Maryland § 3.5-405

Maryland Statutes

§ 3.5-405

Maryland § 3.5-405

Article gsfState Finance and Procurement

This text of Maryland § 3.5-405 is published on Counsel Stack Legal Research, covering Maryland primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.

Bluebook

Md. Code Ann., State Finance and Procurement § 3.5-405 (2026).

Text

(a)On or before December 1 each year, each unit of State government shall:

(1)report the results of any cybersecurity preparedness assessments performed in the prior year to the Office of Security Management in accordance with guidelines developed by the Office; and

(2)submit a report to the Governor and the Office of Security Management that includes:

(i)an inventory of all information systems and applications used or maintained by the unit;

(ii)a full data inventory of the unit;

(iii)a list of all cloud or statistical analysis system solutions used by the unit;

(iv)a list of all permanent and transient vendor interconnections that are in place;

(v)the number of unit employee

Free access — add to your briefcase to read the full text and ask questions with AI

(a) On or before December 1 each year, each unit of State government shall:

(1) report the results of any cybersecurity preparedness assessments performed in the prior year to the Office of Security Management in accordance with guidelines developed by the Office; and

(2) submit a report to the Governor and the Office of Security Management that includes:

(i) an inventory of all information systems and applications used or maintained by the unit;

(ii) a full data inventory of the unit;

(iii) a list of all cloud or statistical analysis system solutions used by the unit;

(iv) a list of all permanent and transient vendor interconnections that are in place;

(v) the number of unit employees who have received cybersecurity training;

(vi) the total number of unit employees who use the network;

(vii) the number of information technology staff positions, including vacancies;

(viii) the number of noninformation technology staff positions, including vacancies;

(ix) the unit’s information technology budget, itemized to include the following categories:

1. services;

2. equipment;

3. applications;

4. personnel;

5. software licensing;

6. development;

7. network projects;

8. maintenance; and

9. cybersecurity;

(x) any major information technology initiatives to modernize the unit’s information technology systems or improve customer access to State and local services;

(xi) the unit’s plans for future fiscal years to implement the unit’s information technology goals;

(xii) compliance with timelines and metrics provided in the Department’s master plan; and

(xiii) any other key performance indicators required by the Office of Security Management to track compliance or consistency with the Department’s statewide information technology master plan.

(b) (1) Each unit of State government shall report a cybersecurity incident in accordance with paragraph (2) of this subsection to the State Chief Information Security Officer.

(2) For the reporting of cybersecurity incidents under paragraph (1) of this subsection, the State Chief Information Security Officer shall determine:

(i) the criteria for determining when an incident must be reported;

(ii) the manner in which to report; and

(iii) the time period within which a report must be made.

Nearby Sections

15

§ 3.5-101

§ 3.5-201

§ 3.5-202

§ 3.5-203

§ 3.5-204

§ 3.5-205

§ 3.5-2A-01

§ 3.5-2A-02

§ 3.5-2A-03

§ 3.5-2A-04

§ 3.5-2A-05

§ 3.5-2A-06

§ 3.5-301

§ 3.5-302

§ 3.5-303

View on official source ↗

Cite This Page — Counsel Stack

Bluebook (online)

Maryland § 3.5-405, Counsel Stack Legal Research, https://law.counselstack.com/statute/md/gsf/3.5-405.