Agency Cyber Preparedness Act

Summary: The Agency Cyber Preparedness Act creates a state office of cybersecurity and directs it to work with state and local government agencies to establish and implement standards for the security of all information and information systems.

Based on Maryland SB 754 (2022).

SECTION 1. SHORT TITLE

This Act shall be called the “Agency Cyber Preparedness Act.”

SECTION 2. FINDINGS AND PURPOSE

(A)  FINDINGS—The legislature/council finds that:

1) State and local governments and their agencies are currently the entities most under cyberattack in the United States.

2) The most common cyberattack begins with “phishing,” in which an attacker sends fraudulent emails or other messages pretending to be from a trusted source in order to deceive people into revealing sensitive information or installing malware.

3) Very often, it takes the mistake of only one inadequately trained staff member to endanger an entire agency’s database. Because there are so many different state and local government agencies—school systems, police departments, water authorities—many are simply not prepared.

4) It is essential for state authorities to assist both state and local agencies to establish standards and implement technology and employee rules to maximize cybersecurity for all government information and information systems.

(B)   PURPOSE—This law is enacted to protect government security and the privacy of individual records.

SECTION 3.  CYBERSECURITY FOR STATES AND LOCALITIES

In section XXX, the following new paragraphs shall be inserted:

(A) OFFICE OF CYBERSECURITY

1) There is an Office of Cybersecurity within the [Department of General Services], headed by a Chief Information Security Officer. The Office of Cybersecurity shall:

a) Establish cybersecurity standards for the security of all state and local government information and information systems.

b) Create, direct, coordinate, and implement the overall cybersecurity strategy and policy for agencies of state government; and

c) Working with local governments, ensure that all local government agencies implement cybersecurity strategies and policies that are consistent with statewide standards.

2) The Office of Cybersecurity is not responsible for information technology installation and maintenance operations normally conducted by an agency of state or local government.

3) Within the Office of Cybersecurity there is a Director of State Cybersecurity, appointed by the Chief Information Security Officer. The director and staff for state cybersecurity shall:

a) Establish standards to categorize all information, and information systems, collected or maintained by or on behalf of each agency of state government;

b) Establish security requirements for information and information systems in each category;

c) If the Chief Information Security Officer determines that there are security vulnerabilities or deficiencies in any state information system or network, determine and direct or take actions necessary to correct or remediate the vulnerabilities or deficiencies, which may include requiring an information system to be disconnected;

d) Manage security awareness training for all appropriate employees of state government agencies;

e) Assist state agencies in the development of data management, data governance, and data specification standards to promote standardization and reduce risk;

f) Assist state agencies in the development of digital identity standards and specifications applicable to all parties communicating, interacting, or conducting business with or on behalf of a state government agency;

g) Develop and maintain information technology security policy, standards, and guidance documents, consistent with best practices developed by the National Institute of Standards and Technology; and

h) To the extent practicable, seek, identify, and inform relevant stakeholders of any available financial assistance provided by the federal government or non-state entities to support the work of cybersecurity.

4) Within the Office of Cybersecurity there is a Director of Local Cybersecurity, appointed by the Chief Information Security Officer. The director and staff for local cybersecurity shall:

a) Establish standards to categorize all information, and information systems, collected or maintained by or on behalf of each agency of local government;

b) Establish security requirements for information and information systems in each category;

c) If the Chief Information Security Officer determines that there are security vulnerabilities or deficiencies in any local agency information system or network, direct local agencies to take actions necessary to correct or remediate the vulnerabilities or deficiencies, which may include requiring an information system to be disconnected;

d) Require and assist in security awareness training for all appropriate employees of local government agencies;

e) Assist local agencies in the development of data management, data governance, and data specification standards to promote standardization and reduce risk;

f) Assist local government agencies in the development of digital identity standards and specifications applicable to all parties communicating, interacting, or conducting business with or on behalf of a local government agency;

g) Assist local government agencies to develop and maintain information technology security policy, standards, and guidance documents, consistent with best practices developed by the National Institute of Standards and Technology; and

h) To the extent practicable, seek, identify, and inform relevant stakeholders of any available financial assistance provided by the federal government or non-state entities to support the work of cybersecurity.

(B) CYBERSECURITY REPORTS

1) On or before December 31 of each year, the Office of Cybersecurity shall report to the Governor, the Senate [Budget] Committee and the House [Budget] Committee on the activities of the Office and the condition of cybersecurity preparedness in state and local government agencies, including:

a) The activities and accomplishments of the Office during the previous 12 months at the state and local levels;

b) A summary of the cybersecurity issues identified and the status of vulnerability assessments of all state government agencies and a timeline for completion and cost to remediate any vulnerabilities exposed;

c) A summary of the cybersecurity issues and the status of vulnerability assessments of local government agencies and an estimated timeline for completion and cost to remediate any vulnerabilities exposed; and

d) Any additional recommendations for improving state and local cybersecurity preparedness.

2) A report submitted under this subsection shall not contain information that would reveal specifics of cybersecurity vulnerabilities that could be useful to attackers seeking to compromise state or local systems.

(C) FUNDING

For fiscal year 2024, [$XX,XXX,XXX] from the [General Fund] may be transferred by budget amendment to fund the Office of Cybersecurity and its operations.

SECTION 4. EFFECTIVE DATE

This law shall become effective on XXXX 1, 202X.
