§9–2707.

    (a)    Each community water system and community sewerage system shall report, in accordance with the process established under subsection (b) of this section, a cybersecurity incident, including an attack on an information technology system or operational technology system being used by the community water system or community sewerage system provider, to the State Security Operations Center in the Department of Information Technology.

    (b)    (1)    The State Chief Information Security Officer, in consultation with the Department, shall establish a process for community water system providers, community sewerage system providers, and other members of the water and wastewater sector to report cybersecurity incidents.

        (2)    The reporting process shall specify:

            (i)    The circumstances under which an incident must be reported;

            (ii)    The manner in which an entity must report an incident; and

            (iii)    The time period within which an entity must report an incident.

    (c)    The State Security Operations Center shall immediately notify the Department and the other appropriate State and local government agencies of a cybersecurity incident reported under this section.

    (d)    (1)    On or before January 1, 2027, and each year thereafter, the Office of Security Management in the Department of Information Technology shall publish a report that describes the number and type of incidents reported by community water systems and community sewerage systems in the preceding calendar year.

        (2)    The report required under this subsection may not identify the impacted community water systems or community sewerage systems.