Md. Code Regs. 20.06.01.07

Current through Register Vol. 52, No. 1, January 10, 2025
Section 20.06.01.07 - Periodic Assessments of Cybersecurity Devices and Supply Chain Risk
A. On or before July 1, 2024, and on or before July 1 every other year thereafter, public service companies shall engage a third party to conduct an assessment of cybersecurity devices and supply chain risk based on either of the following cybersecurity frameworks:
(1) The Cybersecurity and Infrastructure Security Agency's Cross-Sector Cybersecurity Performance Goals (CPG); or
(2) A more stringent standard that is based on the National Institute of Standards and Technology (NIST) security frameworks.
B. The third party conducting the assessment of cybersecurity devices and supply chain risk shall be any non-affiliated entity that is qualified to perform an assessment based on applicable certifications, expertise, or past experience to conduct NIST and CPG cybersecurity framework-based assessments.
C. Multiple third-party assessments of cybersecurity devices and supply chain risk using applicable cybersecurity frameworks shall be used, if necessary, to cover all cybersecurity devices and supply chain risk under the scope of this chapter.
D. All cybersecurity assessments shall be conducted at any time within a 2-year assessment cycle, with the first assessment cycle ending July 1, 2024, and subsequent assessment cycles ending on or before July 1 every other year thereafter.
E. A public service company shall confidentially e-file to the Commission, or alternatively submit to the Office of Cybersecurity, an attestation letter by the public service company CISO, or equivalent, on or before July 1, 2024, and on or before July 1 every other year thereafter. This attestation letter shall include the following information:
(1) The name of the public service company;
(2) The date of the public service company's most recent cybersecurity assessments;
(3) The cybersecurity framework used in each cybersecurity assessment of the public service company;
(4) The name of the third-party entity that completed each cybersecurity assessment and their qualifications to conduct NIST or CPG cybersecurity framework-based assessments;
(5) A certification of the public service company's compliance with the standards for the cybersecurity frameworks used in these cybersecurity assessments; and
(6) If applicable, an attestation that a North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) audit has been performed, or that an inspection by the Transportation Security Administration (TSA) has been performed pursuant to TSA's Gas Pipeline Security Directives or TSA regulations that supersede the security directives, and the date the last such audit or inspection was performed.
F. A public service company may develop a consolidated assessment of all third-party assessments in a cybersecurity assessment report. At a minimum, a third-party or consolidated public service company cybersecurity assessment report shall include:
(1) An executive summary that includes a general overview of cybersecurity technology and policies used by the public service company;
(2) A description of how the cybersecurity framework used in each third-party assessment is based on NIST or CPG;
(3) A description of the scope of the cybersecurity devices and supply chain risk assessed and the applicable cybersecurity framework used for each third-party assessment;
(4) The completion date of each third-party assessment;
(5) A description of the cybersecurity standards to which the public service company shall comply for the cybersecurity devices and supply chain risk included in the assessment;
(6) The assessment results for each third-party assessment, including a description of cybersecurity maturity and trends of cybersecurity maturity since the previous assessment, if applicable; and
(7) Conclusions and recommendations from each third-party assessor for corrective actions.
G. A public service company shall arrange an in-person meeting with the Office of Cybersecurity at Commission offices or at another mutually agreeable location to review all individual third-party cybersecurity assessments or alternatively a public service company's consolidated cybersecurity assessment report, within 90 days of the date of the certification of a public service company's compliance attestation letter.
H. A public service company shall maintain all consolidated cybersecurity assessment reports and all third-party assessments of cybersecurity devices under the scope of this regulation for a minimum of two 2-year assessment cycles, except for applicable North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) audits, or inspections by the Transportation Security Administration (TSA) pursuant to TSA's Gas Pipeline Security Directives or TSA regulations that supersede the security directives, which are performed on a 3-year cycle. These assessment reports shall be made available at Commission offices or at another mutually agreeable location for inspection by the Office of Cybersecurity, upon request.
I. The details of a public service company's cybersecurity assessments may not be divulged except as directed by the Commission, or a court, as authorized by law. The Office of Cybersecurity shall promptly notify a public service company upon the discovery of any unauthorized access, compromise, loss, or exfiltration of the public service company's periodic assessment information.

Regulations .07 adopted effective 51:24 Md. R. 1081, eff. 12/12/2024.