Maryland has taken steps to beef up its cybersecurity defenses and raise the profile and importance of IT security in state government. The shift is happening following Maryland’s recent disclosure of a data breach at the state Department of Labor.
In June, Maryland Gov. Larry Hogan signed an executive order that created two new government entities to manage cybersecurity defenses and policies for the state. It also formalized the role of the state CISO.
Just weeks later, the state Department of Labor announced that two database systems it manages were potentially available to unauthorized users, potentially exposing the personally identifiable information of about 78,000 users. The disclosure underscores the importance of cybersecurity protections for the state.
Maryland Reinforces Critical Need for Cybersecurity Protections
Under the order, the state Department of Information Technology will house an Office of Security Management, which will be responsible for directing, coordinating and implementing cybersecurity policy for the state’s executive agencies.
The new office, which is being led by Maryland CISO John Evans, will develop standards for categorizing information and information systems collected or maintained on behalf of state agencies, as well as guidelines for data governance. It will also implement security requirements (such as management, operational and technical controls) for data. The office will manage security awareness training for all relevant government employees. And it will also develop a digital identity standard and specification for the government.
“The order aims to bring Maryland into line with the cybersecurity framework published by the National Institute of Standards and Technology, which is considered the gold standard for enterprise cybersecurity architecture,” StateScoop reports.
In addition to codifying the role of CISO, the order also establishes the Maryland Cybersecurity Coordinating Council, which will advise the CISO’s office on the strategy and implementation of cybersecurity initiatives and how the state can best identify IT security risks and respond to and recover from cyberattacks.
The council will be chaired by the state CISO and include the state’s secretaries of budget, general services, human services, public safety, health and transportation, as well as the heads of the Maryland Emergency Management Agency, Maryland National Guard and state police.
Just a few weeks after the executive order was signed, the state Department of Labor announced the results of an investigation undertaken earlier this year by the Department of Information Technology about the data breach.
It determined that files stored on the Literacy Works Information System and a legacy unemployment insurance service database “were subject to possible unauthorized access” through the internet, according to a press release.
“Upon notification of the possibility of unauthorized access, Maryland DoIT implemented countermeasures and initiated an investigation,” the release notes. “Working with the Department of Labor, Maryland DoIT also notified law enforcement and retained an independent expert to investigate how the information was accessed.”
The Department of Labor says it has completed a full review of its protocols and security measures to prevent future breaches. So far, the investigation has not found any evidence that any personally identifiable information was downloaded or extracted from the department’s servers.
Meanwhile, the National Governors Association announced in July that Maryland is one of seven states it is working with “to develop action plans to advance and refine key priorities in cybersecurity.”