Cybersecurity statutes (background)
In plain terms. North Carolina centralizes IT in its Department of Information Technology and regulates IT purchases by statute, building on NIST standards.
Who it applies to. State agencies and their IT vendors. North Carolina has adopted NIST SP 800-37 and SP 800-53. The state participates in StateRAMP, which serves as its baseline for vetting cloud-service security.
What it requires. State law establishes the Department of Information Technology and governs the purchase of IT goods and services; the state has formally adopted NIST risk-management and security-control standards.
Why it matters. Vendors selling IT to North Carolina must align with the state's NIST-based security framework and its IT-procurement rules.
Citation. N.C. Gen. Stat. §§ 143B Art. 15 (Department of Information Technology) and 143-129.8 (Purchase of Information Technology Goods and Services); adoption of NIST SP 800-37 Rev. 2 and SP 800-53 Rev. 5.
Regulations & policies (background)
In plain terms. North Carolina's procurement and data-handling rules sit in the Administrative Code and DIT policy.
Who it applies to. State agencies and their IT vendors.
What it requires. The Administrative Code procurement rules for the Office of Information Technology Services, together with DIT's data-classification and handling policy, set how IT is bought and how data is protected and shared.
Why it matters. Expect North Carolina's data-classification and handling requirements to apply to data you touch.
Citation. 09 N.C. Admin. Code 06 (Procurement - Office of Information Technology Services); DIT Data Classification and Handling Policy.