Cybersecurity Legal Requirements for Local Governments

​​​​​Maryland Senate Bill 754

The Local Cybersecurity Support Act of 2022 (SB754) was enacted to establish specific obligations for units of local governments and introduce support programs to assist them. The bill enacted several programs designed to provide resources and assistance to local governments as well as created several requirements for Local Units of Government:

1. Incident Reporting

   Each local government must report any cybersecurity incident — including attacks on state systems used by the local government — using the Incident Reporting Form. Reports should be submitted to the appropriate local emergency manager, the State Security Operations Center within the Department of Information Technology, and the Maryland Joint Operations Center. Local governments are also required to comply with the Cybersecurity Incident Reporting Requirements for Local Governments.

2. networkMaryland^TM​
   

   By June 30, 2024, and annually thereafter, each unit of local government must certify their compliance with the State’s minimum cybersecurity standards for connecting to networkMaryland^TM. Learn about networkMaryland^TM services

3. Preparedness and Response Plan

   Each county government, local school system, and local health department shall, in consultation with the local emergency manager, create or update a cybersecurity preparedness and response plan and complete a cybersecurity preparedness assessment.

4. Certification

   On or before June 30, 2023, each unit of local government shall certify to the Office of Security Management compliance with State Minimum Cybersecurity Standards established by the Department of Information Technology, in accordance with the Guidance for Locals.

5. Unremediated Findings and OSM Guidance

   No later than July 1, 2024, the Office of Security Management​ shall provide guidance for the units of local government that have not remediated any findings pertaining to the State Minimum Cybersecurity Standards found by the independent audit to achieve compliance with the cybersecurity standards. Remediation Certification Form.

6. Public or Private Water or Wastewater System

   By December 1, 2023, a public or private water or wastewater system in Maryland that: A. has 10,000 or more users, and B. receives financial assistance from the state must: (1) assess its vulnerability to a cyberattack; (2) if appropriate, develop a cybersecurity plan; and (3) submit a report to the General Assembly on the findings of the assessment and any recommendations for statutory changes needed for the system to appropriately address its cybersecurity. Guidance regarding the Modernize Maryland Act can be found at Modernize Maryland Act of 2022 Guidance.
   

7. Public Disclosure

   Public disclosure of a cybersecurity incident will be posted on the Maryland Department of Information Technology website and will follow the guidelines for the public disclosure of cybersecurity incidents.