Skip to main content
Find a Lawyer

Maryland Code, Public Utilities § 5-306

Current as of January 01, 2025 | Updated by Findlaw Staff

(a) In this section, “zero-trust” means a cybersecurity approach:

(1) focused on cybersecurity resource protection; and

(2) based on the premise that trust is never granted implicitly but must be continually evaluated.

(b) This section does not apply to a public service company that is:

(1) a common carrier; or

(2) a telephone company.

(c) A public service company shall:

(1) adopt and implement cybersecurity standards that are equal to or exceed standards adopted by the Commission;

(2) adopt a zero-trust cybersecurity approach for on-premises services and cloud-based services;

(3) establish minimum security standards for each operational technology and information technology device based on the level of security risk for each device, including security risks associated with supply chains; and

(4)(i) on or before July 1, 2024, and on or before July 1 every other year thereafter, engage a third party to conduct an assessment of operational technology and information technology devices based on:

1. the Cybersecurity and Infrastructure Security Agency's Cross-Sector Cybersecurity Performance Goals; or

2. a more stringent standard that is based on the National Institute of Standards and Technology security frameworks; and

(ii) submit to the Commission certification of the public service company's compliance with standards used in the assessments under item (i) of this item.

(d)(1) Each public service company shall report, in accordance with the process established under paragraph (2) of this subsection, a cybersecurity incident, including an attack on a system being used by the public service company, to the State Security Operations Center in the Department of Information Technology.

(2) The State Chief Information Security Officer, in consultation with the Commission, shall establish a process for a public service company to report cybersecurity incidents under paragraph (1) of this subsection, including establishing:

(i) the criteria for determining the circumstances under which a cybersecurity incident must be reported;

(ii) the manner in which a cybersecurity incident must be reported; and

(iii) the time period within which a cybersecurity incident must be reported.

(3) The State Security Operations Center shall immediately notify appropriate State and local agencies of a cybersecurity incident reported under this subsection.

Previous Part of Code Next Part of Code
Back to Chapter List

Cite this article: FindLaw.com - Maryland Code, Public Utilities § 5-306 - last updated January 01, 2025 | https://codes.findlaw.com/md/public-utilities/md-code-public-util-sect-5-306/

FindLaw Codes may not reflect the most recent version of the law in your jurisdiction. Please verify the status of the code you are researching with the state legislature before relying on it for your legal needs.

Was this helpful?

Welcome to FindLaw's Cases & Codes

A free source of state and federal court opinions, state laws, and the United States Code. For more information about the legal concepts addressed by these cases and statutes, visit FindLaw’s Learn About the Law.

Go to Learn About the Law

Latest Blog Posts

For Legal Professionals

Learn About The Law

Get help with your legal needs

FindLaw’s Learn About the Law features thousands of informational articles to help you understand your options. And if you’re ready to hire an attorney, find one in your area who can help.

Go to Learn About the Law

Need to Find an Attorney?

Search our directory by legal issue

Enter information in one or both fields (Required)

Copied to clipboard