KLS Keeping Law Simple Legislation in plain English

Straight-ahead summaries built from the official bill text. We keep the source links front and center and leave the decision up to you.

Back to Maryland

SB0601 • 2026

Cybersecurity - Standards and Compliance - Alterations

Cybersecurity - Standards and Compliance - Alterations

Education Taxes Technology
Enacted

This bill passed the Legislature and reached final enactment based on the latest official action.

Sponsor
Senators Hester , Attar , Brooks , Feldman , Harris , Kagan , Simonaire , and Watson
Last action
2026-04-14
Official status
Approved by the Governor - Chapter 35
Effective date
2026-07-01

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

Cybersecurity - Standards and Compliance - Alterations

Requiring each local school system to designate a local point of contact for certain communications, to comply with, and certify compliance with, the State minimum cybersecurity standards, and to conduct a cybersecurity maturity assessment every 2 years; requiring the Office of Security Management within the Department of Information Technology to annually review and, if necessary, update the State minimum cybersecurity standards; requiring the Department to advise local school systems on certain functions; etc.

What This Bill Does

  • Requiring each local school system to designate a local point of contact for certain communications, to comply with, and certify compliance with, the State minimum cybersecurity standards, and to conduct a cybersecurity maturity assessment every 2 years; requiring the Office of Security Management within the Department of Information Technology to annually review and, if necessary, update the State minimum cybersecurity standards; requiring the Department to advise local school systems on certain functions; etc.

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Amendments

These notes stay tied to the official amendment files and metadata from the legislature.

183320/1

None

Favorable with Amendments { 183320/1 Adopted

Plain English: AMENDMENTS TO SENATE BILL 601 (First Reading File Bill) AMENDMENT NO.

  • AMENDMENTS TO SENATE BILL 601 (First Reading File Bill) AMENDMENT NO.
  • 1 On page 1, in the sponsor line, strike “ Senator Hester ” and substitute “Senators Hester, Attar, Brooks, Feldman, Harris, Kagan, Simonaire, and Watson”; strike beginning with “repealing” in line 6 down through “funds;” in line 7; in line 9, after “and” insert “ , i f necessary,”; in line 10, strike “support” and substitute “advise”; in the same line, strike “with” and substitute “on”; strike beginning with “and” in line 10 down through “year” in line 11; and strike in their entirety lines 17 through 21, inclusive.
  • AMENDMENT NO.
  • 2 On page 2, in line 9, strike “ COUNTY BOARD” and substitute “ LOCAL SCHOOL SYSTEM”.

Bill History

  1. 2026-04-14 Post Passage

    Approved by the Governor - Chapter 35

  2. 2026-04-08 House

    Favorable Report by Government, Labor, and Elections

  3. 2026-03-26 House

    Hearing 4/02 at 1:00 p.m.

  4. 2026-03-26 House

    Third Reading Passed (134-0)

  5. 2026-03-24 Senate

    Returned Passed

  6. 2026-03-21 House

    Favorable Adopted Second Reading Passed

  7. 2026-03-19 Senate

    Favorable with Amendments Report by Education, Energy, and the Environment

  8. 2026-03-09 House

    Referred Government, Labor, and Elections

  9. 2026-03-05 Senate

    Third Reading Passed (39-0)

  10. 2026-03-03 Senate

    Favorable with Amendments { 183320/1 Adopted

  11. 2026-03-03 Senate

    Second Reading Passed with Amendments

  12. 2026-02-11 Senate

    Hearing 2/26 at 1:00 p.m.

  13. 2026-02-05 Senate

    First Reading Education, Energy, and the Environment

  14. Maryland General Assembly

    Text - First - Cybersecurity - Standards and Compliance - Alterations

  15. Maryland General Assembly

    Vote - Senate - Committee - Education, Energy, and the Environment

  16. Maryland General Assembly

    Text - Third - Cybersecurity - Standards and Compliance - Alterations

  17. Maryland General Assembly

    Vote - House - Committee - Government, Labor, and Elections

  18. Maryland General Assembly

    Text - Chapter - Cybersecurity - Standards and Compliance - Alterations

Official Summary Text

Requiring each local school system to designate a local point of contact for certain communications, to comply with, and certify compliance with, the State minimum cybersecurity standards, and to conduct a cybersecurity maturity assessment every 2 years; requiring the Office of Security Management within the Department of Information Technology to annually review and, if necessary, update the State minimum cybersecurity standards; requiring the Department to advise local school systems on certain functions; etc.

Current Bill Text

Read the full stored bill text 
EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW.
[Brackets] indicate matter deleted from existing law.
Underlining indicates amendments to bill.
Strike out indicates matter stricken from the bill by amendment or deleted from the law by
amendment.
*sb0601*

SENATE BILL 601
S2, F1 6lr2103
CF HB 957
By: Senator Hester Senators Hester, Attar, Brooks, Feldman, Harris, Kagan,
Simonaire, and Watson
Introduced and read first time: February 5, 2026
Assigned to: Education, Energy, and the Environment
Committee Report: Favorable with amendments
Senate action: Adopted
Read second time: March 3, 2026

CHAPTER ______

AN ACT concerning 1

Cybersecurity – Standards and Compliance – Alterations 2

FOR the purpose of requiring each local school system to designate a local point of contact 3
for certain communications, to comply with, and certify compliance with, the State 4
minimum cybersecurity standards, and to conduct a cy bersecurity maturity 5
assessment periodically; repealing the requirement that county boards of education 6
prioritize the purchase of digital devices with certain funds; requiring the Office of 7
Security Management within the Department of Information Technology to annually 8
review and , if necessary, update the State minimum cybersecurity standards; 9
requiring the Department to support advise local school systems with on certain 10
functions and to focus on a certain standard for a certain school year ; and generally 11
relating to cybersecurity. 12

BY adding to 13
Article – Education 14
Section 4–148 15
Annotated Code of Maryland 16
(2025 Replacement Volume and 2025 Supplement) 17

BY repealing and reenacting, with amendments, 18
Article – Education 19
Section 5–212 20
Annotated Code of Maryland 21
(2025 Replacement Volume and 2025 Supplement) 22
2 SENATE BILL 601

BY repealing and reenacting, with amendments, 1
Article – State Finance and Procurement 2
Section 3.5–101, 3.5–2A–04(b), and 3.5–406 3
Annotated Code of Maryland 4
(2021 Replacement Volume and 2025 Supplement) 5

BY repealing and reenacting, without amendments, 6
Article – State Finance and Procurement 7
Section 3.5–2A–02 8
Annotated Code of Maryland 9
(2021 Replacement Volume and 2025 Supplement) 10

SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 11
That the Laws of Maryland read as follows: 12

Article – Education 13

4–148. 14

(A) EACH COUNTY BOARD LOCAL SCHOOL SYSTEM SHALL: 15

(1) DESIGNATE A LOCAL POI NT OF CONTACT FOR AL L 16
CYBERSECURITY–RELATED COMMUNICATIONS; AND 17

(2) NOTIFY THE STATE CHIEF INFORMATION SECURITY OFFICER OF: 18

(I) THE DESIGNATION; AND 19

(II) ANY SUBSEQUENT UPDATE TO THE DESIGNATION. 20

(B) (1) BEGINNING IN 2027, EACH LOCAL SCHOOL SYSTEM SHALL: 21

(I) COMPLY WITH THE STATE MINIMUM CYBERSE CURITY 22
STANDARDS ESTABLISHED BY THE DEPARTMENT OF INFORMATION TECHNOLOGY; 23
AND 24

(II) CONDUCT A CYBERSECURI TY MATURITY ASSESSME NT 25
EVERY 2 YEARS. 26

(2) ON OR BEFORE JUNE 30, 2027, AND EACH JUNE 30 EVERY 2 27
YEARS THEREAFTER, EACH LOCAL SCHOOL SYSTEM SHALL CERTIFY TO THE OFFICE 28
OF SECURITY MANAGEMENT WITHIN THE DEPARTMENT OF INFORMATION 29
TECHNOLOGY COMPLIANCE WITH THE STATE MINIMUM CYBERSE CURITY 30
STANDARDS ESTABLISHED BY THE DEPARTMENT OF INFORMATION TECHNOLOGY. 31
SENATE BILL 601 3

5–212. 1

(a) The target per pupil foundation amount includes costs associated with 2
implementing the Blueprint for Maryland’s Future including: 3

(1) Increasing salaries; 4

(2) Additional teachers to provide professional learning and collaborative 5
time for teachers; 6

(3) Career counseling; 7

(4) Behavioral health; 8

(5) Instructional opportunities for students who are college and career 9
ready and those who are not; 10

(6) Maintenance and operation of schools; 11

(7) Supplies and materials for teachers; and 12

(8) Educational technology including digital devices, broadband 13
connectivity, [and] information technology staff, AND CYBERSECURITY. 14

(b) Schools may use funds provided under this section to provide the programs 15
required under COMAR 13A.04.16.01. 16

(c) (1) [County boards of education and schools shall prioritize the purchase 17
of digital devices for using funds under subsection (a)(8) of this section. 18

(2)] Additional funds provided in the target per pupil foundation amount for 19
educational technology are intended to supplement and not supplant existing funding 20
provided for educational technology. 21

[(3)] (2) (i) On or before [November 15 each year] AUGUST 15, 2026, 22
AND EACH AUGUST 15 THEREAFTER, each county board shall submit a report to the 23
Department detailing, for the previous fiscal year: 24

1. The amount spent by the local school system on technology 25
disaggregated by digital devices, connectivity, and information technology staff; [and] 26

2. The percentage of students, teachers, and staff with 27
digital devices and adequate connectivity in their homes in accordance with the Federal 28
Communications Commission standards for broadband; AND 29

4 SENATE BILL 601

3. CYBERSECURITY EXPENDI TURES RELATED TO THE 1
STATE MINIMUM CYBERSECURITY STANDARDS ESTABLISHED BY THE DEPARTMENT 2
OF INFORMATION TECHNOLOGY. 3

(ii) On or before December 15 each year, the Department shall 4
submit to the General Assembly, in accordance with § 2 –1257 of the State Government 5
Article, a compilation of the reports submitted to the Department under su bparagraph (i) 6
of this paragraph. 7

(iii) On or before September 1, 2021, the Department shall establish 8
uniform reporting requirements, including definitions to ensure that consistent and 9
comparable reports are submitted under subparagraph (i) of this paragraph. 10

Article – State Finance and Procurement 11

3.5–101. 12

(a) In this title the following words have the meanings indicated. 13

(b) “Cloud computing” means a service that enables on –demand self –service 14
network access to a shared pool of configurable computer resources, including data storage, 15
analytics, commerce, streaming, e–mail, document sharing, and document editing. 16

(c) “Department” means the Department of Information Technology. 17

(d) (1) “Oversight of implementation” means management of the p rocess to 18
implement a new technology, system, or product into practice and use by a unit. 19

(2) “Oversight of implementation” includes: 20

(i) planning and preparation to implement the product or practice; 21
and 22

(ii) ongoing monitoring and support of t he implementation team to 23
ensure successful execution and that the project goals are met. 24

(3) “Oversight of implementation” does not include: 25

(i) responsibility for day –to–day management of any individual 26
projects or products; or 27

(ii) responsibility for implementing individual –level process 28
requirements for a project or product. 29

(e) “Secretary” means the Secretary of Information Technology. 30

SENATE BILL 601 5

(F) “STATE MINIMUM CYBERSE CURITY STANDARDS ” MEANS THE STATE 1
MINIMUM CYBERSECURIT Y STANDARDS ESTABLIS HED BY THE DEPARTMENT OF 2
INFORMATION TECHNOLOGY. 3

[(f)] (G) “Telecommunication” means the transmission of information, images, 4
pictures, voice, or data by radio, video, or other electronic or impulse means. 5

[(g)] (H) “Unit of State government” means an agency or unit of the Executive 6
Branch of State government. 7

3.5–2A–02. 8

There is an Office of Security Management within the Department. 9

3.5–2A–04. 10

(b) The Office shall: 11

(1) establish standards to categorize all information collected or 12
maintained by or on behalf of each unit of State government; 13

(2) establish standards to categorize all information systems maintained 14
by or on behalf of each unit of State government; 15

(3) develop guidelines governing the types of information and information 16
systems to be included in each category; 17

(4) establish security requirements for information and information 18
systems in each category; 19

(5) assess the categorization of information and information systems and 20
the associated implementation of the security requirements established under item (4) of 21
this subsection; 22

(6) if the State Chief Information Security Officer determines that there 23
are security vulnerabilities or deficiencies in any information systems, determine and direct 24
or take actions necessary to correct or remediate the vulnerabilities or deficiencies, which 25
may include requiring the information system to be disconnected; 26

(7) if the State Chief Information Security Officer determines that there is 27
a cybersecurity threat caused by, affectin g, or potentially affecting an entity connected to 28
the network established under § 3.5 –404 of this title that introduces or may introduce a 29
serious risk to entities connected to the network or to the State, take or direct actions 30
required to mitigate the threat; 31

(8) manage security awareness training for all appropriate employees of 32
units of State government; 33
6 SENATE BILL 601

(9) assist in the development of data management, data governance, and 1
data specification standards to promote standardization and reduce risk; 2

(10) assist in the development of a digital identity standard and 3
specification applicable to all parties communicating, interacting, or conducting business 4
with or on behalf of a unit of State government; 5

(11) develop and maintain information techno logy security policy, 6
standards, and guidance documents, consistent with best practices developed by the 7
National Institute of Standards and Technology; 8

(12) to the extent practicable, seek, identify, and inform relevant 9
stakeholders of any available fi nancial assistance provided by the federal government or 10
non–State entities to support the work of the Office; 11

(13) provide technical assistance to localities in mitigating and recovering 12
from cybersecurity incidents; 13

(14) ANNUALLY REVIEW AND , IF NEC ESSARY, UPDATE THE STATE 14
MINIMUM CYBERSECURITY STANDARDS; 15

[(14)] (15) provide technical services, advice, and guidance to units of local 16
government to improve cybersecurity preparedness, prevention, response, and recovery 17
practices; and 18

[(15)] (16) support local governments in developing a vulnerability 19
assessment and cyber assessment, including providing local governments with the 20
resources and information on best practices to complete the assessments. 21

3.5–406. 22

(a) This section does not apply to municipal governments. 23

(b) In a manner and frequency established in regulations adopted by the 24
Department, each county government, local school system, and local health department 25
shall: 26

(1) in consultation with the local emergency manager, create or u pdate a 27
cybersecurity preparedness and response plan; and 28

(2) complete a cybersecurity preparedness assessment. 29

(c) The assessment required under paragraph (b)(2) of this section may, in 30
accordance with the preference of each county government, be per formed by the 31
Department or by a vendor authorized by the Department. 32
SENATE BILL 601 7

(D) (1) THE DEPARTMENT’S INFORMATION SECURI TY OFFICERS ON 1
REQUEST, THE DEPARTMENT SHALL SUPPORT ADVISE LOCAL SCHOOL SYSTEMS 2
WITH ON: 3

(1) (I) COMPLIANCE WITH THE STATE MINIMUM CYBERSECURITY 4
STANDARDS; 5

(2) (II) CONDUCTING CYBERSECU RITY MATURITY ASSESS MENTS 6
EVERY 2 YEARS; AND 7

(3) (III) REMEDIATION EFFORTS. 8

(2) THE DEPARTMENT IS NOT RES PONSIBLE FOR THE SUC CESSFUL 9
PERFORMANCE OF OR DA Y–TO–DAY MANAGEMENT OF TH E DUTIES OF A LOCAL 10
SCHOOL SYSTEM DESCRIBED IN PARAGRAPH (1) OF THIS SUBSECTION. 11

[(d)] (E) (1) Each local government shall report a cybersecurity incident, 12
including an attack on a State system being used by the local government, to the 13
appropriate local emergency man ager and the State Security Operations Center in the 14
Department in accordance with paragraph (2) of this subsection. 15

(2) For the reporting of cybersecurity incidents to local emergency 16
managers under [subparagraph (i) of this paragraph ] PARAGRAPH (1) OF THIS 17
SUBSECTION, the State Chief Information Security Officer shall determine: 18

(i) the criteria for determining when an incident must be reported; 19

(ii) the manner in which to report; and 20

(iii) the time period within which a report must be made. 21

(3) The State Security Operations Center shall immediately notify the 22
appropriate agencies of a cybersecurity incident reported under this subsection through the 23
State Security Operations Center. 24

SECTION 2. AND BE IT FURTHER ENACTED, That , for the 2 026–2027 school 25
year, the Department of Information Technology shall focus on Standard 6.2 Protect (PR) 26
Controls of the State minimum cybersecurity standards. 27

SECTION 3. AND BE IT FURTHER ENACTED, That this Act shall take effect July 28
1, 2026. 29