62 O.S. § 34.12. Information Services Division - Powers and Duties

The Information Services Division of the Office of Management and Enterprise Services shall:
1. Coordinate information technology planning through analysis of the long-term information technology plans for each agency;
2. Develop a statewide information technology plan with annual modifications to include, but not be limited to, individual agency plans and information systems plans for the statewide electronic information technology function;
3. Establish and enforce minimum mandatory standards for:
  1. information systems planning,
  2. systems development methodology,
  3. documentation,
  4. hardware requirements and compatibility,
  5. operating systems compatibility,
  6. acquisition of software, hardware and technology-related services,
  7. information security and internal controls,
  8. data base compatibility,
  9. contingency planning and disaster recovery, and
  10. imaging systems, copiers, facsimile systems, printers, scanning systems and any associated supplies.
  The standards shall, upon adoption, be the minimum requirements applicable to all agencies. These standards shall be compatible with the standards established for the Oklahoma Government Telecommunications Network. Individual agency standards may be more specific than statewide requirements but shall in no case be less than the minimum mandatory standards. Where standards required of an individual agency of the state by agencies of the federal government are more strict than the state minimum standards, such federal requirements shall be applicable;
4. Develop and maintain applications for agencies not having the capacity to do so;
5. Operate a data service center to provide operations and hardware support for agencies requiring such services and for statewide systems
6. Maintain a directory of the following which have a value of Five Hundred Dollars ($500.00) or more: application systems, systems software, hardware, internal and external information technology, communication or telecommunication equipment owned, leased, or rented for use in communication services for state government, including communication services provided as part of any other total system to be used by the state or any of its agencies, and studies and training courses in use by all agencies of the state; and facilitate the utilization of the resources by any agency having requirements which are found to be available within any agency of the state;
7. Assist agencies in the acquisition and utilization of information technology systems and hardware to effectuate the maximum benefit for the provision of services and accomplishment of the duties and responsibilities of agencies of the state
8. Coordinate for the executive branch of state government agency information technology activities, encourage joint projects and common systems, linking of agency systems through the review of agency plans, review and approval of all statewide contracts for software, hardware and information technology consulting services and development of a statewide plan and its integration with the budget process to ensure that developments or acquisitions are consistent with statewide objectives and that proposed systems are justified and cost effective;
9. Develop performance reporting guidelines for information technology facilities and conduct an annual review to compare agency plans and budgets with results and expenditures;
10. Establish operations review procedures for information technology installations operated by agencies of the state for independent assessment of productivity, efficiency, cost effectiveness, and security;
11. Establish data center user charges for billing costs to agencies based on the use of all resources;
12. Provide system development and consultant support to state agencies on a contractual, cost reimbursement basis; and
13. In conjunction with the Oklahoma Office of Homeland Security, enforce the minimum information security and internal control standards established by the Information Services Division. An enforcement team consisting of the Chief Information Officer of the Information Services Division or a designee, a representative of the Oklahoma Office of Homeland Security, and a representative of the Oklahoma State Bureau of Investigation shall enforce the minimum information security and internal control standards. If the enforcement team determines that an agency is not in compliance with the minimum information security and internal control standards, the Chief Information Officer shall take immediate action to mitigate the noncompliance, including the removal of the agency from the infrastructure of the state until the agency becomes compliant, taking control of the information technology function of the agency until the agency is compliant, and transferring the administration and management of the information technology function of the agency to the Information Services Division or another state agency.
No agency of the executive branch of the state shall use state funds for or enter into any agreement for the acquisition of any category of computer hardware, software or any contract for information technology or telecommunication services and equipment, service costs, maintenance costs, or any other costs or fees associated with the acquisition of the services or equipment, without written authorization of the Chief Information Officer or a designee except the following:
1. A purchase less than or equal to Five Thousand Dollars ($5,000.00) if such product is purchased using a state purchase card and the product is listed on either the Approved Hardware or Approved Software list located on the Office of Management and Enterprise Services website; or
2. A purchase over Five Thousand Dollars ($5,000.00) and less than or equal to Twenty-five Thousand Dollars ($25,000.00) if such product is purchased using a state purchase card, the product is listed on an information technology or telecommunications statewide contract, and the product is listed on either the Approved Hardware or Approved Software list located on the Office of Management and Enterprise Services website.
  
  If written authorization is not obtained prior to incurring an expenditure or entering into any agreement as required in this subsection or as required in Section 35.4 of this title, the Office of Management and Enterprise Services may not process any claim associated with the expenditure and the provisions of any agreement shall not be enforceable. The provisions of this subsection shall not be applicable to any member of The Oklahoma State System of Higher Education, any public elementary or secondary schools of the state, any technology center school district as defined in Section 14-108 of Title 70 of the Oklahoma Statutes, or CompSource Oklahoma.
The Chief Information Officer and Information Services Division of the Office of Management and Enterprise Services and all agencies of the executive branch of the state shall not be required to disclose, directly or indirectly, any information of a state agency which is declared to be confidential or privileged by state or federal statute or the disclosure of which is restricted by agreement with the United States or one of its agencies, nor disclose information technology system details that may permit the access to confidential information or any information affecting personal security, personal identity, or physical security of state assets.

Associated Rules

General. The Chief Information Officer is appointed by the Governor and has authority over the Information Services Division of the Office of Management and Enterprise Services.
Authority. The Chief Information Officer, or any employee or agent of the Chief Information Officer acting within the scope of delegated authority, shall have the same power and authority regarding the procurement of all information technology and telecommunications products and services ... for all state agencies as the State Purchasing Director has for all acquisitions used or consumed by state agencies as established in The Oklahoma Central Purchasing Act.
Official directives. The Chief Information Officer shall issue directives, instructions or written communications to state agencies regarding required procurement practices and procedures for the acquisition of information technology and telecommunications goods and services.

Unless otherwise provided by law, state agencies shall acquire information technology products and services in accordance with the Oklahoma Central Purchasing Act [74 O.S. §§85.1 et seq.], the Oklahoma State Finance Act [62 O.S. §§34 et seq.] the rules of this chapter, and requirements established by the Information Services Division of the Office of Management and Enterprise Services.

Procurement.
1. To ensure accessibility of information technology for individuals with disabilities pursuant to 62 O.S. §34.28, procurement of information technology shall be subject to the Oklahoma Information Technology Accessibility Standards prescribed by the Office of Management and Enterprise Services and maintained by the Information Services Division. These standards apply to all information technology purchased after the effective date of these rules, providing the solicitation process was not initiated prior to the effective date.
2. When developing, procuring, maintaining or using information technology, or when administering contracts or grants that include the procurement, development upgrading, or replacement of information technology each state agency shall ensure, unless an undue burden would be imposed on the agency, that the information technology allows employees, program participants, and members of the general public access to use of information and data that is comparable to the access by individuals without disabilities. [62 O.S. §34.28(B)] When used in this section, "state agency" includes all agencies defined in 62 O.S. §34.29.
3. Unless an exception applies, an agency must procure a product or service that best meets the business needs of the agency and the applicable IT Accessibility Standards.
  1. Accessibility determination must be conducted as part of the acquisition evaluation.
  2. Accessibility must be considered among the general, technical and functional requirements of the procurement specifications. At a minimum, it must be accomplished through review of supplier provided information submitted in the form of a Voluntary Product Accessibility Template (VPAT) or comparable document with judgments made regarding degree of conformance to the IT Accessibility Standards.
  3. The relative accessibility weighting may be adjusted for due cause based on the specific procurement.
  4. When acquiring a product, an agency shall acquire products that comply with applicable IT Accessibility Standards when such products are available in the commercial marketplace or when such products are developed in response to an agency solicitation. Agencies cannot claim a product, as a whole is not commercially available by stating no product in the marketplace meets all of the IT Accessibility Standards. Instead, an agency must identify commercial, off-the-shelf products that best meet the general, technical and functional requirements as defined by the agency. Once those products have been identified, the agency should purchase the product that is the most accessibility compliant.
Contract clauses.
1. All solicitations and contracts for information technology shall include the accessibility clause adopted by the Information Services Division pursuant to 62 O.S. §34.28.
2. The IT Accessibility Standards shall be published on the OMES website.
3. A supplier shall provide a written certification, signed by an authorized officer of the supplier, describing the extent to which the product or service complies with applicable IT Accessibility standards required by such contracts or solicitations prior to the expenditure of state funds. An agency may also utilize a VPAT published on a supplier’s primary website. A VPAT obtained from a supplier website shall be good for a one-year period.
Exceptions. Exceptions to compliance with IT Accessibility Standards include:
1. information technology operated by state departments or agencies, the function, operation or use of which involves intelligence activities, crypto logic activities related to public safety, command and control of law enforcement, equipment that is an integral part of a weapon or weapons system or systems which are critical to the direct fulfillment of public safety or intelligence missions. Systems which are critical to the direct fulfillment of public safety or intelligence missions do not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics and personnel management applications);
2. information technology acquired by a contractor or grantee incidental to a contract or grant, provided the technology does not become State property upon the completion of the contract;
3. information technology located in spaces frequented only by service personnel for maintenance, repair or occasional monitoring of equipment;
4. information technology requiring a fundamental alteration in the nature of a product or its components to achieve accessibility;
5. Except as required to comply with the IT Accessibility Standards, state departments and agencies are not required to install specific accessibility-related software or attach an assistive technology device to information technology products unless required by other applicable State or Federal laws;
6. When state agencies provide public access to information or data through information technology, agencies are not required to make products owned by the agency available for access and use by individuals with disabilities at a location other than where the information technology is provided to the public, or to purchase products for access and use by individuals with disabilities at a location other than where the information technology is provided to the public;
7. information technology that would impose an undue burden on the agency.
Documentation of exceptions. Whenever an agency determines that an acquisition exceeding $5,000.00 meets the criteria of a general exception or undue burden, the agency shall document the explanation of why, and to what extent, compliance with applicable IT Accessibility Standards meets an exception or creates an undue burden on the agency. Agencies are encouraged but not required to maintain documentation for commercial off-the- shelf acquisitions of $5,000.00 or less unless the purchase is part of an existing contract or affects a larger EIT system where accessibility is critical.
1. The explanation shall be documented on a form prescribed by the Information Services Division and signed by the chief administrative officer of the agency or an employee of the agency to which responsibility for accessibility compliance has been delegated.
2. The documentation shall be retained in the acquisition file to support the procurement.
Alternative means of access. When compliance with IT Accessibility Standards imposes an undue burden, agencies shall provide individuals with disabilities the information and data involved by an alternative means of access that allows an individual to use the information and data in accordance with other applicable State and Federal laws such as Title I and Title II of the Americans with Disabilities Act and Section 504 of the Rehabilitation Act.