Cybersecurity & Third Party Risk Analyst

As the state’s IT leader, DoIT manages information technology and telecommunications services and provides critical support to state agencies, the Executive Office of the Governor, coordinating offices, and independent Executive Branch agencies. The agency provides cybersecurity, digital, data governance, AI enablement, infrastructure, and platform services to its partner agencies, ensuring the State of Maryland is more secure, productive, and accessible. Main Purpose The purpose of this position is to support the development of the Department of Information Technology’s (DoIT) Third-Party Risk Management (TPRM) program while providing cross‑functional support for enterprise cybersecurity risk assessments and the policy lifecycle. As the primary analyst for third‑party oversight, this role ensures that all vendors, contractors, and cloud service providers comply with the State of Maryland’s security standards. Additionally, this position serves as a GRC generalist, facilitating the Authority to Operate (ATO) process and ensuring that cybersecurity policies are implemented and maintained in alignment with NIST frameworks and state legislative mandates. Position Duties Third-Party Risk Management Program Support the development and implementation of a third‑party/vendor risk management framework that aligns with NIST 800-161 (Supply Chain Risk Management) and State of Maryland Cybersecurity & Privacy policy suite. Assess and manage security risks associated with cloud providers, contractors, and IT vendors. Establish vendor security assessments, contract security requirements, and ongoing compliance monitoring. Partner with procurement and legal teams to integrate cybersecurity requirements into contracts and vendor agreements. Oversee vendor audits, penetration testing, and compliance assessments to mitigate third‑party cybersecurity risks. Cybersecurity Risk Management & ATO Support Support execution of statewide cybersecurity risk assessments and threat modeling for Executive Branch agencies. Facilitate the ATO (Authority to Operate) process by reviewing System Security Plans (SSPs) and assessing control implementation against NIST 800-53. Support the development and maintenance of the Enterprise Risk Register and assist agencies in developing Plans of Action and Milestones (POA&Ms) to remediate gaps. Provide cross‑pollination support for continuous monitoring efforts to track the state’s real‑time risk posture. Policy Lifecycle & Governance Management Manage the full lifecycle of cybersecurity and privacy policies, from initial drafting and stakeholder review to formal approval and publication. Ensure all policies remain current with evolving federal and state regulations (e.g., IRS 1075, HIPAA, State Senate/House Bills). Map policy requirements to technical controls to ensure measurable compliance across the enterprise. Minimum Qualifications Experience: Four years of experience in Information security as it relates to policy creation regarding compliance, legislation, governance programs and/or supporting internal audits. Notes: 1. Candidates may substitute a bachelor’s degree in IT security management, IT management, information security, political science, business management, communications, or public administration with cybersecurity experience or a related field for up to two years of the required experience. Preferred Experience Public Sector cybersecurity experience: Direct experience working within local, state, or federal government environments, with direct knowledge of the government Authority to Operate (ATO) process and specialized compliance mandates (e.g., IRS 1075, HIPAA, or State legislative frameworks). Supply Chain/Third‑Party Specialization: Working experience evaluating vendor security postures using NIST 800-161 (Supply Chain Risk Management) and interpreting SOC 2 reports or vendor‑provided System Security Plans (SSPs). Professional Certifications: Possession of foundational or intermediate GRC‑related certifications such as CompTIA Security+, ISACA CISA (Certified Information Systems Auditor), or CRISC (Certified in Risk and Information Systems Control). #J-18808-Ljbffr Maryland Department of Information Technology