Maryland governor reorganizes state’s cybersecurity policy

Gov. Larry Hogan used an executive order to codify the state's chief information security officer role and create a new statewide cybersecurity agency.
Maryland Gov. Larry Hogan (State of Maryland / Flickr)

Maryland Gov. Larry Hogan signed an executive order Tuesday creating two new organizations to manage the state’s cybersecurity policies and formalizing the role of the state’s chief information security officer.

Under the order, the state Department of Information Technology will create an Office of Security Management, which will be responsible for directing and implementing cybersecurity policy for Maryland’s executive branch. The new office will be tasked with creating standards for user access, data protection and identity management, as well as setting guidelines for Maryland’s 47,000 state employees. The order aims to bring Maryland into line with the cybersecurity framework published by the National Institute of Standards and Technology, which is considered the gold standard for enterprise cybersecurity architecture.

The Office of Security Management will be led by John Evans, Maryland’s chief information security officer, a position that Hogan’s order made a permanent part of the state government. Evans was hired as CISO last fall after several years as the deputy chief technology officer for the Maryland Department of Human Services, where he oversaw the early development of a cloud-based application to manage the state’s public benefit programs.

Along with leading the new security management office, Evans will also lead a new Maryland Cybersecurity Coordinating Council, which will develop policy recommendations and strategies for how the state can respond to cyberattacks.


A press release accompanying Hogan’s executive order made no mention of the recent ransomware attack in Baltimore, which has crippled the digital government services and internal networks in the state’s largest city. But the city was reportedly slow to accept the state’s assistance. According to a transcript of a recent meeting of the Maryland Cybersecurity Council — a separate group convened by the University of Maryland — Evans said state cybersecurity experts had been “kept at arm’s length” by Baltimore officials, the Baltimore Sun reported.

“The order was not spurred by any particular event and had been in the works for sometime,” Patrick Mulford, a spokesman for the Department of Information Technology, told StateScoop. “The Hogan administration is working closely to help with the restoration of Baltimore City’s systems and is providing state and contractual resources, including five employees detailed to the city.”

The new Cybersecurity Coordinating Council be comprised the secretaries of budget, general services, human services, public safety, health and transportation, as well as the heads of the Maryland Emergency Management Agency, National Guard and state police.

“In today’s world of emerging cyber threats, it is crucial that we work in unity to improve the processes and procedures designed to protect Marylanders and to manage and minimize the consequences of cyber events,” Hogan said.

Latest Podcasts