Cybersecurity statutes (background)
In plain terms. Colorado governs state-government cybersecurity under the Colorado Information Security Act: a statutory Chief Information Security Officer sets direction, and every covered agency must maintain an information-security plan.
Who it applies to. State agencies (and public higher-education institutions) and the IT vendors and service providers that serve them. Separately from the statute, the state participates in StateRAMP and uses it as the baseline for vetting the security of cloud-service providers.
What it requires. State law establishes the Chief Information Security Officer, requires public agencies and higher-education institutions to maintain information-security plans, and gives the CISO authority over security incidents.
Why it matters. Vendors serving Colorado agencies should expect the agency's information-security plan requirements to flow down into their contracts, and should expect the CISO, not only the contracting agency, to direct the response to a security incident involving their systems or data.
Citation. Colo. Rev. Stat. §§ 24-37.5-403 (Chief Information Security Officer), 24-37.5-404 and -404.5 (Information Security Plans), and 24-37.5-405 (Security Incidents).
Regulations & policies (background)
In plain terms. Colorado backs its security act with formal rules and Cyber Information Security Policies (CISP).
Who it applies to. State agencies and their IT vendors and service providers.
What it requires. The rules adopted in support of the Colorado Information Security Act, together with the CISP standards on IT service-provider management, acceptable use, and security assessment and authorization, define the controls a vendor must meet and the assessment and authorization process its service must pass before an agency uses it.
Why it matters. Expect Colorado's CISP standards, above all IT service-provider management (CISP-014), to be incorporated by reference into your contract and to drive the evidence requested during security assessment and authorization.
Citation. 8 Colo. Code Regs. 1501-5 (Rules in Support of the Colorado Information Security Act); CISP-014 (IT Service Provider Management), CISP-018 (Acceptable Use), CISP-004 (Security Assessment and Authorization).