Legal Requirements for Locals
Maryland Senate Bill 754
The Local Cybersecurity Support Act of 2022 (SB754) was enacted to establish specific obligations for units of local government and to introduce support programs to assist them. The bill established several programs designed to provide resources and assistance to local governments and created several requirements for units of local government:
Incident Reporting
Each local government shall report a cybersecurity incident via the Incident Reporting Form, including an attack on a state system being used by the local government, to the appropriate local emergency manager and the state security operations center in the department of information technology to the Maryland joint operations center in the department. Local governments are required to adhere to the Cybersecurity Incident Reporting Requirements for Local Governments.
Network Maryland
By June 30, 2024, and annually thereafter, each unit of local government must certify its compliance with the State’s minimum cybersecurity standards for connecting to network Maryland.
Each county government, local school system, and local health department shall, in consultation with the local emergency manager, create or update a cybersecurity preparedness and response plan and complete a cybersecurity preparedness assessment.
On or before June 30, 2023, each unit of local government shall certify to the Office of Security Management compliance with State Minimum Cybersecurity Standards established by the Department of Information Technology, in accordance with the Guidance for Locals.
No later than July 1, 2024, the Office of Security Management shall provide guidance for the units of local government that have not remediated any findings pertaining to the State Minimum Cybersecurity Standards found by the independent audit to achieve compliance with the cybersecurity standards.
Remediation Certification Form
By December 1, 2023, a public or private water or wastewater system in Maryland that (A) has 10,000 or more users and (B) receives financial assistance from the state must: (1) assess its vulnerability to a cyberattack; (2) if appropriate, develop a cybersecurity plan; and (3) submit a report to the General Assembly on the findings of the assessment and any recommendations for statutory changes needed for the system to appropriately address its cybersecurity. Guidance regarding the Modernize Maryland Act can be found at Modernize Maryland Act of 2022 Guidance.
Public disclosure of a cybersecurity incident will be posted on the Maryland Department of Information Technology website and will follow the guidelines for the public disclosure of cybersecurity incidents.
1. https://mgaleg.maryland.gov/2022RS/bills/sb/sb0754E.pdf