Statewide Chief Information Security Officers


At least 15 states have a statewide executive branch CISO position or equivalent required by statute. Other states have created CISO positions through executive orders or agency actions: all 50 states have a statewide chief information security officer (CISO) or equivalent, according to a Deloitte-NASCIO Cybersecurity Study. CISOs establish, oversee and facilitate statewide security management programs to ensure government information is adequately protected.

Examples of responsibilities of the CISO position under state laws include:

  • creating statewide security policies and IT standards,
  • requiring information security plans and annual assessments or reporting, and
  • requiring periodic security awareness training for employees.

Privacy and security go hand in hand, and at least five states—Arkansas, Massachusetts, Ohio and Washington—have expressly designated, in statute, a statewide chief privacy officer (CPO). Just as for CISO positions, however, some states have created CPO positions through executive orders or agency actions, or may include privacy protection within the responsibilities of a CISO or other position. 

Statutory language follows the table of states below, indicating the duties and responsibilities assigned to the position in each state. 

State Statutes Creating Statewide Chief Information Security Officer Positions


Arizona Ariz. Rev. Stat. § 41-3507
Colorado Colo. Rev. Stat. § 24-37.5-403
Delaware Del. Code § 9030C(a)(2)
Florida Fla. Stat. § 282.318
Illinois 20 ILCS 1375/5-20
Kansas Kan. Stat. § 75-7238
Kentucky KRS § 42.724
Massachusetts Mass. Gen. Laws Ch. 7D, § 4
New Hampshire R.S.A. § 94:1-a
Ohio Ohio Rev. Code § 125.18
Rhode Island R.I. Gen. Laws § 42-11-2.8
Texas. Govt. Code §§ 2054.511, 2054.1125
Utah Utah Code § 63F-2-102
Washington RCW § 43.105.215
West Virginia W. Va. Code § 5A-6B-1 to -6


Information Technology Governance and Structure

In addition to establishing a statewide Chief Information Security Officer and specifying duties and responsibilities, an increasing number of states are consolidating oversight and management of state agency IT resources under a single statewide agency.

Examples of state laws creating a consolidated information technology agency include: