State profile

Maryland

Responsible agency: Dep't of Gen. Servs.; Bd. of Public Works

Last reviewed: June 7, 2026. Version: v1

Cybersecurity statutes (background)

In plain terms. Maryland has built out a detailed state cybersecurity structure in statute, including a basic cybersecurity requirement that attaches directly to state contracts.

Who it applies to. State agencies and, importantly, contractors — Maryland law sets baseline cybersecurity requirements for state contracts. Maryland also references NIST/FIPS standards.

What it requires. State law creates an Office of Security Management, gives the Secretary of Information Technology cybersecurity authority, establishes a State Information Sharing and Analysis Center and a State Cybersecurity Framework, and — most directly for vendors — sets basic cybersecurity requirements for state contracts. Agencies follow these when buying IT, and contractors must meet the contract-level cybersecurity baseline.

Why it matters. If you contract with Maryland, the statutory "basic cybersecurity requirements" can apply to you by law, not just by negotiated terms — making compliance a condition of doing business.

Citation. Md. Code Ann., State Fin. & Proc., including § 3.5-2A-04 (Office of Security Management), § 3.5-301 to -7 (Secretary of Information Technology), § 3.5-315 (Information Sharing and Analysis Center), § 3.5-317 (State Cybersecurity Framework), and § 13-115 (State Contracts Basic Cybersecurity Requirements). References NIST/FIPS.

Regulations & policies (background)

In plain terms. Maryland backs its cyber statutes with regulations, including a breach-reporting rule and procedures for IT procurement and cyber-modernization buys.

Who it applies to. State agencies and their IT and cybersecurity vendors.

What it requires. State regulations address cybersecurity breach reporting and IT-unit functions, and Maryland uses procedures for major IT development projects and for cybersecurity-infrastructure modernization procurements under $1 million. Standard state contract terms address information confidentiality and loss.

Why it matters. Vendors should expect formal breach-reporting obligations and defined procurement procedures, plus confidentiality terms in standard Maryland contracts.

Citation. Md. Code Regs. 20.06.01.05 (Cybersecurity Breach Reporting) and 16.03.05.03 (IT Unit Functions); MITDP 20-02 (Major IT Development Projects Procedures); DGS OSP cyber-infrastructure modernization procurements under $1M; State Contract Standard Terms (Information Confidentiality and Loss).