MarylandSB 06012026 Regular SessionSenateWALLET

Cybersecurity - Standards and Compliance - Alterations

Sponsored By: Katie Fry Hester (Democratic)

Signed by Governor

CybersecurityPrimary and Secondary EducationCertificationsCommunications -see also- ElecComm; Intergov; etc.Education, Boards ofEvaluations and ReviewsInformation Technology, Department ofLocal Government MandatesPublic Schools -see also- Primary Schools; Secondary SchReportsRevenue and Taxes -see also- (specific tax)Standards and Best Practices

Your PRIA Score

Score Hidden

Personalized for You

How does this bill affect your finances?

Sign up for a PRIA Policy Scan to see your personalized alignment score for this bill and every other piece of legislation we track. We analyze your financial profile against policy provisions to show you exactly what matters to your wallet.

Free to start

Bill Overview

Analyzed Economic Effects

3 provisions identified: 0 benefits, 0 costs, 3 mixed.

Faster cyber incident reporting for locals

Beginning July 1, 2026, counties, local school systems, and local health departments must report cyber incidents. They must notify the local emergency manager and the State Security Operations Center. The State Chief Information Security Officer sets what to report, how, and how fast. Municipal governments are not covered. The State Operations Center immediately alerts the right agencies when an incident is reported.

School funds can pay for cybersecurity

Beginning July 1, 2026, school systems can use target per‑pupil funds for cybersecurity, along with devices, broadband, and IT staff. These dollars are meant to supplement, not replace, existing educational technology funding. By August 15 each year, county boards report prior‑year spending on devices, connectivity, IT staff, and cybersecurity, plus device and home‑internet coverage rates. By December 15, DoIT sends a statewide compilation to the General Assembly. These steps help districts fund student devices, home connectivity, and cybersecurity while improving transparency.

School systems must meet state cyber standards

Starting July 1, 2026, each school system names a cybersecurity contact and tells the State Chief Information Security Officer. Beginning January 1, 2027, school systems must meet State minimum cybersecurity standards and do a maturity assessment every two years. They must certify compliance to DoIT’s Office of Security Management by June 30, 2027, and every two years after. DoIT defines and reviews these standards each year, and in 2026–2027 focuses on Protect (PR) controls. DoIT’s security officers help on request, but schools keep day-to-day responsibility.

Sponsors & Cosponsors

Sponsor

Katie Fry Hester
Democratic • Senate

Cosponsors

Dalya Attar
Democratic • Senate
Benjamin Brooks
Democratic • Senate
Brian J. Feldman
Democratic • Senate
Kevin M. Harris
Democratic • Senate
Cheryl C. Kagan
Democratic • Senate
Bryan W. Simonaire
Republican • Senate
Ron Watson
Democratic • Senate

Roll Call Votes

All Roll Calls

Yes: 173 • No: 0

House vote • 4/10/2026

Third Reading Passed

Yes: 134 • No: 0 • Other: 3

Senate vote • 3/20/2026