WeVote

Bill

Bill

SB 907

Animal testing facility operated by a state agency; nonhuman primates, care and treatment.

2025 Regular Session Introduced by Bill Stanley

Maryland local school systems must meet state cybersecurity standards, perform biennial maturity assessments, certify to DoIT, plus expanded staffing/reporting and new local costs.

Acts of Assembly Chapter text (CHAP0437)
0
WeVote Research Nonpartisan
Bill Summary · SB 907

SB 907 — Cybersecurity: Standards, Compliance, and Audits — Summary

Status: Hearing scheduled 3/05 at 1:00 p.m. (Introduced Jan. 2025)
Primary subject: Education / Information Technology / Cybersecurity

Main purpose

Require Maryland local school systems to meet State cybersecurity standards, increase monitoring and reporting of school-system cybersecurity posture, and align fiscal reporting and audit activity with those standards. The bill centralizes expectations for local cybersecurity staffing, assessment, and certification and directs the Department of Information Technology (DoIT) to provide support.

Key provisions

  • Compliance and assessments

    • Beginning in 2026, each local school system must:
    • Comply with the State minimum cybersecurity standards established by DoIT.
    • Conduct a cybersecurity maturity assessment every two years.
    • Certify compliance to DoIT’s Office of Security Management (OSM) by June 30, 2026, and every two years thereafter.
    • OSM must annually review and update the State minimum cybersecurity standards. For the 2025–26 school year, DoIT will emphasize Standard 6.2 (Protect Controls).
  • Staffing and support

    • Each county board must provide sufficient cybersecurity staffing as determined by the State Chief Information Security Officer.
    • Local systems may share services, contract with vendors, or use regional DoIT support to satisfy staffing requirements.
    • DoIT must assign at least three information security officers to assist local school systems with compliance and remediation.
  • Reporting and budgeting

    • The deadline for local boards to report technology-related information to MSDE is moved to August 15 (first due Aug 15, 2025).
    • Required report content is expanded to disaggregate IT spending by:
    • Full‑time employees,
    • Vendor‑supported staff/contractors,
    • Dedicated cybersecurity professionals (e.g., CISO, cybersecurity specialists),
    • Cybersecurity expenditures tied to the State minimum cybersecurity standards.
    • The target per-pupil foundation funding (Blueprint) authorized uses are explicitly expanded to include cybersecurity; the bill repeals an existing requirement that local boards prioritize buying digital devices with that funding.
  • Audits

    • The Office of Legislative Audits (OLA) must reference the State minimum cybersecurity standards when conducting fiscal or compliance audits of local school systems.

Who is affected

  • Local school systems and county boards of education (new staffing, assessment, reporting obligations).
  • Department of Information Technology / Office of Security Management (standard-setting, support role).
  • Maryland State Department of Education (receives expanded reports).
  • Office of Legislative Audits (audit guidance).
  • State and local budgets (see fiscal impact).

Fiscal and timeline highlights

  • Effective date in bill text / fiscal analysis: July 1, 2025 (implementation steps begin thereafter).
  • Certification and compliance reporting: first certification due June 30, 2026.
  • DoIT estimated general‑fund cost: approximately $900,300 in FY2026 (staffing/contractual support to provide three information security officers plus DoIT planners), rising in subsequent years (FY2027+ estimates provided in fiscal note).
  • Local school systems will incur increased costs for cybersecurity personnel and biennial maturity assessments; the bill is a mandate on units of local government.
  • OLA expects to perform audits guided by the standards using existing resources; state revenues not affected.

Practical effect

The bill raises statewide minimum expectations for school cybersecurity, increases transparency of local cybersecurity spending and staffing, and provides dedicated DoIT resources to help local systems comply — while creating modest but indeterminate additional costs for local school systems to hire staff and perform regular assessments.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.