Skip to main content
Find a Lawyer

Maryland Code, State Finance and Procurement § 3.5-406

Current as of January 01, 2025 | Updated by Findlaw Staff

(a) On or before December 1 each year, each unit of State government shall:

(1) report the results of any cybersecurity preparedness assessments performed in the prior year to the Office of Security Management in accordance with guidelines developed by the Office; and

(2) submit a report to the Governor and the Office of Security Management that includes:

(i) an inventory of all information systems and applications used or maintained by the unit;

(ii) a full data inventory of the unit;

(iii) a list of all cloud or statistical analysis system solutions used by the unit;

(iv) a list of all permanent and transient vendor interconnections that are in place;

(v) the number of unit employees who have received cybersecurity training;

(vi) the total number of unit employees who use the network;

(vii) the number of information technology staff positions, including vacancies;

(viii) the number of noninformation technology staff positions, including vacancies;

(ix) the unit's information technology budget, itemized to include the following categories:

1. services;

2. equipment;

3. applications;

4. personnel;

5. software licensing;

6. development;

7. network projects;

8. maintenance; and

9. cybersecurity;

(x) any major information technology initiatives to modernize the unit's information technology systems or improve customer access to State and local services;

(xi) the unit's plans for future fiscal years to implement the unit's information technology goals;

(xii) compliance with timelines and metrics provided in the Department's master plan; and

(xiii) any other key performance indicators required by the Office of Security Management to track compliance or consistency with the Department's statewide information technology master plan.

(b)(1) Each unit of State government shall report a cybersecurity incident in accordance with paragraph (2) of this subsection to the State Chief Information Security Officer.

(2) For the reporting of cybersecurity incidents under paragraph (1) of this subsection, the State Chief Information Security Officer shall determine:

(i) the criteria for determining when an incident must be reported;

(ii) the manner in which to report; and

(iii) the time period within which a report must be made.

Previous Part of Code Next Part of Code
Back to Chapter List

Cite this article: FindLaw.com - Maryland Code, State Finance and Procurement § 3.5-406 - last updated January 01, 2025 | https://codes.findlaw.com/md/state-finance-and-procurement/md-code-state-fin-and-proc-sect-3-5-406/

FindLaw Codes may not reflect the most recent version of the law in your jurisdiction. Please verify the status of the code you are researching with the state legislature before relying on it for your legal needs.

Was this helpful?

Welcome to FindLaw's Cases & Codes

A free source of state and federal court opinions, state laws, and the United States Code. For more information about the legal concepts addressed by these cases and statutes, visit FindLaw’s Learn About the Law.

Go to Learn About the Law

Latest Blog Posts

For Legal Professionals

Learn About The Law

Get help with your legal needs

FindLaw’s Learn About the Law features thousands of informational articles to help you understand your options. And if you’re ready to hire an attorney, find one in your area who can help.

Go to Learn About the Law

Need to Find an Attorney?

Search our directory by legal issue

Enter information in one or both fields (Required)

Copied to clipboard