§9–2702.

    The Department shall:

        (1)    In coordination with the Department of Information Technology and the Maryland Department of Emergency Management, coordinate cybersecurity efforts within community water systems and community sewerage systems;

        (2)    Include cybersecurity awareness components for all new and renewing operator and superintendent certifications under Title 12 of this article; and

        (3)    In consultation with the Department of Information Technology:

            (i)    Update regulations governing community water systems and community sewerage systems to:

                1.    Include comprehensive sections regarding cybersecurity standards for water and wastewater treatment facilities; and

                2.    Require community water system and community sewerage system providers to report cyber incidents consistent with Department of Information Technology guidance in accordance with § 9–2707(b) of this subtitle;

            (ii)    Promulgate minimum cybersecurity standards for established community water systems and community sewerage systems that meet or exceed the federal Cybersecurity and Infrastructure Security Agency’s cross–sector cybersecurity performance goals;

            (iii)    Require community water systems and community sewerage systems to plan for disruptions of service due to cyber incidents, including ransomware attacks and other events resulting in root–level compromise;

            (iv)    Establish a list of approved cybersecurity training programs for staff responsible for maintaining or operating water and wastewater facilities; and

            (v)    Implement measures to protect the active certified operators list maintained on the Department’s website while ensuring legitimate access for necessary purposes.