New Hampshire

In plain terms. New Hampshire centralizes state IT and cybersecurity in its Department of Information Technology, with purchasing run through the Department of Administrative Services.

Who it applies to. State agencies and the vendors that supply their IT systems and services. New Hampshire also participates in StateRAMP for cloud vendors.

What it requires. The Department of Information Technology holds statewide authority over IT and information security, while Administrative Services manages purchasing and property. Acquisitions and security are governed by state IT security and privacy policies covering how system components are acquired, how the information-security and privacy program operates, and how information is shared.

Why it matters. Selling IT to New Hampshire means meeting the Department of Information Technology's security expectations; cloud vendors should also plan for StateRAMP, which the state uses to vet cloud security.

Citation. N.H. Rev. Stat. Ann. ch. 21-R (Department of Information Technology) and ch. 21-I (Department of Administrative Services); state IT policies NHS0244 (System Component Acquisition), NHS0267 (Information Security and Privacy Program), and NHS0268 (Information Sharing). State participates in StateRAMP.

In plain terms. New Hampshire relies on state IT security policies rather than separate cybersecurity regulations, and uses StateRAMP to assess cloud vendors.

Who it applies to. State agencies and their IT and cloud vendors.

What it requires. The state's information-security policies set the program and acquisition expectations agencies apply; cloud service providers are steered toward StateRAMP authorization as the state's cloud-security baseline.

Why it matters. Cloud vendors should pursue or hold StateRAMP status, and all IT vendors should expect the state's security-policy expectations in their contracts.

Citation. New Hampshire IT security policies (NHS0244, NHS0267, NHS0268); StateRAMP participation. (No dedicated cyber regulation.)