What is North Carolina’s Statewide Information Security Manual (SISM)? Complete Guide

SaltyCloud Research Team

Updated Nov 11, 2025. Read time: 36 min.

What is North Carolina’s SISM? Complete Compliance Guide (2025)

North Carolina’s digital government is built on one of the most coordinated IT ecosystems in the country. The State’s digital government platform provides its citizens with a single, integrated access point to hundreds of online services, from tax filing and professional licensing to transportation renewals, health services and education resources.

Every agency, department and institution in this ecosystem connects through shared infrastructure and enterprise governance led by the North Carolina Department of Information Technology (NCDIT) under the State Chief Information Officer (CIO).

For agency technology leaders, this centralized model provides both opportunity and responsibility. NCDIT’s enterprise platforms enable efficiency, interoperability and faster service delivery, but they also expand the surface area of risk.

As systems, applications and data become increasingly interconnected, safeguarding the confidentiality, integrity and availability of state information assets demands a unified approach.

North Carolina’s Statewide Information Security Manual (SISM) serves as the foundation of that approach, establishing consistent information security governance and risk management across all agencies. It clearly defines the minimum cybersecurity requirements that every agency must follow as a framework for governance, accountability and continuous improvement.

This comprehensive guide defines what must be protected, why it matters and how agencies can apply the principles outlined in North Carolina’s Statewide Information Security Manual (SISM). It translates statewide policy into actionable practices and implementation guidelines, helping agencies interpret SISM requirements and stay compliant with State and federal mandates.

What is the Statewide Information Security Manual (SISM)?

North Carolina’s SISM is the foundation of information security governance for the state. It sets the minimum security requirements that all state agencies, departments and institutions in North Carolina must follow when they access, store or process state government information.

In simple terms, it defines how state agencies need to design, implement and maintain their information systems, along with rules, roles and responsibilities for how state agencies must secure data, manage risks and respond to cyber threats.

Specifically, the SISM aims to:

  • Protect North Carolina’s IT infrastructure and citizens’ data from internal and external threats.
  • Establish a consistent, repeatable framework that ensures all IT assets are securely connected to the State network.
  • Strengthen statewide standards for managing technology, mitigating risks and promoting uniform practices across agencies.
  • Improve accessibility and interoperability of State systems while maintaining strong security controls.
  • Support a cohesive, enterprise-wide approach that aligns technology management with the State’s strategic and cybersecurity objectives.

In addition to that, the SISM aligns with the Governor’s cybersecurity directives, federal cybersecurity grant requirements and the National Cybersecurity Strategy Implementation Plan (NCSIP).

This alignment ensures that information security governance across North Carolina is consistent, measurable and accountable. This enables agencies to make informed security decisions, demonstrate compliance and maintain operational resilience in line with State and federal mandates.

Statutory Authority and Governance Framework

North Carolina’s cybersecurity governance is built on the legal foundation established in Article 15 of Chapter 143B of the North Carolina General Statutes.

In essence, this statutory article does three things:

  1. Creates the Department of Information Technology (DIT) and the office of the State Chief Information Officer (State CIO).
  2. Gives the State CIO statutory authority over statewide IT and cybersecurity policy.
  3. Requires the establishment of standards and policies to protect state information systems.

The statute directs the CIO to establish, maintain and annually review statewide standards for protecting, managing and monitoring State information systems. These standards need to define how data is classified, communications are secured and encryption and system management controls are applied across all agencies.

Each agency is then responsible for implementing these standards within its operations and for reporting compliance to the Department of Information Technology (DIT).

The Statewide Information Security Manual (SISM) is the instrument through which the State CIO fulfills these statutory responsibilities, translating legislative authority into operational cybersecurity policy. In other words, the statute gives the CIO the power and mandate, and the SISM is how that mandate is implemented in practice.

Enterprise Oversight (CIO / ESRMO)

The Enterprise Security and Risk Management Office (ESRMO) operates within the NCDIT as the implementation and oversight arm for statewide cybersecurity.

Acting under the delegated authority of the State CIO, the ESRMO oversees compliance with the SISM and related State Chief Information Officer – Security (SCIO-SEC) policies, ensuring that agencies align with established security standards, submit risk assessments and maintain ongoing reporting through the Enterprise Governance, Risk and Compliance (EGRC) system.

The ESRMO carries the majority of operational responsibility for implementing, coordinating and enforcing North Carolina’s statewide cybersecurity program.

Core Responsibilities of the ESRMO

  • Translates statewide policy mandates into actionable, measurable programs.
  • Develops implementation frameworks, technical standards and risk-management processes defined in the Statewide Information Security Manual (SISM) and supporting SCIO-SEC policies.
  • Coordinates cybersecurity implementation across all executive-branch agencies to ensure consistency.
  • Ensures consistent statewide application of NIST SP 800-37 (Risk Management Framework) and NIST SP 800-53 Rev. 5 (Security and Privacy Controls).
  • Conducts direct oversight of agency compliance with statewide standards.
  • Reviews agency risk assessments, approves treatment and mitigation plans and validates compliance through the EGRC system.
  • Provides the State CIO with a unified, enterprise-level view of risk posture and compliance status.
  • Offers agencies guidance, training and operational tools to meet statewide security obligations.
  • Supports ongoing continuous monitoring and risk mitigation efforts across the executive branch.

Agency Level Compliance Responsibilities

Each agency’s senior leadership, including the Agency Head, Chief Information Officer (CIO) and Chief Information Security Officer (CISO), is responsible for applying statewide security policies within its own operational environment. Agencies must report all risk-mitigation activities and compliance efforts to ESRMO for centralized oversight.

Agencies are required to submit risk assessment results and continuous-monitoring data to ESRMO within 30 days of completion and maintain these records in the EGRC system. This process ensures enterprise-wide visibility into each agency’s risk posture, remediation progress and overall security compliance.

Who Must Comply with the Statewide Information Security Standards

The Statewide Information Security Manual (SISM) applies to all information, systems, personnel and third parties that handle or support North Carolina’s executive-branch technology operations. It defines who is covered, what environments it governs and where the standards apply.

Covered Entities

  • Executive Branch Agencies and Departments – All North Carolina executive-branch agencies, departments, boards and commissions are subject to SISM requirements, including those managing systems or services that store, process or transmit State information.
  • Constitutional Offices – Offices established under the North Carolina Constitution that operate within the executive branch are covered under SISM, consistent with statewide information security policy.
  • State Universities and Colleges – The University of North Carolina (UNC) System and the North Carolina Community College System fall under SISM when operating systems connected to State networks or processing State data. Some institutions may maintain autonomous security programs, provided those programs meet or exceed SISM standards and remain interoperable with State systems.
  • Third-Party Vendors and Contractors – Any external organization, including vendors, consultants or service providers, that accesses, processes, stores or transmits State information or operates technology systems on behalf of a State agency must comply with SISM standards and contractually maintain security plans subject to ESRMO review.
  • Agency Employees and Authorized Users – All State employees, contractors and users with access to State systems or data are bound by SISM policies and procedures, including remote and telework users.

Extended Applicability

Local Governments and Education Entities

Local governments, Local Education Agencies (LEAs), community colleges and the UNC system are encouraged to adopt these standards when doing so supports interoperability, consistent statewide practices or shared infrastructure security.

Industry Partners and Affected Sectors

SISM influences multiple industry sectors that interact with the State, including:

  • Technology and cloud service providers
  • Healthcare organizations interfacing with State health systems
  • Educational institutions handling State data or funding
  • Financial entities managing State transactions
  • Consulting and professional service firms working under State contracts

Scope Based on Geographic Coverage

SISM applies to:

  • All operations within North Carolina’s State government
  • Remote or telework arrangements involving State employees or contractors
  • Out-of-state data centers or cloud providers hosting State information
  • Vendors or subcontractors, regardless of physical location, when they handle State data or connect to State systems

Entity Size

SISM applies regardless of agency or vendor size.
Small boards or commissions with limited IT resources have the same baseline security obligations as large cabinet-level agencies, though implementation methods may differ according to risk and resource capacity.

Exemptions and Special Conditions

When agencies or entities seek to operate outside the default scope of SISM, they typically need to go through a formal exception or exemption process administered by the State CIO / NCDIT (often facilitated through ESRMO).

Limited exemptions may apply for the following entities:

  • Legislative and Judicial Branches: These branches usually maintain separate security frameworks.
  • Institutional Autonomy: Some universities may operate independent programs if they demonstrate equivalent or superior security posture.
  • National Security or Federal Operations: Law enforcement or emergency management systems subject to federal requirements may follow alternate frameworks approved by the State CIO.

Even when exemptions apply, affected entities are expected to:

  • Maintain security controls that are comparable to SISM requirements; and
  • Coordinate with the State CIO at NCDIT and ESRMO to ensure secure data exchange and infrastructure interoperability.

Foundational Frameworks of North Carolina’s SISM

To ensure consistency, accountability and interoperability across all State entities, North Carolina’s information security program is aligned with nationally recognized standards. This alignment ensures compatibility with federal cybersecurity standards, supports compliance with national grant and reporting requirements and promotes a consistent, risk-based approach across all State agencies.

The SISM adopts two NIST publications as the core of its statewide security program.

North Carolina Governing Process: NIST SP 800-37 (Risk Management Framework – RMF)

North Carolina has formally adopted the NIST Special Publication 800-37, Guide for Applying the Risk Management Framework (RMF) as the statewide standard for managing information-security risk within State IT resources.

The RMF provides a disciplined, structured process that integrates security and risk-management activities into every stage of the system development lifecycle.

Under this model, all executive-branch agencies must follow the full RMF sequence: categorization → control selection → implementation → assessment → authorization → continuous monitoring.

Control Catalog: NIST SP 800-53 Revision 5 (Security and Privacy Controls)

To operationalize the RMF, the State employs NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations as the foundation for identifying, selecting and implementing safeguards.

These controls are organized into 18 families, which together form the structural framework of the SISM and all companion SCIO-SEC policies. These controls are further tailored within the SISM to address the specific operational, legal and risk contexts of North Carolina’s State government environment.

Each policy domain corresponds directly to a control family, ensuring that technical, administrative and procedural safeguards are applied consistently across all executive-branch entities.

System Categorization and Baselines

The North Carolina SISM applies a two-tier baseline model to standardize control implementation across executive-branch systems. These baselines are derived from NIST SP 800-53 Rev. 5 control families and calibrated for the State’s enterprise risk tolerance, ensuring proportional protection based on data sensitivity and system criticality.

System categories are determined by the system’s data classification and operational dependency:

Low Systems

Applies to systems that contain only public data or information that is publicly accessible through authorized mechanisms such as open data portals or public websites. Workstations and devices used for public data access fall into this category unless they store, process or transmit restricted information.

Moderate Systems

Applies to systems that store, process or transmit Restricted or Highly Restricted data, such as personally identifiable information (PII), financial data or health information, or to systems that directly depend on another Moderate system for operation.

Agencies may tailor baseline controls only to strengthen their posture. Any deviation, reduction or exception must be formally approved by the NCDIT through the established Exception Process.

Control Implementation and Ownership

North Carolina implements NIST SP 800-53 controls through a three-tier ownership model that clearly defines how NCDIT and executive agencies share security responsibilities.

  • Common Controls – Enterprise-wide safeguards managed centrally by DIT or other statewide service providers. Examples include State policies, enterprise firewalls, security monitoring and cloud infrastructure controls.
  • System-Specific Controls – Protect a particular information system and address risks unique to its mission or operating environment.
  • Hybrid Controls – Shared responsibilities between NCDIT and agencies.

These control types are implemented through statewide information-security policies and standards that translate NIST SP 800-53 requirements into North Carolina’s enterprise environment. The ESRMO develops, maintains and monitors these policies on behalf of the State CIO.

Statewide Information Security Policies

The Statewide Information Security Policies translate the NIST SP 800-53 control families into enforceable, environment-specific requirements. Together with the SISM, they ensure a consistent, NIST-aligned information security framework across all executive-branch entities.

All policies undergo annual review and update under § 143B-1376, ensuring continued alignment with federal guidance, State strategic priorities and the evolving cybersecurity landscape.

Each entry below lists the NIST SP 800-53 control family, the policy number and title, and the policy’s scope and purpose.

  • AC – Access Control: SCIO-SEC-301, Access Control Policy. Defines requirements for account authorization, least privilege, session control and separation of duties.
  • AT – Awareness and Training: SCIO-SEC-302, Awareness and Training Policy. Establishes statewide security-awareness and role-based training obligations for all users of State IT systems.
  • AU – Audit and Accountability: SCIO-SEC-303, Audit and Accountability Policy. Requires audit logging, event monitoring and log retention consistent with ESRMO standards.
  • CA – Assessment and Authorization: SCIO-SEC-304, Security Assessment and Authorization Policy. Sets procedures for system authorization, security-control assessments and risk acceptance.
  • CM – Configuration Management: SCIO-SEC-305, Configuration Management Policy. Establishes baselines, change-control and configuration documentation requirements.
  • CP – Contingency Planning: SCIO-SEC-306, Contingency Planning Policy. Governs business-continuity, backup and disaster-recovery planning.
  • IA – Identification and Authentication: SCIO-SEC-307, Identification and Authentication Policy. Mandates user identification, password complexity and multi-factor authentication for access to State systems.
  • IR – Incident Response: SCIO-SEC-308, Incident Response Policy. Defines statewide procedures for detecting, reporting and managing cybersecurity incidents.
  • MA – Maintenance: SCIO-SEC-309, Maintenance Policy. Regulates preventive and corrective maintenance, documentation and off-site repairs.
  • MP – Media Protection: SCIO-SEC-310, Media Protection Policy. Controls media storage, transportation and sanitization of sensitive data.
  • PS – Personnel Security: SCIO-SEC-311, Personnel Security Policy. Specifies background checks, onboarding/offboarding and access-revocation procedures.
  • PL – Security Planning: SCIO-SEC-312, Security Planning Policy. Requires each agency to maintain a System Security Plan and define system boundaries, roles and responsibilities.
  • PE – Physical and Environmental Protection: SCIO-SEC-313, Physical and Environmental Protection Policy. Establishes requirements for facility access control, visitor management, physical safeguards and environmental protection of State IT assets and infrastructure.
  • RA – Risk Assessment: SCIO-SEC-314, Risk Assessment Policy. Establishes enterprise risk-assessment frequency, methodology and documentation requirements.
  • SA – System and Services Acquisition: SCIO-SEC-315, System and Services Acquisition Policy. Requires security integration in procurement and system-development lifecycles.
  • SC – System and Communications Protection: SCIO-SEC-316, System and Communications Protection Policy. Mandates boundary protection, encryption and network-security monitoring controls.
  • SI – System and Information Integrity: SCIO-SEC-317, System and Information Integrity Policy. Defines requirements for vulnerability management, patching and malware protection.
  • SR – Supply Chain Risk Management: SCIO-SEC-318, Supply Chain Risk Management Policy. Establishes third-party security, contract controls and vendor-risk management expectations.

Implementing the Statewide Information Security Manual (SISM)

Implementing the SISM extends beyond establishing policies and controls; it depends on the effective management of risk across every agency environment.

Risk management serves as the operational backbone of SISM, ensuring that controls are not only implemented but continuously evaluated for effectiveness. By integrating risk-based decision-making into planning, procurement and system operations, North Carolina ensures that information security remains adaptive, measurable and aligned with statewide strategic objectives.

Risk Management Program

North Carolina’s Statewide Risk Management Program is established under the Risk Assessment Policy (SCIO-SEC-314), which implements N.C.G.S. § 143B-1376 and aligns with NIST SP 800-37 and NIST SP 800-53 Rev. 5.

The program defines how agencies identify, assess and mitigate cybersecurity risks to protect the confidentiality, integrity and availability of State information systems and data. It is coordinated by the ESRMO under the leadership of the State Chief Risk Officer (SCRO) and in consultation with the State Chief Information Security Officer (SCISO).

Roles and Responsibilities

  • Agency Senior Management (Agency Head, CIO and CISO) – Must sponsor and approve the agency’s Risk Management Plan, review and endorse risk assessments and report mitigation activities to the State Chief Risk Officer (SCRO).
  • Security Liaisons – Designated under SCIO-SEC-314, security liaisons are responsible for conducting risk assessments, analyzing findings, recommending and documenting controls and tracking the implementation of approved mitigations.
  • State Chief Information Security Officer (SCISO) – Under the delegated authority of the State CIO, the SCISO oversees the ongoing development, implementation and maintenance of the statewide Risk Management Program.

Core Risk Management Activities

In accordance with NIST SP 800-53 (Rev. 5), particularly controls RA-1 (Policy and Procedures) and RA-3 (Risk Assessment), North Carolina’s program requires agencies to perform a continuous, cyclical risk-management process built around four key activities:

  1. Identification of Risks
    Agencies must proactively identify and document risks that could affect business continuity, data security or operational performance. They must also document their potential impact and characteristics.
  2. Analysis of Risks
    Estimate the probability, impact and timeframe of identified risks. Agencies must classify risks into related categories and prioritize them based on severity and likelihood.
  3. Mitigation Planning
    Develop corrective strategies to reduce risk likelihood or impact. All Moderate or High risks require written mitigation plans, managerial approval and assigned accountability for completion.
  4. Tracking and Control
    Agencies must also continuously monitor identified risks and mitigation progress, collect and report status updates and ensure through management oversight that all corrective actions are completed within established timelines.

Risk Assessment Process

Under the Risk Assessment Policy (SCIO-SEC-314) and NIST control RA-3, each agency must conduct formal, documented security and privacy risk assessments to evaluate potential harm resulting from unauthorized access, use, disclosure, disruption, modification or destruction of State systems and data.

Risk Assessment Requirements

Risk assessments must:

  • Address risks to agency operations, assets and individuals, including risks introduced by external entities (contractors, vendors, service providers or cloud partners).
  • Be performed at least annually and whenever significant system or environmental changes occur.
  • Include third-party independent assessments for all Restricted and Highly Restricted systems at least once every three years, with self-assessments or targeted reviews in between.

The results of these risk assessments must be submitted to the ESRMO within 30 days of completion, along with remediation plans, through the EGRC tool.

For all identified deficiencies, agencies must analyze business impact, classify findings by severity and document corresponding Plans of Action and Milestones (POA&M) or Corrective Action Plans (CAP).

All findings and mitigation progress are tracked in EGRC to ensure that weaknesses are addressed and residual risks are reduced to acceptable levels.

Assessment Cycle

North Carolina’s Continuous Monitoring Plan operates on a three-year assessment cycle, requiring each agency to undergo evaluations through one or both of the following approved methods:

  • Third-Party Independent Assessment – Conducted by an external assessor to ensure objectivity and validate compliance with statewide information security standards.
  • Self-Assessment – Conducted internally by the agency using ESRMO-approved templates, methodologies and evaluation criteria.

Within 30 days of completing an assessment, agencies must submit the full assessment results and a corresponding remediation plan in the EGRC system.

The ESRMO coordinates with agencies to review findings, track corrective actions and verify closure timelines, ensuring consistent statewide visibility into risk posture and compliance progress.

Control Assessment and Authorization

Under the Assessment, Authorization and Continuous Monitoring Policy (SCIO-SEC-304) and in alignment with NIST SP 800-53 controls CA-2 (Control Assessment), CA-6 (Authorization) and CA-7 (Continuous Monitoring), agencies are required to evaluate, authorize and continuously monitor the security controls protecting State information systems.

Agencies must:

  • Assess Controls – Conduct internal or independent evaluations of implemented security and privacy controls to verify effectiveness and compliance.
  • Authorize Systems – Submit assessment results to the Authorizing Official (AO) for a formal authorization decision based on residual risk.
  • Document Remediation – Maintain Plans of Action and Milestones (POA&Ms) or Corrective Action Plans (CAPs) within the EGRC system to document remediation progress and closure.
  • Continuously Monitor – Implement ongoing monitoring processes to ensure that system controls remain effective and that risk posture reflects current operational and environmental conditions.

Together, these activities establish a repeatable cycle of assessment, authorization and continuous improvement, forming the foundation of North Carolina’s enterprise cybersecurity assurance program.

Third-Party and Supply Chain Risk

The Risk Assessment Policy (SCIO-SEC-314 / RA-3) extends to contractors, service providers and third-party organizations that process, store or transmit State information. This ensures that external partners uphold equivalent security standards and do not introduce unmanaged risk into the State’s environment.

Key Vendor-Assessment Activities

  • Pre-Contract Review and Approval – Agencies must obtain State CIO approval before entering contracts involving off-site or cloud-hosted services.
  • Vendor Readiness Assessment Report (VRAR) – Vendors must complete a VRAR before contract execution. This demonstrates compliance with statewide security policies and standards.
  • Independent Attestation – Vendors must provide valid third-party security certifications (e.g., FedRAMP Authorization, SOC 2 Type 2, ISO/IEC 27001 or HITRUST CSF) and renew them annually.
  • Continuous Monitoring – Cloud Service Providers (CSPs) and other critical vendors must maintain active monitoring and demonstrate ongoing compliance. SaaS vendors cannot rely solely on underlying IaaS/PaaS certifications unless explicitly covered.

Incident Reporting and Response

The Incident Response Policy (SCIO-SEC-308) establishes the statewide framework for detecting, reporting and responding to cybersecurity incidents across all executive-branch agencies.

The policy aligns with the Incident Response (IR) control family in NIST SP 800-53 Rev. 5 and defines uniform standards to ensure the confidentiality, integrity and availability of State information assets.

Enterprise Oversight: ESRMO

The Enterprise Security and Risk Management Office (ESRMO) serves as the State’s central coordinating authority for incident response. It maintains the Threat Management Team (TMT), which functions as the enterprise-level response and coordination body.

ESRMO also provides incident-handling guidance, forensic assistance and communication support to agencies during active incidents, ensuring consistency and alignment with statewide protocols.

In addition, it oversees incident tracking and reporting through the EGRC system, enabling centralized visibility and oversight of all cybersecurity events across executive-branch agencies.

Under IR-1 (Policy and Procedures), all systems that process, store or transmit State information must apply standardized incident-response procedures and controls consistent with SISM and NIST guidance.

Incident Response Roles and Responsibilities

The Incident Response Policy defines a structured chain of responsibility to ensure clear lines of communication and accountability:

  • State CIO / State CISO / Agency Leadership – Provide statewide oversight, policy enforcement and continuous improvement of the Incident Response Program.
  • Agency CIO / Agency CISO – Implement statewide procedures within their agencies, activate the Incident Response Team (IRT) when required and ensure compliance with documentation and reporting requirements.
  • Incident Response Officer (IRO) – Typically the Agency CISO or Security Liaison, this official is accountable for all agency-level incident-response activities.
  • Incident Response Manager (IRM) – Leads the IRT, coordinates containment and recovery actions and manages communications during incidents. This role is typically housed within the ESRMO.
  • Incident Response Team (IRT) – A cross-functional team including IT, security and business representatives. The IRT executes response actions, documents remediation and restores affected systems.
  • Local Incident Response Coordinator (LIRC) – Serves as the agency’s designated Security Liaison and reports directly to the IRM for coordination.
  • Third-Party Vendors and Service Providers – Any vendor handling State data must maintain and annually update an incident-response plan aligned with State standards. ESRMO reviews these plans to ensure adequacy and compliance.

Reporting

IR-6 (Incident Reporting) requires agencies and vendors to report all confirmed incidents to the ESRMO within 24 hours of discovery and to document the event’s scope and mitigation.

Agencies and vendors must submit reports using one of the official ESRMO channels:

Through centralized coordination, standardized procedures and timely reporting, North Carolina’s Incident Response Policy (SCIO-SEC-308) ensures that state IT and cybersecurity officials respond quickly and effectively to cyber incidents.

By defining clear escalation paths and requiring consistent communication with the ESRMO, the policy enables coordinated containment, investigation and recovery efforts across all executive-branch agencies.

This unified structure helps minimize operational disruption, reduce statewide cyber risk and strengthen the overall resilience of North Carolina’s digital government infrastructure.

Statewide Threat Management and Coordination

The ESRMO TMT leads the coordinated statewide response to cybersecurity incidents across North Carolina’s executive agencies.

It operationalizes threat management by disseminating real-time alerts through the Multi-State Information Sharing and Analysis Center (MS-ISAC), ensuring agencies receive timely intelligence on emerging threats.

The team also provides specialized training, technical guidance and forensic support to agency personnel, helping them strengthen incident-response readiness.

In addition, ESRMO conducts simulation and tabletop exercises, including participation in Department of Homeland Security (DHS)–sponsored Cyber Storm events, to test response capabilities and improve interagency coordination during complex cybersecurity scenarios.

Enforcement and Compliance

North Carolina takes cybersecurity accountability seriously. Every executive-branch agency is responsible for following the SISM and related SCIO-SEC standards.

When an agency fails to meet these requirements, it can face disciplinary action, including suspension or termination. In severe cases, violations can also lead to civil or criminal penalties under state law.

Under N.C.G.S. § 143B-1376(a), the State CIO has the authority to step in and take direct responsibility for securing an agency’s systems if it fails to comply with statewide standards.

Even though this law doesn’t give the CIO full operational control, it makes the CIO ultimately accountable for ensuring that all state systems meet required cybersecurity standards.

The ESRMO helps the CIO monitor compliance across the state.

ESRMO uses the EGRC system to track agency risk assessments, remediation plans and progress on Plans of Action and Milestones (POA&Ms). It works closely with agency CIOs and CISOs to make sure corrective actions are completed and that remaining risks stay within the state’s acceptable limits.

In practice, enforcement follows these 4 steps:

  • Agency accountability: Each agency must follow SISM and SCIO-SEC policy requirements, perform regular assessments and document compliance in EGRC.
  • Enterprise oversight: ESRMO reviews agency assessments and mitigation plans to ensure they align with NIST SP 800-37 and SP 800-53 control baselines.
  • Remediation: Agencies must fix critical findings within 7 days, high-risk findings within 21 days and medium-risk findings within 30 days. They must update their POA&Ms in EGRC to reflect completed actions. ESRMO tracks progress and escalates repeated or unresolved issues to the CIO.
  • CIO intervention: If an agency continues to ignore standards or creates serious statewide risk, the CIO can issue directives or take temporary control of the affected systems until compliance is restored.


Statewide Cyber Readiness and Coordination

To support enforcement and strengthen statewide cyber readiness, North Carolina created the Joint Cybersecurity Task Force (JCTF). This group brings together experts from law enforcement, emergency management, the N.C. National Guard Cyber Unit, the Local Government IT Strike Team, State IT and cybersecurity offices and federal partners.

The JCTF provides on-site response, technical assistance and coordinated communication during major cybersecurity incidents. It helps organizations contain threats, recover systems, preserve forensic evidence and reduce vulnerabilities.

Working together, these teams combine their legal authority, technical skill and rapid response capabilities to protect North Carolina’s public infrastructure, pursue malicious actors and uphold the enforcement framework that keeps the State’s cybersecurity program strong and accountable.

Implementation of Data Breach Notification Requirements

North Carolina’s Identity Theft Protection Act (Article 2A, Chapter 75) sets statewide rules for how public agencies and private organizations must protect residents’ personal information and what they must do if a data breach occurs. The law applies to any entity that owns, licenses or maintains personal data belonging to North Carolina residents.

Within the state government, these responsibilities are coordinated through the Attorney General’s Consumer Protection Division, which receives official breach reports and ensures that individuals are notified according to legal requirements.

When a breach is discovered or when an organization is notified that one has occurred, the responsible agency or business must alert affected individuals without unreasonable delay, unless law enforcement determines that immediate notice would interfere with an active investigation or national security.

If an organization maintains but does not own the data, it must notify the data owner or licensee immediately after discovering the breach.

Each breach notice must:

  • Clearly explain what happened and what types of personal information were affected.
  • Describe the steps being taken to fix the issue and prevent future incidents.
  • Include contact information for the organization, identity-theft protection guidance and contact details for the Federal Trade Commission, major consumer reporting agencies and the North Carolina Attorney General’s Office.

Notifications can be sent in writing, by email (with prior consent) or by phone.

If direct contact isn’t possible, such as when more than 500,000 people are affected or the cost of notification would exceed $250,000, organizations may use substitute notice, which includes posting the information on their website, sending email notices (if available) and releasing the information through statewide media.

Whenever individuals are notified, the organization must also inform the Attorney General’s Consumer Protection Division as soon as possible, including details about the breach, how many residents were affected, what was done to investigate it and what measures were taken to prevent it from happening again.

If the notice affects more than 1,000 people, the organization must also notify Equifax, Experian and TransUnion.

These steps ensure that both residents and oversight authorities receive clear, timely and complete information whenever a data breach occurs, helping the State maintain transparency, protect citizens and reinforce public trust in North Carolina’s cybersecurity and privacy framework.

History and Development of North Carolina’s Statewide Information Security Manual (SISM)

Over the past several decades, North Carolina has deliberately evolved its information security framework to support a more coordinated, enterprise-wide IT environment. These shifts show a progression from isolated, department-specific systems toward shared infrastructure, standardized governance and consistent security practices.

From Data Processing to Enterprise IT Oversight (1969–2011)

The State began formal IT governance with Executive Order No. 2 (1969), creating the Governor’s Committee on Data Processing and Information Systems to oversee emerging computerization efforts.

Over time, multiple commissions and boards established coordinated planning and project oversight, leading to the creation of the Office of Information Technology Services (ITS) and the State Chief Information Officer (CIO) through the E-Commerce Act of 1999.

Legislative reforms in 2004, 2007 and 2011 further centralized IT authority and operational accountability, setting the groundwork for the creation of the Department of Information Technology (DIT) several years later.

The Identity Theft Protection Act of 2005 introduced North Carolina’s first statewide data protection and breach-notification requirements, setting the foundation for consistent privacy and cybersecurity practices.

IT policies during this period began emphasizing standardization, incident reporting and risk management across agencies.

Consolidation under the Department of Information Technology (NCDIT) (2015–2018)

The establishment of the North Carolina Department of Information Technology (NCDIT) as a standalone cabinet-level agency marked a turning point.

The Statewide IT Consolidation Act (§143B-1325) unified all executive-branch IT operations, data-center management, network administration and information-security responsibilities under NCDIT and the State CIO.

In 2018, the ESRMO published a NIST SP 800-53-aligned version of the Statewide Information Security Manual (SISM), creating a single, enforceable security baseline for all State agencies.

Emerging Digital Governance and Strategic Direction (2024–2030)

NCDIT continues to expand its digital governance efforts through the State Government Responsible Use of Artificial Intelligence Framework (2024), which is rooted in the Fair Information Practice Principles (FIPPs) and the NIST AI Risk Management Framework (AI RMF 1.0).

In September 2025, Executive Order No. 24 also established statewide AI governance consisting of the AI Leadership Council, an AI Accelerator housed within NCDIT as a central hub for AI research, governance and training, and AI Oversight Teams in each agency.

This AI Council is tasked with developing a State AI Strategic Roadmap (due June 30, 2026), creating risk-assessment and transparency standards and launching a public AI Literacy and Fraud Prevention Training Program.

North Carolina is advancing enterprise cybersecurity through Zero Trust adoption, unified CISO accountability, expanded training and new resilience programs under the 2025–2030 Cybersecurity Strategic Plan.

Ongoing Developments and Modernization

Between 2020 and 2024, the SISM matured from a compliance framework into a dynamic, enterprise-wide governance tool.

Updates during this period reflected North Carolina’s adoption of NIST SP 800-53 Revision 5, the NIST Risk Management Framework (SP 800-37) and requirements under the National Cybersecurity Strategy Implementation Plan (NCSIP).

These revisions also expanded agency accountability, standardized reporting and reinforced continuous monitoring across executive-branch environments.

Key Driving Factors in the 2020s

The creation and ongoing enhancement of the SISM during this period were shaped by several converging forces:

  • Escalating cyber threats: Rising ransomware and supply-chain attacks targeting state and local governments demanded stronger baseline controls and faster incident response capabilities.
  • Federal alignment: New federal cybersecurity grant programs and mandates required states to demonstrate NIST-aligned governance structures and measurable risk-management maturity.
  • Enterprise integration: North Carolina’s decentralized agency environment highlighted the need for a unified security posture and standardized control implementation across systems.
  • Privacy and data protection: Increasing public concern over the handling of personally identifiable, health and tax-related data reinforced the need for stricter classification and encryption standards.
  • Statutory reinforcement: Under N.C.G.S. §§143B-1320 through 1374, the State CIO continued to expand enterprise authority for cybersecurity, ensuring that statewide standards and policies—embodied in the SISM—remained enforceable and current.

As of today, the SISM remains the operational backbone of North Carolina’s cybersecurity program. It translates State policy and legal mandates into action by aligning with NIST standards, federal grant requirements and the National Cybersecurity Strategy Implementation Plan (NCSIP) to maintain a secure, resilient and unified statewide posture.

Statewide Impact and Strategic Benefits of SISM

Implementing SISM delivers significant value beyond mere regulatory compliance. Organizations that fully embrace SISM requirements experience measurable improvements in security posture, operational resilience and stakeholder trust.

Risk Reduction Benefits

Enhanced Cyber Defense
North Carolina’s SISM strengthens statewide cyber defense by standardizing security controls, enabling faster detection and response, reducing successful cyberattacks and improving resilience against ransomware, phishing and insider threats.

Data Protection Outcomes
It enhances data protection by enforcing encryption, access controls and consistent data governance practices that safeguard personally identifiable information (PII), prevent unauthorized disclosure or modification and reduce breach-related risks.

Compliance and Regulatory Benefits

Regulatory Alignment
SISM ensures statewide compliance with N.C.G.S. § 143B-1376, aligns with NIST standards, meets federal and industry security requirements such as HIPAA and CJIS and demonstrates due diligence across all executive-branch entities.

Simplified Multi-Framework Compliance
By mapping NIST SP 800-53 controls across multiple frameworks, SISM reduces redundant compliance efforts, unifies documentation and provides a consistent structure for state, federal and third-party audits.

Audit Readiness
It streamlines audit preparation by centralizing documentation, clarifying accountability and providing measurable evidence of control effectiveness, cutting time and cost while increasing confidence in agency compliance.

Operational Improvements

Enhanced IT Operations
SISM drives operational efficiency through standardized security processes, configuration management and business continuity planning, improving system availability and reducing downtime caused by incidents.

Resource Optimization
It helps agencies prioritize investments based on risk, automate manual compliance tasks, eliminate redundant controls and allocate limited budgets more strategically to strengthen cybersecurity outcomes.

Improved Vendor Management
SISM establishes clear procurement requirements, enforces standardized vendor assessments and improves visibility into third-party risks, reducing vendor-related incidents and strengthening contractual accountability.

Business Value and Mission Enablement

Stakeholder Trust and Confidence
It builds public and institutional trust by demonstrating responsible stewardship of State data, reassuring citizens, lawmakers and federal partners of North Carolina’s strong cybersecurity governance.

Mission Continuity
By embedding contingency planning and tested recovery procedures, SISM ensures critical government services remain operational during cyber incidents and recover quickly from disruptions.

Competitive Advantage for Service Delivery
It provides a secure foundation for adopting emerging technologies such as cloud, mobile, AI and remote work, enabling digital transformation, inter-agency collaboration and innovative citizen-service models.

Cost Avoidance
By preventing costly data breaches, agencies reduce financial exposure, avoid fines and litigation, lower insurance premiums and minimize crisis-management and forensic expenses.

Cultural and Organizational Benefits

Security Awareness Culture
It fosters a security-first mindset across agencies, where employees understand their role in safeguarding State information and actively contribute to reducing human-error-related incidents.

Professional Development
The framework promotes workforce growth by supporting cybersecurity training, certification and collaboration, strengthening the State’s capacity to attract and retain top security talent.

Organizational Maturity
It transitions agencies from reactive compliance to proactive, data-driven risk management, embedding continuous improvement and strategic decision-making into daily operations.

Long-Term Strategic Value

Future-Ready Security Posture
SISM establishes a scalable, adaptable security foundation that evolves with new threats, technologies and regulations, ensuring North Carolina remains resilient and forward-looking.

Interoperability and Collaboration
It creates a consistent statewide security baseline that enables secure data sharing, multi-agency coordination and collaboration with federal and local partners through unified standards.

While the benefits of SISM are clear, realizing them requires structure, coordination and continuous measurement. This is where Governance, Risk and Compliance (GRC) tools play a critical role.

GRC Software for North Carolina’s SISM Compliance

Implementing North Carolina’s SISM requires more than following policy. It demands continuous visibility, documentation and measurable accountability across every agency. Manual tracking through spreadsheets and email chains makes it difficult to maintain accuracy, meet reporting deadlines or demonstrate progress to the ESRMO.

A GRC platform provides the centralized foundation agencies need to operationalize SISM effectively.

With the right GRC software, agencies can:

  • Centralize compliance management: Consolidate risk assessments, Plans of Action and Milestones (POA&Ms) and control documentation in a single, auditable system of record.
  • Automate reporting and oversight: Streamline submissions to ESRMO with real-time dashboards that display risk posture, remediation progress and control effectiveness.
  • Assign accountability and track progress: Use automated workflows to delegate tasks, verify corrective actions and ensure deadlines are met across teams and departments.
  • Standardize vendor oversight: Conduct consistent third-party assessments, collect attestations and continuously monitor vendor compliance with statewide standards.

By automating documentation, assessments and evidence collection, GRC tools transform SISM from a static policy into an operational framework that strengthens oversight, improves collaboration and supports measurable information security outcomes.

Isora GRC for North Carolina’s Statewide Information Security Manual

North Carolina’s SISM requires continuous risk assessments, accurate asset inventories, documented POA&Ms and timely reporting to the ESRMO. Isora GRC gives North Carolina agencies a practical, ready-to-use system for executing these requirements.

Instead of managing assessments, risks, and inventories across scattered spreadsheets, agencies can coordinate all SISM activities within one structured platform.

Assessment Management

Isora GRC supports federal frameworks like NIST SP 800-53 and NIST CSF, both foundational to SISM. Agencies can deploy SISM-aligned assessments across departments, systems and vendors using prebuilt or custom templates. Findings automatically populate the risk register and remediation plans, enabling a consistent, evidence-based compliance process.

With this, North Carolina agencies achieve faster, standardized control validation across departments, reducing manual evidence collection and improving consistency in reports submitted to the NCDIT and the ESRMO.

Inventory Management

Isora GRC maintains a connected inventory of systems, applications and third-party providers tied directly to SISM controls and risks. Each record captures ownership, classification and control mappings, creating traceability from controls to risk treatment.

Agencies can gain a single, centralized system of record for all assets and vendors, ensuring full traceability from system-level risks to mitigation actions and improving accountability during ESRMO oversight reviews.

Risk Management

Isora’s live risk register helps agencies capture, prioritize and mitigate risks in real time. Findings from SISM assessments map directly to controls and risks. Exception tracking allows agencies to log justifications, assign owners, and set expiration dates for policy deviations.

North Carolina agencies maintain real-time visibility into statewide cybersecurity risks, enabling leadership to prioritize remediation efforts and demonstrate compliance maturity across all cabinet and non-cabinet entities under SISM.

Reports & Scorecards

Isora GRC generates audit-ready reports and dashboards aligned with SISM control families. Data from assessments, inventories, and risk registers consolidate into exportable, structured formats suitable for ESRMO submission and state auditor reviews.

North Carolina agencies can provide ESRMO and state auditors with real-time, audit-ready documentation that demonstrates compliance progress, risk trends, and control effectiveness — strengthening confidence in statewide cybersecurity readiness.

North Carolina SISM FAQs

What is the difference between SISM compliance and general NIST cybersecurity compliance?

NIST frameworks provide national best practices, while SISM applies those standards within North Carolina’s legal, operational and governance structure. SISM aligns directly with NIST SP 800-37 and SP 800-53, but it adds state-specific enforcement, reporting and oversight requirements. In short, NIST defines what to do, while SISM defines how North Carolina agencies must do it to remain compliant with state law and ESRMO directives.

How do agencies report cybersecurity risks and assessments to the NCDIT and ESRMO under SISM?

Under the SISM, agencies must perform risk assessments, develop mitigation plans and conduct continuous monitoring for all systems that process or store State data. These activities can be managed manually or through a GRC platform such as Isora GRC, which helps standardize documentation and reporting.

Once assessments and remediation plans are complete, agencies must submit the results and supporting documentation to the EGRC system. This is the statewide reporting platform managed by the ESRMO. The EGRC system serves as the official system of record that provides the State CIO with an enterprise-level view of risk posture and compliance progress across all executive-branch agencies.

What are the SCIO-SEC policies associated with SISM and how do they translate NIST controls into state standards?

The SCIO-SEC policies are North Carolina’s operational extensions of the SISM. Each policy maps directly to a NIST SP 800-53 Rev. 5 control family, covering areas such as access control, risk assessment, and incident response. Together, these policies convert NIST’s federal guidance into state-specific, enforceable security standards tailored for North Carolina’s IT environment, ensuring consistency and accountability across all agencies.

How does SISM support Zero Trust adoption and AI governance in North Carolina’s digital government?

SISM provides the security foundation for Zero Trust, emphasizing identity verification, access control, and continuous monitoring across state systems. These same controls now extend to North Carolina’s AI Governance Framework, aligning with NIST AI RMF 1.0 to ensure risk-based, transparent, and accountable AI adoption. Together, SISM and Zero Trust create a unified security posture that supports modern, AI-driven digital services.

What’s the difference between SISM compliance and CJIS, HIPAA, or IRS 1075 compliance?

SISM establishes North Carolina’s baseline information security requirements for all executive-branch agencies, while frameworks like CJIS, HIPAA, and IRS 1075 govern specific types of regulated data. Agencies managing such data must meet those federal requirements in addition to SISM. By aligning with NIST SP 800-53, SISM simplifies multi-framework compliance, allowing agencies to demonstrate both state and federal adherence through a unified control set.

Isora GRC helps agencies map, manage and report on these shared controls in one platform, reducing duplication, unifying documentation and streamlining compliance across SISM, CJIS, HIPAA, and IRS 1075.

How do third-party vendors demonstrate compliance equivalence when operating under frameworks like FedRAMP or ISO 27001?

Vendors working with North Carolina must show that their existing certifications, such as FedRAMP, SOC 2 Type II, or ISO 27001, meet or exceed SISM control requirements. The ESRMO verifies this through Vendor Readiness Assessment Reports (VRARs) and ongoing monitoring. This approach allows vendors to leverage recognized frameworks while ensuring their security posture remains equivalent to North Carolina’s SISM standards.
