Maryland’s Department of Information Technology announced on Tuesday a new statewide cybersecurity and privacy policy that shifts the state away from its “trust but verify” model in favor of a zero trust framework.
According to the press release, the Cybersecurity & Privacy Governance Policy applies to all agencies in the executive branch. Governments outside the executive branch, including local governments and legislative and judicial agencies, are not required to follow the policy but are strongly encouraged to use it to guide their own efforts to secure systems.
“Cybersecurity threats are only getting more and more advanced. Our State needed a simple, unified approach to ensure our systems, services, and data are fully protected in this modern environment,” said Katie Savage, secretary of the Maryland Department of Information Technology.
Over the next 18 months, agencies across the state will implement modern controls based on zero trust principles, a cybersecurity approach designed to ensure state IT systems “never trust and always verify” user actions.
“The new Cybersecurity and Privacy Policy Suite will help reduce state-wide risk, simplify compliance, and protect our digital infrastructure from evolving cybersecurity threats,” Savage said.
The Department of Information Technology’s Office of Security Management developed the policy in collaboration with state agencies, local governments, and members of the Maryland Cybersecurity Coordinating Council.
Officials said 1,208 comments and suggestions were submitted during the drafting process, “ensuring the policy is practical and tailored to the State of Maryland.”
Notable policy elements
The policy requires the creation of an institutional cybersecurity risk profile to identify, assess, and maintain an acceptable level of operational risk across all agencies. It will also support transferring cybersecurity risk to individual agency authorizing officials, in line with each agency’s risk tolerance.
Agencies must also establish distinct cybersecurity roles, each with defined responsibilities for carrying out cybersecurity and privacy policies.
The policy also calls for consistent application of the state’s cybersecurity and privacy standards across agencies. Privacy standards must align with federal privacy practices. Cybersecurity policies will follow the National Institute of Standards and Technology Cybersecurity Framework categories: govern, identify, protect, detect, respond, and recover.