(a) The Department of Information Technology shall require basic security requirements to be included in a contract: (1) in which a third–party contractor will have access to and use State telecommunication equipment, systems, or services; or (2) for systems or devices that will connect to State telecommunication equipment, systems, or services. (b) The security requirements developed under subsection (a) of this section shall be consistent with a widely recognized security standard, including National Institute of Standards and Technology SP 800–171, ISO27001, or Cybersecurity Maturity Model Certification.
Maryland Legal Code