North Dakota

In plain terms. North Dakota runs IT through its Information Technology Department, with a cybersecurity incident-reporting law and a personal-data breach-notice law.

Who it applies to. State agencies and their IT vendors. The state participates in StateRAMP, its baseline for vetting cloud-service security.

What it requires. State law establishes the Information Technology Department, sets an information-security program, requires cybersecurity incident reporting, and mandates notice of security breaches involving personal information.

Why it matters. Vendors serving North Dakota must support the state's incident-reporting and breach-notice obligations.

Citation. N.D. Cent. Code §§ 54-59 (Information Technology Department), 54-59.1 (Cybersecurity Incident Reporting Requirements), and 51-30 (Notice of Security Breach for Personal Information).

In plain terms. North Dakota applies IT procurement and supply-chain risk standards to vendors.

Who it applies to. State agencies and their IT vendors.

What it requires. DIT's IT procurement standard and supply-chain risk-management standard set requirements for how IT is bought and how vendor supply-chain risk is managed.

Why it matters. Expect North Dakota's supply-chain risk-management standard to apply to your products and subcontractors.

Citation. North Dakota DIT POL0020208 (Information Technology Procurement Standard) and DIT Supply Chain Risk Management Standard.