$126,308 to $138,943/yr

Cybersecurity & Third Party Risk Analyst (DoIT Cyber Policy and Strategy Planner I)



Introduction

As the state’s IT leader, DoIT manages information technology and telecommunications services and provides critical support to state agencies, the Executive Office of the Governor, coordinating offices, and independent Executive Branch agencies. The agency provides cybersecurity, digital, data governance, AI enablement, infrastructure, and platform services to its partner agencies, ensuring the State of Maryland is more secure, productive, and accessible.

GRADE

STD 0023

Main Purpose of Job

The purpose of this position is to support the development of the Department of Information Technology’s (DoIT) Third-Party Risk Management (TPRM) program while providing cross-functional support for enterprise cybersecurity risk assessments and the policy lifecycle. As the primary analyst for third-party oversight, this role ensures that all vendors, contractors, and cloud service providers comply with the State of Maryland’s security standards. Additionally, this position serves as a GRC generalist, facilitating the Authority to Operate (ATO) process and ensuring that cybersecurity policies are implemented and maintained in alignment with NIST frameworks and state legislative mandates.

POSITION DUTIES

Third-Party Risk Management Program

- Support the development and implementation of a third-party/vendor risk management framework that aligns with NIST 800-161 (Supply Chain Risk Management) and the State of Maryland Cybersecurity & Privacy policy suite.
- Assess and manage security risks associated with cloud providers, contractors, and IT vendors.
- Establish vendor security assessments, contract security requirements, and ongoing compliance monitoring.
- Partner with procurement and legal teams to integrate cybersecurity requirements into contracts and vendor agreements.
- Oversee vendor audits, penetration testing, and compliance assessments to mitigate third-party cybersecurity risks.

Cybersecurity Risk Management & ATO Support

- Support execution of statewide cybersecurity risk assessments and threat modeling for Executive Branch agencies.
- Facilitate the ATO (Authority to Operate) process by reviewing System Security Plans (SSPs) and assessing control implementation against NIST 800-53.
- Support the development and maintenance of the Enterprise Risk Register and assist agencies in developing Plans of Action and Milestones (POA&Ms) to remediate gaps.
- Provide cross-pollination support for continuous monitoring efforts to track the state's real-time risk posture.

Policy Lifecycle & Governance Management

- Manage the full lifecycle of cybersecurity and privacy policies, from initial drafting and stakeholder review to formal approval and publication.
- Ensure all policies remain current with evolving federal and state regulations (e.g., IRS 1075, HIPAA, State Senate/House Bills).
- Map policy requirements to technical controls to ensure measurable compliance across the enterprise.

MINIMUM QUALIFICATIONS

Experience: Four years of experience in information security as it relates to policy creation regarding compliance, legislation, governance programs and/or supporting internal audits.

Notes:

1. Candidates may substitute a bachelor’s degree in IT security management, IT management, information security, political science, business management, communications, or public administration with cybersecurity experience or a related field for up to two years of the required experience.

DESIRED OR PREFERRED QUALIFICATIONS

Our preferred candidate will also have one or more of the following:

Public Sector cybersecurity experience: Direct experience working within local, state, or federal government environments, with direct knowledge of the government Authority to Operate (ATO) process and specialized compliance mandates (e.g., IRS 1075, HIPAA, or State legislative frameworks).

Supply Chain/Third-Party Specialization: Working experience evaluating vendor security postures using NIST 800-161 (Supply Chain Risk Management) and interpreting SOC 2 reports or vendor-provided System Security Plans (SSPs).

Professional Certifications: Possession of foundational or intermediate GRC-related certifications such as CompTIA Security+, ISACA CISA (Certified Information Systems Auditor), or CRISC (Certified in Risk and Information Systems Control).

SPECIAL REQUIREMENTS

1. Employees in this classification may be subject to call-in 24 hours a day and, therefore, may be required to provide the employing agency with a telephone number where the employee can be reached. Employees may be furnished with a pager or cell phone.
2. Applicants for this classification may handle sensitive data. This will require a full-scope background investigation before the appointment. A criminal conviction may be grounds for rejection of the applicant.
3. Employees may occasionally be required to travel to field locations and must have access to an automobile in the event a state vehicle cannot be provided. A standard mileage allowance will be paid for the use of a privately owned vehicle.

BENEFITS

STATE OF MARYLAND BENEFITS

FURTHER INSTRUCTIONS

Online applications are highly recommended. However, if you are unable to apply online, the paper application and supplemental questionnaire may be submitted to: Department of Budget and Management, Recruitment and Examination Division, 301 W. Preston St., Baltimore, MD 21201. Paper application materials must be received in our office by the closing date for the recruitment. No postmarks will be accepted.

For questions regarding this recruitment, please contact the DBM Recruitment and Examination Division at Application.Help@maryland.gov or 410-767-4850, MD TTY Relay Service 1-800-735-2258.

We thank our Veterans for their service to our country. People with disabilities and bilingual candidates are encouraged to apply.

As an equal opportunity employer, Maryland is committed to recruiting, retaining and promoting employees who are reflective of the State's diversity.

Location & Eligibility

Where is the job: Anne Arundel (on-site at the office)
Who can apply: Same as job location

Listing Details

First seen: May 28, 2026
Last seen: May 29, 2026
