§3.5–2A–03.

    (a)    The head of the Office is the State Chief Information Security Officer.

    (b)    The State Chief Information Security Officer shall:

        (1)    be appointed by the Governor with the advice and consent of the Senate;

        (2)    serve at the pleasure of the Governor;

        (3)    be supervised by the Secretary; and

        (4)    serve as the chief information security officer of the Department.

    (c)    An individual appointed as the State Chief Information Security Officer under subsection (b) of this section shall:

        (1)    at a minimum, hold a bachelor’s degree;

        (2)    hold appropriate information technology or cybersecurity certifications;

        (3)    have experience:

            (i)    identifying, implementing, or assessing security controls;

            (ii)    in infrastructure, systems engineering, or cybersecurity;

            (iii)    managing highly technical security, security operations centers, and incident response teams in a complex cloud environment and supporting multiple sites; and

            (iv)    working with common information security management frameworks;

        (4)    have extensive knowledge of information technology and cybersecurity field concepts, best practices, and procedures, with an understanding of existing enterprise capabilities and limitations to ensure the secure integration and operation of security networks and systems; and

        (5)    have knowledge of current security regulations.

    (d)    The State Chief Information Security Officer shall provide cybersecurity advice and recommendations to the Governor on request.

    (e)    (1)    (i)    There is a Director of Local Cybersecurity, who shall be appointed by the State Chief Information Security Officer.

            (ii)    The Director of Local Cybersecurity shall work in coordination with the Maryland Department of Emergency Management to provide technical assistance, coordinate resources, and improve cybersecurity preparedness for units of local government.

        (2)    (i)    There is a Director of State Cybersecurity, who shall be appointed by the State Chief Information Security Officer.

            (ii)    The Director of State Cybersecurity is responsible for implementation of this section with respect to units of State government.

    (f)    The Department shall provide the Office with sufficient staff to perform the functions of this subtitle.