Maryland’s three new cybersecurity laws will affect local government offices and agencies within the State as well as any public or private company that operates water or sewer systems in the State. Together, these laws solidify the State’s Office of Security Management and the position of a State Chief Information Security Officer, introduce a cybersecurity preparedness unit for local governments, and establish cybersecurity reporting requirements for water and sewer systems as well as a plan to upgrade legacy security requirements. Here is a look at the laws and what to expect. All of these are currently in effect.
Establishes an independent Modernize Maryland Oversight Commission.
Expands cybersecurity requirements for State agencies and water and sewer systems.
Makes related changes to cybersecurity funding and procurement by the State and local governments.
For fiscal 2023, funds from the Dedicated Purpose Account (DPA) may be transferred to implement the bill. For fiscal 2024, the Governor must include in the annual budget bill an appropriation of at least 20% of the aggregated amount appropriated for information technology (IT) and cybersecurity resources in the annual budget bill for fiscal 2023.
This bill significantly expands and enhances the State’s regulatory framework for cybersecurity:
(1) codifies and expands the Maryland Cyber Defense Initiative.
(2) establishes various assessment and reporting requirements for State and local governments.
(3) requires DoIT to ensure each agency’s compliance with cybersecurity standards under certain circumstances.
(4) requires DoIT to develop a centralization transition strategy and conduct a self-performance and capacity assessment.
This emergency bill makes numerous changes to the State’s cybersecurity infrastructure, practices, and procedures, primarily for local governments:
(1) codifying (in part) and expanding the executive order that established the Maryland Cyber Defense Initiative.
(2) establishing the Cybersecurity Preparedness Unit in the Maryland Department of Emergency Management (MDEM) and the Information Sharing and Analysis Center (ISAC) within the Department of Information Technology (DoIT).
(3) requiring specified local government entities to create or update cybersecurity preparedness and response plans and complete cybersecurity preparedness assessments, as specified.
(4) requiring the Maryland Department of Information Technology (DoIT) to provide guidance to local governments to bring their cybersecurity practices into compliance with cybersecurity standards.
ATS assists organizations with Cybersecurity Assessments and regulatory compliance while using industry best practices, methodologies and standards. We recommend that organizations begin with a Risk Assessment and then look towards follow-up assessments depending on those results.
Conduct an external Security Risk Assessment on an annual basis
Include a Vulnerability Assessment
Include a PII Data Scan Assessment
Risk Assessment, Vulnerability Assessment, Security Control Assessment, Penetration Testing Assessment, Compliance Assessment, Configuration Assessment, Identity and Access Management, Code Review and Testing
Remediation and Mitigation Strategies
SOC 24x7 Monitoring with partners such as Deepwatch and Secureworks
Our Certifications and Experience
Certified (ISC)2 Cybersecurity Professionals
13 years as a Master Contractor on the MEEC Security Services Contracts
Experience with Cybersecurity assessments for Enterprise and SMB customers in State and Local government throughout the Mid-Atlantic region, including in Water and Sewer