Information Security Regulations across the United States
A Guide to State Cybersecurity Requirements
As of 2026, all fifty U.S. state governments have issued their own information security regulations. As a result, many organizations must navigate a patchwork of differing compliance requirements, often without practical guidance. This guide provides a clear overview of state-level information security regulations to help GRC (governance, risk, and compliance) professionals understand the regulatory landscape, the specific requirements, and how to comply.
What this guide includes:
- A 50-state reference table of information security statutes and policies
- Common requirements for regulations across states
- State-specific compliance guidance
50-State Information Security Regulations Reference Table
The following table provides a comprehensive reference of information security statutes, policies, and frameworks across all 50 U.S. states. Use this as the starting point for identifying which regulations may apply to your organization.
| State | Statute/Policy | Description | Guide |
|---|---|---|---|
| Alabama | Code of Alabama § 41-28 (Office of Information Technology) | Establishes the Office of Information Technology and grants the Secretary of Information Technology authority to adopt binding rules, policies, procedures, and standards for the management and operation of information technology by state agencies. | — |
| Alaska | Administrative Order No. 284 (2017) | Establishes the Office of Information Technology (OIT) within the Department of Administration as the centralized authority for IT and cybersecurity governance in the executive branch. | — |
| Arizona | Statewide Policy 8120 Information Security Program | Establishes state information security program and responsibilities for state agencies. | Arizona P8000 Guide → |
| Arkansas | Cybersecurity Policy (Shared Administrative Services/Office of State Technology) | Defines the operational framework, procedures, and standards for securing Arkansas state systems, aligned with NIST CSF, applying to all users of state IT systems including contractors and vendors. | — |
| California | SIMM 5300-A/B Information Security Standards | Statewide Information Management Manual establishing security standards for state agencies. | California SIMM 5300 Guide → |
| Colorado | 8 CCR 1501-5 (Rules in Support of the Colorado Information Security Act) | Implements the Colorado Information Security Act by requiring each public agency to develop, maintain, and annually submit a Cyber Security Plan to the State CISO. | — |
| Connecticut | Sec. 4d-8a (Information and telecommunications systems for state agencies) | Establishes the Office of Policy and Management as the statewide authority responsible for developing and implementing information security and telecommunications policies for executive branch agencies. | — |
| Delaware | State of Delaware Information Security Policy (Title 29 Chapter 90C §9004C) | Establishes mandatory information security standards for all state agencies and external users, requiring annual compliance certification to the DTI CSO. | — |
| Florida | Florida Cybersecurity Act (§ 282.318, F.S.) | Mandates statewide cybersecurity standards for state agencies, including risk assessments, incident reporting, NIST-aligned safeguards, and enterprise governance under the Florida Digital Service. | Florida Cybersecurity Act Guide → |
| Georgia | Enterprise Information Security Policy (PS-08-005) | Establishes a security governance structure requiring all executive branch agencies to develop and maintain an internal information security program compliant with GTA’s minimum standards. | — |
| Hawaii | Hawaii Revised Statutes § 27-43.5 | Authorizes the Office of Enterprise Technology Services to set and enforce mandatory security standards, conduct audits, and direct remedial actions for all Executive Branch departments. | — |
| Idaho | ITS Information Security Policy Manual v4.0 | Establishes a comprehensive, NIST-based Information Security Management System (ISMS) to protect the confidentiality, integrity, and availability of Idaho data and information systems. | — |
| Illinois | DoIT Overarching Enterprise Information Security Policy | Establishes the minimum security controls for all State of Illinois Information Systems, applying to all agencies, employees, contractors, and third parties utilizing state IT resources. | — |
| Indiana | Senate Enrolled Act 472 (SEA 472) | Establishes statewide requirements for public entities to adopt cybersecurity and technology resource policies by 12/31/2027, directing the Indiana Office of Technology to develop implementing standards. | — |
| Iowa | Information Security Standard (OCIO) | Establishes minimum computer security requirements for state systems and central units of state government. | — |
| Kansas | ITEC 7000-P IT Enterprise Security Policy | Statewide policy requiring all Executive Branch Entities to implement and maintain IT security policies at least as stringent as this policy, authorized by K.S.A. 75-7238 and 75-7203. | — |
| Kentucky | CIO-091: Enterprise Information Security Program Policy | Establishes the Commonwealth’s Enterprise Information Security Program, mandating security controls aligned with NIST SP 800-53 Rev 5 moderate baseline for executive branch agencies. | — |
| Louisiana | Louisiana Information Security Policy (DoA) | Sets forth information security policies for accessing, protecting, managing, storing, transmitting, and distributing data to ensure availability, integrity, authenticity, and confidentiality. | — |
| Maine | Maine OIT Information Security Policy | Establishes minimum benchmarks to protect the security of State Information Assets under the purview of the Chief Information Officer. | — |
| Maryland | Maryland Department of IT Security Manual (v 1.2) | Establishes mandatory information security requirements for executive departments and independent state agencies to protect Maryland Information Systems and state-owned data. | — |
| Massachusetts | Information Security Governance Policy (ISP.001) | Establishes mandatory minimum information security requirements for executive branch agencies under the authority of EOTSS pursuant to M.G.L. c. 7D. | — |
| Michigan | Policy 1340.00 Information Technology Information Security | Establishes mandatory, NIST-aligned information security requirements for Michigan Executive Branch departments, agencies, boards, and commissions. | — |
| Minnesota | Information Security Program Standard | Establishes a mandatory, enterprise-wide information security program for Minnesota executive branch entities, authorizing the State CISO to set policies and oversee incident response. | — |
| Mississippi | Enterprise Security Policy (Title 36 Part 1) | Establishes minimum, enterprise-wide cybersecurity requirements for Mississippi state agencies under the authority of the Mississippi Department of Information Technology Services. | — |
| Missouri | Office of Cyber Security (OCS) Information Security Policy | Provides statewide, enterprise-approved guidance defining the structure and minimum expectations for agency-level information security policies aligned with NIST standards. | — |
| Montana | Montana Operations Manual Information Security Policy | Statewide information security policy requiring Montana state agencies to implement NIST-aligned controls to protect state information and information systems. | — |
| Nebraska | Nebraska Information Technology Commission – Information Security Policy (Chapter 8) | Establishes mandatory, statewide information security requirements for Nebraska state agencies, aligned with NIST standards and enforced through the Office of the CIO and SISO. | — |
| Nevada | State Information Security Program Policy | Defines the State of Nevada’s enterprise information security program and mandatory baseline controls for Executive Branch agencies, enforced through EITS pursuant to NRS 242.101. | — |
| New Hampshire | Information Security and Privacy Program Policy | Establishes New Hampshire’s statewide information security and privacy program for Executive Branch agencies, requiring a risk-based, NIST-aligned approach. | — |
| New Jersey | Statewide Information Security Manual (SISM) | Statewide information security and privacy manual mandating NIST-aligned controls for Executive Branch agencies and authorized third parties. | — |
| New Mexico | Cybersecurity Act (NMSA 1978 §§ 9-27A-1 to 9-27A-5) | Establishes the Office of Cybersecurity as the statewide authority responsible for developing standards, coordinating cybersecurity efforts, and improving posture across state government. | — |
| New York | NYS ITS Information Security Policy (NYS-P03-002) | Defines mandatory minimum information security requirements for all state entities, employees, and third parties using or accessing IT resources for which the state has administrative responsibility. | — |
| North Carolina | Statewide Information Security Manual (SISM) | Foundation for IT security establishing statewide standards based on NIST SP 800-53, with optional adoption by local entities. | North Carolina SISM Guide → |
| North Dakota | N.D. Cent. Code § 54-59-09 (Information technology standards) | Requires the North Dakota Information Technology Department and Office of Management and Budget to establish statewide IT policies, standards, and guidelines. | — |
| Ohio | ITS-SEC-02 Enterprise Security Controls Framework | Sets statewide minimum information-security requirements for executive-branch agencies using NIST SP 800-53 Rev. 4 as the foundational control framework. | Ohio ORC 9.64 Guide → |
| Oklahoma | State of Oklahoma Information Security Policy, Procedures and Guidelines (PPG) | Compiles and enforces minimum mandatory standards for the protection of all state information assets across state agencies, as required by 62 O.S. sections §34.11.1 through 34.33. | — |
| Oregon | Cyber and Information Security Statewide Policy (107-004-052) | Establishes a unified statewide cyber and information security program requiring Oregon Executive Branch agencies to implement baseline security controls under the State CIO’s authority. | — |
| Pennsylvania | Executive Order 2016-06 – Enterprise Information Technology Governance | Establishes centralized statewide IT and cybersecurity governance by designating OA/OIT as the Commonwealth’s authority for security policy and enterprise standards. | Pennsylvania EO 2016-06 Guide → |
| Rhode Island | Security and Risk Program Management Policy (ETSS_PM-1) | Establishes a statewide information security program and standards framework for executive branch agencies, directing the CISO to implement consistent practices for IT assets and data protection. | — |
| South Carolina | Information Security Program Master Policy (v1.2) | Creates a statewide information security governance framework mandating agency security plans, risk management, and NIST-aligned controls under DIS oversight. | — |
| South Dakota | IT Security Policy (Bureau of Information and Technology) | Provides a comprehensive set of cyber security policies detailing acceptable practices for use of State of South Dakota IT resources, also applying to local governments and educational institutions. | — |
| Tennessee | Enterprise Information Security Policy — Strategic Technology Solutions (STS) | Establishes statewide minimum information-security requirements for all Tennessee executive-branch agencies and third parties handling state data, based on ISO 27000 standards. | — |
| Texas | TAC Title 1 Part 10 Chapter 202 | Texas Administrative Code establishing information security standards for state agencies. | Texas TAC 202 Guide → |
| Utah | Utah Code § 63A-16-205 – CIO Rulemaking and Security Policies | Authorizes the Chief Information Officer to establish mandatory statewide standards and policies for executive-branch state agencies. | — |
| Vermont | Vermont Information Security Foundations Policy | Defines baseline information-security requirements for executive-branch agencies, establishing a NIST-aligned framework and minimum safeguards for state systems. | — |
| Virginia | Commonwealth Information Security Standard (SEC530.01.1) | Commonwealth-wide information security standard defining minimum baseline controls for executive-branch agencies under the statewide program established by SEC519. | Virginia SEC530 Guide → |
| Washington | Washington State Cybersecurity Program Policy (SEC-01) | Outlines requirements for state agencies to manage cybersecurity risks and ensure compliance with WaTech policies, including agencies headed by separately elected officials. | — |
| West Virginia | WVOT-PO1001 Information Security Policy | Establishes objectives and responsibilities for state agencies regarding information security, issued by the West Virginia Office of Technology. | — |
| Wisconsin | IT Security Policy Handbook | Defines statewide information-security policies and mandates NIST SP 800-53 Rev. 5 aligned controls for all executive-branch state agencies. | Wisconsin IT Security Guide → |
| Wyoming | Wyoming Data Policies (W.S. 9-21-101) | Requires executive-branch agencies to adopt data-security policies addressing collection, access, safeguards, and incident response in accordance with CIO standards. | — |
State Framework Requirements
Earlier state regulations focused on technical controls — encryption, access controls, network security. More recent frameworks put greater weight on governance, risk management, and organizational accountability.
Specific requirements vary by state, but most comprehensive frameworks address the following areas:
| Requirement Area | Common Elements |
|---|---|
| Governance | Designated security officer, written policies, executive oversight |
| Risk Assessment | Periodic risk assessments, documented methodology, risk registers |
| Access Controls | Authentication requirements, least privilege, access reviews |
| Data Protection | Encryption standards, data classification, retention policies |
| Incident Response | Response plans, notification procedures, post-incident review |
| Vendor Management | Due diligence requirements, contractual provisions, ongoing monitoring |
| Training | Security awareness programs, role-based training, regular updates |
| Audit & Monitoring | Logging requirements, monitoring capabilities, periodic audits |
Compliance Guide for State Regulations
Most state regulations tell you what to do, but not how to do it. These guides break down specific state frameworks with practical compliance guidance for GRC teams.
Arizona P8000
Arizona’s P8000 Information Security Policy Series is a set of security, privacy and supply-chain risk policies and procedures that address the expanding threat landscape, protect sensitive state data and manage the risks introduced by modern digital services. Within this series, the P8120 Information Security Policy defines the statewide information security program that every agency must implement.
Read the Arizona P8000 guide →
California SIMM 5300
California’s Statewide Information Management Manual (SIMM) 5300 series establishes information security requirements for state agencies, while CCPA/CPRA create significant privacy and security obligations for businesses.
Read the California SIMM 5300 guide →
Florida Cybersecurity Act
Florida’s Cybersecurity Act, Chapter 282, Section 318 of the Florida Statutes (§ 282.318, F.S.), sets mandatory cybersecurity standards for state agencies with governance, operational requirements, and oversight structures aligned with the NIST Cybersecurity Framework. The Local Government Cybersecurity Act (§ 282.3185, F.S.) extends similar obligations to counties and municipalities. Together with the Florida Cybersecurity Standards (Chapter 60GG-2, F.A.C.), these laws define how public sector organizations must manage cybersecurity risk.
Read the Florida Cybersecurity Act guide →
North Carolina SISM
North Carolina’s Statewide Information Security Manual (SISM) offers a framework for governance, accountability and continuous improvement that clearly defines the minimum cybersecurity requirements that every agency, department and institution must follow as part of the state’s digital government platform.
Read the North Carolina Statewide Information Security Manual guide →
Ohio ORC 9.64
Ohio’s ORC § 9.64, or Political Subdivision Cybersecurity statute, is Ohio’s first law to require local governments—including counties, municipalities, townships, and special districts—to establish and maintain formal cybersecurity programs. Its purpose is to safeguard public data and IT systems, ensuring the confidentiality, integrity, and availability of government information across the state.
Read the Ohio compliance guide →
Pennsylvania EO 2016-06
Pennsylvania’s information security governance under Executive Order 2016-06 operates through three core entities, each with a distinct role in defining, executing and enforcing enterprise IT strategy. Because the policy is issued through a Governor’s Executive Order rather than statute, the state can keep a unified IT and cybersecurity approach and respond to evolving threats without delay.
Read the Pennsylvania Information Security Policy guide →
Texas TAC 202
Texas Administrative Code Title 1, Part 10, Chapter 202 establishes information security standards for state agencies and higher education institutions, setting minimum standards to protect sensitive data, maintain the confidentiality, integrity, and availability of information resources, and effectively manage risks.
Read the Texas TAC 202 guide →
Virginia SEC530
Virginia’s SEC530 is an Information Security Standard that defines minimum baseline requirements for information security and risk management across state agencies. It outlines security controls, governance structures, and procedures that agencies must implement to protect the confidentiality, integrity, and availability of data and systems.
Read the Virginia SEC530 Cybersecurity Standard guide →
Wisconsin IT Security Standards
Wisconsin’s IT Security Policy Handbook and IT Security Standards Handbook lay out who is accountable for cybersecurity activities and which policies they must implement, and provide detailed instructions on how to translate those policies into security controls, assess vendors and respond to incidents.
Read the Wisconsin IT Security Standards guide →
GRC Software for State Information Security Compliance
Managing compliance across multiple state information security requirements demands systematic processes for risk assessment, control implementation, policy management, and continuous monitoring. Organizations subject to state cybersecurity regulations benefit from GRC (Governance, Risk, and Compliance) platforms that can:
- Map controls across frameworks: Align state-specific requirements with federal frameworks (NIST SP 800-53, NIST CSF, HIPAA, GLBA) to identify overlaps and gaps
- Automate risk assessments: Conduct and track periodic risk assessments required by state regulations
- Manage vendor risk: Document third-party due diligence and monitor ongoing vendor compliance
- Track policy compliance: Distribute, track acknowledgment, and manage updates to security policies
- Generate compliance evidence: Produce documentation and reports for audits and regulatory examinations
- Maintain a risk register: Track identified risks, remediation status, and approved exceptions
Learn how Isora GRC supports state cybersecurity compliance →
Frequently Asked Questions
Which states have the most comprehensive information security requirements?
California SIMM 5300 and Florida’s Cybersecurity Act are particularly detailed frameworks. Typically, what’s considered “most comprehensive” depends on the sector—financial services, healthcare, and government entities all face different regulatory landscapes.
Do federal cybersecurity requirements override state regulations?
Generally, no. Organizations must comply with both federal and state requirements. In some cases, federal law may preempt specific state provisions, but this is the exception rather than the rule. Most organizations need to meet the most stringent applicable requirement across all jurisdictions.
How do I determine which state regulations apply to my organization?
Applicability typically depends on:
- Where your organization is physically located
- Where you have employees or operations
- Where your customers or clients reside
- What sectors you operate in (financial services, healthcare, government)
- What types of data you process
Can compliance with NIST CSF satisfy state requirements?
Many states reference or require alignment with NIST CSF, making it a strong foundation. However, you must verify specific state requirements—some states have additional or more specific requirements beyond NIST CSF. In fact, many state regulations also borrow heavily from NIST SP 800-53.
How often do state cybersecurity regulations change?
State regulations are updated regularly. Major legislative sessions (typically annual or biennial) may introduce new requirements, while administrative agencies may update rules more frequently. Organizations should monitor changes at least quarterly.
What’s the relationship between state privacy laws and information security requirements?
State privacy laws (like CCPA, CPRA, and state consumer privacy acts) typically include security requirements as a component of data protection obligations. Organizations must address both the privacy and security provisions of applicable laws.
This reference guide is maintained by SaltyCloud and updated as state regulations evolve. Last updated: February 2026.
This content is for informational purposes only and does not constitute legal or compliance advice. See our full disclaimer.