Baltimore Contractor Cybersecurity Checklist

Published February 08, 2026

Baltimore, Maryland requires contractors who access city data to follow specific cybersecurity practices as part of procurement and contract compliance. This checklist summarizes the key obligations, who enforces them, likely penalties, and the practical steps contractors should take before, during, and after handling municipal data. Use this guide to confirm required safeguards, where to submit plans or incident reports, and how appeals or reviews are handled under city processes. It is written for vendors, subcontractors, and city contract managers who need clear, actionable requirements for secure data access and handling.

Scope & Key Definitions

This checklist covers contractors, vendors, consultants and subcontractors granted access to Baltimore City systems or city-held personal or operational data. "Contractor" means any party with an executed agreement that permits access to city information assets. "City data" includes any non-public data produced, received, or stored under a city contract.

Minimum Security Controls

  • Implement role-based access control and least-privilege access to city systems.
  • Maintain asset inventories and logs showing access to city data for audit retention periods.
  • Use strong multi-factor authentication for all accounts accessing city resources.
  • Encrypt data at rest and in transit according to industry standards.
  • Provide a written incident response plan and notify the city promptly of any breach.

Maintain documented evidence of compliance to speed audits and incident response.

Penalties & Enforcement

Enforcement of cybersecurity and data-access obligations is handled through contract remedies and administrative oversight tied to procurement and information-technology governance. Specific monetary fines for contractor cybersecurity violations are not listed on the cited municipal procurement or code pages; see the cited sources for enforcement framework and contract remedies (Baltimore City Code [1]).

  • Monetary fines: not specified on the cited page; contract remedies typically address damages and cost recovery.
  • Escalation: first and repeat violations handled through contract termination, withholding payments, or litigation when warranted; specific per-offence ranges not specified on the cited page.
  • Non-monetary sanctions: corrective action plans, suspension or termination of contract, revocation of access, and court enforcement.
  • Enforcer: Baltimore City procurement officials and the Mayor's Office of Information and Technology (or designated IT security officer) oversee compliance and inspections; complaints and incident reports are routed to those offices.
  • Appeals/review: contractual dispute processes, administrative protests in procurement, and judicial review where permitted; time limits for protests and appeals are set by procurement rules or contract terms and are not specified on the cited procurement pages.

If you suspect a breach, notify the city immediately and preserve all logs and evidence.

Applications & Forms

Security plans, data-sharing agreements, and any required vendor attestations are typically submitted during procurement or as contract deliverables. The City of Baltimore posts procurement requirements and contract terms that specify submission methods and required documents; see the procurement guidance for details (Procurement - City of Baltimore [2]).

  • Security plan or data protection addendum: name depends on solicitation; submission via the city procurement portal or as set in the contract.
  • Incident notification form or email: follow contact instructions in the contract and the city IT policies.
  • Fees: not specified on the cited pages for security attestations; any fees will be in procurement documents.

Compliance & Practical Steps

  • Before contract start: submit required security attestations and proof of controls.
  • During the contract: maintain logs, perform periodic vulnerability scans, and provide evidence of remediation.
  • On suspected breach: preserve systems, notify the city per contract instructions, and cooperate with city incident response.
  • If disputed: use procurement protest processes or contract-based dispute resolution within stated timeframes.

Document actions and communications to support appeals or dispute resolution.

FAQ

What rules apply to contractors accessing Baltimore City data?
Contractual cybersecurity requirements, city IT policies, and any data-sharing agreements specified in the solicitation or contract apply; see the Baltimore City Code and procurement guidance. [1]

Do contractors need a written incident response plan?
Yes, contractors are expected to provide incident response and notification procedures as required by contract terms; the procurement pages list deliverable expectations for solicitations where applicable. [2]

How do I report a suspected data breach involving city data?
Report immediately to the contract manager and the Mayor's Office of Information and Technology per the contract's incident reporting instructions; preserve logs and evidence.

How-To

  1. Review the solicitation and contract for cybersecurity clauses and required deliverables.
  2. Prepare a written security plan addressing access controls, encryption, logging, and incident response.
  3. Submit required attestations and documentation via the procurement portal or as directed in the contract.
  4. Maintain audit logs and perform periodic security checks; remediate findings promptly.
  5. If an incident occurs, notify city contacts immediately, preserve evidence, and follow the city’s incident response directions.

Key Takeaways

  • In-contract cybersecurity obligations are enforceable through procurement remedies and access controls.
  • Maintain documentation and logs to demonstrate compliance during audits.

Help and Support / Resources


  [1] Baltimore City Code of Ordinances - Municode
  [2] City of Baltimore Procurement