- (a) This section applies to a community water system or community sewerage system in the State that serves over 3,300 customers.
(b) Each community water system and community sewerage system provider shall:
- (1) Adopt and implement cybersecurity standards that are equal to or exceed the standards adopted by the Department under § 9-2702(3)(ii) of this subtitle;
- (2) Commit to adopting a zero-trust cybersecurity approach and begin planning and implementing the zero-trust approach, as appropriate for each system, modeled after the federal Cybersecurity and Infrastructure Security Agency's zero-trust maturity model, for on-premises services and cloud-based services; and
- (3) On or before July 1, 2026, and every 2 years thereafter, conduct a maturity assessment of its cybersecurity program for operational technology and information technology, based on the minimum cybersecurity standards established under § 9-2702(3)(ii) of this subtitle.
Added by Acts 2025, c. 495, § 1, eff. Oct. 1, 2025.