Maryland Gov. Hogan signs three cybersecurity bills

The new laws solidify the position of the state's CISOs, establish new offices and set new requirements for critical infrastructure.
Maryland Gov. Larry Hogan
Maryland Gov. Larry Hogan visits a vaccination clinic at Baltimore's M&T Bank Stadium in May 2021. (Saul Loeb/AFP / Getty Images)

Maryland’s cybersecurity activities are poised to get a significant boost following Gov. Larry Hogan’s signature Thursday of three bills that will fund new technology purchases and staff positions and solidify the state’s cyber policy structure.

The bills, which were signed alongside more than 100 other pieces of legislation, come in the still-lingering wake of several high-profile cyberattacks in the state. These included a ransomware attack last December that interrupted the Maryland Department of Health’s ability to publish COVID-19 data and a November 2020 incident at Baltimore County Public Schools. States are also preparing for a new federal cybersecurity grant program.

During a signing ceremony in Annapolis, Hogan, who’s in his final year as governor, said the bills will “further strengthen Maryland’s standing as the cyber capital of America.”

One of the new laws, SB812, further solidifies the position of the state chief information security officer and the Office of Security Management, a division of the Maryland Department of Information Technology that Hogan created in 2019 with an executive order.


Under the new law, the CISO is now a permanent role in state government, to be nominated by the governor and confirmed by the state Senate. It also empowers the CISO to set statewide cybersecurity policies, including incident reporting requirements for agencies and local governments. The IT department is also directed to create an information sharing and analysis center for sharing intelligence across state and local entities.

Another bill, SB754, instructs the Maryland Department of Emergency Management to create a cybersecurity preparedness unit to work with local governments on their network defenses. That office is getting a budget of about $455,000, with five full-time employees.

The final measure, HB1205, sets planning and incident reporting requirements for water and sewer systems, both publicly and privately operated. Under the new law, any system serving at least 10,000 customers that receives financial support from the state will be required to conduct vulnerability assessments and file cybersecurity plans with Maryland officials.

Latest Podcasts