CatallaxCore

SB 26-185

signed

Enhance Security of Office of Information Technology

Plain-English Summary

AI-generated

Senate Bill 26-185 aims to strengthen cybersecurity measures for Colorado's Office of Information Technology (OIT). It requires OIT to regularly report on its compliance with security standards and unresolved audit recommendations, allowing a committee to request an independent security audit if there are significant issues. The bill also mandates that OIT maintain transparency by listing all active IT vendor contracts and ensuring ongoing service contracts have updated architecture diagrams. Additionally, it restricts the chief information officer from delegating certain duties related to cybersecurity without proper oversight. The bill has been signed into law, meaning its provisions will now be enforced, enhancing security protocols for state technology systems and improving accountability within OIT.

Official Summary

Joint Technology Committee. The bill allows the joint technology committee (JTC), within 90 days after the day that the chief information security officer of the office of information technology (security officer) files a written information technology compliance report (compliance report) with the JTC as required by the bill, to vote to request that the legislative audit committee direct the state auditor to conduct a special information technology security audit (IT security audit) of the office of information technology (OIT) if the compliance report indicates that one or more audit recommendations made by the state auditor are unresolved 2 or more years past the implementation date for the audit recommendation, or if a material discrepancy exists between a representation in the compliance report and a previous audit finding.

If the JTC votes to request an IT security audit and the legislative audit committee votes to direct the audit, the bill requires:
The state auditor to conduct the IT security audit;
The state auditor to obtain input from OIT when determining the scope and boundaries of the audit;
The state auditor to submit the IT security audit report to the legislative audit committee, the JTC, the joint budget committee, and the governor; and
OIT to reimburse the state auditor for the costs incurred in completing the IT security audit.

The bill requires OIT to establish, maintain, keep, update, and make available to state agency information technology leadership and the members of the JTC a list of all active information technology vendor contracts for state agencies.

The bill specifies that, except in the case of an information technology security emergency, OIT shall not publish or implement a technical information technology standard, and that the standard is void, unless the standard:
Was publicly posted; and
Received approval from the security officer if the standard relates to security, access controls, or the handling of data.

The bill requires OIT to ensure that, if an information technology contract provides ongoing service and delivery to Coloradans, the contract maintains current architecture diagrams that are updated at least annually.

The bill prohibits the chief information officer from delegating a duty, responsibility, or power of the security officer.

The bill requires the security officer to submit 2 annual reports to the JTC. The first report is a written compliance report that includes OIT's current compliance status with applicable security standards; all open audit recommendations regarding OIT made by the state auditor and the date on which each recommendation was made; and a timeline for remediation and a mitigation plan or compensating controls for each open audit recommendation made by the state auditor.

The second report is a written statewide information technology security risk report (security risk report) that assesses the overall security risk posture of state agency information technology systems. To support the preparation of the security risk report, the security officer may conduct evaluations of state agency information technology systems, including penetration testing, vulnerability scanning, configuration evaluations, and vendor and system reviews. Each state agency shall provide to the security officer, upon request, the access and information necessary to conduct evaluations of state agency technology systems, including system access, product information, and architecture information.

The bill requires the security officer, or the chief information officer if the security officer is unavailable, to perform the duties and uphold the responsibilities assigned to the security officer pursuant to law.

(Note: This summary applies to the reengrossed version of this bill as introduced in the second house.)

Details

Chamber
Senate
First action
2026-05-13
Latest action
2026-05-01
Last action desc.
Introduced In Senate - Assigned to Business, Labor, & Technology
OpenStates

Topics

Telecommunications & Information Technology

Votes

BILL
2026-05-13 · House · pass
Refer Senate Bill 26-185 to the Committee of the Whole.
2026-05-12 · Senate · pass
Refer Senate Bill 26-185 to the Committee on Appropriations.
2026-05-09 · Senate · pass
Refer Senate Bill 26-185 to the Committee of the Whole and with a recommendation that it be placed on the consent calendar.
2026-05-07 · Senate · pass
Refer Senate Bill 26-185, as amended, to the Committee on Appropriations.
2026-05-05 · Senate · pass
Adopt amendment L.001
2026-05-05 · Senate · pass