
Commission Files Notice Of Statutory Requirement To Conduct Assessments And Submit Certifications To Commission In the Matter of Cyber-Security Reporting of Maryland Utilities

Dockets: 9492
Category: Uncategorized

Re: In The Matter Of Cyber-Security Reporting Of Maryland Utilities

From Notice:

[ *** ] The Act imposes several requirements on public service companies, including the following: 

  • Adopt and implement cybersecurity standards;
  • Adopt a zero-trust cybersecurity approach for on-premises services and cloud-based services;
  • Establish minimum security standards for each operational technology and information technology device based on the level of security risk for each device;
  • On or before July 1, 2024 and on or before July 1 every other year thereafter (e.g., July 1, 2026), engage a third party to conduct an assessment of operational technology and information technology devices;
  • Submit to the Commission certification of the public service company’s compliance with standards used in the assessments; and
  • Report any cybersecurity incident to the State Security Operations Center in the Department of Information Technology.

PUA § 5-306(c) provides the following language that relates to public service companies’ assessment and certification responsibilities:

  (4)(i) on or before July 1, 2024, and on or before July 1 every other year thereafter, engage a third party to conduct an assessment of operational technology and information technology devices based on:
    1. the Cybersecurity and Infrastructure Security Agency’s Cross-Sector Cybersecurity Performance Goals; or
    2. a more stringent standard that is based on the National Institute of Standards and Technology security frameworks; and
  (ii) submit to the Commission certification of the public service company’s compliance with standards used in the assessments under item (i) of this item. [ *** ]

In accordance with PUA § 5-306(c)(4), certification of the public service company’s compliance with standards shall be submitted to the Commission by July 1, 2024. These certifications shall include the date each assessment was completed, the name of each third party that performed an assessment, and their qualifications to conduct NIST or CPG cybersecurity framework-based assessments. If consistent with the requirements of PUA § 5-306(c), audits performed as required by the NERC CIP standards or TSA schedules may be used as a third-party assessment for purposes of PUA § 5-306(c). [ *** ]

Notice (ML# 308885)
9492 (09/11/2018)