Maryland’s New Cyber Policy Aims to Build Trust

As Maryland works to bolster cybersecurity, the state has introduced a modular zero‑trust framework, an “architecture of trust” and an 18‑month implementation phase.

A view of the Maryland Statehouse.
Adobe Stock
Maryland is working to improve its cybersecurity with new policies and plans, including efforts to better collaborate with internal state agencies.

The state’s central IT shop recently released a 31-module zero-trust framework that 22 Cabinet agencies are slated to adopt over the next year and a half. State technology leaders said that trust, transparency, ease of use and collaboration were considerations when building out the policies, which also support timeliness, flexibility, security and compliance.

Chief Information Security Officer James Saunders, who joined the state in 2025 while the policy work was in progress, said Maryland previously had a 200-plus-page document that dated back to June 2019. The refreshed governance is not only timely, he said, but it can also be used as a model by others. In all, Maryland encompasses about 78 independent agencies, about 40 boards and commissions, 24 counties, and more than 150 towns and cities.

“So much has changed in cybersecurity … in privacy, just in that six-, seven-year window,” Saunders said. “It was highly necessary for us to update and refresh the guidance [for] our state agency partners, as well as it being a signal to our local government partners, who can utilize the policy suite as an example to guide their specific organizations.”

‘ARCHITECTURE OF TRUST’

“Policy isn’t just paperwork. It’s the architecture of trust,” said Miheer Khona, the state’s director of governance, risk and compliance.

He also noted that there was a significant level of collaboration on this project, and that people tapped into expertise, agency missions and vantage points to help build a relevant and applicable policy suite.

Shaped by that feedback, the suite reflects a shift to zero-trust architecture, emphasizing continuous verification and data-centric security rather than perimeter defenses. The suite is aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and NIST 800-53 Rev. 5, and it introduces changes including stronger authentication standards, faster incident reporting requirements, and expanded vulnerability management and security training practices.

Saunders said it sets appropriately high expectations.

“We want people to know and to see this is our ideal state for protecting the systems that provide [resident services],” he said. “I wanted to make it extremely clear that we’re leaning into zero trust. … It is one of the best ways, from an architectural perspective, to minimize the impact of cyber attacks and breaches.”

The policy addresses a wide spectrum of concerns including data protection, privacy regulations and the people who interact with technology systems across the state ecosystem.

“I think that looking at privacy as being very foundational, because privacy is a right,” said Chief Privacy Officer Caterina Pangilinan. “When it comes down to it, it’s ensuring that our residents understand that we are here to protect their privacy. We might, if we are transparent about how we use their data, let them know that we were only going to use their data for the stated purposes for which they’ve given it. That’s what these standards and procedures are all about.”

EASE OF USE

The documentation is structured in three levels — a 100-level overview, 200-level policies and 300-level technical standards — for a total of 31 modules. This modular design allows updates to be made without revising the entire framework.

For example, the Acceptable Use Policy outlines expectations for how employees log into systems, store passwords and use social media on state-issued devices. Meanwhile, the Access Control Standard details technical and operational requirements for managing system and data access at a granular level.

“The framework essentially utilizes this peered structure that cascades from strategic governance policies to tactical implementation standards; it ensures high-level missions are translated into actionable agency-level procedures,” Khona said. “It’s about enabling and allowing people to understand what cybersecurity and privacy requirements are at their level of perspective.”

PACING CHANGE

The state’s IT department has made multiple changes in recent years to enhance cybersecurity. It spearheaded the consolidation of disparate Active Directory domains from various agencies and hired 15 information security officers to assist state agencies. Within the last year, Saunders said, the department has also added a statewide vulnerability disclosure program, expanded the Maryland Information Sharing and Analysis Center, and added several new working groups.

“That’s a lot of change in a really short time,” Saunders said. “I have to remind myself: Pace yourself. This is a half-marathon, not a 5K, and you’ve got to let some of these changes settle before you’re on to the next.”

Rae D. DeShong is a Texas-based staff writer for Government Technology and a former staff writer for Industry Insider — Texas. She has worked at The Dallas Morning News and as a community college administrator.