
Statutes Text

Article - State Finance and Procurement




§3.5–407.

    (a)    This section does not apply to municipal governments.

    (b)    In a manner and frequency established in regulations adopted by the Department, each county government, local school system, and local health department shall:

        (1)    in consultation with the local emergency manager, create or update a cybersecurity preparedness and response plan; and

        (2)    complete a cybersecurity preparedness assessment.

    (c)    The assessment required under paragraph (b)(2) of this section may, in accordance with the preference of each county government, be performed by the Department or by a vendor authorized by the Department.

    (d)    (1)    Each local government shall report a cybersecurity incident, including an attack on a State system being used by the local government, to the appropriate local emergency manager and the State Security Operations Center in the Department in accordance with paragraph (2) of this subsection.

        (2)    For the reporting of cybersecurity incidents to local emergency managers under subparagraph (i) of this paragraph, the State Chief Information Security Officer shall determine:

            (i)    the criteria for determining when an incident must be reported;

            (ii)    the manner in which to report; and

            (iii)    the time period within which a report must be made.

        (3)    The State Security Operations Center shall immediately notify the appropriate agencies of a cybersecurity incident reported under this subsection through the State Security Operations Center.


