Cybersecurity & Privacy Emergency & Binding Operational Directives

​​​​​​​​​The State issues mandatory instructions to address specific security needs, ranging from Emergency Directives (ED) for immediate, short-term threats to Binding Operational Directives (BOD) for long-term operational risk management.

While Emergency Directives require prompt action to mitigate urgent vulnerabilities or incidents, Binding Operational Directives establish the uniform, permanent practices necessary to safeguard Maryland’s information systems. Both types of directives are mandatory for identified State units and remain in effect until rescinded or superseded.

For additional guidance review DoIT’s cybersecurity services, or connect with a DoIT Information Security Officer.

If you experience a cybersecurity or privacy incident, please report it immediately through the Maryland Incident Reporting System​.

Explore​ the Broader Cybersecurity and Privacy Policy Suite

Please refer to the below for a list of all active Binding Operational Directives (BODs) and Emergency Directives (EDs) issued by the State.

Emergency Directives

• Cybersecurity Policy Emergency and Binding Operational Directives (Issued: 2022-10)
• Prohibited Technologies Policy (E.D.) (Last Revised: 2024-12)
• Prohibited Offshore Resources, Personnel, Contractors (E.D.) (Issued: 2025-05)
• Vendor Risk Assessment Questionnaire: Offshore Resource Utilization (Issued: 2025-05)
  

Binding Operational Directives

• Statewide Vulnerability Disclosure Program BOD (Issued: 2025-10)
• Vulnerability Disclosure Program (VDP) Frequently Asked Questions (FAQ's)
• Mandatory Enrollment in the Maryland Information Sharing and Analysis Center (MD-ISAC) BOD (Issued: 2025-10)