(a) This section does not apply to: (1) the Maryland Port Administration; (2) the University System of Maryland; (3) St. Mary's College of Maryland; (4) Morgan State University; (5) the Maryland Stadium Authority; (6) Baltimore City Community College; (7) the State Board of Elections; (8) the Office of the Attorney General; (9) the Comptroller; or (10) the State Treasurer. (b) (1) The Department shall hire independent contractors to: (i) develop a framework for investments in technology; and (ii) at least once every 2 years, in accordance with the framework, assess the cybersecurity and information technology systems in each unit of State government. (2) The framework shall include the following criteria: (i) security risks to the system; (ii) system performance; (iii) the system's dependence on other information technology or cybersecurity systems and data; (iv) the system's ability to create an efficient and seamless experience for users; (v) the system's effectiveness in achieving unit objectives; (vi) the system's effectiveness in meeting the needs of citizens and customers; (vii) the costs to maintain and operate the system; (viii) the speed of government response time; (ix) the effectiveness of the system in regard to the unit's objectives; (x) improvements to the unit's relative audit findings attributable to the system; and (xi) an assessment of the system using the National Institute of Standards and Technology Cybersecurity Framework. (c) Each unit shall promptly provide a contractor employed under subsection (b) of this section with the information necessary to perform the assessments. (d) (1) Every 2 years, a contractor shall provide the results of the assessments to: (i) the Modernize Maryland Commission established under § 3.5-316 of this subtitle; and (ii) in accordance with § 2-1257 of the State Government Article, the Senate Budget and Taxation Committee, the Senate Committee on Education, Energy, and the Environment, and the House Health and Government Operations Committee. (2) The report submitted under paragraph (1)(ii) of this subsection may not contain information about the security of an information system. (e) The Department may use multiple contractors at a time to meet the requirements of this section.
‹ Prev All Maryland sections Next ›
Lexace provides legal information, not legal advice, and no attorney–client relationship is created. Statute text is provided for general information and may not reflect the most recent amendments; verify against the official state code.