Statewide Information Security Policies

Based on industry standards and best practices, the Statewide Information Security Manual is the foundation for security in the state of North Carolina. It provides state agencies with a baseline for managing information security and making risk-based decisions.

These policies were developed with the assistance of subject matter experts and peer-reviewed by agency representatives using NIST 800-53 revision 5 controls as the framework. The policies align to 18 NIST control families, including previous policies and addressing NIST 800-53 control gaps, as appropriate.

Statewide Information Security Policies

Tab/Accordion Items

2025 Statewide Information Security Manual & Policies

Statewide Information Security Manual - Signed

2025 Statewide Information Security Manual Revisions

SCIO-SEC-302: Awareness and Training Policy (AT)

SCIO-SEC-311: Personnel Security Policy (PS)

SCIO-SEC-301: Access Control Policy (AC)

SCIO-SEC-307: Identification and Authentication Policy (IA)

SCIO-SEC-313: Physical and Environmental Protection Policy (PE)

SCIO-SEC-305: Configuration Management Policy (CM)

SCIO-SEC-309: Maintenance Policy (MA)

SCIO-SEC-316: System and Communications Protection Policy (SC)

SCIO-SEC-317: System and Information Integrity Policy (SI)

SCIO-SEC-303: Audit and Accountability Policy (AU)

SCIO-SEC-304: Security Assessment and Authorization Policy (CA)

SCIO-SEC-314: Risk Assessment Policy (RA)

SCIO-SEC 318: Supply Chain Risk Management

SCIO-SEC-306: Contingency Planning Policy (CP)

SCIO-SEC-308: Incident Response Policy (IR)

SCIO-SEC-310: Media Protection Policy (MP)

SCIO-SEC-312: Security Planning Policy (PL)

SCIO-SEC-315: System and Services Acquisition Policy (SA)

Off