Accomplishments for Core Goal #6: Cybersecurity and Critical Infrastructure Protection
Maryland’s critical infrastructure program was expanded and integrated into the State’s intelligence fusion center to improve information sharing between law enforcement and the private sector. The State’s efforts have focused on developing a common set of definitions for critical infrastructure, a standardized site Critical Infrastructure Protection tool, and a common database accessible to all critical stakeholders. In recognition of the emerging threats from cyberattacks, we updated Maryland’s Strategic Goals and Objectives for Homeland Security to include new goals for securing the State’s critical computer and information networks from loss or disruption of services due to cyber intrusions and attacks.
- Maryland has a national model partnership that leverages the cybersecurity capabilities of the Maryland Air National Guard 175th Network Warfare Squadron to support its cybersecurity assessments. State agencies participate in collaborative Web penetration training exercises with the Maryland Air Guard Squadron. The exercises, which feature simulated attacks from malicious outsiders or insidious insiders, are useful in evaluating the security of selected state websites and portals. Security issues uncovered through the penetration tests lead to technical and procedural countermeasures to reduce risks. The Guard also provides network vulnerability assessment services to various state agencies while, in return, it receives beneficial training for the squadron’s members.
- Conduct regular Cabinet-level cybersecurity tabletop exercises to raise the awareness and response capabilities of key state actors. Maryland has held two cybersecurity-focused Cabinet-level exercises since 2011. The first tabletop exercise was conducted in August 2011 and the second exercise was conducted on May 28, 2014. Both exercises were planned via a partnership between the U.S. Department of Homeland Security’s Cyber Exercise team, the Maryland National Guard’s 175th Network Warfare Squadron, and the Maryland Emergency Management Agency. The exercises focused solely on cybersecurity and assessing vulnerabilities in state agency networks. The May 2014 exercise identified areas for statewide improvement of network security, workforce training, securing portable devices, and continuity planning in the event of a cyberattack.
- New Cybersecurity Legislation. New Maryland legislation, SB-0676: Governmental Procedures – Security and Protection of Information, which went into effect on July 1, 2014, requires State and local government units that collect personally identifiable information to implement and maintain specified security practices, and take reasonable steps to protect against unauthorized access or use of personal information.
- Starting in January 2014, Maryland provided a refundable tax credit to Qualified Maryland Cybersecurity Companies (QMCCs) that seek and secure investment from an in-state or out-of-state investor. The purpose of this new program is to incentivize and attract cybersecurity companies to start up in or move to Maryland, and to attract investment to cybersecurity companies in order to help them grow, create jobs and retain intellectual property in Maryland.
- Maryland ranks among the nation’s leaders in cybersecurity jobs and cyber-related degree and certificate programs according to the Cyber Jobs Report. Baltimore City placed third among major cyber hotbeds, behind only Palo Alto, Calif., and San Francisco in the number of available cybersecurity positions. The Cyber Jobs Report also cited the state’s educational and training options, including cyber-related degree and certificate programs offered in Maryland’s educational institutions. Fifteen Maryland colleges and universities – more than in any other state – have been designated by the National Security Agency as Centers of Academic Excellence in Information Assurance.
- In October 2013, DoIT began a new training program to increase staff awareness of cybersecurity-related issues and policy. Once a month, individuals will be sent a link that directs them to a 10-minute training tool. DoIT made it a goal to have 85% of State employees trained by the second quarter of 2014. By the end of the second quarter, 94% of employees had been trained.
- New Cybersecurity Plan Requirement. Since July 1, 2013, DoIT has required all agencies to submit a Cybersecurity Plan for their critical systems with their annual Information Technology Master Plan (ITMP) submissions. The new requirement instructs agencies to inventory any information systems containing personally identifiable information, provide evidence of measures to demonstrate compliance with IT security common controls, identify an agency cybersecurity point of contact (POC), and complete a Common Controls Matrix.