Current through Register Vol. 52, No. 1, January 10, 2025
Section 20.06.01.06 - Zero Trust Implementation

A. Public service companies shall implement a zero trust cybersecurity approach that is focused on cybersecurity resource protection and adopts and implements cybersecurity standards that meet or exceed regulations in this chapter.

B. A public service company shall adopt a zero trust cybersecurity approach for on-premises services and cloud-based services.

C. Levels of cybersecurity device risk and supply chain risk shall be defined by each public service company, consistent with industry standard practices, unless superseded by applicable federal or State cybersecurity standards.

D. The process by which cybersecurity device risk and supply chain risk is determined shall be documented and subject to inspection by the Office of Cybersecurity unless such processes are superseded by applicable federal cybersecurity standards and regulations that prohibit such disclosures.

E. A public service company shall establish minimum security standards for each cybersecurity device or grouping of cyber security devices, including security risks with supply chains based on the level of security risk each device or group of devices presents to the public service company's ability to deliver utility services or protect customer information necessary for the adequate, economical, and efficient delivery of public service company services in Maryland.

F. Public service companies shall provide evidence that they already or, where technically feasible, are planning to implement zero trust approaches in their Information Technology (IT) and Operational Technology (OT) devices and provide timelines or industry roadmaps for implementing zero trust approaches. Evidence of planning shall consist of the following:

(1) A documented good faith analysis to determine where public service companies can expand implementation of zero trust approaches;

(2) An overview of a specific utility's approaches to zero trust;

(3) The incorporation of zero trust approaches as a criterion in IT and OT asset design and procurement policy as supported by industry;

(4) The existence of auditable asset investments demonstrably compliant with zero trust approaches; and

(5) Documented company plans with zero trust approach implementation timelines and dedicated resources.

Md. Code Regs. 20.06.01.06
Regulations .06 adopted effective 51:24 Md. R. 1081, eff. 12/12/2024.