State IT leadership is focused on improving cybersecurity in 2026. A significant cyber incident in August, in which some data was moved outside of the state’s network, illuminated some security needs. But cybersecurity was a priority even before this event, as demonstrated by the 2025 creation of a new Office of Information Security and Cyber Defense.
The new policy, approved Feb. 2 by the CIO and chief data officer, took effect Tuesday. It creates a uniform framework for data-handling expectations, which is expected to support more efficient data sharing across agencies.
The policy has a wide-reaching scope. It applies to all executive branch agencies, departments, divisions, boards and commissions, as well as all state employees, contractors, vendors and third parties who access or manage state data. It also applies to all the information systems, applications and platforms on which state data is stored or processed.
The framework applies to all information assets created, collected, processed, stored, transmitted or disposed of by, or on behalf of, state government. Notably, this policy defines information assets more broadly than previous data privacy approaches, to include paper records, emails, system configurations, images and intellectual property.
The framework uses a four-tier classification system for information assets. The first is public data, which is information that is approved for unrestricted disclosure, like public meeting agendas or press releases. The second is sensitive data, which is internal information that, while not confidential, is intended for operational use, like internal communications and budget working documents.
The third is confidential data, which includes legally protected data in which unauthorized disclosure could cause substantial harm, such as Social Security numbers or unemployment claims. Finally, the fourth is restricted data, which covers information that is subject to federal security requirements or critical state operations; this could include cybersecurity defense plans or tax records. If there is uncertainty about the appropriate classification tier, the more restrictive tier is the default classification pending a definitive state determination.
“Data classification serves as the foundation for all downstream governance decisions,” the policy states, citing retention schedules, data-sharing agreement terms, transmission and storage requirements and incident response procedures as examples.
The new policy also enacts accountability measures. Specifically, it calls on the State Data Governance Committee (SDGC) to maintain this framework and support agencies if they have questions about the document. It also calls on the committee to maintain a statewide registry of designated “data stewards” and “data owners.” The stewards are decision-makers for data classification within their organizations, and the owners are authorized and accountable for documenting these decisions and ensuring appropriate handling. SDGC is also charged with recommending policy updates as needed.
The state CIO, Timothy Galluzi, is charged with implementing this framework through formal policy guidance, and overseeing statewide compliance. The state’s CISO, a position now under recruitment, will develop and maintain technical control standards and support agencies in implementing protections.
All personnel will be required to handle information assets according to assigned classification, report suspected misclassification or inappropriate handling, and complete the required training.
Exceptions to this policy may be requested, and those asks must be documented in writing with business justification, submitted to the SDGC and approved by the CIO. This policy does not change the public’s right to access government information under the Nevada Public Records Act, but rather, applies only to internal handling requirements.
The Governor’s Technology Office released a video explaining this new policy, to educate members of the government and of the public about how state data will be sorted and protected.
