WeVote

Bill

Bill

SB 185

Enhance Security of Office of Information Technology

2026 Regular Session

SB 185 strengthens Colorado’s IT security governance by boosting audits, public vendor contract transparency, and annual risk/compliance reporting.

Governor Signed
0
WeVote Research Nonpartisan
Bill Summary · SB 185

Summary of SB 185 (2026A) – Colorado: Enhance Security of Office of Information Technology

Purpose and intent

SB 185 aims to strengthen the security governance, oversight, and accountability of the Colorado Office of Information Technology (OIT) and the State’s information security framework. The bill creates new reporting, auditing, and contract-management requirements designed to improve transparency around security compliance, risk, and vendor arrangements.

Key provisions and changes

  • Joint Technology Committee (JTC) oversight and IT security audits

    • The JTC may, within 90 days after the Chief Information Security Officer (CISO) files a written Information Technology Security Compliance Report, formally request the Legislative Audit Committee to direct a special IT security audit of OIT.
    • Trigger conditions for directing an audit include: (a) unresolved state auditor recommendations two or more years past their implementation date, or (b) a material discrepancy between the compliance report and a prior audit finding.
    • If directed, the State Auditor conducts the IT security audit, with input from OIT on scope, and must deliver the audit report to the Legislative Audit Committee, JTC, Joint Budget Committee, and Governor. OIT must reimburse the Auditor’s costs.
  • Vendor contract transparency and oversight

    • OIT must maintain and provide a public-facing list of all active IT vendor contracts for state agencies, including vendor name, contract value, expiration date, and data classification or business criticality tier.
    • State agencies must share contract-related information with OIT for inclusion in the list, with OIT submitting a one-time budget request to fund building and maintaining the list. If additional funds are needed, OIT may request allocation from the Technology Risk Prevention and Response Fund.
  • Information technology standards and emergencies

    • In general, OIT cannot publish or implement a technical IT standard without public posting and approval by the CISO when the standard concerns security, access controls, or data handling.
    • In an IT security emergency, these requirements may be bypassed, but any emergency standard must be posted within 72 hours and expires after 90 days unless renewed in compliance with standards requirements.
  • Contract lifecycle and architecture documentation

    • For ongoing IT contracts delivering services to Coloradans, the contract must maintain current architecture diagrams updated at least annually.
    • State agencies may initiate IT procurements only with prior approval from OIT’s procurement official. OIT can enforce standards and perform due diligence or audits on contractors.
  • Non-delegation and leadership accountability

    • The CIO cannot delegate any duty, responsibility, or power of the CISO.
    • The CISO is responsible for ensuring accuracy of compliance and security risk reports and may delegate technical work within the Security Office, but not the ultimate authority.
  • Annual reporting by the CISO

    • The CISO must submit two annual reports to the JTC: 1) A written IT Compliance Report detailing current compliance status, open state auditor recommendations, and remediation timelines/mitigation plans. 2) A statewide IT Security Risk Report assessing the overall security posture of state agency IT systems. The CISO may conduct evaluations (e.g., penetration testing, vulnerability scanning) to support this.

Who is affected

  • OIT and its CISO, CIO, and related security leadership.
  • State agencies relying on OIT for IT procurement, standards, and oversight.
  • The Legislative Audit Committee, JTC, and Joint Budget Committee, which gain enhanced oversight and reporting requirements.
  • IT vendors and contractors providing services or products to state agencies.
  • Colorado residents whose data and state services may be affected by improved security governance and transparency.

Procedural and timeline aspects

  • The JTC must act within 90 days of the CISO’s compliance report filing to request a special IT security audit.
  • The Legislative Audit Committee must direct the audit, if approved, and the State Auditor has defined timelines for audit reports and cost reimbursement.
  • CISO must submit annual reports to the JTC by November 1 each year (starting after 2027, per final statutory language).
  • The bill emphasizes public posting and annual updates to the vendor contract list and imposes annual security documentation requirements.

Effective date

  • The act would take effect 12:01 a.m. on the day after the 90-day period following adjournment of the 2026 legislative session, with potential referendum adjustments.

Overall, SB 185 strengthens oversight, transparency, and accountability for IT security governance within Colorado state government.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.