EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW.
[Brackets] indicate matter deleted from existing law.

SENATE BILL 907
F1, S2          5lr2152
                CF 5lr3329
By: Senator Hester
Introduced and read first time: January 28, 2025
Assigned to: Education, Energy, and the Environment

A BILL ENTITLED

AN ACT concerning

Cybersecurity – Standards, Compliance, and Audits – Alterations

FOR the purpose of repealing the requirement that county boards of education prioritize the purchase of digital devices with certain funds; requiring each local school system to comply with, and certify compliance with, the State minimum cybersecurity standards and to conduct a cybersecurity maturity assessment every 2 years; requiring the Office of Security Management within the Department of Information Technology to annually update the State minimum cybersecurity standards; requiring the Department of Information Technology to provide a certain number of information security officers to assist local school systems with certain functions and to focus on a certain standard for a certain school year; requiring the Office of Legislative Audits within the Department of Legislative Services to refer to the State minimum cybersecurity standards when conducting certain audits; and generally relating to cybersecurity.
BY repealing and reenacting, with amendments,
    Article – Education
    Section 5–212
    Annotated Code of Maryland
    (2022 Replacement Volume and 2024 Supplement)

BY adding to
    Article – Education
    Section 5–213(e) and (f)
    Annotated Code of Maryland
    (2022 Replacement Volume and 2024 Supplement)

BY repealing and reenacting, with amendments,
    Article – State Finance and Procurement
    Section 3.5–101, 3.5–2A–04(b), and 3.5–405
    Annotated Code of Maryland
    (2021 Replacement Volume and 2024 Supplement)

BY repealing and reenacting, without amendments,
    Article – State Finance and Procurement
    Section 3.5–2A–02 and 3.5–301(a) and (c)
    Annotated Code of Maryland
    (2021 Replacement Volume and 2024 Supplement)

BY repealing and reenacting, with amendments,
    Article – State Government
    Section 2–1221
    Annotated Code of Maryland
    (2021 Replacement Volume and 2024 Supplement)

SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, That the Laws of Maryland read as follows:

Article – Education

5–212.

(a) The target per pupil foundation amount includes costs associated with implementing the Blueprint for Maryland’s Future including:

    (1) Increasing salaries;

    (2) Additional teachers to provide professional learning and collaborative time for teachers;

    (3) Career counseling;

    (4) Behavioral health;

    (5) Instructional opportunities for students who are college and career ready and those who are not;

    (6) Maintenance and operation of schools;

    (7) Supplies and materials for teachers; and

    (8) Educational technology including digital devices, broadband connectivity, [and] information technology staff, AND CYBERSECURITY.

(b) Schools may use funds provided under this section to provide the programs required under COMAR 13A.04.16.01.
(c) (1) [County boards of education and schools shall prioritize the purchase of digital devices for using funds under subsection (a)(8) of this section.

    (2)] Additional funds provided in the target per pupil foundation amount for educational technology are intended to supplement and not supplant existing funding provided for educational technology.

    [(3)] (2) (i) On or before [November 15 each year] AUGUST 15, 2025, AND EACH AUGUST 15 THEREAFTER, each county board shall submit a report to the Department detailing, for the previous fiscal year:

        1. The amount spent by the local school system on [technology disaggregated by digital devices, connectivity, and] information technology staff[; and] DISAGGREGATED BY:

            A. FULL–TIME EMPLOYEES;

            B. VENDOR–SUPPORTED STAFF OR CONTRACTORS; AND

            C. DEDICATED CYBERSECURITY PROFESSIONALS BY TYPE, INCLUDING CHIEF INFORMATION SECURITY OFFICERS AND CYBERSECURITY SPECIALISTS;

        2. The percentage of students, teachers, and staff with digital devices and adequate connectivity in their homes in accordance with the Federal Communications Commission standards for broadband; AND

        3. CYBERSECURITY EXPENDITURES RELATED TO THE STATE MINIMUM CYBERSECURITY STANDARDS ESTABLISHED BY THE DEPARTMENT OF INFORMATION TECHNOLOGY.

        (ii) On or before December 15 each year, the Department shall submit to the General Assembly, in accordance with § 2–1257 of the State Government Article, a compilation of the reports submitted to the Department under subparagraph (i) of this paragraph.

        (iii) On or before September 1, 2021, the Department shall establish uniform reporting requirements, including definitions to ensure that consistent and comparable reports are submitted under subparagraph (i) of this paragraph.

5–213.
(E) (1) EACH COUNTY BOARD SHALL PROVIDE SUFFICIENT CYBERSECURITY STAFFING AS DETERMINED BY THE STATE CHIEF INFORMATION SECURITY OFFICER.

    (2) LOCAL SCHOOL SYSTEMS MAY SHARE SERVICES, CONTRACTORS, OR REGIONAL SUPPORT FROM THE DEPARTMENT TO MEET THE REQUIREMENTS OF SUBPARAGRAPH (I) OF THIS PARAGRAPH, PROVIDED THAT EACH LOCAL SCHOOL SYSTEM ENSURES TIMELY AND ADEQUATE SUPPORT FOR CYBERSECURITY.

(F) (1) BEGINNING IN 2026, EACH LOCAL SCHOOL SYSTEM SHALL:

        (I) COMPLY WITH THE STATE MINIMUM CYBERSECURITY STANDARDS; AND

        (II) CONDUCT A CYBERSECURITY MATURITY ASSESSMENT EVERY 2 YEARS.

    (2) ON OR BEFORE JUNE 30, 2026, AND EACH JUNE 30 EVERY 2 YEARS THEREAFTER, EACH LOCAL SCHOOL SYSTEM SHALL CERTIFY TO THE OFFICE OF SECURITY MANAGEMENT WITHIN THE DEPARTMENT OF INFORMATION TECHNOLOGY COMPLIANCE WITH THE STATE MINIMUM CYBERSECURITY STANDARDS.

Article – State Finance and Procurement

3.5–101.

(a) In this title the following words have the meanings indicated.

(b) “Cloud computing” means a service that enables on–demand self–service network access to a shared pool of configurable computer resources, including data storage, analytics, commerce, streaming, e–mail, document sharing, and document editing.

(c) “Department” means the Department of Information Technology.

(d) “Secretary” means the Secretary of Information Technology.

(E) “STATE MINIMUM CYBERSECURITY STANDARDS” MEANS THE STATE MINIMUM CYBERSECURITY STANDARDS ESTABLISHED BY THE DEPARTMENT OF INFORMATION TECHNOLOGY.

[(e)] (F) “Telecommunication” means the transmission of information, images, pictures, voice, or data by radio, video, or other electronic or impulse means.

[(f)] (G) “Unit of State government” means an agency or unit of the Executive Branch of State government.

3.5–2A–02.

There is an Office of Security Management within the Department.

3.5–2A–04.
(b) The Office shall:

    (1) establish standards to categorize all information collected or maintained by or on behalf of each unit of State government;

    (2) establish standards to categorize all information systems maintained by or on behalf of each unit of State government;

    (3) develop guidelines governing the types of information and information systems to be included in each category;

    (4) establish security requirements for information and information systems in each category;

    (5) assess the categorization of information and information systems and the associated implementation of the security requirements established under item (4) of this subsection;

    (6) if the State Chief Information Security Officer determines that there are security vulnerabilities or deficiencies in any information systems, determine and direct or take actions necessary to correct or remediate the vulnerabilities or deficiencies, which may include requiring the information system to be disconnected;

    (7) if the State Chief Information Security Officer determines that there is a cybersecurity threat caused by an entity connected to the network established under § 3.5–404 of this title that introduces a serious risk to entities connected to the network or to the State, take or direct actions required to mitigate the threat;

    (8) manage security awareness training for all appropriate employees of units of State government;

    (9) assist in the development of data management, data governance, and data specification standards to promote standardization and reduce risk;

    (10) assist in the development of a digital identity standard and specification applicable to all parties communicating, interacting, or conducting business with or on behalf of a unit of State government;

    (11) develop and maintain information technology security policy, standards, and guidance documents, consistent with best practices developed by the National Institute of Standards and Technology;

    (12) to the extent practicable, seek, identify, and inform relevant stakeholders of any available financial assistance provided by the federal government or non–State entities to support the work of the Office;

    (13) provide technical assistance to localities in mitigating and recovering from cybersecurity incidents; [and]

    (14) ANNUALLY REVIEW AND UPDATE THE STATE MINIMUM CYBERSECURITY STANDARDS; AND

    (15) provide technical services, advice, and guidance to units of local government to improve cybersecurity preparedness, prevention, response, and recovery practices.

3.5–301.

(a) In this subtitle the following words have the meanings indicated.

(c) “Cybersecurity” means processes or capabilities wherein systems, communications, and information are protected and defended against damage, unauthorized use or modification, and exploitation.

3.5–405.

(a) This section does not apply to municipal governments.

(b) In a manner and frequency established in regulations adopted by the Department, each county government, local school system, and local health department shall, in consultation with the local emergency manager, create or update a cybersecurity preparedness and response plan and complete a cybersecurity preparedness assessment.

(C) THE DEPARTMENT SHALL ASSIGN AT LEAST THREE INFORMATION SECURITY OFFICERS TO SUPPORT LOCAL SCHOOL SYSTEMS WITH:

    (1) COMPLIANCE WITH THE STATE MINIMUM CYBERSECURITY STANDARDS;

    (2) CONDUCTING CYBERSECURITY MATURITY ASSESSMENTS EVERY 2 YEARS; AND

    (3) REMEDIATION EFFORTS.

(D) ON OR BEFORE JUNE 30, 2026, AND EACH JUNE 30 EVERY 2 YEARS THEREAFTER, EACH LOCAL SCHOOL SYSTEM SHALL CERTIFY TO THE OFFICE OF SECURITY MANAGEMENT COMPLIANCE WITH THE STATE MINIMUM CYBERSECURITY STANDARDS.

Article – State Government

2–1221.
(a) A fiscal/compliance audit conducted by the Office of Legislative Audits shall include:

    (1) examining financial transactions and records and internal controls;

    (2) evaluating compliance with applicable laws and regulations;

    (3) examining electronic data processing operations; and

    (4) evaluating compliance with applicable laws and regulations relating to the acquisition of goods and services from Maryland Correctional Enterprises.

(b) A performance audit conducted by the Office of Legislative Audits may include:

    (1) evaluating the efficiency, effectiveness, and economy with which resources are used;

    (2) determining whether desired program results are achieved; and

    (3) determining the reliability of performance measures, as defined in § 3–1001(g) of the State Finance and Procurement Article, identified in:

        (i) the managing for results agency strategic plan developed under § 3–1002(c) of the State Finance and Procurement Article; or

        (ii) the StateStat agency strategic plan developed under § 3–1003(d) of the State Finance and Procurement Article.

(c) The purpose of financial statement audits conducted by the Office of Legislative Audits shall be to express an opinion regarding the fairness of the presentation of a unit’s financial statements.

(d) (1) The audits referred to in subsections (a), (b), and (c) of this section shall be conducted in accordance with generally accepted government auditing standards.

    (2) FOR THE AUDITS REFERRED TO IN SUBSECTIONS (A), (B), AND (C) OF THIS SECTION, THE OFFICE OF LEGISLATIVE AUDITS SHALL BE GUIDED BY THE DEPARTMENT OF INFORMATION TECHNOLOGY’S STATE MINIMUM CYBERSECURITY STANDARDS.
(e) (1) Upon approval of the Joint Audit and Evaluation Committee, the Office of Legislative Audits shall develop and use a rating system that is based on the results of a fiscal/compliance audit to determine an overall evaluation of a unit’s financial transactions, records, and internal controls and compliance with applicable laws and regulations as a means of comparing the various units of State government.

    (2) When an evaluation is issued, it shall be provided to the unit and shall be available to the Joint Audit and Evaluation Committee and the Budget Committees of the Maryland General Assembly.

SECTION 2. AND BE IT FURTHER ENACTED, That, for the 2025–2026 school year, the Department of Information Technology shall focus on Standard 6.2 Protect (PR) Controls of the State minimum cybersecurity standards.

SECTION 3. AND BE IT FURTHER ENACTED, That this Act shall take effect July 1, 2025.