Sign In

Buy Maryland Cybersecurity (BMC) Tax Credit

Certain sellers have reached their statutory cap for tax year 2024 and Commerce is no longer able to award tax credits to buyers who made purchases from those sellers in tax year 2024. Please contact Cindy Zeng at cindy.zeng@maryland.gov before completing a buyer application.

The Buy Maryland Cybersecurity Tax Credit provides an incentive for Qualified Maryland Companies to purchase cybersecurity technologies and services from a Qualified Maryland Cybersecurity Seller. Qualified Maryland Companies may claim a tax credit for 50% of the net purchase price of cybersecurity technologies and services purchased from a Qualified Maryland Cybersecurity Seller. The tax credit must be claimed for the tax year in which a purchase is made.

The tax credit is awarded on a first come first served basis, and is subject to funding available to the Department of Commerce. 25% of the annual funding amount is earmarked for cybersecurity service purchases, and the remaining 75% is available for cybersecurity technology purchases.  

The tax credit was created in 2018. The Department of Commerce has $4.0 million available for tax credit for each tax year after 2018. This means $3.0 million is available for the purchase of cybersecurity technologies and $1.0 million is available for the purchase of cybersecurity services.

The Buy Maryland Cybersecurity Tax Credit is designed to promote the cybersecurity industry in Maryland by helping small businesses purchase cybersecurity technologies and services from Maryland cybersecurity companies to protect business information.  

The following resources will assist a business with identifying its cybersecurity needs.
 

BENEFIT

Benefit for Companies Purchasing Cybersecurity Technologies and Services

A Qualified Maryland Company that purchases cybersecurity technologies or services from a Qualified Maryland Cybersecurity Seller may claim up to $50,000 in tax credits in a single tax year. This means a Qualified Maryland Company may apply for the tax credit for up to $100,000 in cybersecurity purchases from Qualified Maryland Cybersecurity Sellers in a single tax year.

Benefit for Companies Selling Cybersecurity Technologies and Services

A single Qualified Maryland Cybersecurity Seller may have up to $400,000 in cybersecurity sales benefit from the tax credit in a single tax year. Once an aggregate of $200,000 in tax credits are claimed for the purchase of cybersecurity technologies or services from a single Qualified Maryland Cybersecurity Seller in a tax year, additional purchases from that Qualified Maryland Cybersecurity Seller in that tax year are not eligible for the tax credit. 

Qualified Maryland Cybersecurity Sellers are certified by the Department of Commerce. 

Cybersecurity purchases made from any company listed as a Qualified Maryland Cybersecurity Company on Commerce's website may be eligible for the tax credit.

A purchase of Qualified Maryland Cybersecurity Seller technologies or services from a third-party reseller are eligible for the tax credit. However, the purchase price of sales from a third-party reseller must be reduced by 20% before calculating the 50% tax credit. The 20% reduction to the purchase price from a third-party reseller is the Department of Commerce's estimate of the percentage added by third-party resellers.

A reseller is any company selling cybersecurity technologies or services which is not identified as a certified Qualified Maryland Cybersecurity Seller by the Department of Commerce. To be able to claim the tax credit for cybersecurity purchases from a third-party reseller, the cybersecurity technology or service being purchased must have originated from a Qualified Maryland Cybersecurity Seller. This requires that the name of the Qualified Maryland Cybersecurity Seller be identified on an invoice from a third-party seller along with a description of the cybersecurity technology or service that was purchased.


ELIGIBILITY

To be eligible for the tax credit a company must have fewer than 50 employees in Maryland and be required to file an income tax return in Maryland. A company is identified as a Qualified Maryland Company when applying for the tax credit by certifying the number of employees and that it is required to file a tax return in Maryland.

Eligible cybersecurity technologies are proprietary goods and products designed to protect information systems, electronically stored data or information, and electronic data and information transferred between information systems. This includes goods and products designed to detect and prevent:
  • Unauthorized access to information systems, stored data, and information, and the transfer of data and information;
  • Data exfiltration or extrusion; or
  • Manipulation or impairment to the integrity, confidentiality, or availability of data and information stored or transferred by an information system.

To be considered a qualified cybersecurity service, the Cybersecurity Seller must perform an activity identified by the National Institute of Standards and Technology's (NIST) most recent Cybersecurity Framework: Framework Core.  

APPLY

Apply Now

RESOURCES


CONTACT

For information about Buy Maryland Cybersecurity Tax Credit contact:

Cindy ZengTax Specialist
Office of Finance Programs
cindy.zeng@maryland.gov | 410-767-6351

FREQUENTLY ASKED QUESTIONS

Frequently Asked Questions for Sellers

  • What is a Qualified Maryland Cybersecurity Seller?
    • ​A Qualified Maryland Cybersecurity Seller is a for profit company that:

      • Is primarily engaged in the development of innovative and proprietary cybersecurity technology or the provision of cybersecurity service;
      • Has its headquarters and base of operations in Maryland;
      • Has less than $5 million in annual revenue; or is a minority-owned, woman-owned, veteran-owned, or service-disabled veteran-owned business; or is located in a Historically Underutilized Business (HUB) Zone; and
      • Provides proprietary cybersecurity technologies or services which it owns or has properly licensed.

      The Department of Commerce must certify a cybersecurity company as a Qualified Maryland Cybersecurity Seller for the sale of its cybersecurity technologies or services to be eligible for the tax credit. Apply Online to fill out an application on the portal. The Department must recertify the cybersecurity company as a Qualified Maryland Cybersecurity Seller each year.


  • What information does a cybersecurity company have to provide in its application for certification as a Qualified Maryland Cybersecurity Seller?
  • How long does the certification of a cybersecurity company as a Qualified Maryland Cybersecurity Seller last?
  • Is there a deadline for applying for certification as a Qualified Maryland Cybersecurity Seller?
  • Does a cybersecurity company need to provide both cybersecurity technologies and services to be certified as a Qualified Maryland Cybersecurity Seller?
  • What cybersecurity services are eligible for the tax credit?
  • Is a buyer eligible for the tax credit if it buys a cybersecurity technology or service from a third-party or reseller?

Frequently Asked Questions for Buyers

Close window
Close Disclaimer

Google Translate Disclaimer

The Maryland Department of Information Technology (“DoIT”) offers translations of the content through Google Translate. Because Google Translate is an external website, DoIT does not control the quality or accuracy of translated content. All DoIT content is filtered through Google Translate which may result in unexpected and unpredictable degradation of portions of text, images and the general appearance on translated pages. Google Translate may maintain unique privacy and use policies. These policies are not controlled by DoIT and are not associated with DoIT’s privacy and use policies. After selecting a translation option, users will be notified that they are leaving DoIT’s website. Users should consult the original English content on DoIT’s website if there are any questions about the translated content.

DoIT uses Google Translate to provide language translations of its content. Google Translate is a free, automated service that relies on data and technology ​​​to provide its translations. The Google Translate feature is provided for informational purposes only. Translations cannot be guaranteed as exact or without the inclusion of incorrect or inappropriate language. Google Translate is a third-party service and site users will be leaving DoIT to utilize translated content. As such, DoIT does not guarantee and does not accept responsibility for, the accuracy, reliability, or performance of this service nor the limitations provided by this service, such as the inability to translate specific files like PDFs and graphics (e.g. .jpgs, .gifs, etc.).

DoIT provides Google Translate as an online tool for its users, but DoIT does not directly endorse the website or imply that it is the only solution available to users. All site visitors may choose to use alternate tools for their translation needs. Any individuals or parties that use DoIT content in translated form, whether by Google Translate or by any other translation services, do so at their own risk. DoIT is not liable for any loss or damages arising out of, or issues related to, the use of or reliance on translated content. DoIT assumes no liability for any site visitor’s activities in connection with use of the Google Translate functionality or content.

The Google Translate service is a means by which DoIT offers translations of content and is meant solely for the convenience of non-English speaking users of the website. The translated content is provided directly and dynamically by Google; DoIT has no direct control over the translated content as it appears using this tool. Therefore, in all contexts, the English content, as directly provided by DoIT is to be held authoritative.