March 19, 2026 · Technology Committee · 5,835 words · 7 speakers · 58 segments
JTC will come to order. Mr. Gravy, will you please take the roll?
Senators and Representatives, Baisley. Excused. Kelty.
Here. Haskell. Here. Rodriguez. Here.
Vice Chair Titone. I am here.
Madam Chair. Here. I would like to take a moment to welcome Representative Kelty to the Joint Technology Committee. We really appreciate you being here today. And unfortunately, we have our very earliest meeting ever next week. And I will tell you more about that later. But today, we are the Oversight Committee for OIT. And so we have done this three times where we've welcomed you to the dais. We're going to try it here again. Third time's a charm. Please join us at the dais. OIT, Mr. Gravy, please add Senator Baisley. We have everyone present. Amazing. That's six. That's amazing. We've done it. Okay. So we have Director Edinger here. He's our CIO and Executive director. We have Jill Frazier. We have Sarah Thunberg. And we have Paige, yes, Osman. I'm
sorry. And so I'm going to kick it off to Director Edinger. Thank you, Madam Chair and members of the Joint Technology Committee. I'm David Edinger, Executive Director of OIT. And as Madam Chair mentioned. I'm joined by Sarah Thunberg, Deputy Director of Digital and Delivery, and Jill Frazier, Deputy Director of Security and Infrastructure. It's a pleasure to be back to speak with you again. Last week, we discussed real-time billing and the IT revolving fund. The JBC Joint Budget Committee voted earlier this week to reduce the IT revolving fund by $10 million for fiscal year 2627. I want to emphasize that OIT is committed to reporting on the status and details of the IT revolving fund every quarter as we discussed last week which will allow us all to monitor performance to see if there are any ramifications to the $10 million reduction such as an additional interest expense incurred by borrowing from the treasury to cover OIT's accounts payable. We look forward to reporting on the current fiscal year's third quarter as soon as those data are available and we're able to be scheduled at the JTC. And when time allows we would appreciate the opportunity to provide an update on the state's security posture as it has been over a year since the last update to JTC. And now I'd like to turn our attention to the recent organizational changes at OIT. Let me start by saying that OIT has enjoyed success in many areas, including meeting four or five wildly important goals in fiscal year 24-25. We're on a similar path this year. There are many performance areas to celebrate from improving accessibility and broadband access to decreasing technical debt. However, we have struggled, and I mean really struggled, delivering for our agency partners at a strategic level. Sure, we're doing good at many of the more tactical services like desk side support and score consistently strongly in those areas on our annual agency survey, but the story is different when it comes to agency leadership's assessment of OIT supporting their mission. We see this reflected in a 36% agency leadership satisfaction rate that we've improved only slightly from a baseline of 31% in recent years. And we are far from our goal of 67% next year. This rating is reinforced by my conversations with agency leadership and from other sources of feedback. Similarly, we have mixed results regarding a secure and resilient technology foundation. For instance, on our wildly important goal to improve technology lifecycle maturity based on the NIST and CSR framework, work. We have improved from a 2.8 on a 7 point scale to a 3.8 last year and continue to improve in fiscal year 26. We believe we will achieve our goal of 5.0 on that same rating scale in fiscal year 27. The minimum threshold is 5.0 and that's what we're shooting for for a technology organization of our size and status. From this perspective, we're improving and we are on track. On the other hand, last year I made OIT's top priority, the remediation of the Ide-Bailey audit recommendations. And for the entire year, our performance measures were trending as I had anticipated, culminating with OIT submitting that 71 of 77 audit recommendations were successfully remediated by June 30, 2025. And we believed at the time the remaining six would be accomplished by the time we met with the Legislative Audit Committee later in 2026. At the time, from my perspective as Executive Director, evaluating our security and infrastructure performance, I had two independent sources indicating we were moving the needle in the right direction and achieving our goals. However, we received a different status of those audit recommendations from the auditor's office a short while later. Only 15, not 71, of the 77 were verified by the auditor's office as complete. We will get into more of the details at next week's legislative audit committee, but the summary is that a number of factors contributed to this subpar performance on the cybersecurity audit, despite it being our top priority last year. Together, the low agency satisfaction rate corroborated by multiple stakeholders and our poor cybersecurity audit performance led me to the conclusion that it is time to implement a more transformative organizational change. It's not that OIT doesn't have talent or resources, but rather that we lack a streamlined and simplified way of delivering technology expertise to our agency partners and for coordinating the work ahead of us. When our leadership team stepped back to evaluate why we were struggling in these two areas, we realized we had so many offices and units within OIT that we were competing to define priorities and drowning in our own burdensome processes. Also, we had drifted from our core purpose, expanding into areas we don't need to be in and that distract us from our core mission. Rather than continue the status quo, I felt it was time for OIT to pivot to a more focused and streamlined organizational model, one that includes enterprise architecture and governance. As a result, I expect OIT will improve performance at a faster rate, increase agency satisfaction, and strengthen our technology foundation, including our ability to perform well on audits. We realized the opportunity to do two things through organizational realignment. First, we could scale what's working, the product model led by the Colorado Digital Service, into the rest of OIT. The product model is a modern way to approach technology delivery. You've probably heard of several of its components like user-centered design, agile project delivery, and cross-functional teams. This is the new team known as digital and delivery. Second, we could eliminate the friction between our offices with a streamlined structure that aligns resources to our priorities, including audit remediation. And we could organize this work not as projects to check off boxes on, but rather as the fundamental work necessary to sustain the foundation on which our agencies rely. This is the new team known as security and infrastructure. Sarah Thunberg from Colorado Digital Service is on special assignment as the Deputy Director of Digital and Delivery, focusing on ensuring agencies realize tremendous value from partnering with OIT. Sarah will ensure that the great work of CDS, Colorado Digital Service, will become part of the broader fabric of OIT. Jill Frazier, who will remain as Chief Information Security Officer per Colorado statute, is on special assignment as the Deputy Director of Information and Security, ensuring a strong, secure foundation based on engineering and architectural excellence. Jill and Sarah are fueled by a passionate drive for transformational improvements and are fully committed to implementing the changes needed to achieve OIT's goals to serve agencies in Coloradans. I'd now like to turn things over to Jill and then to Sarah to provide a bit more detail.
Madam Chair. And thank you so much. We are going to go to Ms. Frazier.
Thank you, Madam Chair, members of the JTC. So to genuinely and permanently change how OIT delivers for the better, we're going to focus on five key areas. Our goals include that we will align the organization around enterprise standards, policy, and governance, that we intend to break down internal silos and instead center around service and product delivery. We will invest heavily in automation and simplify our processes in order to reduce friction and increase velocity and the quality of delivery. And all of these things will help ensure that we focus on meaningful outcomes, that we deliver actual and ongoing value through technology to agencies and Coloradans. Madam Chair, if I could hand it over to Sarah to talk more about our hypothesis.
Sounds good. Ms. Thunberg.
Thank you so much, Jill, Madam Chair, and members. On this slide, we are sharing a hypothesis. I want to assert and be clear that this is a hypothesis. I think sometimes there is an idea we come to you, our legislative oversight body, and we share something and it's fully baked. This is not that case. OIT is ultimately a service organization. We are in service to Coloradans through our agency partners who implement the policy that the legislative body sets through their programs In this era all of that has a digital component All of that has, whether it's an application or data that we give back to you, all of it is digital today, and we need to do this way better. And we have a hypothesis that this slide that we show here is the orientation and perhaps the organization that will help us achieve that in service to Coloradans. So I want to walk through this. At the bottom, the foundation of what OIT needs to be doing and should be doing is enterprise standards, policy, and governance. That is our statutory responsibility in it is one we have not done particularly well. We have a job posted currently which is for the executive level enterprise architect which our organization hasn't had in six years. That person will join Jill, David, and I to begin setting the course for real and meaningful technology standards. On top of that is an infrastructure layer. This is the traditional IT components that need to be on very reliably all the time and ideally are invisible. Security, cloud services, logging. This is that layer. On top of that, there are three delivery layers. This is the service delivery we need to be excellent at. First is delivering to state employees. This is where we're doing a really good job. Always room for improvement, but this is hardware, software, help that help people do their jobs as state employees. The next layer is the one that I would argue we're doing less great at, which is delivery to our agency partners. We have created a lot of process, a lot of coordination cost, a lot of manual effort that ends up being really high in friction and cost. And we need to do better on this. This is a place where we can move into a product model and become excellent technology strategy partners rather than in the business of process and friction. And at the top is delivery to Coloradans. This is the work that the Colorado Digital Service has been particularly good at. The MyColorado mobile app, building out a design system so that our web experience is seamless to Coloradans and they don't need to understand sort of the acronym jumble that is our agencies and what programs come where. Really intentionally, this stack has enterprise standards, governance, and rules at the bottom and Coloradans at the top. It is the sand which we need to be operating in is the highest priorities. Additionally, really importantly here is that OIT's business operations are a bookend. They are a support. They are not the foundation, but they are in service to the rest of that. This is the hypothesis we're working on and towards. And we are doing really deep but quick work to understand how we can operationalize this. Is this the right model? How will it work? That looks like service mapping. Outside in, what are the things agencies actually need from us? What do Coloradans need from us? Leveraging a huge amount of feedback we have gotten over the last several years years from our agency partners, from Coloradans directly, from our own employees, and also from you all in the form of the conversations we've had from the legislative feedback we've gotten from the Joint Budget Committee, from the LAC, and really fleshing out how do we do this better and far more efficiently through the use of modern tools, through the use of automation, as Jill said, so that we're not doing so much manual friction. So that is our hypothesis. One more slide for you. Part of our commitment to everyone, you, our employees, our agency partners, is incredible transparency and regular iterations of feedback. We asked a question on the OIT all staff meeting when we shared the news of this reorganization. It was, where are you with this change we've just shared? 517 employees shared their feedback. We asked, I'm on board, let's go. I'm cautious, I have questions, or I'm stuck. I don't understand why we're doing this. Of the 517, 239 nearly half said, let's go. This makes sense to me. I'm on board. 242 about the other half had questions. Appropriately so. This is a big deal. But only 31 of 517 were like, no. And I think that speaks to us being on the right track. and it being the time for us to make some really radical changes. To the right, we see the agency product directors. These are our one-to-one sort of matches, our agency partners who we work with day in and day out. We ask the same question. The N is much smaller, only 12 in this case that filled it out, but only one said they didn't understand, and only one said they were cautious. All the rest were like, yes, this resonates with me. This makes sense. I am on board. And we've had the same level of feedback as we've talked to the deputy directors, as we've talked to executive directors. Again, this is hope and this is belief and investment. It isn't, it is a, to quote Taylor Swift, it's a vibe. It is not a fact, but I wanted to share with you that this is where we are and where we're operating from. And with that, we are open to conversation.
Very good. Thank you so much. I finally got through that presentation. Wow. Awesome. It is a different one. Fair. Representative Titone.
Thank you, Madam Chair. I have several questions. And so if you wouldn't mind a dialogue, I would appreciate it.
Who do you want to dialogue with?
Director Edinger.
Okay, fair enough. All right.
Well, one question is about the survey. Was the survey done after the reorganization was announced, or was it done before the organization was announced?
You may dialogue. Director Edinger.
Thank you, Madam Chair. Thank you for the question, Representative Titone. I believe, well, there are several surveys. As Sarah shared, there were two that were done. The one with the employees, which we plan to do at the end of every all-hands meeting, which we do monthly, was conducted at the end of the all-hands meeting February 24th. In the last five minutes or so of that meeting, we launched the survey and collected the results there. the survey from the product directors which was the chart on the right on slide seven was conducted a week or two ago last week so you'd already made a decision to do it and the all hands meeting and then you asked everybody we're doing this what do you think instead of having a meeting about we're planning to do this what is your feedback there was none of that it was just this is our plan we're going to go there it's a dialogue so you okay thanks
yes that's correct I mean do you value the employees opinions and and feedback to try to make the organization better I mean what this is a top-down approach because I'm you know again I'll read to you what you said in the email you sent that the transformation was informed by conversations we had with various stakeholders, including JBC and JTC members. And this is not a conversation, even though we are dialoguing right now, but this is not a conversation when you come here to the committee, and that is not stakeholding. So I'm a bit confused why this was done in a vacuum, but the statement says that you had conversations in stakeholder with us and JBC and that wasn't the case.
I don't believe I used the word
stakeholder. Well, various stakeholders, conversations we've had with various stakeholders. I mean, that implies stakeholder because of conversations. I mean, the term stakeholder kind of implies that. Sure. Yeah, so we did receive a lot of
feedback from stakeholders. The feedback we get from the stakeholders that are JTC, JBC, LAC, auditor's office often occur in these types of settings. I also spent an entire year attending the quarterly business reviews with all of our agencies, getting their feedback in those settings. Those were more conversational and less of a formal type of a situation. And then there were multiple conversations I had with executive directors members of staff throughout And Sarah just pointed out their customer user group I attended which is the group of product directors that meet with our staff on a monthly basis The rates and services board was where I spent a lot of time. That's where we set the rates and services, obviously. So there were a lot of different places in which we gathered feedback. But I think your question, if I'm understanding it correctly or your point might be, were we incorporating directly the changes that we intended to make to improve OIT? Were we incorporating those plans?
It doesn't sound like you had much of a plan. It was more that you created this internally from a top down without actually getting the people actually doing the work to participate until you told them this is what we're going to do. Do you like it? That's how it sounds to me. Is that a good assessment of that?
Since we're in a dialogue, you're entitled to your opinion. And I think we analyzed this top to bottom for quite some time and concluded that it was time for a transformational change to OIT to try to deliver better in the areas where we were not delivering at a satisfactory level. and we did not see how we were going to be able to deliver, especially around strategic partnership and around some of the foundational elements, including being able to deliver on the audit, cybersecurity audit and those types of areas, unless we made the changes that we've just made, that our current organizational structure would not enable us to do that. Now, rolling out an organizational realignment is not something that's possible to do by bringing everyone along at every step of the way. So I think your criticism that it was top down in some ways is a fair one.
Okay. Do you have any plan in this reorganization to have a better strengthening relationship with the Office of Independent Auditor? because they have been frustrated with getting information, and frankly, I believe that it is against statute to not provide information to the auditor just as it is against statute to withhold information from us. And is there a plan to have a better open relationship with the auditor?
Yes, and Jill, if you would like to talk to this about the monthly meetings we've set up and some of the other ways we've done that.
Director Frazier.
Thank you. Representative Titone, the team within the security office, our compliance team, has been regularly meeting with, in particular, the technical auditors that we have had, that have done the IT resilience audit in the past to help strengthen both the relationship but also our understanding to ensure that we're aligned with their expectations in meeting those as we move forward. So our commitment is absolutely to lean in in ways that we may not have been leaning in in the past.
Okay. And then it's my understanding that, you know, when you came to us, you were quoting NIST standards for how you were evaluating the AI for the budget request. But as far as I'm understanding, that you're failing to meet the standards of NIST for OIT, 853 in particular. Why are you so strongly trying to get the standards for NIST when it comes to AI, but you fail to meet the standards for your own organization?
Yes, Director Frazier.
Thank you, Madam Chair. Thank you, Representative Satone. So if I could take a step back for a second, there are a number of framework standards that NIST puts forward. NIST 853 is one very detailed mandatory framework for the federal government. NIST's cybersecurity framework is another framework that they put forward that is risk-based. That's the framework that we are using, and that's what we are holding ourselves accountable to. That's the framework that we've been measuring ourselves. That's a lower standard. It's a risk-based framework. It was intentionally developed to be more civilianized, and it is not where – that actually have federal data that goes through some of the systems that we have, and why would we not want to adhere to the highest standard possible to avoid that risk?
Yes, ma'am.
Two thoughts on that. One is 853 is a federal mandate, and where we have federal systems, for example, systems that have IRS data, Social Security data, we are absolutely meeting those expectations. we are actually in good standing with the SSA and IRS for all of the audits that they do on those systems and expect to continue to be. The reason to use a risk-based framework like NIST cybersecurity is because it's incredibly expensive to set really high standards for all your technology across the board. So what we're saying, what the decision we've made is we're going to set this standard, And based on risk, we will apply additional protections to ensure that we are doing the most thoughtful job of protecting state data, but also in a very financially responsible way. So that's the rationale for using cybersecurity.
One more question I just want to ask Director Edinger. Are you familiar with the state controller policy on conflict of interest? And do you believe that your board position on TechNet is a conflict of interest, or is that not a conflict of interest, and why? I'm not sure.
What is this?
I'm asking about the state controller policy on conflict of interest with state employees when there is procurement contracts involved. And I'm asking the director if his board seat on TechNet, which has all these tech companies, would be considered a conflict of interest, being that OIT contracts with many of those companies that are in TechNet. That is the question.
Director Edinger.
Thank you, Madam Chair. Thank you for the question, Representative Titone. I don't believe that I don't have a board position on TechNet. I have...
You're not on the board of TechNet.
I'm not on the board of TechNet, so I'm not... So I haven't looked into a conflict of interest related to that because I'm not on the board. Okay.
Fair enough.
No? Okay. Very good. Does anyone else have any questions? Yeah, Senator Baisley.
Thank you, Madam Chair, and thank you all. I want to reset the tone a bit because we are the legislative branch, and we certainly have oversight for results. You all are the executive branch. You run the show. And I hope you don't come away with the impression that you need to organize yourselves according to what would be a preference of the legislative branch, because that's just not how life works in America. So I applaud you for your introspection, and you have a relatively new team over the past couple of years. There's been a lot of personnel changes, and you seem to have really gelled together, and in your introspection, asking the question, how can we be more effective, and the outcome being a very significant reorganization. I just applaud you for that. You should make this yours. Make it your own. Be the boss. Don't apologize that you make the decision top down. That's fine. It would be our role to judge the outcome, but not to tell you how to get it done. So I just think you're doing – I think this is a very refreshing moment that you've said. We've rethought this through. How do we perform better? How do we deliver the expectation for our organization more effectively? And you're making those adjustments, and you seem to be a great team together to do that. So I want to say way to go. Thank you.
Thank you, Senator Baisley. Representative Paschal.
Thank you, Madam Chair. I just wanted to comment from looking at your hypothesis. It makes sense to me. It seems like a way to go. But, of course, we don't know how it's going to turn out. Right. There's a lot of work to be done, and especially in your delivery to agency partners slide or piece of meat or whatever you call it in the sandwich So I would be very interested in having us stay informed on what going on there Like, what are you guys figuring out? What are the changes that you're going to go for? What, you know, what are you seeing? What are the results? Because we, you know, we often see, we've seen several presentations, not from you guys in particular, but, you know, over the course of the year, which is, oh, we're going to do this thing completely new now. And we don't really want to talk about the past. Now we're doing this new thing. So I definitely want to see that it's... I have seen in industry sometimes there's distraction by reorg, right? And so it needs to be reorg with a purpose and we need to see that it's producing something and it's working. And so I would just like us to be able to hear some regular status about what's happening and how are you feeling about what's working and just being able to have more of a partnership. And so, you know, that involves us understanding what's going on because it's hard for us to have thoughts about something when we don't really know exactly what's
going on. So that's my input. Yeah. And I agree. I was going to ask for a 90-day kind of update every quarter, if you guys could just give us, is that quarters? Yeah, three months. If you guys could give us an update on how things are going. I did have a question about why, this is just philosophical, why are they interims versus actual directors? I just hope that being an interim, you still have that same authority to be able to do what we've said, we're going to change digital and delivery and security and infrastructure. Like, I'm curious why they're interim.
Thank you, Madam Chair, for the question as well. Yeah, we gave that some thought. And, you know, Sarah used the term hypothesis, and we recognize we're not likely to get everything 100% right out of the gate. We're also putting, and so we wanted to maintain the flexibility, but it doesn't detract from their ability to lead these two teams. But we recognize that things may need to change. One of the things that I think we're putting a lot of pressure on is, you know, Jill Frazier, who's retaining her role as the chief information security officer, which is a big role in and of itself on top of being the deputy for infrastructure, security and infrastructure. So we just wanted to sort of highlight to everybody on our team, this is our first take at this. And if this structure works, which we believe it will, but again, it's a hypothesis, we will adapt accordingly. There are many different ways we could structure a technology department, and this is just one of them.
Awesome. I appreciate that. And then I was going to say, too, I appreciate your openness to say we've had these three bad metrics. and we're going to improve them. And so when we have our updates and our responses, I guess that's what we're looking at. There was the low agency satisfaction of 37%. We're going to see that go up, so that will be a metric. When you come back, it would be great to hear. So try to keep things kind of similar, how you've done the surveys or whatever. The second one, I'm assuming, is the cybersecurity. There's the 15 of 77 versus 71 of 77. We'll delve into some of that next week. But that is another one that we're going to want to have regular updates on. And then that final one, that WIG around the NIST 2.8, I think that's going to be another. Now, I don't know how frequently those measurements are taken, and so I don't know if it's going to be reasonable to have a quarterly update on those. but would love to have your feedback as to what kind of key metrics you're bringing to us also as you're coming back every quarter. Director Thunberg.
Thank you for the question. You're correct in that these are sort of once a year evaluated metrics. We are currently in the process of evaluating what monthly and quarterly cadence metrics and measurements we can put in place that then allow us to understand that where we are trending, we would love to share those with you. We need a couple more weeks to test them to make sure we can measure them. This is another place where the organization has struggled, is that we have good lofty ideas about what we can measure, and then we go back and people are like, you know, we don't have the data for that. So not an ideal situation. But I think we are working really hard to not just measure once a year, but every week, every month, every quarter to ensure that we can adjust if we aren't hitting. So we'll happily bring those to you.
That'll be great. And then I see that Rep Kelty also has a question.
Thank you, Madam Chair. And I'm the new kid on the block, so this may be information that you've already put out and I'm hard of hearing, so maybe you had mentioned it earlier. But with the reorganization that you're doing and the new ideas that you have, Are you modeling that off of something else or somewhere else, another – so we're not recreating the wheel from, you know, we can use somebody else's wheel if it's working great. Are you modeling this off of someone else or another idea or is it something that just came up on your own?
Is that for Rep. Kelty? Apologies. Director Ettinger?
Sure. Yeah. Great. Thank you, Madam Chair. Thank you for the question, Representative Kelty. I think part of it – so is this – the saying goes when it comes to state IT departments, if you know one state, you know one state. So every state is organized differently. This model, I think, more than being based on any traditional model, having these two teams, digital and delivery and security and infrastructure, a lot of it is based off what we've seen as successful in Colorado, which is the Colorado Digital Service, and what they've been able to do with their model, the product model that we mentioned briefly, and sort of building off of that to try to pervade that model throughout the rest of OIT because we know that that works and how can we scale that up to the rest of the department. The other, I would say, is more of an internal focus on reducing the friction. So I would say it's a response to the model we've had, which is one of many offices siloed within OIT, often with conflicting priorities and trying to do what we can to cut down as much as possible on that to eliminate that friction so that we can operate with the same set of priorities and resource alignment. Very good and I want to do you have something to say too yeah Director
Toonberg if there's time additionally we are looking at models that have worked across the world. So Estonia has a really good digital model, as does the British digital service and the Ontario digital service. Additionally, Jill and David and I each work in community with other states, our peers. So I work really closely in particular with Pennsylvania, Maryland, and we are learning iteratively together, trying to drive that change, not just in Colorado, but we deal with a lot of the same thing. So how do we divide and conquer and as you say, not reinvent the wheel?
Representative Paschal, follow up?
I just wanted to, that made me think of the fact that I did go to a conference in Utah over the summer and they have an office of artificial intelligence, I think is how they framed it, and just thought that might be something worth looking at as well. Director Thunberg
Thank you Madam Chair Thank you for the question Utah or other of our very close colleagues They're doing amazing work and we're trying to leverage what they do and give back particularly on areas related to AI and digital identity
Okay, very good I am going to remind the committee about our next meeting and then if you would hang out for a second Director at Injure we'll have a conversation kind of off the mic. Next Wednesday, March 25th at 7.15 until 8.30 a.m., we will be joining the Legislative Audit Committee, our colleagues at OIT, and the Office of State, of the State Auditor, to go through the confidential portion of the audit. So we did hear about that today. That was one of the metrics that's being worked on. We're going to go into the old Supreme Court chambers and hear all about it. It'll be early on Wednesday morning. So we will not be meeting as JTC next week at this time. Okay. Thank you so much for your time today. And with that, JTC is adjourned.