Technical Standards & Policies
OIT technical standards, policies and guides are designed to support you and your agency in offering outstanding technology and ensuring the protection of state systems and data.
Financial Services
Acquisition of IT Goods (Products) and/or Services
The formal processes for purchasing or acquiring information technology products and/or services are described here.
Buying from State Price Agreements
State Price Agreements may exist that do not meet mandatory OIT standards applicable to state agencies as defined in C.R.S. 24-37.5-102(4) or that require OIT approval prior to use. State agencies are therefore cautioned to ensure that any price agreement for communication and IT (C.R.S. 24-37.5-102(2)), hardware, software, radios, communication systems/towers meets OIT standards and that necessary OIT approvals have been obtained prior to use of the Price Agreement.
Real-time Billing Dispute Process
Colorado Information Security Policies (CISPs)
These CISPs are in effect through June 30, 2026. Policies are reviewed and updated annually, but may be updated more frequently as needed.
CISP Information Security Glossary (PDF)
- CISP-001 – IT Access Control Management and User Security
- CISP-002 – IT Security Awareness Training
- CISP-003 – IT Audit Log Management and Accountability
- CISP-004 – IT Security Assessment and Authorization
- CISP-005 – Secure Configuration of IT Assets and Software
- CISP-006 – IT Contingency (Continuity of Operations) Planning
- CISP-008 – IT Incident Response Management
- CISP-009 – Information System Maintenance
- CISP-010 – Data Protection, Recovery and Sanitization
- CISP-011 – IT Environmental Protection and Physical Security
- CISP-013 – IT Risk Management
- CISP-014 – IT Supply Chain Management
- CISP-015 – IT System and Communications Protection
- CISP-016 – IT System and Information Integrity
- CISP-017 – IT Security Planning
- CISP-018 – Acceptable Use of State Data and IT Resources (AUP)
- Glossary
- Reference Links
Project Management
The Enterprise Project Management Office (EPMO) is responsible for setting policies and procedures related to project, program and portfolio management within the Office of Information Technology (OIT) and for executive branch agencies that embark on projects that include an IT component.
The following documents are accessible only to state employees. If you are not a state employee and need access to a project management policy, please email oit@state.co.us.
Technical Standards
These technology standards support the State of Colorado's information security policies.
The Office of Enterprise Architecture has issued the following technical standards, superseding any standards posted prior. Each standard has been approved by the OIT Architecture Review Board (ARB), effective as of the "Effective Date" established in each document, and remains in effect until removed or revised by a decision of the ARB.
Applications
- TS-APP-003: Development Frameworks
- TS-APP-004: Programming Languages (Custom Applications)
- TS-APP-005: Secure Application Software Standards & Configuration Management
- TS-APP-006: Functional Application Test Automation Tool
- TS-APP-009: Continuous Integration Servers
- TS-APP-010: Code Repositories (Repository Manager)
- TS-APP-011: Front End Website & Web Application Framework
Colorado Information Security Policies (CISPs)
- TS-CISO-001 Authentication & Account Management Standard v. 2026
- TS-CISO-002 Logging and Monitoring Standard v2026
- TS-CISO-003 Remote Access Standard v2026
- TS-CISO-004 Patch Management Standard v2026
- TS-CISO-006 Encryption Standard v2026
- TS-CISO-012: Physical Security for IT Spaces
Data
Databases
- TS-DBS-001: Supported Databases and Versions
- TS-DBS-003: Database Patch Management
- TS-DBS-005: Database Backup and Recovery
- TS-DBS-006: Database Security
- TS-DBS-007: Database Software Management
- TS-DBS-008: Database User Administration
- TS-DBS-009: Database Decommissioning
- TS-DBS-013: DBMS Server Inventory
- TS-DBS-014: Database Support in Cloud Services
- TS-DBS-016: Database Developer Service
- TS-DBS-017: DBMS Software Installation
Infrastructure
- TS-INF-001: End User Computer Equipment
- TS-INF-002: End User Enterprise Software
- TS-INF-003: Identity and Access Administration
- TS-INF-004: Kiosk Equipment
- TS-INF-005: Structured Cabling
- TS-INF-006: Enterprise Load Balancing
- TS-INF-007: Wireless Site Survey
- TS-INF-008: Network Monitoring
- TS-INF-009: Infrastructure as Code Standard
- TS-INF-010: Enterprise Wireless
- TS-INF-011: Infrastructure Operations Technology Standards
- TS-INF-012: Multifunction Device/Printer Configuration
- TS-INF-013: UPS/PDU for Network Systems
- TS-INF-014: Network Switching Standard
- TS-INF-015: Information Technology Multifactor Authentication (MFA)
Office of Enterprise Architecture
Office of Information Technology
Technical Standards & Policies Archives
Colorado Information Security Policies (CISPs) (Archived)
- Archived CISP-001 Access Control (2019 Version)
- Archived CISP-002 Awareness and Training (2019 Version)
- Archived CISP-003 Audit and Accountability (2019 Version)
- Archived CISP-004 Security Assessment and Authorization (2019 Version)
- Archived CISP-005 Configuration Management (2019 Version)
- Archived CISP-006 Contingency Planning (2019 Version)
- Archived CISP-007 Identification and Authentication (2019 Version)
- Archived CISP-008 Incident Response (2019 Version)
- Archived CISP-009 System Maintenance (2019 Version)
- Archived CISP-010 Media Protection (2019 Version)
- Archived CISP-011 Physical and Environmental Protection (2019 Version)
- Archived CISP-012 Personnel Security (2019 Version)
- Archived CISP-013 Risk Assessment (2019 Version)
- Archived CISP-014 System and Services Acquisition (2019 Version)
- Archived CISP-015 System and Communications Protection (2019 Version)
- Archived CISP-016 System and Information Integrity (2019 Version)
- Archived CISP-017 Security Planning (2019 Version)
- Archived CISP-018 Acceptable Use Policy (2019 Version)
Colorado Information Security Policies (CISPs) (Archived)
- Archived CISP-001 IT Access Control Management and User Security (2022 Version)
- Archived CISP-002 IT Security Awareness Training (2022 Version)
- Archived CISP-003 IT Audit Log Management and Accountability (2022 Version)
- Archived CISP-004 IT Security Assessment and Authorization (2022 Version)
- Archived CISP-005 Secure Configuration of IT Assets and Software (2022 Version)
- Archived CISP-006 IT Contingency (Continuity of Operations) Planning (2022 Version)
- Archived CISP-007 IT Account Management (Identification and Authentication) (2022 Version)
- Archived CISP-008 IT Incident Response Management (2022 Version)
- Archived CISP-009 Information System Maintenance (2022 Version)
- Archived CISP-010 Data Protection, Recovery and Sanitization (2022 Version)
- Archived CISP-011 IT Environmental Protection and Physical Security (2022 Version)
- Archived CISP-013 IT Risk Management (2022 Version)
- Archived CISP-014 IT Service Provider Management (Systems and Services Acquisition) (2022 Version)
- Archived CISP-015 IT System and Communications Protection (2022 Version)
- Archived CISP-016 IT System and Information Integrity (2022 Version)
- Archived CISP-017 IT Security Planning (2022 Version)
- Archived CISP-018 Acceptable Use of State Data and IT Resources (2022 Version)
- Archived CISP-019 Continuous IT Vulnerability Management & Patching (2022 Version)