§3.5–316.

    (a)    (1)    In this section the following words have the meanings indicated.

        (2)    “Commission” means the Modernize Maryland Oversight Commission.

        (3)    “Critical system” means an information technology or cybersecurity system that is severely outdated, as determined by the Department.

    (b)    There is an independent Modernize Maryland Oversight Commission.

    (c)    The purpose of the Commission is to:

        (1)    ensure the confidentiality, integrity, and availability of information held by the State concerning State residents; and

        (2)    advise the Secretary and State Chief Information Security Officer on:

            (i)    the appropriate information technology and cybersecurity investments and upgrades;

            (ii)    the funding sources for the appropriate information technology and cybersecurity upgrades; and

            (iii)    future mechanisms for the procurement of appropriate information technology and cybersecurity upgrades, including ways to increase the efficiency of procurements made for information technology and cybersecurity upgrades.

    (d)    The Commission consists of the following members:

        (1)    the Secretary;

        (2)    the State Chief Information Security Officer;

        (3)    three chief information security officers representing different units of State government, appointed by the Governor;

        (4)    one information technology modernization expert with experience in the private sector, appointed by the Governor;

        (5)    one representative from the Maryland Chamber of Commerce with knowledge of cybersecurity issues;

        (6)    two individuals who are end users of State information technology systems, appointed by the Governor;

        (7)    one representative from the Cybersecurity Association of Maryland; and

        (8)    one individual who is either an instructor or a professional in the academic field of cybersecurity at a college or university in the State, appointed by the Governor.

    (e)    The cochairs of the Joint Committee on Cybersecurity, Information Technology, and Biotechnology shall serve as advisory, nonvoting members of the Commission.

    (f)    The Commission shall:

        (1)    advise the Secretary on a strategic roadmap with a timeline and budget that will:

            (i)    require the updates and investments of critical information technology and cybersecurity systems identified by the Commission in the first recommendations reported under paragraph (2) of this subsection to be completed on or before December 31, 2025; and

            (ii)    require all updates and investments of information technology and cybersecurity to be made on or before December 31, 2030;

        (2)    make periodic recommendations on investments in State information technology structures based on the assessments completed in accordance with the framework developed in § 3.5–317 of this subtitle;

        (3)    review and provide recommendations on the Department’s basic security standards for use of the network established under § 3.5–404(b) of this title; and

        (4)    each year, in accordance with § 2–1257 of the State Government Article, report its findings and recommendations to the Senate Budget and Taxation Committee, the Senate Education, Health, and Environmental Affairs Committee, the House Appropriations Committee, the House Health and Government Operations Committee, and the Joint Committee on Cybersecurity, Information Technology, and Biotechnology.

    (g)    The report submitted under subsection (f)(4) of this section may not contain information about the security of an information system.