State profile

Maine

Responsible agency: Dep't of Admin. and Financial Servs. Bureau of Gen. Servs.

Last reviewed: June 7, 2026. Version: v1

Cybersecurity statutes (background)

In plain terms. Maine assigns state cybersecurity to its Chief Information Officer and protects critical infrastructure and personal data by statute.

Who it applies to. State agencies and their IT vendors. The state participates in StateRAMP, its baseline for vetting cloud-service security.

What it requires. State law sets the CIO's responsibilities, establishes cybersecurity and critical-infrastructure protection duties, and requires notice when personal data is put at risk.

Why it matters. Vendors serving Maine must support the CIO's security requirements and the state's personal-data risk-notice obligations.

Citation. Me. Stat. tit. 5, § 1973 (Responsibilities of the Chief Information Officer) and §§ 2021-2030-C (Cybersecurity and Protection of Critical Infrastructure); tit. 10, §§ 1346-1350-B (Notice of Risk to Personal Data).

Regulations & policies (background)

In plain terms. Maine applies a structured information-security policy to agencies and their vendors.

Who it applies to. State agencies and their IT vendors.

What it requires. The state's information-security policy defines roles, responsibilities, compliance expectations, and procedures that govern how agencies and vendors handle state systems and data.

Why it matters. Expect Maine's information-security policy roles and compliance requirements to shape your contract obligations.

Citation. State of Maine information-security policy (roles, responsibilities, compliance, and procedures).