Kansas looks to codify CISO role, technology advisory body

Two bills advancing through the legislature would formalize existing practices and ensure stakeholders across the state are informing security policy.

The Kansas state legislature is making progress on a pair of bills that would codify existing cybersecurity practices and set a foundation for an evolving governance structure in the state.

The bills would enter the state’s Information Technology Executive Council into law, adjust its membership and create a formal chief information security officer position and a Kansas Information Security Office. House Bill 2332 and House Bill 2359 passed by voice votes Thursday and are set for final approval on Monday; if passed, they will head to the Senate.

While Kansas already has a CISO, Joseph Acosta, who has been with the state for two years, House Bill 2359 would formalize his position, which was created by an executive order.

The bill says the CISO must report to the executive branch chief information technology officer within the Office of Information Technology Services (OITS), a position that was until recently held by Phil Wittmer, who resigned amid a change in governorship earlier this year. The state’s interim replacement is Chief Operating Officer Donna Shelite, who will serve while the office of Gov. Jeff Colyer searches for a full-time replacement.


OITS Spokesperson John Milburn told StateScoop that House Bill 2359 would be a welcome first step toward bolstering the state’s IT security and oversight.

“We hope it does lead to bigger changes and support security across the state as we protect taxpayer information,” Milburn said.

House Bill 2332 would shuffle membership roles in the ITEC, a body Milburn explained as a “star chamber for all things state IT.”

“That organization has not functioned as well as it needs to and governments have not kept up with advancements in technology,” Milburn said.

House Bill 2332 would change the structure to include cities, counties, members of the state’s three branches of government and the board of regents for higher education, and additionally require that the group meet quarterly.


Milburn said the hope is that the changes will make the group “more attuned to what’s happening and be a little more nimble to set forth policy and make reviews and guide where we go with Kansas governmental IT.”

Perhaps revealing one of the motivations for the bills, the Kansas Department for Aging and Disability Services shared during floor discussions that personal information of approximately 11,000 state residents had recently been disclosed to contractors — including medical identification, Social Security numbers, birth dates and other private information.
