Bill > SB907

This bill strengthens cybersecurity requirements for local school systems in Maryland by implementing several key provisions. Starting in 2026, each local school system will be required to comply with the State minimum cybersecurity standards (SMCS) established by the Department of Information Technology and conduct a cybersecurity maturity assessment every two years. By June 30, 2026, and every two years thereafter, school systems must certify their compliance with these standards to the Office of Security Management. The bill removes the previous requirement that county boards prioritize purchasing digital devices and instead mandates that each local school system provide sufficient cybersecurity staffing as determined by the State Chief Information Security Officer. Local school systems may share services, contractors, or regional support to meet these requirements. The Department of Information Technology will assign at least three information security officers to support local school systems in achieving compliance, conducting assessments, and implementing remediation efforts. Additionally, the Office of Legislative Audits will be guided by the State minimum cybersecurity standards when conducting various types of audits. For the 2025-2026 school year, the Department will specifically focus on the Protect (PR) Controls standard, with the entire act taking effect on July 1, 2025.

Education

https://mgaleg.maryland.gov/mgawebsite/Legislation/Details/SB0907?ys=2025RS