1

Technical Standards & Policies

Acceptable Use Policy (AUP)

Acceptable Use of State Data & IT Resources, CISP-018 (AUP), (PDF)


Accessibility

TS-OEA-001: Technology Accessibility for Persons with Disabilities

Digital Accessibility Guide

Accessibility Operations Memorandum, (Google Doc)


eSignature

eSignature Recommended Policy Guidelines for State Agencies, (PDF)


Financial Services

Vendor Selection Standard for Major IT Projects, OIT-FinSvc-100, (PDF)

Acquisition of IT Goods (Products) and/or Services 
The formal processes to purchase or acquire information technology products and/or services are described here.

Buying from State Price Agreements 
State Price Agreements may exist that do not meet mandatory OIT standards applicable to state agencies as defined in C.R.S. 24-37.5-102(4) or that require OIT approval prior to use. State agencies are therefore cautioned to ensure that any price agreement for communication and IT (C.R.S. 24-37.5-102(2)), hardware, software, radios, communication systems/towers meets OIT standards and that necessary OIT approvals have been obtained prior to use of the Price Agreement.

Digital Products and Services Accessibility Pre-Purchase Checklist


Governance

OIT Authority & Governance Operations Memorandum, (PDF)

IT Governance Guidebook - FY 2023-24, (PDF)

Statewide GenAI Policy


Information Security 

The Office of Information Security has issued the following policies, rules and standards under the authority of C.R.S. 24-37.5-401 et seq., which align with NIST 800-53 rev. 5. All public agencies and all third-party IT Services Providers are required to adhere to these policies, rules and standards. 

Rules
8 CCR 1501-5: Rules in support of the Colorado Information Security Act (State Agency Cyber Security Planning), (PDF)

Colorado Information Security Policies (CISPs) 
These policies are reviewed and updated annually but are subject to change more often as necessary. The policies below are effective as of December 2024.

Colorado Information Security Policy (CISP) Overview One Sheet, (PDF)

CISP Information Security Glossary, (PDF)

Supplemental Guidance for the Colorado Information Security Policies (CISPs), (PDF)

CISP-001: IT Access Control Management & User Security, (PDF)

CISP-002: IT Security Awareness Training, (PDF)

CISP-003: IT Audit Log Management & Accountability, (PDF)

CISP-004: IT Security Assessment & Authorization, (PDF)

CISP-005: Secure Configuration of IT Assets & Software, (PDF)

CISP-006: IT Contingency (Continuity of Operations) Planning, (PDF)

CISP-007: IT Account Management (Identification & Authentication) - RESCINDED

CISP-008: IT Incident Response Management, (PDF)

CISP-009: Information System Maintenance, (PDF)

CISP-010: Data Protection, Recovery & Sanitization, (PDF)

CISP-011: IT Environmental Protection & Physical Security, (PDF)

CISP-012: PS-Personnel Security - RESCINDED - See CISP-001

CISP-013: IT Risk Management, (PDF)

CISP-014: IT Service Provider Management (Systems & Services Acquisition), (PDF)

CISP-015: IT System & Communications Protection, (PDF)

CISP-016: IT System & Information Integrity, (PDF)

CISP-017: IT Security Planning, (PDF)

CISP-018: Acceptable Use of State Data & IT Resources (AUP), (PDF)

CISP-019: Continuous IT Vulnerability Management & Patching - RESCINDED


Project Management

The Portfolio and Project Management Center of Excellence (PPMCoE) is responsible for setting policies and procedures related to project, program and portfolio management within the Office of Information Technology (OIT) and for executive branch agencies that embark on projects that include an IT component.

The following documents are accessible to state employees only. If you are not a state employee and need access to one of the project management policies, please email oit@state.co.us

Major Projects Boards Policy (POL 200-02), (PDF)
Independent Verification and Validation Policy (POL 200-03), (PDF)
Project Lifecycle Methodology & Governance - POL 200-01 (formerly Standard for Project Management Methodology), (PDF)


Technical Standards

These technology standards support the State of Colorado's information security policies.

The Office of Enterprise Architecture has issued the following technical standards, superseding any standards posted prior. Each standard has been approved by the OIT Architecture Review Board (ARB), effective as of the "Effective Date" established in each document, and remains in effect until removed or revised by a decision of the ARB.

TS-APMS-001: Application Portfolio Management System (APMS)

TS-APP-003: Development Frameworks

TS-APP-004: Programming Languages

TS-APP-005: Application Software Configuration Management

TS-APP-006: Functional Application Test Automation Tool

TS-APP-007: Salesforce “Lightning First” Design Framework

TS-APP-009: Continuous Integration Servers

TS-APP-010: Code Repositories (Repository Manager)

TS-APP-011: Front End Website & Web Application Framework

TS-CISO-001: Data Security

TS-CISO-003: Electronic Media Reuse and Disposal

TS-CISO-004: OIT Firewall Design Standard

TS-CISO-005: Enterprise Two-Factor Authentication (2FA)

TS-CISO-006: Secure Applications Coding Standard

TS-CISO-007: Electronic Signatures (eSign)

TS-CISO-008: Remote Administration

TS-CISO-009: Server Virtualization Security

TS-CISO-010: PCI Solution Implementation

TS-CISO-011: Vendor Contract Standard

TS-DAT-001: Enterprise Data Access and Integration Services

TS-DAT-002: Secure File Transfer

TS-DBS-001: Supported Databases and Versions

TS-DBS-003: Oracle Database Patch Management

TS-DBS-005: Oracle Database Backup and Recovery

TS-DBS-006: Database Security

TS-DBS-007: Database Software Management

TS-DBS-008: Database User Administration

TS-DBS-009: Database Decommissioning and Data Archiving

TS-DBS-013: SQL DBMS Server Inventory

TS-DBS-014: Database Support in Cloud Services

TS-DBS-016: Database Developer Service

TS-DBS-017: SQL Server DBMS Installation

TS-INF-001: End User Computer Equipment

TS-INF-002: End User Enterprise Software

TS-INF-003: Identity and Access Administration

TS-INF-004: Kiosk Equipment

TS-INF-005: Structured Cabling

TS-INF-006: Enterprise Load Balancing

TS-INF-007: Wireless Site Survey

TS-INF-008: Network Monitoring

TS-INF-009: Infrastructure as Code Standard

TS-INF-010: Enterprise Wireless

TS-INF-011: Infrastructure Operations Technology Standards

TS-OEA-001: Technology Accessibility for Persons with Disabilities