§13–115.

    (a)    The Department of Information Technology shall require basic security requirements to be included in a contract:

        (1)    in which a third–party contractor will have access to and use State telecommunication equipment, systems, or services; or

        (2)    for systems or devices that will connect to State telecommunication equipment, systems, or services.

    (b)    The security requirements developed under subsection (a) of this section shall be consistent with a widely recognized security standard, including National Institute of Standards and Technology SP 800–171, ISO27001, or Cybersecurity Maturity Model Certification.