Back to Colorado

SB26-185 • 2026

Enhance Security of Office of Information Technology

The act allows the joint technology committee (JTC), within 90 days after the day that the chief information security officer of the office of information technology (security officer) files a written

Budget Technology
Enacted

This bill passed the Legislature and reached final enactment based on the latest official action.

Sponsor
Sen. M. Baisley, Sen. J. Marchman, Rep. R. Keltie, Rep. B. Titone, Rep. A. Paschal, Sen. J. Coleman, Rep. J. Bacon, Rep. M. Carter, Rep. C. Clifford, Rep. J. Jackson, Rep. B. Marshall, Rep. M. Rutinel
Last action
2026-06-02
Official status
Governor Signed
Effective date
Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

Enhance Security of Office of Information Technology

The act allows the joint technology committee (JTC), within 90 days after the day that the chief information security officer of the office of information technology (security officer) files a written information technology security compliance report (compliance report) with the JTC as required by the act, to vote to request that the legislative audit committee direct the state auditor to conduct a special information technology security audit (IT security audit) of the office of information technology (OIT) if the compliance report indicates that one or more audit recommendations made by the state auditor is unresolved 2 or more years past the implementation date for the audit recommendation or if a material discrepancy exists between a representation in the compliance report and a previous audit finding.

What This Bill Does

  • The act allows the joint technology committee (JTC), within 90 days after the day that the chief information security officer of the office of information technology (security officer) files a written information technology security compliance report (compliance report) with the JTC as required by the act, to vote to request that the legislative audit committee direct the state auditor to conduct a special information technology security audit (IT security audit) of the office of information technology (OIT) if the compliance report indicates that one or more audit recommendations made by the state auditor is unresolved 2 or more years past the implementation date for the audit recommendation or if a material discrepancy exists between a representation in the compliance report and a previous audit finding.
  • If the JTC votes to request an IT security audit and if the legislative audit committee votes to direct the audit, the act requires: The state auditor to conduct the IT security audit; The state auditor to obtain input from OIT when the state auditor determines the scope and boundaries of the audit; The state auditor to submit the IT security audit report to the legislative audit committee, the JTC, the joint budget committee, and the governor; and OIT to reimburse the state auditor for the auditor's costs incurred in completing the IT security audit.
  • The act requires OIT to establish, maintain, keep, update, and make available to state agency information technology leadership and the members of the JTC a list of all active information technology vendor contracts for state agencies.
  • The act specifies that, except in the case of an information technology security emergency, OIT shall not publish or implement a technical information technology standard, and that the standard is void, unless the standard: Was publicly posted; and Received approval from the security officer if the standard relates to security, access controls, or the handling of data.

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Amendments

These notes stay tied to the official amendment files and metadata from the legislature.

L.001

SEN Business, Labor, & Technology

Passed [*]

Plain English: SB185_L.001 SENATE COMMITTEE OF REFERENCE AMENDMENT Committee on Business, Labor, & Technology.

  • SB185_L.001 SENATE COMMITTEE OF REFERENCE AMENDMENT Committee on Business, Labor, & Technology.
  • SB26-185 be amended as follows: 1 Amend printed bill, page 4, line 24, after "THE" insert "LEGISLATIVE 2 AUDIT".
  • ** *** ** *** ** LLS: Nicole Myers x4326

Bill History

  1. 2026-06-02 Governor

    Governor Signed

  2. 2026-05-22 Governor

    Sent to the Governor

  3. 2026-05-22 House

    Signed by the Speaker of the House

  4. 2026-05-22 Senate

    Signed by the President of the Senate

  5. 2026-05-13 House

    House Third Reading Passed - No Amendments

  6. 2026-05-12 House

    House Second Reading Special Order - Passed - No Amendments

  7. 2026-05-12 House

    House Committee on Appropriations Refer Unamended to House Committee of the Whole

  8. 2026-05-09 House

    House Committee on State, Civic, Military, & Veterans Affairs Refer Unamended to Appropriations

  9. 2026-05-08 House

    Introduced In House - Assigned to State, Civic, Military, & Veterans Affairs

  10. 2026-05-08 Senate

    Senate Third Reading Passed - No Amendments

  11. 2026-05-07 Senate

    Senate Second Reading Special Order - Passed with Amendments - Committee

  12. 2026-05-07 Senate

    Senate Committee on Appropriations Refer Unamended - Consent Calendar to Senate Committee of the Whole

  13. 2026-05-05 Senate

    Senate Committee on Business, Labor, & Technology Refer Amended to Appropriations

  14. 2026-05-01 Senate

    Introduced In Senate - Assigned to Business, Labor, & Technology

Official Summary Text

The act allows the joint technology committee (JTC), within 90 days after the day that the chief information security officer of the office of information technology (security officer) files a written information technology security compliance report (compliance report) with the JTC as required by the act, to vote to request that the legislative audit committee direct the state auditor to conduct a special information technology security audit (IT security audit) of the office of information technology (OIT) if the compliance report indicates that one or more audit recommendations made by the state auditor is unresolved 2 or more years past the implementation date for the audit recommendation or if a material discrepancy exists between a representation in the compliance report and a previous audit finding.
If the JTC votes to request an IT security audit and if the legislative audit committee votes to direct the audit, the act requires:
The state auditor to conduct the IT security audit;
The state auditor to obtain input from OIT when the state auditor determines the scope and boundaries of the audit;
The state auditor to submit the IT security audit report to the legislative audit committee, the JTC, the joint budget committee, and the governor; and
OIT to reimburse the state auditor for the auditor's costs incurred in completing the IT security audit.
The act requires OIT to establish, maintain, keep, update, and make available to state agency information technology leadership and the members of the JTC a list of all active information technology vendor contracts for state agencies.
The act specifies that, except in the case of an information technology security emergency, OIT shall not publish or implement a technical information technology standard, and that the standard is void, unless the standard:
Was publicly posted; and
Received approval from the security officer if the standard relates to security, access controls, or the handling of data.
The act requires OIT to ensure that, if an information technology contract provides ongoing service and delivery to Coloradans, the contract maintains current architecture diagrams that are updated at least annually.
The act prohibits the chief information officer from delegating a duty, responsibility, or power of the security officer.
The act requires the security officer to submit 2 annual reports to the JTC. The first report is a written compliance report that includes OIT's current compliance status with applicable security standards; all open audit recommendations regarding OIT made by the state auditor and the date on which each recommendation was made; and a timeline for remediation and a mitigation plan or compensation controls for each open audit recommendation made by the state auditor.
The second report is a written statewide information technology security risk report (security risk report) that assesses the overall security risk posture of state agency information technology systems. To support the preparation of the security risk report, the security officer may conduct evaluations of state agency information technology systems, including penetration testing, vulnerability scanning, configuration evaluations, and vendor and system reviews. Each state agency shall provide to the security officer, upon request, the access and information necessary to conduct evaluations of state agency technology systems, including system access, product information, and architecture information.
The act requires the security officer, or the chief information officer if the security officer is unavailable, to perform the duties and uphold the responsibilities assigned to the security officer pursuant to law.
(Note: This summary applies to this bill as enacted.)