HOUSE BILL 1129
P1, L6, P4 1lr1564
CF 1lr2196
By: Delegate Krimm
Introduced and read first time: February 5, 2021
Assigned to: Health and Government Operations
A BILL ENTITLED
AN ACT concerning

Department of Information Technology – State and Local Government Employees and Contractors – Cybersecurity Training

FOR the purpose of requiring the Department of Information Technology, in coordination with the Maryland Cybersecurity Council, to develop criteria for the certification of certain cybersecurity training programs for a certain purpose, certify at least a certain number of programs, review and update certain certification standards at certain times, and maintain a list of certain programs on its website; requiring the certification criteria for certain programs to include certain requirements; authorizing the Department to contract with a third party to certify certain programs; requiring certain State and local government employees to complete a certain certified program each year; authorizing a unit to specify which certified program its employees are required to complete; specifying that a unit shall select a certain certification program based on certain factors; authorizing a unit to set different cybersecurity training requirements for different employees based on certain factors; requiring a unit to report certain information to the Department each year; requiring the Department to require certain periodic audits; requiring local governments to require certain audits; requiring the Department to approve at least one certified program to be used to train certain contractors; requiring certain contracts to contain a certain clause; requiring certain contractors to complete a certain certified program within a certain period of time; requiring a certain contractor to verify completion of a certain cybersecurity training program to a certain unit; requiring a unit to conduct certain periodic audits for a certain purpose; requiring the Department to adopt certain regulations; defining certain terms; and generally relating to cybersecurity training requirements for State and local government employees and contractors.
BY adding to
Article – State Finance and Procurement
Section 3A–801 through 3A–805 to be under the new subtitle “Subtitle 8. Cybersecurity Training”
Annotated Code of Maryland
(2015 Replacement Volume and 2020 Supplement)

EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW.
[Brackets] indicate matter deleted from existing law.
SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, That the Laws of Maryland read as follows:
Article – State Finance and Procurement

SUBTITLE 8. CYBERSECURITY TRAINING.

3A–801.

(A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS INDICATED.

(B) “CERTIFIED PROGRAM” MEANS A CYBERSECURITY TRAINING PROGRAM CERTIFIED BY THE DEPARTMENT UNDER § 3A–802 OF THIS SUBTITLE.

(C) “CONTRACTOR” INCLUDES A CONTRACTOR, SUBCONTRACTOR, OFFICER OF A CONTRACTOR OR SUBCONTRACTOR, OR AN EMPLOYEE OF A SUBCONTRACTOR OR CONTRACTOR.

(D) “LOCAL GOVERNMENT” MEANS:
(1) A COUNTY;
(2) A MUNICIPAL CORPORATION; OR
(3) A UNIT OF A COUNTY OR A MUNICIPAL CORPORATION.

(E) “UNIT” MEANS AN AGENCY OR A UNIT OF STATE OR LOCAL GOVERNMENT.

3A–802.

(A) THE DEPARTMENT, IN COORDINATION WITH THE MARYLAND CYBERSECURITY COUNCIL, SHALL:
(1) DEVELOP CRITERIA FOR THE CERTIFICATION OF CYBERSECURITY TRAINING PROGRAMS FOR USE BY STATE AND LOCAL GOVERNMENT EMPLOYEES REQUIRED TO COMPLETE CYBERSECURITY TRAINING EACH YEAR;
(2) CERTIFY AT LEAST 20 CYBERSECURITY TRAINING PROGRAMS;
(3) EACH YEAR REVIEW AND UPDATE CERTIFICATION STANDARDS FOR CYBERSECURITY TRAINING PROGRAMS; AND
(4) MAINTAIN ON ITS WEBSITE A LIST OF ALL CERTIFIED PROGRAMS.

(B) THE CERTIFICATION CRITERIA SHALL INCLUDE REQUIREMENTS THAT EACH CYBERSECURITY TRAINING PROGRAM INCLUDE ACTIVITIES, CASE STUDIES, HYPOTHETICAL SITUATIONS, AND OTHER METHODS THAT:
(1) FOCUS ON FORMING INFORMATION SECURITY HABITS AND REASONABLE SECURITY PROCEDURES THAT PROTECT INFORMATION RESOURCES, PERSONAL INFORMATION, AND RECORDS; AND
(2) TEACH BEST PRACTICES FOR DETECTING, ASSESSING, REPORTING, AND ADDRESSING INFORMATION SECURITY THREATS.

(C) THE DEPARTMENT MAY CONTRACT WITH A THIRD PARTY TO CERTIFY CYBERSECURITY TRAINING PROGRAMS UNDER THIS SECTION.

3A–803.

(A) (1) AT LEAST ONCE EACH YEAR, EACH UNIT EMPLOYEE SHALL COMPLETE A CERTIFIED PROGRAM IF THAT EMPLOYEE’S JOB–RELATED DUTIES INCLUDE ACCESSING GOVERNMENT COMPUTER SYSTEMS OR DATABASES.
(2) A UNIT MAY SPECIFY WHICH CERTIFIED PROGRAM ITS EMPLOYEES ARE REQUIRED TO COMPLETE.
(3) IF A UNIT REQUIRES EMPLOYEES TO COMPLETE A PARTICULAR CERTIFIED PROGRAM OR PROGRAMS, THE UNIT SHALL SELECT ONE OR MORE CERTIFIED PROGRAMS BASED ON THE PROGRAMS’ RELEVANCE TO THE EMPLOYEE’S WORK OR RESPONSIBILITIES.
(4) A UNIT MAY SET DIFFERENT CYBERSECURITY TRAINING REQUIREMENTS FOR DIFFERENT EMPLOYEES BASED ON THEIR POSITIONS OR TITLES.

(B) EACH UNIT SHALL REPORT TO THE DEPARTMENT EACH YEAR:
(1) THE CERTIFIED PROGRAM OR PROGRAMS THAT WERE SELECTED TO BE COMPLETED BY ITS EMPLOYEES; AND
(2) THE PERCENTAGE OF EMPLOYEES THAT COMPLETED EACH CERTIFIED PROGRAM.

(C) (1) THE DEPARTMENT SHALL REQUIRE PERIODIC AUDITS OF STATE UNITS TO ENSURE COMPLIANCE WITH THIS SECTION.
(2) LOCAL GOVERNMENTS SHALL REQUIRE PERIODIC AUDITS OF THEIR UNITS TO ENSURE COMPLIANCE WITH THIS SECTION.

3A–804.

(A) (1) THE DEPARTMENT SHALL APPROVE AT LEAST ONE CERTIFIED PROGRAM TO BE USED TO TRAIN SAFE CYBERSECURITY PRACTICES TO CONTRACTORS THAT HAVE ACCESS TO A UNIT’S COMPUTER SYSTEMS OR DATABASES.
(2) EACH CONTRACT ENTERED INTO BY A UNIT SHALL CONTAIN A CLAUSE REQUIRING EACH CONTRACTOR TO COMPLETE A CERTIFIED PROGRAM APPROVED FOR CONTRACTORS UNDER THIS SUBSECTION IF, UNDER THE TERMS OF THE CONTRACT, THE CONTRACTOR HAS ACCESS TO THE UNIT’S COMPUTER SYSTEMS OR DATABASES.

(B) EACH CONTRACTOR REQUIRED TO COMPLETE A CERTIFIED PROGRAM SHALL COMPLETE A CERTIFIED PROGRAM AT LEAST ONCE EACH YEAR DURING THE TERM OF THE CONTRACT, INCLUDING ANY CONTRACT RENEWAL PERIOD.

(C) EACH CONTRACTOR REQUIRED TO COMPLETE A CERTIFIED PROGRAM UNDER THIS SECTION SHALL VERIFY COMPLETION OF THE PROGRAM TO THE CONTRACTING UNIT.

(D) EACH UNIT SHALL:
(1) REPORT EACH YEAR TO THE DEPARTMENT ON WHICH CERTIFIED PROGRAM OR PROGRAMS EACH CONTRACTOR COMPLETED; AND
(2) CONDUCT PERIODIC AUDITS TO ENSURE COMPLIANCE WITH THIS SECTION.

3A–805.

THE DEPARTMENT SHALL ADOPT REGULATIONS TO CARRY OUT THIS SUBTITLE.
SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect October 1, 2021.