Statewide Chief Information Security Officers


At least 16 states have a statewide executive branch chief information security officer (CISO) position or equivalent established by statute. Other states have created CISO positions through executive orders or agency actions. CISOs establish, oversee and facilitate statewide security management programs to ensure government information is adequately protected.

Examples of responsibilities of the CISO position under state laws include:

  • creating statewide security policies and IT standards,
  • requiring information security plans and annual assessments or reporting, and
  • requiring periodic security awareness training for employees.

Privacy and security go hand-in-hand, and at least five states—Arkansas, Massachusetts, Ohio, Utah and Washington—have expressly designated, in statute, a statewide chief privacy officer (CPO). Just as for CISO positions, however, some states have created CPO positions through executive orders or agency actions, or may include privacy protection within the responsibilities of a CISO or other position. 

Statutory language follows the table of states below, indicating the duties and responsibilities assigned to the position in each state. 

Statutes Establishing a Chief Information Security Officer
  • Arizona: Ariz. Rev. Stat. § 18-105, 2022 S.B. 1598
  • Colorado: Colo. Rev. Stat. § 24-37.5-401 et seq.
  • Delaware: Del. Code § 9030C(a)(2)
  • Florida: Fla. Stat. § 282.318
  • Illinois: 20 ILCS 1375/5-20
  • Kansas: Kan. Stat. § 75-7238
  • Kentucky: KRS § 42.724(d)
  • Massachusetts: Mass. Gen. Laws Ch. 7D, § 4
  • New Hampshire: R.S.A. § 94:1-a
  • Ohio: Ohio Rev. Code § 125.18 (5)
  • Rhode Island: R.I. Gen Laws § 42-11-2.8
  • Texas: Tex. Govt. Code §§ 2054.511, 2054.1125
  • Utah: Utah Code § 63F-2-102
  • Washington: RCW § 43.105.450
  • West Virginia: W. Va. Code § 5A-6B-1 to -6

Information Technology Governance and Structure

Establishing a statewide Chief Information Security Officer and specifying duties and responsibilities is increasingly a part of consolidated oversight and management of state agency IT resources.

Examples of state laws creating a consolidated information technology agency include: