Cybersecurity Policy Manager
Job
State of Maryland - DoIT Enterprise Information Systems
[Unknown City], MD (In Person)
$158,420 Salary, Full-Time
Job Description
Cybersecurity Policy Manager
Recruitment #26-004730-0001
DEPARTMENT DoIT Enterprise Information Systems
DATE OPENED 3/11/2026 3:00:00 PM
FILING DEADLINE 3/25/2026 11:59:00 PM
SALARY $155,334 - $161,507
EMPLOYMENT TYPE Full-Time
WORK LOCATION
Anne Arundel
TELEWORK ELIGIBLE
Yes
Introduction
As the state's IT leader, DoIT manages information technology and telecommunications services and provides critical support to state agencies, the Executive Office of the Governor, coordinating offices, and independent Executive Branch agencies. The agency provides cybersecurity, digital, data governance, AI enablement, infrastructure, and platform services to its partner agencies, ensuring the State of Maryland is more secure, productive, and accessible.
GRADE STD 0025
LOCATION OF POSITION
100 Community Place, Crownsville, MD 21032
Main Purpose Of Job
The Cybersecurity Risk Management Manager is an integral part of the Maryland Department of Information Technology (DoIT) leadership team. This position will lead and oversee the development and implementation of a centralized cybersecurity risk management framework across all State Executive Agencies. The Cybersecurity Risk Management Manager will drive the standardization of cybersecurity risk practices, ensure compliance with federal standards and guidelines, and establish a robust third-party risk management program. Will architect and build from scratch a statewide cybersecurity risk management framework in a highly ambiguous environment, aligning with NIST 800-53, NIST 800-37 (RMF), and NIST CSF.
This role will work closely with agency stakeholders to assess risk, implement mitigation strategies, and create a continuous monitoring structure to provide real-time visibility into cyber risk posture for state leadership. This position will also lead the development and execution of risk governance processes, coordinate risk assessments and reporting, and support the implementation of enterprise-wide cybersecurity initiatives aligned with federal and other relevant standards.
This is a management service position which serves at the pleasure of the appointing authority.
POSITION DUTIES
Enterprise-Wide Risk Management Program
- Architect and build from scratch a statewide cybersecurity risk management framework in a highly ambiguous environment, aligning with NIST 800-53, NIST 800-37 (RMF), and NIST CSF.
- Act as an intrapreneur to independently conceptualize and develop risk management policies, procedures, and controls where processes are currently vague or non-existent, enhancing the security posture across Maryland's digital infrastructure.
- Proactively problem-solve by conducting risk assessments, threat modeling, and security gap analyses across agencies, navigating undocumented environments without waiting for a playbook.
- Synthesize disparate data points and connect context to establish meaningful Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) that effectively measure risk levels and cybersecurity maturity.
- Provide strategic cybersecurity risk guidance to executive leadership and agency stakeholders, driving initiatives forward autonomously and adapting fluidly to emerging threats.
- Lead continuous monitoring efforts, determining lightweight, scalable solutions to proactively manage and mitigate risks.
Third-Party Risk Management Program
- Pioneer the development and implementation of a third-party/vendor risk management framework from the ground up, bringing structure to undefined processes while aligning with NIST 800-161 (Supply Chain Risk Management) and State of Maryland IT Security Policies.
- Creatively assess and solve complex security risks associated with cloud providers, contractors, and IT vendors, even when historical data or established procedures are lacking.
- Take ownership of figuring out the best scalable approach to establish vendor security assessments, contract security requirements, and ongoing compliance monitoring.
- Connect the dots across departments, partnering seamlessly with procurement and legal teams to integrate cybersecurity requirements into contracts and vendor agreements.
- Oversee vendor audits, penetration testing, and compliance assessments, acting decisively to mitigate third-party cybersecurity risks without waiting for explicit guidance.
Regulatory Compliance & Governance
- Navigate complex regulatory landscapes autonomously to ensure statewide cybersecurity, privacy and AI compliance with applicable and relevant federal and state laws, regulations and standards (MD COMAR, Senate & House Bills, NIST, etc.), translating rigid requirements into practical, actionable steps.
- Lead internal audits and risk reviews to assess cybersecurity effectiveness, bringing clarity and structured problem-solving to previously unassessed areas.
- Design innovative incident response strategies from a blank slate, coordinating agile risk mitigation efforts in response to dynamic cybersecurity threats.
- Absorb broad organizational context and collaborate with federal, state, and local agencies to strategically align our nascent risk management efforts with national cybersecurity standards.
MINIMUM QUALIFICATIONS
Education:
A bachelor's degree from an accredited college or university in cybersecurity, information technology, or other related field.
Experience:
Four years' experience in creating/architecting, maintaining and updating a risk management program(s) and processes that align with state and federal laws, regulations and standards. Developing and updating cybersecurity policy, standards and strategy in compliance with federal & state laws, regulations and standards. One of the four years' experience must have been in a supervisory capacity.
Notes:
Candidates may substitute the Bachelor's degree with two additional years of experience listed above.
DESIRED OR PREFERRED QUALIFICATIONS
Preference will be given to candidates who have experience in one or more of the following:
- Developing internal and external facing reports, documents, briefings, and surveys
- Briefing and consulting with Executive Leadership and Stakeholders
SELECTION PROCESS
Please make sure that you provide sufficient information on your application to show that you meet the qualifications for this recruitment. All information concerning your qualifications must be submitted by the closing date. We will not consider information submitted after this date. Successful candidates will be ranked as Best Qualified, Better Qualified, or Qualified and placed on the eligible (employment) list for at least one year.
BENEFITS
STATE OF MARYLAND BENEFITS
FURTHER INSTRUCTIONS
Online applications are highly recommended. However, if you are unable to apply online, the paper application and supplemental questionnaire may be submitted to: Department of Budget and Management, Recruitment and Examination Division, 301 W. Preston St., Baltimore, MD 21201. Paper application materials must be received in our office by the closing date for the recruitment. No postmarks will be accepted. For questions regarding this recruitment, please contact the DBM Recruitment and Examination Division at Application.Helpmaryland or 410-767-4850, MD TTY Relay Service 1-800-735-2258. We thank our Veterans for their service to our country. People with disabilities and bilingual candidates are encouraged to apply. As an equal opportunity employer, Maryland is committed to recruitment, retaining and promoting employees who are reflective of the State's diversity.