Current with changes from the 2024 Legislative Session
Section 3.5-317 - Independent contractors to develop framework for investments in technology

(a) This section does not apply to:
(1) the Maryland Port Administration;
(2) the University System of Maryland;
(3) St. Mary's College of Maryland;
(4) Morgan State University;
(5) the Maryland Stadium Authority;
(6) Baltimore City Community College;
(7) the State Board of Elections;
(8) the Office of the Attorney General;
(10) the State Treasurer.

(b)(1) The Department shall hire independent contractors to:
(i) develop a framework for investments in technology; and
(ii) at least once every 2 years, in accordance with the framework, assess the cybersecurity and information technology systems in each unit of State government.
(2) The framework shall include the following criteria:
(i) security risks to the system;
(iii) the system's dependence on other information technology or cybersecurity systems and data;
(iv) the system's ability to create an efficient and seamless experience for users;
(v) the system's effectiveness in achieving unit objectives;
(vi) the system's effectiveness in meeting the needs of citizens and customers;
(vii) the costs to maintain and operate the system;
(viii) the speed of government response time;
(ix) the effectiveness of the system in regard to the unit's objectives;
(x) improvements to the unit's relative audit findings attributable to the system; and
(xi) an assessment of the system using the National Institute of Standards and Technology Cybersecurity Framework.

(c) Each unit shall promptly provide a contractor employed under subsection (b) of this section with the information necessary to perform the assessments.

(d)(1) Every 2 years, a contractor shall provide the results of the assessments to:
(i) the Modernize Maryland Commission established under § 3.5-316 of this subtitle; and
(ii) in accordance with § 2-1257 of the State Government Article, the Senate Budget and Taxation Committee, the Senate Education, Health, and Environmental Affairs Committee, and the House Health and Government Operations Committee.
(2) The report submitted under paragraph (1)(ii) of this subsection may not contain information about the security of an information system.

(e) The Department may use multiple contractors at a time to meet the requirements of this section.