Funding & Incentives

Buy Maryland Cybersecurity (BMC) Tax Credit

Certain sellers have reached their statutory cap for tax year 2024 and Commerce is no longer able to award tax credits to buyers who made purchases from those sellers in tax year 2024. Please contact Cindy Zeng at cindy.zeng@maryland.gov before completing a buyer application.

The Buy Maryland Cybersecurity Tax Credit provides an incentive for Qualified Maryland Companies to purchase cybersecurity technologies and services from a Qualified Maryland Cybersecurity Seller. Qualified Maryland Companies may claim a tax credit for 50% of the net purchase price of cybersecurity technologies and services purchased from a Qualified Maryland Cybersecurity Seller. The tax credit must be claimed for the tax year in which a purchase is made.

The tax credit is awarded on a first come first served basis, and is subject to funding available to the Department of Commerce. 25% of the annual funding amount is earmarked for cybersecurity service purchases, and the remaining 75% is available for cybersecurity technology purchases.

The tax credit was created in 2018. The Department of Commerce has $4.0 million available for tax credit for each tax year after 2018. This means $3.0 million is available for the purchase of cybersecurity technologies and $1.0 million is available for the purchase of cybersecurity services.

The Buy Maryland Cybersecurity Tax Credit is designed to promote the cybersecurity industry in Maryland by helping small businesses purchase cybersecurity technologies and services from Maryland cybersecurity companies to protect business information.

The following resources will assist a business with identifying its cybersecurity needs.

Stop.Think.Connect. Small Business Resources (Homeland Security)
Small Business Information Security: The Fundamentals (NIST)

BENEFIT

Benefit for Companies Purchasing Cybersecurity Technologies and Services

A Qualified Maryland Company that purchases cybersecurity technologies or services from a Qualified Maryland Cybersecurity Seller may claim up to $50,000 in tax credits in a single tax year. This means a Qualified Maryland Company may apply for the tax credit for up to $100,000 in cybersecurity purchases from Qualified Maryland Cybersecurity Sellers in a single tax year.

Benefit for Companies Selling Cybersecurity Technologies and Services

A single Qualified Maryland Cybersecurity Seller may have up to $400,000 in cybersecurity sales benefit from the tax credit in a single tax year. Once an aggregate of $200,000 in tax credits are claimed for the purchase of cybersecurity technologies or services from a single Qualified Maryland Cybersecurity Seller in a tax year, additional purchases from that Qualified Maryland Cybersecurity Seller in that tax year are not eligible for the tax credit.

Qualified Maryland Cybersecurity Sellers are certified by the Department of Commerce.

View the current list of Qualified Maryland Cybersecurity Sellers

Cybersecurity purchases made from any company listed as a Qualified Maryland Cybersecurity Company on Commerce's website may be eligible for the tax credit.

A purchase of Qualified Maryland Cybersecurity Seller technologies or services from a third-party reseller are eligible for the tax credit. However, the purchase price of sales from a third-party reseller must be reduced by 20% before calculating the 50% tax credit. The 20% reduction to the purchase price from a third-party reseller is the Department of Commerce's estimate of the percentage added by third-party resellers.

A reseller is any company selling cybersecurity technologies or services which is not identified as a certified Qualified Maryland Cybersecurity Seller by the Department of Commerce. To be able to claim the tax credit for cybersecurity purchases from a third-party reseller, the cybersecurity technology or service being purchased must have originated from a Qualified Maryland Cybersecurity Seller. This requires that the name of the Qualified Maryland Cybersecurity Seller be identified on an invoice from a third-party seller along with a description of the cybersecurity technology or service that was purchased.

ELIGIBILITY

To be eligible for the tax credit a company must have fewer than 50 employees in Maryland and be required to file an income tax return in Maryland. A company is identified as a Qualified Maryland Company when applying for the tax credit by certifying the number of employees and that it is required to file a tax return in Maryland.

Eligible cybersecurity technologies are proprietary goods and products designed to protect information systems, electronically stored data or information, and electronic data and information transferred between information systems. This includes goods and products designed to detect and prevent:

Unauthorized access to information systems, stored data, and information, and the transfer of data and information;
Data exfiltration or extrusion; or
Manipulation or impairment to the integrity, confidentiality, or availability of data and information stored or transferred by an information system.

To be considered a qualified cybersecurity service, the Cybersecurity Seller must perform an activity identified by the National Institute of Standards and Technology's (NIST) most recent Cybersecurity Framework: Framework Core.

APPLY

RESOURCES

Statute

CONTACT

For information about Buy Maryland Cybersecurity Tax Credit contact:

Cindy Zeng, Tax Specialist
Office of Finance Programs
cindy.zeng@maryland.gov | 410-767-6351

FREQUENTLY ASKED QUESTIONS

Frequently Asked Questions for Sellers

What is a Qualified Maryland Cybersecurity Seller?
- A Qualified Maryland Cybersecurity Seller is a for profit company that:
  Is primarily engaged in the development of innovative and proprietary cybersecurity technology or the provision of cybersecurity service;
  Has its headquarters and base of operations in Maryland;
  Has less than $5 million in annual revenue; or is a minority-owned, woman-owned, veteran-owned, or service-disabled veteran-owned business; or is located in a Historically Underutilized Business (HUB) Zone; and
  Provides proprietary cybersecurity technologies or services which it owns or has properly licensed.
  The Department of Commerce must certify a cybersecurity company as a Qualified Maryland Cybersecurity Seller for the sale of its cybersecurity technologies or services to be eligible for the tax credit. Apply Online to fill out an application on the portal. The Department must recertify the cybersecurity company as a Qualified Maryland Cybersecurity Seller each year.
What information does a cybersecurity company have to provide in its application for certification as a Qualified Maryland Cybersecurity Seller?
- To be certified as a Qualified Maryland Cybersecurity Seller, a cybersecurity company must:
  Demonstrate it is in good standing with the Maryland Department of Assessment and Taxation (SDAT);
  Demonstrate that it is current with its tax obligations;
  Provide evidence that is a for profit business with at least 51% of its business is the development of innovative and proprietary cybersecurity technology or the provision of cybersecurity service;
  Demonstrate that its headquarters and base of operations are located in Maryland;
  Provide evidence that the company has less than $5 million in annual revenue, or is a minority-owned, woman-owned, veteran-owned, or service-disabled veteran- owned business, or is located in a Historically Underutilized Business (HUB) Zone; and
  Provide evidence that the company owns or licenses proprietary cybersecurity technology or provides a cybersecurity service.
  Each of these requirements are explained below:
  a) SDAT Good Standing: A cybersecurity company may provide the Department of Commerce with a Certificate of Status (also called a Good Standing Certificate) from SDAT. To avoid the $20 cost for a Certificate of Status, a cybersecurity company may instead submit a screen shot from the SDAT website stating that the cybersecurity company is in good standing. A screen shot may be obtained by following these steps:
  Visit the Maryland Business Express website.
  Enter the name of the business in the search engine;
  Click on “View Business Detail” once the name of the business is found in the search results. Print the screen showing that the business is in good standing.
  b) Current with Tax Obligations: A cybersecurity company must provide a Good Standing Certificate from the Comptroller of Maryland to show that it is current in all of its Maryland tax obligations.
  c) Primarily engaged in cybersecurity activities: A cybersecurity company must submit a business plan and complete financial statement to determine that it meets the minimum threshold for a cybersecurity company and to verify that it has its headquarters and base of operations in Maryland.
  At a minimum, a business plan should include:
  Executive Summary
  History of Entity
  Description of Technologies or Services
  Intellectual Property
  Market Analysis
  Product Development
  Pricing Strategy
  Competition
  Company Leadership
  Financials
  Historical Revenues and Expenses
  Present and Projected Revenues and Expenses
  Segregate Research and Development Expenses from Sales, General and Administrative Expenses
  Appendices as necessary
  d) Owns or licenses a cybersecurity technology or provides a cybersecurity service:A cybersecurity company must submit documentation showing it has patented or patent pending intellectual property, a license, copyright, trademark, or other evidence that the company possess trade secrets.
  A company’s business plan is used to certify companies that provide an eligible cybersecurity service consistent with the NIST cybersecurity framework.e) Applications for Cybersecurity Companies Owned by a Minority, Woman, Veteran, or Service-Disabled Veteran
  Minority and Women-Owned Businesses: Cybersecurity companies must submit a copy of their Minority Business Enterprise (MBE) certification from the Maryland Department of Transportation.
  Veteran or Service-Disabled Veteran-Owned Businesses: Cybersecurity companies must provide either: (1) a copy the veteran owner’s DD 214 and attest that a veteran has principal ownership of the cybersecurity company; or (2) a copy of the United States Department of Veteran’s Affairs certification as a Veteran Owned-Small Business or Service-Disabled Veteran Owned-Small Business.
  Applications for Cybersecurity Companies Located in a Historically Underutilized Business (HUB) Zone: Cybersecurity companies must submit a copy of its HUB Zone certification from the United States Small Business Administration (SBA). A company can determine if it is located in a HUB Zone by using the SBA’s HUB Zone Map.
How long does the certification of a cybersecurity company as a Qualified Maryland Cybersecurity Seller last?
- The certification as a Qualified Maryland Cybersecurity Seller is good for one year, and the company must apply for recertification every year.
Is there a deadline for applying for certification as a Qualified Maryland Cybersecurity Seller?
- No. A cybersecurity company may apply for certification as a Qualified Maryland Cybersecurity Seller at any time during the year.
Does a cybersecurity company need to provide both cybersecurity technologies and services to be certified as a Qualified Maryland Cybersecurity Seller?
- No, the cybersecurity company may sell technologies alone, services alone, or both.
What cybersecurity services are eligible for the tax credit?
- To be eligible for the Buy Maryland Cybersecurity tax credit a cybersecurity service company must primarily perform an activity identified by the National Institute of Standards and Technology’s (NIST) most recent Cybersecurity Framework: Framework Core.
Is a buyer eligible for the tax credit if it buys a cybersecurity technology or service from a third-party or reseller?
- A buyer is eligible for the tax credit if it buys the cybersecurity technology or service of the Qualified Maryland Cybersecurity Seller through a third party reseller. However, the tax credit will not be 50% of the full purchase price of the cybersecurity technology or service purchased from the third-party reseller. The Department of Commerce will deduct 20% from the net purchase price before calculating the tax credit.
  When applying for the tax credit, the buyer must be able to demonstrate that it purchased the cybersecurity technology or service of the Qualified Maryland Cybersecurity Seller from the third-party reseller. The invoice must include the name of the Qualified Maryland Cybersecurity Seller as well as a description of the cybersecurity technology or service that was purchased.

Frequently Asked Questions for Buyers

How does a company that purchased cybersecurity technologies and services from a Qualified Maryland Cybersecurity Seller claim the tax credit?
- A Qualified Maryland Company that wishes to claim the tax credit needs to submit an application online. Commerce will not accept applications in any other format.
  Companies approved for the tax credit will receive A Certificate of Approval from the Department of Commerce. The Certificate of Approval must be attached to the company’s Maryland income tax return that is filed with the Comptroller of Maryland.
What records does a company need to maintain for the tax credit? Are there any reporting requirements for a company that makes a purchase from a Qualified Maryland Cybersecurity Seller?
- In order to apply for the tax credit, a company must provide a copy of the invoice for the cybersecurity technology or service purchased from a Qualified Maryland Cybersecurity Seller, and proof of payment. A company does not need to maintain any records other than an invoice and proof of payment. There are no reporting requirements.
How does a company know it is buying from a Qualified Maryland Cybersecurity Seller?
- Qualified Maryland Cybersecurity Sellers are certified by the Department of Commerce. Click here for a current list of Qualified Maryland Cybersecurity Companies.
  Eligible purchases made from any company listed as Qualified Maryland Cybersecurity Company on Commerce’s website may be eligible for the tax credit.
How is the tax credit amount calculated for extended service contracts?
- If the cost of an extended cybersecurity service contract is paid in full at the beginning of the contract, then the amount of the tax credit will be the amount paid for the contract up to $50,000 in tax credits. If the cost of an extended service contract is paid in installments or on a monthly basis, then only the actual amounts paid will be eligible for the tax credit.
  For example, if a company enters into a one-year cybersecurity service contract on July 1, 2020 requiring monthly installment payments, then only the months for which payments were made in 2020 are eligible for the tax credit in 2020. Assuming the monthly cost of the contract is $1,000, a company will be eligible for $3,000 in tax credits in 2020. A company may be eligible to apply for a tax credit in 2021 for monthly payments made in 2021.
If a company purchases a cybersecurity technology and service from a Qualified Maryland Cybersecurity Seller, can the company claim a tax credit for the product and service?
- Yes, provided the technology and service are eligible cybersecurity purchases. Each qualified buyer has an annual cap limiting the tax credit amounts which may be awarded. The credit awarded to a qualified buyer may not exceed $50,000 each year. As a result, if the combined cost of the technology and service exceeds $100,000, the tax credit award will be capped at $50,000.
Are taxes and fees included in the purchase price when calculating the amount of the tax credit?
- No. Taxes and fees must be subtracted from the purchase price before calculating the amount of the tax credit.