Maryland Sets ‘Zero-Trust’ Policy for State Agencies

The state has issued a new cybersecurity policy that calls for a move to zero-trust principles during the next 18 months. The new policy replaces "trust, but verify," according to officials.

Maryland state government is embracing zero trust.

New cybersecurity standards from the Maryland Department of Information Technology call for agencies to adopt zero-trust principles over the next 18 months.

Zero trust refers to a cybersecurity philosophy and practice that seeks to limit exposure to hackers and other criminals by continuously verifying users, securing parts of networks to defend against widespread attacks, making sure individual and varied devices carry ample defenses, and other tactics.

Other states are taking a closer look at zero trust, and Maryland’s newest policy, detailed in the recently issued Cybersecurity and Privacy Policy Suite, aims to reduce cyber risk for state agencies.

Local governments, along with the state’s legislative and judicial branches, are not required to follow the new guides but are encouraged to do so, according to a statement from the information technology department.

“Cybersecurity threats are only getting more and more advanced. Our state needed a simple, unified approach to ensure our systems, services and data are fully protected in this modern environment,” said Katie Savage, secretary of the Maryland Department of Information Technology, in the statement.

The new policy seeks to “shift the state away from the traditional ‘trust, but verify’ approach to a ‘never trust, always verify’ mindset, particularly for high value state systems, by requiring continuous validation of identities and security postures,” according to the document.

That means no device or user will earn trust based only on its network location, and that all users inside and outside an agency’s network will have to be “continuously authenticated, authorized and validated before being granted access to applications and data.”

The department says it crafted the new policy with input from state agencies, local governments and cybersecurity experts. More than 1,200 comments helped guide the policy to completion.

“Cybersecurity is a team sport, and we are all Team Maryland,” said James Saunders, Maryland’s chief information security officer, in the statement.