The State of Maryland has launched a cybersecurity initiative aimed at improving resilience and coordination across all levels of government. The Office of Security Management has rolled out a Statewide Vulnerability Disclosure Policy (VDP), alongside a mandatory enrollment directive for the Maryland Information Sharing and Analysis Center (MD-ISAC).
Both efforts, issued under new Binding Operational Directives, are designed to strengthen the state’s cybersecurity ecosystem through collaboration, transparency, and faster threat response.
The Vulnerability Disclosure Policy establishes a formal process for external security researchers to report potential vulnerabilities in state-owned or state-managed systems. In essence, it is Maryland’s version of a “see something, say something” approach to cybersecurity: researchers who find security vulnerabilities in the state’s systems are invited to report them.
The policy sets out clear procedures for how reported vulnerabilities are reviewed, verified, and remediated. The statewide adoption of a VDP aligns Maryland with best practices recommended by the Cybersecurity and Infrastructure Security Agency (CISA), which requires federal agencies to maintain similar programs.
At the same time, the MD-ISAC is now open to all state and local government entities, critical infrastructure operators, and private industry partners that support Maryland’s operations. Under a directive issued October 16, all state agencies are required to join the program.
Maryland (Acting) State CISO James Saunders posted the following, explaining the new policy:
(AI was used in part to facilitate this article.)


