Hearings & Rulemaking
In Progress Rulemaking and Hearings
Sign up to receive notifications about OIT rulemaking
Automated note-taking and/or recording bots are not permitted in rulemaking hearings and meetings unless under prior arrangement as a reasonable accommodation for a person with a disability. Note-taking and/or recording bots that show up during an event will be removed. OIT will provide a recording and transcript of the event for all participants. Please contact oit_rules@state.co.us if you would like to request a reasonable accommodation.
Rules in Support of the Colorado Information Security Act, 8 CCR 1501-5
OIT adopted amendments to the Rules in Support of the Colorado Information Security Act.
- Adopted Rules in Support of the Colorado Information Security Act (Word Doc)
- Adopted Rules Strikethrough Version of Changes from 2013 Rules (Word Doc)
These rules govern the development, maintenance and submission of Cybersecurity Plans for public agencies. Revisions clarify roles and expectations in order to focus on effective and actionable cybersecurity. They emphasize a cooperative approach to build maturity and reduce risks across the state. Key changes include:
- Streamlined definitions
- Replace the requirements about the contents of the agency security plans with a cybersecurity review template based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to make use of an industry standard self-evaluation that many agencies already complete
- Require discussion between the agencies and State Chief Information Security Officer (CISO) about the agency security plans and risks, providing more clarity for the agencies, more visibility for the CISO, and enabling a holistic security approach
- Disapproval of an agency security plan is due to not participating in the discussion with CISO
- Establishment of an extension / exception process
Rulemaking Timeline
October 2025 to March 2026: Regular working group meetings to revise the rules. Composed of OIT and security representatives from the non-consolidated agencies.
April 14, 2026: Public rulemaking hearing
- Public Rulemaking Hearing Record and Other Exhibits for 8 CCR 1501-5 (Google Drive)
- Hearing Recording (MP4)
- Hearing Presentation Slides (Google Slides)
May 11, 2026: Rule amendments adopted
- Rulemaking Packet for 8 CCR 1501-5 (Google Doc), including Statement of Authority, Basis and Purpose, rulemaking outreach, and cost-benefit analysis
June 30, 2026: Rule amendments effective
Completed Rulemaking and Hearings
OIT repealed 8 CCR 1501-6, Rules in Support of the Office of Information Technology on Thursday, February 19, 2026.
Current Version of the Rules in Support of the Office of Information Technology
Public Rulemaking Hearing Record and Other Exhibits for 8 CCR 1501-6 (Google Drive)
The Chief Information Officer adopted 8 CCR 1501-6, Rules in Support of the Office of Information Technology in 2009 to govern the purchase of information technology related goods and services in emergency situations and to enable OIT to report to the legislature about emergency IT purchases.
Two developments since their adoption rendered these rules redundant and unnecessary:
- In 2018 DPA revised the state fiscal and procurement rules to require OIT’s approval for IT purchases for consolidated agencies. DPA also clarified the narrow emergency situations that enable an agency to make purchases without following the standard approval process.
- Second, HB21-1236 updated OIT’s statutory authority to: 1) remove the requirement for OIT to report to the general assembly about statewide emergency IT purchases, and 2) mandate OIT’s role in purchasing contracts for IT resources at consolidated agencies.
OIT adopted amendments to the Rules Establishing Technology Accessibility Standards.
- 2025 Adopted Rules Establishing Technology Accessibility Standards (Google Doc)
- 2025 Adopted Rules Strikethrough of Changes from 2024 Adopted Rules (Word Doc)
- Read the Plain Language Guide to the State Technology Accessibility Rules
- Summary of Updates (Google Doc) | Summary of Updates (Word Doc)
- FAQs about the Rules Establishing Technology Accessibility Standards (Google Doc)
The rule amendments emphasize progress over strict technical conformance for technology accessibility and more clearly align with federal laws. Key changes include:
- Adding and clarifying definitions for key terms.
- Clarifying which technical standards apply to different technology types (digital content, installed software, closed functionality), with WCAG for digital content and Section 508 standards for others.
- Providing five options for compliance, including: WCAG compliance, using alternate versions, providing reasonable accommodations or modifications, progressing on accessibility plans, and choosing technology that best meets accessibility standards and business needs.
- Requiring public entities to tell users how to report accessibility issues in their Technology Accessibility Statements.
- Defining limited exceptions from technical standards, mirroring existing federal exceptions, to include: content posted by a third party, individualized password-protected documents, pre-existing social media posts, pre-existing documents, technology that provides substantially equivalent access and ease of use, and certain exceptions for self-contained closed products.
- Providing guidance on conforming alternate versions for different technology types.
- Aligning "undue burden" and "undue hardship" with federal and state definitions and expectations.
Rulemaking Schedule
March 2025: rule review, early stakeholder input and drafting
- Strikethrough Version of Draft Amended Rules_2025/3/14 (Google Doc)
- Clean Version of Draft Amended Rules_2025/3/14 (Google Doc)
- Feedback session recordings, transcripts, and slides (Google Drive)
April 2025: stakeholder input
- Strikethrough Version of Proposed Rules_2025/3/31 (Google Doc) | Strikethrough Version Proposed Rules_2025/3/31 (Word Doc)
- Clean Version of Proposed Rules_2025/3/31 (Google Doc) | Clean Version Proposed Rules_2025/3/31 (Word Doc)
- Read comments from other people (Google Drive)
- Summary of Comments and Responses (Google Doc)
May 1, 2025: rulemaking hearing
- Strikethrough Version of Proposed Rules_2025/4/25 (Google Doc) | Strikethrough Version of Proposed Rules_2025/4/25 (Word Doc)
- Clean Version of Proposed Rules_2025/4/25 (Google Doc) | Clean Version of Proposed Rules_2025/4/25 (Word Doc)
- Hearing Presentation Slides (Google Slides)
- Hearing Recording (MP4) | American Sign Language Interpretation (MP4)
- Hearing Transcript (Google Doc)
- Hearing Chat Log (Google Doc)
- Hearing Exhibits (Google Drive)
May 9, 2025: rule amendments adopted
- Packet of Rulemaking Outreach and Cost-Benefit Analysis (Google Doc)
- Packet of Rulemaking Outreach and Cost-Benefit Analysis (Word Doc)
June 30, 2025: rule amendments effective
For future rulemaking efforts, we will send an email to everyone who has signed up on the Accessibility Rulemaking Notification Sign-up form.
- Adopted 8 CCR 1501-12, Information Technology Lifecycle Planning (Google Doc)
- Frequently Asked Questions (Google Doc)
- Public Rulemaking Hearing Record and Other Exhibits for 8 CCR 1501-12 (Google Drive)
- Public Notice of Adopted Rules, 8 CCR 1501-12 (Google Doc)
In the fall and winter of 2023-24, OIT created rules regarding accessibility standards for IT systems. These rules establish the accessibility standards for public entities in Colorado, which includes state and local governments, special districts, and any other instrumentality of a state or local government.
- Redline of the Changes from the Proposed Rules Released 12/15/2023 to the Adopted Rules Released 2/23/2024 (Google Doc)
- Summary of the Changes from the Proposed Rules Released 12/15/2023 to the Adopted Rules Released 2/23/2024 (Google Doc)
- Public Notice of Adopted Rules, 8 CCR 1501-11 (Google Doc)
Rulemaking Schedule
Oct. 2023: Invitation to comment on potential rule topics (Closed)
- Summary of Public Comments Received Regarding Technology Accessibility Rules Potential Topics (Google Doc)
- Public Comments Received through the Survey Closing Oct. 27, 2023 (Excel)
- Public Comments Received through Email Regarding Technology Accessibility Rules Potential Topics (Google Drive)
Nov. 2023: Invitation to comment on the Draft Technology Accessibility Rules (Google Doc) (Closed)
- Public Comments Received through the Survey Closing Nov. 27, 2023 (Excel)
- Public Comments Received through Email Regarding Technology Accessibility Draft Rules (Google Drive)
- Listening Session Transcript (Google Doc)
- Listening Session Chat Log (Google Doc)
- Listening Session Presentation Slides (Google Slides)
Dec. 2023: Invitation to comment on proposed rules (Closed)
- Public Comments Received through Survey and Email Regarding Technology Accessibility Proposed Rules (Google Drive)
Jan. 2024: Public rulemaking hearing on proposed rules (Closed)
- Public Rulemaking Hearing Recording and Other Exhibit (Google Drive)
- Summary of Changes from the First Draft Rules Released 11/16/2023 to the Proposed Rules Released 12/15/2023 (Google Doc)
- Summary of Proposed Rules and Comments (Google Slides)
- Rulemaking Packet (Google Doc)
- Proposed Rules FAQs (Google Doc)
- Public Comments Received through Survey and Email Regarding Technology Accessibility Proposed Rules (Google Drive)
Feb. 2024: Rules adopted Feb. 23, 2024
April 2024: Technology accessibility rules become effective Apr. 14, 2024
For future rulemaking efforts, we will send an email to everyone who signed up on the Accessibility Rulemaking Notification Sign-up form.
Submit your comments to oit_rules@state.co.us.
General OIT Rules Information
Review the general information about OIT Rules.
Contact
If you have questions, contact us by email at oit_rules@state.co.us.