Sign In

Buy Maryland Cybersecurity (BMC) Tax Credit

Certain sellers have reached their statutory cap for tax year 2024 and Commerce is no longer able to award tax credits to buyers who made purchases from those sellers in tax year 2024. Please contact Cindy Zeng at cindy.zeng@maryland.gov before completing a buyer application.

The Buy Maryland Cybersecurity Tax Credit provides an incentive for Qualified Maryland Companies to purchase cybersecurity technologies and services from a Qualified Maryland Cybersecurity Seller. Qualified Maryland Companies may claim a tax credit for 50% of the net purchase price of cybersecurity technologies and services purchased from a Qualified Maryland Cybersecurity Seller. The tax credit must be claimed for the tax year in which a purchase is made.

The tax credit is awarded on a first come first served basis, and is subject to funding available to the Department of Commerce. 25% of the annual funding amount is earmarked for cybersecurity service purchases, and the remaining 75% is available for cybersecurity technology purchases.  

The tax credit was created in 2018. The Department of Commerce has $4.0 million available for tax credit for each tax year after 2018. This means $3.0 million is available for the purchase of cybersecurity technologies and $1.0 million is available for the purchase of cybersecurity services.

The Buy Maryland Cybersecurity Tax Credit is designed to promote the cybersecurity industry in Maryland by helping small businesses purchase cybersecurity technologies and services from Maryland cybersecurity companies to protect business information.  

The following resources will assist a business with identifying its cybersecurity needs.
 

BENEFIT

Benefit for Companies Purchasing Cybersecurity Technologies and Services

A Qualified Maryland Company that purchases cybersecurity technologies or services from a Qualified Maryland Cybersecurity Seller may claim up to $50,000 in tax credits in a single tax year. This means a Qualified Maryland Company may apply for the tax credit for up to $100,000 in cybersecurity purchases from Qualified Maryland Cybersecurity Sellers in a single tax year.

Benefit for Companies Selling Cybersecurity Technologies and Services

A single Qualified Maryland Cybersecurity Seller may have up to $400,000 in cybersecurity sales benefit from the tax credit in a single tax year. Once an aggregate of $200,000 in tax credits are claimed for the purchase of cybersecurity technologies or services from a single Qualified Maryland Cybersecurity Seller in a tax year, additional purchases from that Qualified Maryland Cybersecurity Seller in that tax year are not eligible for the tax credit. 

Qualified Maryland Cybersecurity Sellers are certified by the Department of Commerce. 

Cybersecurity purchases made from any company listed as a Qualified Maryland Cybersecurity Company on Commerce's website may be eligible for the tax credit.

A purchase of Qualified Maryland Cybersecurity Seller technologies or services from a third-party reseller are eligible for the tax credit. However, the purchase price of sales from a third-party reseller must be reduced by 20% before calculating the 50% tax credit. The 20% reduction to the purchase price from a third-party reseller is the Department of Commerce's estimate of the percentage added by third-party resellers.

A reseller is any company selling cybersecurity technologies or services which is not identified as a certified Qualified Maryland Cybersecurity Seller by the Department of Commerce. To be able to claim the tax credit for cybersecurity purchases from a third-party reseller, the cybersecurity technology or service being purchased must have originated from a Qualified Maryland Cybersecurity Seller. This requires that the name of the Qualified Maryland Cybersecurity Seller be identified on an invoice from a third-party seller along with a description of the cybersecurity technology or service that was purchased.


ELIGIBILITY

To be eligible for the tax credit a company must have fewer than 50 employees in Maryland and be required to file an income tax return in Maryland. A company is identified as a Qualified Maryland Company when applying for the tax credit by certifying the number of employees and that it is required to file a tax return in Maryland.

Eligible cybersecurity technologies are proprietary goods and products designed to protect information systems, electronically stored data or information, and electronic data and information transferred between information systems. This includes goods and products designed to detect and prevent:
  • Unauthorized access to information systems, stored data, and information, and the transfer of data and information;
  • Data exfiltration or extrusion; or
  • Manipulation or impairment to the integrity, confidentiality, or availability of data and information stored or transferred by an information system.

To be considered a qualified cybersecurity service, the Cybersecurity Seller must perform an activity identified by the National Institute of Standards and Technology's (NIST) most recent Cybersecurity Framework: Framework Core.  

APPLY

Apply Now

RESOURCES


CONTACT

For information about Buy Maryland Cybersecurity Tax Credit contact:

Cindy ZengTax Specialist
Office of Finance Programs
cindy.zeng@maryland.gov | 410-767-6351

FREQUENTLY ASKED QUESTIONS

Frequently Asked Questions for Sellers

  • What is a Qualified Maryland Cybersecurity Seller?
    • ​A Qualified Maryland Cybersecurity Seller is a for profit company that:

      • Is primarily engaged in the development of innovative and proprietary cybersecurity technology or the provision of cybersecurity service;
      • Has its headquarters and base of operations in Maryland;
      • Has less than $5 million in annual revenue; or is a minority-owned, woman-owned, veteran-owned, or service-disabled veteran-owned business; or is located in a Historically Underutilized Business (HUB) Zone; and
      • Provides proprietary cybersecurity technologies or services which it owns or has properly licensed.

      The Department of Commerce must certify a cybersecurity company as a Qualified Maryland Cybersecurity Seller for the sale of its cybersecurity technologies or services to be eligible for the tax credit. Apply Online to fill out an application on the portal. The Department must recertify the cybersecurity company as a Qualified Maryland Cybersecurity Seller each year.


  • What information does a cybersecurity company have to provide in its application for certification as a Qualified Maryland Cybersecurity Seller?
    • To be certified as a Qualified Maryland Cybersecurity Seller, a cybersecurity company must:

      • Demonstrate it is in good standing with the Maryland Department of Assessment and Taxation (SDAT);
      • Demonstrate that it is current with its tax obligations;
      • Provide evidence that is a for profit business with at least 51% of its business is the development of innovative and proprietary cybersecurity technology or the provision of cybersecurity service;
      • Demonstrate that its headquarters and base of operations are located in Maryland;
      • Provide evidence that the company has less than $5 million in annual revenue, or is a minority-owned, woman-owned, veteran-owned, or service-disabled veteran- owned business, or is located in a Historically Underutilized Business (HUB) Zone; and
      • Provide evidence that the company owns or licenses proprietary cybersecurity technology or provides a cybersecurity service.

      Each of these requirements are explained below:

      a) SDAT Good Standing: A cybersecurity company may provide the Department of Commerce with a Certificate of Status (also called a Good Standing Certificate) from SDAT. To avoid the $20 cost for a Certificate of Status, a cybersecurity company may instead submit a screen shot from the SDAT website stating that the cybersecurity company is in good standing. A screen shot may be obtained by following these steps:

      • Visit the Maryland Business Express website.
      • Enter the name of the business in the search engine;
      • Click on “View Business Detail” once the name of the business is found in the search results. Print the screen showing that the business is in good standing.

      b) Current with Tax Obligations: A cybersecurity company must provide a Good Standing Certificate from the Comptroller of Maryland to show that it is current in all of its Maryland tax obligations.

      c) Primarily engaged in cybersecurity activities: A cybersecurity company must submit a business plan and complete financial statement to determine that it meets the minimum threshold for a cybersecurity company and to verify that it has its headquarters and base of operations in Maryland.

      At a minimum, a business plan should include:

      • Executive Summary
      • History of Entity
      • Description of Technologies or Services
      • Intellectual Property
      • Market Analysis
      • Product Development
      • Pricing Strategy
      • Competition
      • Company Leadership
      • Financials
        • Historical Revenues and Expenses
        • Present and Projected Revenues and Expenses
          • Segregate Research and Development Expenses from Sales, General and Administrative Expenses
        • Appendices as necessary

      d) Owns or licenses a cybersecurity technology or provides a cybersecurity service:A cybersecurity company must submit documentation showing it has patented or patent pending intellectual property, a license, copyright, trademark, or other evidence that the company possess trade secrets.

      A company’s business plan is used to certify companies that provide an eligible cybersecurity service consistent with the NIST cybersecurity framework.e) Applications for Cybersecurity Companies Owned by a Minority, Woman, Veteran, or Service-Disabled Veteran

  • How long does the certification of a cybersecurity company as a Qualified Maryland Cybersecurity Seller last?
    • ​The certification as a Qualified Maryland Cybersecurity Seller is good for one year, and the company must apply for recertification every year.

  • Is there a deadline for applying for certification as a Qualified Maryland Cybersecurity Seller?
    • ​No. A cybersecurity company may apply for certification as a Qualified Maryland Cybersecurity Seller at any time during the year.

  • Does a cybersecurity company need to provide both cybersecurity technologies and services to be certified as a Qualified Maryland Cybersecurity Seller?
    • ​No, the cybersecurity company may sell technologies alone, services alone, or both.

  • What cybersecurity services are eligible for the tax credit?
    • ​To be eligible for the Buy Maryland Cybersecurity tax credit a cybersecurity service company must primarily perform an activity identified by the National Institute of Standards and Technology’s (NIST) most recent Cybersecurity Framework: Framework Core.

  • Is a buyer eligible for the tax credit if it buys a cybersecurity technology or service from a third-party or reseller?
    • ​A buyer is eligible for the tax credit if it buys the cybersecurity technology or service of the Qualified Maryland Cybersecurity Seller through a third party reseller. However, the tax credit will not be 50% of the full purchase price of the cybersecurity technology or service purchased from the third-party reseller. The Department of Commerce will deduct 20% from the net purchase price before calculating the tax credit.

      When applying for the tax credit, the buyer must be able to demonstrate that it purchased the cybersecurity technology or service of the Qualified Maryland Cybersecurity Seller from the third-party reseller. The invoice must include the name of the Qualified Maryland Cybersecurity Seller as well as a description of the cybersecurity technology or service that was purchased.


Frequently Asked Questions for Buyers