deficiencies in any information systems, determine and direct 31 4 SENATE BILL 244
143+ (7) if the State Chief Information Security Officer determines that there is 31
144+a cybersecurity threat caused by, AFFECTING, OR POTENTIALLY AFFECTING an entity 32 4 SENATE BILL 244
146145
147146
148-or take actions necessary to correct or remediate the vulnerabilities or deficiencies, which 1
149-may include requiring the information system to be disconnected; 2
147+connected to the network established under § 3.5–404 of this title that introduces OR MAY 1
148+INTRODUCE a serious risk to entities connected to the network or to the State, take or 2
149+direct actions required to mitigate the threat; 3
150150
151- (7) if the State Chief Information Security Officer determines that there is 3
152-a cybersecurity threat caused by, AFFECTING, OR POTENTIALLY AFFEC TING an entity 4
153-connected to the network established under § 3.5–404 of this title that introduces OR MAY 5
154-INTRODUCE a serious risk to entities connected to the network or to the State, take or 6
155-direct actions required to mitigate the threat; 7
151+ (8) manage security awareness training for all appropriate employees of 4
152+units of State government; 5
156153
157- (8) manage security awareness training for all appropriate employees of 8
158-units of State government; 9
154+ (9) assist in the development of data management, data governance, and 6
155+data specification standards to promote standardization and reduce risk; 7
159156
160- (9) assist in the development of data management, data governance, and 10
161-data specification standards to promote standardization and reduce risk; 11
157+ (10) assist in the development of a digital identity standard and 8
158+specification applicable to all parties communicating, interacting, or conducting business 9
159+with or on behalf of a unit of State government; 10
162160
163- (10) assist in the development of a digital identity standard and 12
164-specification applicable to all parties communicating, interacting, or conducting business 13
165-with or on behalf of a unit of State government; 14
161+ (11) develop and maintain information technology security policy, 11
162+standards, and guidance documents, consistent with best practices developed by the 12
163+National Institute of Standards and Technology; 13
166164
167- (11) develop and maintain information technology security policy, 15
168-standards, and guidance documents, consistent with best practices developed by the 16
169-National Institute of Standards and Technology; 17
165+ (12) to the extent practicable, seek, identify, and inform relevant 14
166+stakeholders of any available financial assistance provided by the federal government or 15
167+non–State entities to support the work of the Office; 16
170168
171- (12) to the extent practicable, seek, identify, and inform relevant 18
172-stakeholders of any available financial assistance provided by the federal government or 19
173-non–State entities to support the work of the Office; 20
169+ (13) provide technical assistance to localities in mitigating and recovering 17
170+from cybersecurity incidents; [and] 18
174171
175- (13) provide technical assistance to localities in mitigating and recovering 21
176-from cybersecurity incidents; [and] 22
172+ (14) provide technical services, advice, and guidance to units of local 19
173+government to improve cybersecurity preparedness, prevention, response, and recovery 20
174+practices; AND 21
177175
178- (14) provide technical services, advice, and guidance to units of local 23
179-government to improve cybersecurity preparedness, prevention, response, and recovery 24
180-practices; AND 25
176+ (15) SUPPORT LOCAL GOVERN MENTS IN DEVELOPING A 22
177+VULNERABILITY ASSESS MENT AND CYBER ASSES SMENT, INCLUDING PROVIDING 23
178+LOCAL GOVERNMENTS WI TH THE RESOURCES AND INFORMATION ON BEST 24
179+PRACTICES TO COMPLET E THE ASSESSMENTS . 25
181180
182- (15) SUPPORT LOCAL GOVERN MENTS IN DEVELOPING A 26
183-VULNERABILITY ASSESS MENT AND CYBER ASSES SMENT, INCLUDING PROVIDING 27
184-LOCAL GOVERNMENTS WI TH THE RESOURCES AND INFORMATION ON B EST 28
185-PRACTICES TO COMPLET E THE ASSESSMENTS . 29
181+ (c) The Office, in coordination with the Maryland Department of Emergency 26
182+Management, shall: 27
186183
187- (c) The Office, in coordination with the Maryland Department of Emergency 30
188-Management, shall: 31
184+ (1) assist local political subdivisions, including counties, school systems, 28
185+school boards, and local health departments, in[: 29
189186
190- (1) assist local political subdivisions, including counties, school systems, 32
191-school boards, and local health departments, in[: 33
187+ (i) the development of cybersecurity preparedness and response 30
188+plans; and 31
189+
190+ (ii)] implementing best practices and guidance developed by the 32
191+Department; and 33
192192 SENATE BILL 244 5
193193
194194
195- (i) the development of cybersecurity preparedness and response 1
196-plans; and 2
195+ (2) connect local entities to appropriate resources for any other purpose 1
196+related to cybersecurity preparedness and response. 2
197197
198- (ii)] implementing best practices and guidance developed by the 3
199-Department; and 4
198+ (d) The Office, in coordination with the Maryland Department of Emergency 3
199+Management, may: 4
200200
201- (2) connect local entities to appropriate resources for any other purpose 5
202-related to cybersecurity preparedness and response. 6
201+ (1) conduct regional exercises, as necessary, in coordination with the 5
202+National Guard, local emergency managers, and other State and local entities; and 6
203203
204- (d) The Office, in coordination with the Maryland Department of Emergency 7
205-Management, may: 8
204+ (2) establish regional assistance groups to deliver or coordinate support 7
205+services to local political subdivisions, agencies, or regions. 8
206206
207- (1) conduct regional exercises, as necessary, in coordination with the 9
208-National Guard, local emergency managers, and other State and local entities; and 10
207+ (e) (1) On or before December 31 each year, the Office shall report to the 9
208+Governor and, in accordance with § 2–1257 of the State Government Article, the Senate 10
209+Budget and Taxation Committee, the Senate [Education, Health, and Environmental 11
210+Affairs] Committee ON EDUCATION, ENERGY, AND THE ENVIRONMENT , the House 12
211+Appropriations Committee, the House Health and Government Operations Committee, and 13
212+the Joint Committee on Cybersecurity, Information Technology, and Biotechnology on the 14
213+activities of the Office and the state of cybersecurity preparedness in Maryland, including: 15
209214
210- (2) establish regional assistance groups to deliver or coordinate support 11
211-services to local political subdivisions, agencies, or regions. 12
215+ (i) the activities and accomplishments of the Office during the 16
216+previous 12 months at the State and local levels; and 17
212217
213- (e) (1) On or before December 31 each year, the Office shall report to the 13
214-Governor and, in accordance with § 2–1257 of the State Government Article, the Senate 14
215-Budget and Taxation Committee, the Senate [Education, Health, and Environmental 15
216-Affairs] Committee ON EDUCATION, ENERGY, AND THE ENVIRONMENT , the House 16
217-Appropriations Committee, the House Health and Government Operations Committee, and 17
218-the Joint Committee on Cybersecurity, Information Technology, and Biotechnology on the 18
219-activities of the Office and the state of cybersecurity preparedness in Maryland, including: 19
218+ (ii) a compilation and analysis of the data from the information 18
219+contained in the reports received by the Office under § 3.5–405 of this title, including: 19
220220
221- (i) the activities and accomplishments of the Office during the 20
222-previous 12 months at the State and local levels; and 21
221+ 1. a summary of the issues identified by the cybersecurity 20
222+preparedness assessments conducted that year; 21
223223
224- (ii) a compilation and analysis of the data from the information 22
225-contained in the reports received by the Office under § 3.5–405 of this title, including: 23
224+ 2. the status of vulnerability assessments of all units of State 22
225+government and a timeline for completion and cost to remediate any vulnerabilities 23
226+exposed; 24
226227
227- 1. a summary of the issues identified by the cybersecurity 24
228-preparedness assessments conducted that year; 25
228+ 3. recent audit findings of all units of State government and 25
229+options to improve findings in future audits, including recommendations for staff, budget, 26
230+and timing; 27
229231
230- 2. the status of vulnerability assessments of all units of State 26
231-government and a timeline for completion and cost to remediate any vulnerabilities 27
232-exposed; 28
232+ 4. [analysis of the State’s expenditure on cybersecurity 28
233+relative to overall information technology spending for the prior 3 years and 29
234+recommendations for changes to the budget, including amount, purpose, and timing to 30
235+improve State and local cybersecurity preparedness; 31
233236
234- 3. recent audit findings of all units of State government and 29
235-options to improve findings in future audits, including recommendations for staff, budget, 30
236-and timing; 31
237-
238- 4. [analysis of the State’s expenditure on cybersecurity 32
239-relative to overall information technology spending for the prior 3 years and 33
240-recommendations for changes to the budget, including amount, purpose, and timing to 34
241-improve State and local cybersecurity preparedness; 35 6 SENATE BILL 244
237+ 5.] efforts to secure financial support for cyber risk mitigation 32
238+from federal or other non–State resources; 33
239+ 6 SENATE BILL 244
242240
243241
242+ [6.] 5. key performance indicators on the cybersecurity strategies 1
243+in the Department’s information technology master plan, including time, budget, and staff 2
244+required for implementation; and 3
244245
245- 5.] efforts to secure financial support for cyber risk mitigation 1
246-from federal or other non–State resources; 2
246+ [7.] 6. any additional recommendations for improving State and 4
247+local cybersecurity preparedness. 5
247248
248- [6.] 5. key performance indicators on the cybersecurity 3
249-strategies in the Department’s information technology master plan, including time, budget, 4
250-and staff required for implementation; and 5
249+ (2) A report submitted under this subsection may not contain information 6
250+that reveals cybersecurity vulnerabilities and risks in the State. 7
251251
252- [7.] 6. any additional recommendations for improving 6
253-State and local cybersecurity preparedness. 7
252+3.5–303. 8
254253
255- (2) A report submitted under this subsection may not contain information 8
256-that reveals cybersecurity vulnerabilities and risks in the State. 9
254+ (a) The Secretary is responsible for carrying out the following duties: 9
257255
258- (F) (1) EXCEPT AS PROVIDED IN PARAGRAPH (2) OF THIS SUBSECTION , 10
259-ON OR BEFORE THE THI RD WEDNESDAY IN JANUARY EACH YEAR , THE OFFICE 11
260-SHALL REPORT TO THE GOVERNOR AND , IN ACCORDANCE WITH § 2–1257 OF THE 12
261-STATE GOVERNMEN T ARTICLE, THE SENATE BUDGET AND TAXATION COMMITTEE, 13
262-THE SENATE COMMITTEE ON EDUCATION, ENERGY, AND THE ENVIRONMENT , THE 14
263-HOUSE APPROPRIATIONS COMMITTEE, THE HOUSE HEALTH AND GOVERNMENT 15
264-OPERATIONS COMMITTEE, AND THE JOINT COMMITTEE ON CYBERSECURITY , 16
265-INFORMATION TECHNOLOGY , AND BIOTECHNOLOGY ON : 17
256+ (1) developing, IMPLEMENTING , maintaining, revising, and enforcing 10
257+information technology policies, procedures, and standards; 11
266258
267- (I) THE STATE’S EXPENDITURE ON CYB ERSECURITY RELATIVE 18
268-TO OVERALL INFORMATI ON TECHNOLOGY SPENDI NG FOR THE PRIOR 3 YEARS; AND 19
259+ (5) developing, IMPLEMENTING , and maintaining a statewide 12
260+cybersecurity strategy that will: 13
269261
270- (II) RECOMMENDATIONS FOR CHANGES TO THE BUDGE T, 20
271-INCLUDING THE AMOUNT , PURPOSE, AND TIMING OF FUNDING TO I MPROVE STATE 21
272-AND LOCAL CYBERSECUR ITY PREPAREDNESS . 22
262+ (i) centralize the management and direction of cybersecurity 14
263+strategy within the Executive Branch of State government under the control of the 15
264+Department; and 16
273265
274- (2) IN A YEAR WITH A NEWL Y ELECTED GOVERNOR, THE REPORT 23
275-REQUIRED UNDER PARAG RAPH (1) OF THIS SUBSECTION S HALL BE SUBMITTED ON 24
276-OR BEFORE THE THIRD FRIDAY OF JANUARY. 25
266+ (ii) serve as the basis for budget allocations for cybersecurity 17
267+preparedness for the Executive Branch of State government; 18
277268
278-3.5–303. 26
279-
280- (a) The Secretary is responsible for carrying out the following duties: 27
281-
282- (1) developing, IMPLEMENTING , maintaining, revising, and enforcing 28
283-information technology policies, procedures, and standards; 29
284-
285- (5) developing, IMPLEMENTING , and maintaining a statewi de 30
286-cybersecurity strategy that will: 31
287- SENATE BILL 244 7
288-
289-
290- (i) centralize the management and direction of cybersecurity 1
291-strategy within the Executive Branch of State government under the control of the 2
292-Department; and 3
293-
294- (ii) serve as the basis for budget allocations for cybersecurity 4
295-preparedness for the Executive Branch of State government; 5
296-
297- SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect 6
298-October 1, 2025. 7
299-
300-
301-
302-
303-Approved:
304-________________________________________________________________________________
305- Governor.
306-________________________________________________________________________________
307- President of the Senate.
308-________________________________________________________________________________
309- Speaker of the House of Delegates.
269+ SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect 19
270+October 1, 2025. 20