§ 5-306. Cybersecurity

West's Annotated Code of Maryland, Public Utilities. Effective: July 1, 2023

Division I. Public Services and Utilities [Titles 1-15]
Title 5. Powers, Duties, and Prohibitions
Subtitle 3. Duties of Public Service Companies
MD Code, Public Utilities, § 5-306
Zero-trust defined
(a) In this section, “zero-trust” means a cybersecurity approach:
(1) focused on cybersecurity resource protection; and
(2) based on the premise that trust is never granted implicitly but must be continually evaluated.
Application of section
(b) This section does not apply to a public service company that is:
(1) a common carrier; or
(2) a telephone company.
Cybersecurity standards and assessment
(c) A public service company shall:
(1) adopt and implement cybersecurity standards that are equal to or exceed standards adopted by the Commission;
(2) adopt a zero-trust cybersecurity approach for on-premises services and cloud-based services;
(3) establish minimum security standards for each operational technology and information technology device based on the level of security risk for each device, including security risks associated with supply chains; and
(4)(i) on or before July 1, 2024, and on or before July 1 every other year thereafter, engage a third party to conduct an assessment of operational technology and information technology devices based on:
1. the Cybersecurity and Infrastructure Security Agency's Cross-Sector Cybersecurity Performance Goals; or
2. a more stringent standard that is based on the National Institute of Standards and Technology security frameworks; and
(ii) submit to the Commission certification of the public service company's compliance with standards used in the assessments under item (i) of this item.
Reports of cybersecurity incidents
(d)(1) Each public service company shall report, in accordance with the process established under paragraph (2) of this subsection, a cybersecurity incident, including an attack on a system being used by the public service company, to the State Security Operations Center in the Department of Information Technology.
(2) The State Chief Information Security Officer, in consultation with the Commission, shall establish a process for a public service company to report cybersecurity incidents under paragraph (1) of this subsection, including establishing:
(i) the criteria for determining the circumstances under which a cybersecurity incident must be reported;
(ii) the manner in which a cybersecurity incident must be reported; and
(iii) the time period within which a cybersecurity incident must be reported.
(3) The State Security Operations Center shall immediately notify appropriate State and local agencies of a cybersecurity incident reported under this subsection.

Credits

Added by Acts 2023, c. 499, § 1, eff. July 1, 2023.
MD Code, Public Utilities, § 5-306, MD PUBLIC UTIL § 5-306
Current through legislation effective through April 9, 2023, from the 2024 Regular Session of the General Assembly. Some statute sections may be more current, see credits for details.