State of Maryland

DoIT Cyber Policy and Strategy Planner II (#004729)

$95,798.00-$160,555.00 Yearly


STD 0024




A Department of Information Technology (DoIT) Cyber Policy and Strategy Planner II is the full performance level of work in the Office of Security Management (OSM) and is tasked with the development and documentation of plans, policies, and procedures, and oversight and guidance of certain subprograms, such as Security Awareness and Training. Employees in this classification do not supervise lower-level positions. This position may require work outside of regular business hours, and work in an on-call capacity.

Employees in this classification receive general supervision from an Executive Cyber Leadership Director or other higher level IT Director.

Position placement in this classification is determined by the Classification Job Evaluation Methodology. The use of this method involves comparing the assigned duties and responsibilities of a position to the job criteria found in the Nature of Work and Examples of Work sections of a classification specification.

The DoIT Cyber Policy and Strategy Planner I and DoIT Cyber Policy and Strategy Planner II are differentiated on the basis of the degree of supervisory control exercised by the supervisor over these employees. The DoIT Cyber Policy and Strategy Planner I performs duties under close supervision at times and under general supervision at other times depending on the complexity of the specific duty being performed, and the DoIT Cyber Policy and Strategy Planner II performs the full range of duties under general supervision.


Develops policy, programs, and guidelines for implementation;

Establishes and maintains communication channels with stakeholders;

Reviews existing and proposed policies with stakeholders;

Serves on agency and interagency policy boards;

Advocates for adequate funding for cyber training resources, to include both internal and industry-provided courses, instructors, and related materials;

Ensures that cyber workforce management policies and processes comply with legal and organizational requirements regarding equal opportunity, diversity, and fair hiring/employment practices;

Promotes awareness of cyber policy and strategy as appropriate among management and ensures sound principles are reflected in the organization's mission, vision, and goals;

Reviews/Assesses cyber workforce effectiveness to adjust skill and/or qualification standards;

Interprets and applies applicable laws, statutes, and regulatory documents and integrates them into policy;

Analyzes organizational cyber policy;

Assesses policy needs and collaborates with stakeholders to develop policies to govern cyber activities;

Defines and integrates current and future mission environments;

Designs/integrates a cyber strategy that outlines the vision, mission, and goals that align with the organization's strategic plan;

Drafts, staffs, and publishes cyber policy;

Monitors the rigorous application of cyber policies, principles, and practices in the delivery of planning and management services;

Seeks consensus on proposed policy changes from stakeholders;

Provides policy guidance to cyber management, staff, and users;

Reviews, conducts, or participates in audits of cyber programs and projects;

Supports the CIO in the formulation of cyber-related policies;

Performs other related duties.


Knowledge of computer networking concepts and protocols, and network security methodologies; Knowledge of risk management processes (e.g., methods for assessing and mitigating risk); Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy; Knowledge of cybersecurity and privacy principles; Knowledge of cyber threats and vulnerabilities; Knowledge of specific operational impacts of cybersecurity lapses; Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code); Knowledge of the nature and function of the relevant information structure (e.g., National Information Infrastructure); Knowledge of the organization's core business/mission processes; Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures; Knowledge of full spectrum cyber capabilities (e.g., defense, attack, exploitation); Knowledge of strategic theory and practice; Knowledge of emerging technologies that have potential for exploitation; Knowledge of industry indicators useful for identifying technology trends; Knowledge of external organizations and academic institutions with cyber focus (e.g., cyber curriculum/training and Research & Development); Knowledge of current and emerging cyber technologies; Knowledge of Application Security Risks (e.g. Open Web Application Security Project Top 10 list).

Skill in administrative planning activities, to include preparation of functional and specific support plans, preparing and managing correspondence, and staffing procedures; Skill in preparing plans and related correspondence.

Ability to determine the validity of technology trend data; Ability to develop policy, plans, and strategy in compliance with laws, regulations, policies, and standards in support of organizational cyber activities; Ability to leverage best practices and lessons learned of external organizations and academic institutions dealing with cyber issues.


Experience:  Nine years of experience in information security policy creation and compliance, legislation and governance programs and supporting internal audits. 


1. Candidates may substitute a bachelor’s degree in IT security management, IT management, information security, political science, business management, communications, public administration with cybersecurity experience or related field for up to four years of the required experience.

2. Candidates may substitute the “Education” requirement listed above for a High School Diploma or possession of a High School Equivalency certificate and two additional years of experience as described above.

3. Candidates may substitute up to two years of the “Experience” requirement listed above for a graduate level degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field from an accredited college or university.


Must have a Cyber Security Service Provider (CSSP) Auditor certification as described on the Maryland Department of Information Technology website.


1. Employees in this classification may be subject to call-in 24 hours a day and, therefore, may be required to provide the employing agency with a telephone number where the employee can be reached. Employees may be furnished with a pager or cell phone.

2. Applicants for this classification may handle sensitive data. This will require a full scope background investigation prior to appointment. A criminal conviction may be grounds for rejection of the applicant.

3. Employees may occasionally be required to travel to field locations and must have access to an automobile in the event a state vehicle cannot be provided. Standard mileage allowance will be paid for use of a privately owned vehicle.


Class Descriptions are broad descriptions covering groups of positions used by various State departments and agencies.  Position descriptions maintained by the using department or agency specifically address the essential job functions of each position. 

This is a Skilled Service classification in the State Personnel Management System. All positions in this classification are Skilled Service positions. Some positions in Skilled Service classifications may be designated Special Appointment in accordance with the State Personnel and Pensions Article, Section 6-405, Annotated Code of Maryland.

This classification is assigned to Bargaining Unit G, Engineering, Scientific and Administrative Professionals classes. As provided by the State Personnel and Pensions Article, Section 3-102, special appointment, temporary, contractual, supervisory, managerial and confidential employees are excluded from collective bargaining. Additionally, certain executive branch agencies are exempt from collective bargaining and all positions in those agencies are excluded from collective bargaining.


This classification is one level in a Non-Competitive Promotion (NCP) series. NCP promotions are promotions by which employees may advance in grade and class level from trainee to full performance level in a classification series. In order to be non-competitively promoted to the next level in an NCP series, an employee must: 1) perform the main purpose of the class, as defined by the Nature of Work section of the class specification; 2) receive the type of supervision defined in the class specification; and 3) meet the minimum qualifications of the classification.

Date Established

July 1, 2021

Approved By

Director, Division of Classification and Salary

CLASS: 004729; EST: 7/1/2021; REV: 1/3/2022;
