Mandatory Enrollment in the Maryland Information Sharing and Analysis Center (MD-ISAC) BOD 25-01

Revision History

Date Issued: 10/16/2025
Expiration Date: This Directive remains in effect until officially modified or revoked.
Version 1.0
Approved by James Saunders, State Chief Information Security Officer (State CISO)

Purpose

This directive requires all entities of the State of Maryland to become members of the Maryland Information Sharing and Analysis Center (MD-ISAC). The objective is to significantly enhance the velocity and efficacy of cyber threat information sharing across the whole of State government, thereby improving our collective defense posture against evolving cyber threats and mitigating risk following a cybersecurity incident. This directive aims to establish and maintain uniform practices in critical cyber threat intelligence (CTI) sharing.

Background

Recent critical cybersecurity incidents have highlighted a significant vulnerability in the State's cybersecurity ecosystem: the absence of a singular, secure, and universally adopted channel for the timely dissemination of sensitive cyber threat information and incident details. This lack of streamlined communication impedes rapid response, limits proactive defense measures, and exposes State data and State information systems to unnecessary risk. The MD-ISAC provides a vital platform designed to bridge this gap, facilitating secure exchange of CTI.

State data is defined as all data created or in any way originating with a Unit of State government, and all data that is the output of computer processing or other electronic manipulation of any data that was created by or in any way originated with the State, whether such data or output is stored on the State’s hardware, a service provider’s hardware, or exists in any system owned, maintained or otherwise controlled by the State or by a service provider.

State information system means an information system used or operated by an agency, a contractor of an agency, or another organization on behalf of an agency. These systems include those used or operated by an agency, a contractor of an agency, or another organization on behalf of an agency. This definition encompasses a broad range of systems, from simple computer systems to complex networks and databases, used to manage and process information for State government operations and applies to any system used to collect, process, store, transmit, or disseminate digital information for State purposes.

MD-ISAC Overview:

The MD-ISAC program is a trusted source for cyber threat intelligence, empowering State of Maryland entities to proactively prevent attacks and speed up threat detection and response.

By providing timely, accurate, and actionable information, the program helps safeguard data and protect your reputation. Subscribers receive additional benefits from gaining access to:

Threat Indicators Repository: Cyber threat indicators are similar to physical descriptions of criminal perpetrators and activities and are important in helping security teams identify potentially malicious activity not detectable by traditional security tools. Access to the repository allows security teams to research malicious activity and build prevention and/or detection rules to protect your organization.

Maryland state-specific cyber threat data: MD-ISAC shares threat data such as patterns, trends and anomalies specifically being seen on State of Maryland systems. Sharing this information with our membership aids in determining imminence of an attack that could impact your organization.

Continuous threat exchange collaborative: Member entities can also share their own intelligence back to the MD-ISAC where that intelligence can be used to hunt for broader state-wide impact. Intelligence shared with MD-ISAC, can help with protecting all state entities and even broader multi-state partners if the original sharer authorizes such dissemination.

Scope & Applicability

This Directive applies to all Executive, Legislative and Judicial Units of the State Government, including the principal departments, independent agencies, and local agencies, departments, boards, commissions, and offices. Furthermore, this Directive applies to all Maryland local government entities including counties, municipalities, K-12 school systems, boards, commissions, and other political subdivisions of the State. State higher education organizations are highly encouraged to participate.

Directives

All State entities subject to this directive shall take the following actions:

4.1. Mandatory Enrollment in MD-ISAC: All entities outlined in Section 3, "Scope & Applicability," must initiate the enrollment process by sending an email requesting enrollment to [email protected] within 90 days of this BOD's effective date. This includes:

All Units of State Government: All principal departments, independent agencies, local agencies, departments, boards, commissions, and offices.
Local Government Entities: All Maryland counties, municipalities, K-12 school systems, boards, commissions, and other political subdivisions of the State.

4.2. Update to Maryland Minimum Standards for networkMaryland^™ Connection: The Office of Security Management (OSM) within the Department of Information Technology (DoIT) will update the Maryland Minimum Standards for Information Technology, specifically where it pertains to connection to networkMaryland^™. OSM shall publish the updated standard within 90 days of the effective date of this Directive.

4.3 Vendors, Contractors, and Third-Party Providers
OSM is instructed to partner with the Department of General Services (DGS) to incorporate the MD-ISAC requirement for vendors, contractors, and other third-party providers who support or supply information technology, critical infrastructure, or related services into the State's IT Supplemental agreement within one hundred eighty (180) days of the effective date of this BOD.

In the interim, while not mandatory, we strongly encourage our private sector partners, including vendors, contractors, and other third-party providers who support or supply information technology, critical infrastructure, or related services join the MD-ISAC.

Roles and Responsibilities

State CISO: Responsible for the issuance, oversight, and enforcement of this Directive.

Chief Information Officers (CIOs), Agency Heads: Responsible for ensuring their respective Units, contract holders, vendors, and third-party service providers that have access to State Data and/or State Information Systems comply with all mandates of this Directive, including timely enrollment and active participation in MD-ISAC.

Office of Security Management (OSM): Responsible for updating the Maryland Minimum Standards as directed in Section 4.2.

MD-ISAC: Responsible for facilitating the enrollment process, providing necessary training, and managing the secure exchange of cyber threat information. Email [email protected] to enroll or to learn more.

Compliance & Reporting

Compliance with this Directive is mandatory for all applicable entities. The State CISO may request evidence of MD-ISAC enrollment and participation from any in-scope entity at any time. Non-compliance may result in further action as deemed appropriate by the State CISO.

Effective Date and Duration

This Binding Operational Directive is effective upon signature and remains in effect until rescinded or superseded.

Contact Information

For technical interpretation or procedural requirements of this BOD, please contact DoIT Office of Security Management at: [email protected].

For compliance questions regarding BOD, please contact the Governance, Risk & Compliance (GRC) Directorate in the Office of Security Management at: [email protected].

Learn more about the Maryland Information Sharing and Analysis Center (MD-ISAC).