State cybersecurity office details vulnerability-disclosure program and local partnerships
Summary
Acting CISO James Saunders described the Office of Security Management's vulnerability disclosure program, local ISO enrollments, new defensive tools, and a plan to centralize cybersecurity and adopt zero-trust across the executive branch in 2026.
James Saunders, the acting chief information security officer, briefed the committee on the Office of Security Management’s (OSM) recent work, including a statewide vulnerability-disclosure program, information-sharing tools and a local ISO program.
Saunders said OSM launched a vulnerability disclosure program that extends to local-government partners and Network Maryland and has received about 150 reports to date, roughly one-third of which the office judged critical or high in severity. "That allows us to remediate and resolve those ahead of time before a threat actor takes advantage of those," he said.
Saunders also described the Maryland ISAC bot for sharing threat information with vendors and critical-infrastructure partners, deployment of defensive tools such as Abnormal Security AI for email threats and Cloudflare for DNS protection, and creation of a local information-security-officer (ISO) program that has enrolled 42 jurisdictions. He said OSM supported about 27 grant applications to state and federal cybersecurity grant programs and has completed a large number of security assessments, with additional assessments in progress.
On centralization and authority, Saunders said the state CISO role carries statutory authority and that the power to lead incident response has been used multiple times in recent incidents. When asked whether the CISO can make binding decisions during incidents, he answered plainly: "It's me," and added that the authority is clear in law and had been executed during incidents over the past summer.
Looking ahead to calendar year 2026, Saunders listed priorities: modernize governance by replacing the IT security manual with a modern security suite that integrates cybersecurity, AI and privacy governance; resume biannual security-preparedness assessments; advance centralization to create a common visibility plane across the executive branch; infuse zero-trust practices and post-quantum readiness; and deepen partnerships with local, industry and federal partners.
Committee members asked how OSM is working with counties and municipalities; Saunders said the office engaged all 24 counties plus Baltimore City on policy redlines, convened local stakeholders through a cybersecurity collaborative, and is exploring how to extend OSM capabilities to locals that are willing to adopt shared services.
