Colorado Office of Information Technology: Digital Government Services

The Colorado Office of Information Technology (OIT) functions as the central technology authority for Colorado state government, consolidating infrastructure, cybersecurity, application delivery, and digital service standards across executive branch agencies. OIT operates under the authority of Colorado Revised Statutes Title 24, Article 37.5, which establishes the agency's mandate, governance structure, and relationship to the Governor's office. This reference covers OIT's organizational scope, service delivery mechanisms, common interaction scenarios, and the boundaries that define where OIT authority applies and where it does not.


Definition and scope

Colorado OIT was established as a cabinet-level agency responsible for managing shared technology services for Colorado state government. The agency is led by the Governor's Chief Information Officer (CIO), a position created by C.R.S. § 24-37.5-103, who reports directly to the Governor and holds authority over technology policy, standards, and major IT procurement across executive branch entities.

OIT's statutory scope covers:

  1. Enterprise infrastructure — statewide network (Colorado Communications Network, or CCN), data centers, and cloud brokerage
  2. Cybersecurity governance — the Colorado Information Security Office (CISO) operates within OIT and sets mandatory security standards under the Colorado Information Security Policies (CISP)
  3. Digital services and application delivery — citizen-facing portals, identity management, and shared application platforms
  4. IT project oversight — major IT project reviews, stage-gate approvals, and portfolio reporting
  5. Broadband policy — OIT administers Colorado's broadband deployment programs, coordinating with the federal Infrastructure Investment and Jobs Act (IIJA) allocations directed through the National Telecommunications and Information Administration (NTIA)

OIT's authority is limited to executive branch agencies under the Governor's jurisdiction. As a Colorado state government institution, its mandates do not extend to the Colorado General Assembly, the Judicial Branch, or constitutionally independent offices except through voluntary interagency agreements.


How it works

OIT delivers services through a shared-services model in which state agencies are customers of centrally managed platforms. Agencies do not independently procure major technology infrastructure; instead, they submit requests through OIT's service catalog and are billed through an internal cost-allocation mechanism aligned with the state's annual budget process.

Technology governance workflow:

  1. An executive branch agency identifies a technology need or initiates a project.
  2. If the project meets major IT project thresholds (typically projects exceeding $1 million in total cost or classified as high-risk), the project is subject to OIT's Major IT Project oversight process, including independent verification and validation (IV&V).
  3. OIT's Enterprise Architecture team reviews proposed solutions for alignment with the Colorado Technology Standards catalog.
  4. Procurement routes through the state's competitive bidding process managed jointly by OIT and the Department of Personnel & Administration (DPA), using contracts established under the State Purchasing and Contracts Under the Procurement Code (C.R.S. § 24-101 et seq.).
  5. Post-deployment, agencies transition to OIT-managed support under formal service level agreements (SLAs) documented in OIT's service management system.

Cybersecurity standards are enforced through CISP, which aligns Colorado requirements to the NIST Cybersecurity Framework and NIST SP 800-53. All state agencies must complete annual risk assessments, maintain incident response plans, and report confirmed breaches to OIT's Security Operations Center (SOC) within 24 hours of discovery.

Digital services — citizen-facing portals, online payment systems, and identity verification — are built or procured by OIT and offered to agencies as configurable components. The Colorado Digital Experience (CDEX) initiative standardizes web design, accessibility (aligned with WCAG 2.1 AA standards), and authenticated user session management across public-facing state sites.


Common scenarios

Agency technology modernization: A state department operating on a legacy system initiates a modernization effort. OIT reviews the business case, classifies the project under appropriate oversight tiers, assigns a project monitor, and coordinates vendor selection. The Colorado Department of Revenue and the Colorado Department of Transportation have each undergone major OIT-coordinated modernization programs affecting public-facing systems.

Cybersecurity incident response: A state agency detects unauthorized access to a networked system. Under CISP requirements, the agency notifies OIT's SOC, which leads forensic triage, coordinates with the Colorado Information Security Office, and determines whether notification obligations under the Colorado Security Breach Notification Act (C.R.S. § 6-1-716) are triggered. The SOC operates 24 hours per day, 7 days per week.

Broadband grant administration: A county government or internet service provider seeks to participate in Colorado's federally funded broadband expansion. OIT coordinates the Connecting Colorado program, manages the state's broadband map (built in alignment with the FCC's National Broadband Map requirements), and administers competitive grant rounds funded through IIJA allocations. Counties such as Huerfano County and Mineral County, classified as underserved under FCC definitions, are priority service areas in state broadband planning.

Shared services onboarding: A newly created state board or office requires email, document management, and identity services. Rather than building independent infrastructure, the entity onboards to OIT's Microsoft 365 enterprise agreement and connects to CCN, a process governed by a standard interagency MOU.


Decision boundaries

OIT's authority, scope, and limitations follow clear structural lines:

In scope:
- Executive branch agencies under direct gubernatorial authority
- State-funded IT projects meeting major project thresholds
- Cybersecurity standards enforcement across all executive agencies
- Statewide broadband mapping and grant coordination

Not in scope / not covered:
- The Colorado General Assembly, which operates its own technology infrastructure independently
- The Colorado Judicial Branch, which manages its own IT systems and is not subject to OIT enterprise standards
- Colorado's 64 counties and 271 incorporated municipalities, which procure and manage technology independently unless they voluntarily participate in OIT programs (such as shared broadband initiatives)
- Federal systems operated within Colorado by agencies such as the U.S. General Services Administration or the Department of Defense

OIT vs. DORA distinction: The Colorado Department of Regulatory Agencies (DORA) licenses technology-sector professionals such as engineers and certain telecommunications providers, but does not govern state government IT operations. DORA and OIT operate in distinct regulatory lanes with no overlapping jurisdiction over state agency IT governance.

Local government technology: Municipal governments — including Denver, Aurora, and Fort Collins — are not subject to OIT mandates. Local governments may voluntarily access state contracts through the State Purchasing Office cooperative purchasing provisions, but OIT's CISP, architecture standards, and project oversight frameworks do not apply to local government entities by default.

