This resource provides additional guidance and requirements for the Maryland Cybersecurity and Privacy Policy Suite. Below is a list of Policy FAQs.
The Modernizing Maryland’s Security Standards: From Legacy Manual to Policy Suite fact sheet provides additional information on the policy suite framework and the key differences from the legacy DoIT IT Security Manual.
For additional guidance, review DoIT’s cybersecurity services, or connect with a DoIT Information Security Officer.
If you experience a cybersecurity or privacy incident, please report it immediately through the Maryland Incident Reporting System.
Explore the Broader Cybersecurity and Privacy Policy Suite
Overview and Purpose FAQs
- What is the Cybersecurity and Privacy Policy Suite?
It is a comprehensive and modernized framework designed to unify Maryland’s security standards, enhance protection of sensitive data, and ensure alignment with today's digital threats. It includes a tiered structure: State CS Governance Policy, State CS Functional Policies, State CS Standards, and Agency-Level Procedures & Guidelines. It replaces the legacy IT Security Manual v1.2 with a modular architecture that separates high-level strategy from technical implementation.
- How is the Policy Suite structured?
The suite uses a three-tier taxonomy to ensure agility:
- 100-Series (Governance): Overarching mandates and leadership roles.
- 200-Series (Functional): Policies aligned to the NIST Cybersecurity Framework (CSF) 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover).
- 300-Series (Technical Standards): Minimum technical standards for implementation of the 200-level policies.
- Why are these policies necessary and why now?
The last major update to the IT Security Manual was based on the now-outdated NIST SP 800-53 Revision 4. These policies are critical to move the State to current industry baselines that align with NIST SP 800-53 Revision 5 and NIST CSF 2.0, providing clearer guardrails and better tools for State personnel to perform their work securely, and strengthening Maryland's digital posture.
- What is the foundation of the standards?
The 300-Level Standards are aligned with NIST Security and Privacy Controls. The 200-Level Policies are aligned with the NIST Cybersecurity Framework.
- What is the difference between a "Policy" and a "Standard"?
A Policy (MD-POL) defines the mandatory high-level requirement (i.e., the “what”), and a Standard (MD-STD) defines the minimum technical implementation required to meet the higher-level policies (i.e., the “how”). For example, a Policy mandates robust authentication methods, while the Standard specifies the use of MFA on both privileged and non-privileged accounts.
- How does the suite address data privacy?
Privacy is no longer an afterthought.
MD-POL-205 (Data Protection & Privacy) integrates Privacy by Design. The policy suite addresses both cybersecurity and privacy throughout. As an example, it includes requirements for Data Minimization and Privacy Threshold Analysis (PTA) for all systems to ensure PII/PHI is identified and protected from the start.
- As an agency trying to make sure we are aligned to the policy suite, where do I start?
The 300-Level Standards are the best place to begin: when implemented, they fully satisfy the higher-level 200-Level policies.
- How are DoIT-managed services addressed in the policy suite?
The policy suite does not differentiate between agency vs. DoIT responsibility. Because each DoIT‑managed service differs in scope, architecture, maturity, and adoption, coupled with the fact that every agency consumes those services in different ways, the policy suite cannot define uniform control expectations for them. Instead, the policies establish that when an agency uses a DoIT‑managed service, the agency inherits the controls that DoIT implements and maintains for that service.
Implementation and Release FAQs
- When will guidance on implementation be available?
The Office of Security Management (OSM) will provide detailed guidance on the implementation and adoption path to IT leads across Executive agencies immediately following the policy release. This guidance will include a clear phasing schedule.
- What happened to the old IT Security Manual v1.2?
The legacy manual is officially superseded by this suite. While v1.2 was a static, 200-page document, the suite is modular, allowing the Office of Security Management (OSM) to update individual standards (like password lengths) without needing to republish the entire body of policy.
Compliance and Support FAQs
- Who is required to comply with the Policy Suite?
Compliance is mandatory for all Executive Branch agencies. Other governing documents (such as networkMaryland™ connectivity) remain in effect and apply to local governments and partners who utilize the State’s shared infrastructure.
- Where do we get help to meet the standards?
DoIT will assist agencies in identifying the security controls within each standard that are either fully or partially satisfied by the DoIT-managed services being used. The DoIT Information Security Officers will assist agencies in establishing agency procedures for the security controls that fall solely on the agency to meet. The Office of Security Management (OSM) will also host dedicated GRC and ISO "Office Hours" for continuous support and Q&A.
- Who is my first point of contact for questions?
Your department’s ISO or lead IT representative should be the first point of contact. The designated Information Security Officer (ISO) for your agency will be able to assist and will reach back to the Office of Security Management (OSM) for questions or issues that cannot be resolved without OSM participation.