Current through Register Vol. 52, No. 1, January 10, 2025
Section 20.06.01.02 - Definitions

A. In this subtitle, the following terms have the meanings indicated.

B. Terms Defined.

(1) "Chief information security officer (CISO)" means a senior-level executive who oversees an organization's information, cyber, and technology security. The CISO's responsibilities include developing, implementing, and enforcing security policies to protect critical data.

(2) "Commission" means the Public Service Commission of Maryland.

(3) "Compliance order" means a document issued by the Commission's Office of Cybersecurity to a public service company directing compliance.

(4) "Consent order" means a document executed jointly by the Commission's Office of Cybersecurity and a public service company for the disposition of a case.

(5) "Cybersecurity" means processes or capabilities wherein systems, communications, and information are protected and defended against damage, unauthorized use or modification, and exploitation.

(6) "Cybersecurity device" means any combination of hardware, software, and related services, including information technology systems, operational technology systems, and smart grid systems used for delivery of electricity, gas, or water, or systems that store customer information.

(7) "Cybersecurity Director" means the Director of the Commission's Office of Cybersecurity.

(8) "Cybersecurity framework" means a common mechanism for organizations to:
(a) Describe their current cybersecurity posture;
(b) Describe their target state for cybersecurity;
(c) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
(d) Assess progress toward the target state; and
(e) Communicate among internal and external stakeholders about cybersecurity risk.

(9) "Cybersecurity incident" means a malicious act or suspicious event that compromises, or was an attempt to compromise, a public service company's cybersecurity device.

(10) "Cybersecurity maturity" means a quantitative and qualitative assessment of an organization's cybersecurity posture using a cybersecurity framework.

(11) "Cybersecurity standard" means a mandatory federal or state cybersecurity requirement to protect the cybersecurity devices of an organization.

(12) "Good cybersecurity practice" means cybersecurity plans that are designed, implemented, maintained, and operated in accordance with applicable industry cybersecurity standards and with the Cybersecurity and Infrastructure Security Agency's Cross-Sector Cybersecurity Performance Goals (CPG), or a more stringent standard that is based on the National Institute of Standards and Technology (NIST) security frameworks.

(13) "Information technology system" means hardware and software related to the electronic processing, storage, retrieval, transmittal, and manipulation of data.

(14) "NOPV" means a notice of probable violation issued upon finding good cause to believe there has been a violation of this subtitle or of the cybersecurity requirements in Public Utilities Article, §5-306, Annotated Code of Maryland.

(15) "Office of Cybersecurity" means the organization in the Commission responsible for implementing oversight of the cybersecurity requirements in Public Utilities Article, §§2-108 and 5-306, Annotated Code of Maryland.

(16) "Operations technology system" means a system or network that monitors or controls electric, gas, or water system infrastructure used for utility operations.

(17) "Public service company" has the meaning stated in Public Utilities Article, §1-101, Annotated Code of Maryland, including investor-owned electric companies, electric cooperatives, municipal electric companies, gas companies, and water companies, but excluding public service companies that are a common carrier or a telephone company per Public Utilities Article, §5-306(b), Annotated Code of Maryland.

(18) "Smart grid system" means a system or network that enables a utility to gather and store personally identifiable customer information from customer devices or allows for the control of customer devices.

(19) "Zero trust" means a cybersecurity approach that is focused on cybersecurity resource protection, is based on the premise that trust is never granted implicitly but shall be continually evaluated, and is aligned with the tenets of the latest revised version of National Institute of Standards and Technology (NIST) Special Publication 800-207.

Md. Code Regs. 20.06.01.02
Regulation .02 adopted effective 49:15 Md. R. 739, eff. 7/25/2022; amended effective 51:24 Md. R. 1081, eff. 12/12/2024.