MarylandHB 09572026 Regular SessionHouseWALLET

Cybersecurity - Standards and Compliance - Alterations

Your PRIA Score

Score Hidden

Personalized for You

How does this bill affect your finances?

Sign up for a PRIA Policy Scan to see your personalized alignment score for this bill and every other piece of legislation we track. We analyze your financial profile against policy provisions to show you exactly what matters to your wallet.

Free to start

Bill Overview

Analyzed Economic Effects

5 provisions identified: 3 benefits, 0 costs, 2 mixed.

Stronger cybersecurity rules for schools

Starting in 2027, every local school system follows the State minimum cybersecurity standards and completes a maturity check every two years. By June 30, 2027, and every two years after, each system must certify it meets the standards. Beginning July 1, 2026, each school system names a local cybersecurity contact and tells the State CISO. The Department of Information Technology helps on request, but it does not manage schools’ daily IT work. For the 2026–2027 school year, the State focuses on Protect controls. The State reviews the minimum standards every year and updates them as needed.

Local cyber incident reporting and alerts

Starting July 1, 2026, local governments must report cybersecurity incidents, including attacks on State systems they use, to the local emergency manager and the State Security Operations Center. The State CISO sets what must be reported, how to report it, and the deadlines. The State Security Operations Center must immediately notify the right agencies when it gets a report. This speeds response and coordination.

Local cyber preparedness plans and assessments

Beginning July 1, 2026, each county government, local school system, and local health department must create or update a cyber preparedness and response plan with the local emergency manager and complete a preparedness assessment. Assessments can be done by the State or a State‑authorized vendor, based on the county’s preference. Some municipal governments are excluded where the law specifies. The Department sets how often and how to do these steps.

Annual school tech and internet reporting

By August 15, 2026, and each August 15 after, every county board reports last year’s spending on devices, connectivity, IT staff, and cybersecurity. The report also shows what share of students, teachers, and staff have devices and adequate home broadband. This improves transparency on where tech and cybersecurity money goes.

Schools: cybersecurity allowed, device priority ends

Beginning July 1, 2026, schools can use per‑pupil educational technology funds for cybersecurity costs. The law also ends the rule that these funds must first go to buying digital devices. Districts have more flexibility to balance devices, connectivity, IT staff, and cybersecurity.

Sponsors & Cosponsors

Sponsor

Chao Wu
Democratic • House

Cosponsors

Kris Fair
Democratic • House
Anne R. Kaiser
Democratic • House
April Rose
Republican • House
Ryan Spiegel
Democratic • House

Roll Call Votes

All Roll Calls

Yes: 172 • No: 0

Senate vote • 4/8/2026

Third Reading Passed

Yes: 43 • No: 0 • Other: 3

House vote • 3/21/2026