Maryland Cybersecurity Policies

Policies and guidelines allow State agencies to operate under a common framework aligned with the strategic objectives of the State Information Technology Master Plan.

The framework fosters efficient and appropriate planning, procurement, development and use of State information technology and telecommunications systems.


Acceptable Use Policy
Maryland DOIT Acceptable Use Policy v1.0.pdf    
Effective: 1/31/2017

Effective security is a team effort involving the participation and support of every information system user who deals with information and Information Technology (IT) assets. Defining acceptable use sets boundaries and guidance on how these IT resources are to be used. Appropriate use of IT resources and effective security are integral to protecting the confidentiality, integrity, and availability of IT systems and assets.


Account Management Policy
Maryland DOIT Account Management Policy v1.0.pdf    
Effective: 1/31/2017

This document establishes the DoIT account management policy and requires all agencies not under the direct management of DoIT to develop a process for documenting, managing, and maintaining all user and system accounts authenticating to the IT infrastructure.


Asset Management Policy
Maryland DOIT Asset Management Policy v1.0.pdf    
Effective: 1/31/2017

Compiling and maintaining inventory and accountability of assets is an important aspect of risk management. According to the Security Assessment Policy, each asset must be assigned a security category based on its perceived level of confidentiality, integrity, and availability, and it is the role of asset management to inventory, account for, and track these assets.


Auditing and Compliance Policy
Auditing-and-Compliance-v1.1.pdf    
Effective: 1/1/2017

To ensure DoIT continues to maintain the confidentiality, integrity, and availability of the information systems and the data contained on them, DoIT must audit State-owned assets and connections to ensure that: (1) secure configurations are implemented, (2) agencies are managing change across the network, and (3) vulnerabilities within the IT architecture are discovered and mitigated. This is a critical part of risk management and helps to ensure agencies comply with established policies, regulations, laws, directives, and orders.


Authority to Operate Policy
Maryland DOIT Authority to Operate Policy v1.0.pdf    
Effective: 1/31/2017

The State of Maryland Department of Information Technology (DoIT) is responsible for, and committed to managing the confidentiality, integrity, and availability of State government information technology (IT) networks, systems, and applications within the scope of its authority. This includes ensuring that all devices and networks comply with security policies and configuration standards before they are approved to operate in agency IT environments. This policy defines the requirements for granting an Authority to Operate (ATO) or Interim Authority to Operate (IATO) certification to an information system.


Boundary Protection and Internet Access Policy
Maryland DOIT Boundary Protection and Internet Access Policy v1.0.pdf    
Effective: 1/31/2017

The establishment of perimeter defense mechanisms is an important part of minimizing exposure to security threats. The Maryland Department of Information Technology (DoIT) is committed to managing the confidentiality, integrity, and availability of State information technology networks, systems and applications (IT Systems). This includes establishing security controls for the boundaries between the DoIT Enterprise and subordinate agency networks, or between the DoIT Enterprise and 3rd party networks including the Internet.


Cloud Services Security Policy
Cloud-Services-Security-Policy-v1.1.pdf    
Effective: 1/1/2017

Executive Branch agencies are beginning to implement cloud technology to provide important information and services to internal staff and Maryland customers. Cloud Service Providers (CSP) must be adequately assessed and meet minimum security requirements before any State of Maryland information, system, or infrastructure can be hosted outside of a State-owned or managed environment. This policy identifies the minimum controls CSPs must meet to ensure the security posture of the State is not adversely affected.


Configuration Management Policy
Maryland DOIT Configuration Management Policy v1.0.pdf    
Effective: 1/31/2017

Configuration management is critical to establishing an initial baseline of hardware, software, and firmware components of Enterprise information systems and subsequently controlling and maintaining an accurate inventory of any changes to those systems. The Maryland Department of Information Technology (DoIT) is committed to managing the confidentiality, integrity, and availability of its information technology (IT) networks, systems, and applications (IT Systems) by establishing and enforcing standard baselines within the Enterprise. This allows DoIT to document, authorize, manage, and control system changes and prevent deviation from the established accepted risk.


Contingency Planning Policy
Contingency-Planningv1.1.pdf    
Effective: 1/1/2017

The Executive Branch agencies offer many important services to Maryland residents, employees, and partners. Efficient and effective contingency planning and disaster recovery creates resilient agencies that can continue essential operations in the event of unplanned service-interrupting events. This policy contains the requirements for Contingency Planning and Disaster Recovery capabilities within DoIT and other Maryland Executive Branch agencies.


Continuous Monitoring Policy
Maryland DOIT Continuous Monitoring Policy v1.0.pdf    
Effective: 1/31/2017

The Maryland Department of Information Technology (DoIT) is responsible for, and committed to, managing the confidentiality, integrity, and availability of the executive branch of Maryland State government Information Technology (IT) networks, systems, applications, and data. To provide this level of security within the DoIT Cybersecurity Program, a key component protecting systems and data is the implementation of a continuous monitoring capability.


Cybersecurity Incident Response Policy
Maryland DOIT Incident Response Policy v1.0.pdf    
Effective: 1/31/2017

The Maryland Department of Information Technology (DoIT) is committed to managing the confidentiality, integrity, and availability of information technology (IT) networks, systems, applications (IT systems), and data owned and/or operated by the Executive Branch of the State of Maryland, including vendors, contractors, and/or other affiliated entities providing services to the Executive Branch of the State of Maryland. This includes providing timely, efficient, and effective response to cybersecurity incidents.


Cybersecurity Program Policy
cybersecurity-program-policy-v1.0 (Updated with Sigs).pdf    
Effective: 1/31/2017

The Maryland Department of Information Technology (DoIT) is responsible for, and committed to, managing the confidentiality, integrity, and availability of Information Technology (IT) networks, systems, and applications for the Executive Branch of Maryland State Government. This document establishes the DoIT Cybersecurity Program by implementing information security policy initiatives across all IT Systems supported by, or under the policy authority of, DoIT as directed within the scope of its authority under the 2013 Maryland Code §§ 3A-303 and 3A-305. Pursuant to its authority, DoIT will ensure the information security of State IT resources by enacting this policy, which serves as the foundation for this program by establishing the minimum requirements to be observed by all reporting agencies.


Data Security Policy
Data-Security-Policy-v1.1.pdf    
Effective: 1/1/2017

Protecting the confidentiality of the information entrusted to the State of Maryland by its residents is vitally important to maintaining that trust. Effective data classification is paramount to controlling access to information, which ultimately allows the State to ensure confidential data is only accessed by those personnel whose duties require it and utilize technologies to track and control the flow of data. This policy establishes the baseline requirements for managing access to data and incorporating data loss prevention tools.


Email Security Policy
Email-Security-Policy-v1.1.pdf    
Effective: 1/31/2017

Official correspondence must be exchanged securely to ensure all confidential data, such as PII and other sensitive or protected data, is safeguarded. This policy defines acceptable guidelines for the secure configuration and use of State-issued email services and helps to ensure that correspondence is exchanged securely and protects confidential data.


Endpoint Protection Policy
Maryland DOIT Endpoint Protection Policy v1.0.pdf    
Effective: 1/31/2017

Endpoint security management is an approach to network security that requires, and ensures, endpoint devices comply with specific criteria before being granted access to the network. Endpoint protection is an important aspect of maintaining the confidentiality, integrity, and availability of information. The increasing ease and prevalence of a mobile-enabled workforce makes it more important than ever to protect endpoint devices and the security posture of IT systems.


HIPAA Security Rule Policy
Maryland DOIT HIPAA Security Rule Policy v1.0.pdf    
Effective: 1/31/2017

The Maryland Department of Information Technology is committed to managing the confidentiality, integrity, and availability of electronic protected health information (ePHI) created, stored, processed, and transmitted electronically via State government Information Technology (IT) networks, systems, and applications (IT Systems). Agencies considered covered entities (CE) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) must comply with the requirements of HIPAA.


Media Protection Policy
Media-Protection-Policy-v1.1.pdf    
Effective: 1/1/2017

This policy directs DoIT and agencies to control portable and writeable media assets, such as external hard drives, DVDs, and USB flash drives, to minimize the risk of confidential data loss and to reduce the risk of unauthorized disclosure and possible data breach. Agencies must be protected against information loss by ensuring data is tracked and that access to data and media resources is limited to only those personnel with need-to-know.


Mobile Device Security Policy
Mobile-Device-Security-Policy-v1.1.pdf    
Effective: 1/1/2017

The State’s use of mobile technology offers employees and contractors new options for how and where they work, but creates security challenges in protecting the confidential information that may be accessed by mobile devices. This policy contains the requirements of Mobile Device Security and Management throughout DoIT and other Maryland Executive Branch Agencies to ensure that data and information systems accessed via mobile devices are protected from the latest threats. The document also contains user agreement forms for State-issued devices and Bring Your Own Device (BYOD) deployments.


Network Documentation and Access Policy
Maryland DOIT Network Documentation and Access Policy v1.0.pdf    
Effective: 1/31/2017

Network documentation is critical to efficient troubleshooting, onboarding personnel, and recovery in the event of a data loss or an integrity-impacting event. Network documentation should be created and updated regularly to ensure accuracy. Additionally, the establishment of network access controls protects both the network and data when a policy is not met by a user or device. The Maryland Department of Information Technology (DoIT) is responsible for, and committed to, managing the confidentiality, integrity, and availability of State government information technology (IT) networks, systems, and applications within the scope of its authority. This includes ensuring that networks are properly documented, configured, and accessed by Maryland agencies and users.


Patch Management Policy
Maryland DOIT Patch Management Policy v1.0.pdf    
Effective: 1/31/2017

Patch Management is a proactive practice designed to prevent exploitation of known vulnerabilities within an organization’s IT infrastructure. An effective patch management process helps mitigate the costs of time and effort expended defending against vulnerabilities known to the information security field at large. Timely patching of known security issues is recognized as a best practice critical to maintaining the confidentiality, availability, and integrity of information systems. The time immediately after the release of a patch is a particularly vulnerable moment for organizations because the window of time between obtaining, testing, and deploying a patch to the vulnerable IT Systems is sufficient for malicious entities to attempt various exploitation strategies.


PCI DSS Compliance Policy
Maryland DOIT PCI DSS Compliance Policy v1.0.pdf    
Effective: 1/31/2017

The Maryland Department of Information Technology (DoIT) is committed to managing the confidentiality, integrity, and availability of payment card account data that is stored, processed, and transmitted electronically via State government Information Technology (IT) networks, systems, and applications (IT Systems).


Physical and Environmental Protection Policy
Physical-and-Environmental-v1.1.pdf    
Effective: 1/1/2017

Personnel safety is paramount to the Department of Information Technology and the State of Maryland. Along with personnel safety, agencies must implement security measures to protect data, equipment, and the facilities housing State resources. These physical and environmental security controls are established within agencies to promote the security posture of the State and prevent, detect, and minimize the effects of unauthorized or unintended access to these areas.


Public and Confidential Information Policy
Maryland DOIT Public and Confidential Information Policy v1.0.pdf    
Effective: 1/31/2017

The establishment of data classification levels is an important part of ensuring the protection and dissemination of potentially confidential data. The Maryland Department of Information Technology (DoIT) is committed to managing the confidentiality, integrity, and availability of information processed, stored, or transmitted by its information technology (IT) networks, systems, and applications (IT Systems).


Remote Access Policy
Remote-Access-v1.1.pdf    
Effective: 1/31/2017

The use of technology to work from remote locations, such as employees in the field or on-call staff accessing the network from home, is becoming more common. Remote access increases the risk of compromise or data loss; therefore, effective security implementation is necessary. This policy ensures security procedures are integrated into remote connections to protect the information systems and the data that reside on them.


Security Assessment Policy
Maryland DOIT Security Assessment Policy v1.0.pdf    
Effective: 1/31/2017

The Maryland Department of Information Technology (DoIT) is responsible for, and committed to, managing the confidentiality, integrity, and availability of State government information technology (IT) networks, systems, and applications within the scope of its authority. This policy sets standards for Risk Assessment, Vulnerability Assessment, and Penetration Testing as an overall approach to mitigating exploitation and data compromise posed by cyber attackers and vulnerabilities.


Social Media Policy
Maryland DOIT Official Use of Social Media Policy v1.0.pdf    
Effective: 1/31/2017

The Maryland Department of Information Technology (DoIT) is responsible for, and committed to, managing the confidentiality, integrity, and availability of the Executive Branch of Maryland State government Information Technology (IT) networks, systems, and applications.


Third Party Interconnection Policy
Maryland DOIT Third Party Interconnection Policy v1.0.pdf    
Effective: 1/31/2017

The Maryland Department of Information Technology (DoIT) is responsible for, and committed to, managing the confidentiality, integrity, and availability of State government information technology (IT) networks, systems, and applications within the scope of its authority. This includes ensuring that acceptable security measures are in place, and that acceptable risk levels are maintained, when new network connections are made between Maryland agencies and third party entities.


Virtualization Policy
Virtualization-Policy-v1.1.pdf    
Effective: 1/1/2017

Organizations, including government agencies, are increasingly reliant upon virtualized environments, including networking, servers, and desktops, to gain efficiency and maximize the use of limited resources. The State’s use of virtualization technology creates security challenges that must be addressed when deploying, migrating, and administering virtual machines. This policy establishes the information security requirements for virtualization to ensure consistent and secure deployment of virtualized systems.


Wireless Access Policy
Wireless-Access-v1.1.pdf    
Effective: 1/31/2017

Implementation of wireless technologies offers new challenges in balancing access to information and ensuring security is properly designed and integrated into the devices and connections that support it. This policy establishes the use of wireless technologies and the baseline requirements for proper implementation within Executive Agencies.