Third-Party Cyber Management
Overview
The Office of Management and Enterprise Services Oklahoma Cyber Command supports an extensive Third-Party Cyber Management program to meet the needs of the State of Oklahoma’s diverse supply chain and ensures the protection of data and systems by utilizing the following measures:
- Determine cybersecurity requirements for suppliers.
- Communicate cybersecurity requirements.
- Enact cybersecurity requirements through a formal agreement.
- Verify cybersecurity requirements are met.
- Govern and manage the above activities.
One of the program’s main goals is to vet the security posture of primary suppliers, as well as their subcontractors and other downstream providers, through our assessment process based on the National Institute of Standards and Technology Cybersecurity Framework.
For a company to access, process, store or transmit state data, it must have an Authority to Operate signed by the state chief information security officer or designee. An ATO is produced after OMES Oklahoma Cyber Command reviews a thorough security assessment.
What is an ATO?
An ATO asserts that the supplier’s internal security policies meet the minimum standards set by OMES Oklahoma Cyber Command. It is vital that our suppliers meet these requirements before being provided access to state data and systems. OMES Oklahoma Cyber Command reserves the right to require a new assessment anytime there is a significant change in a supplier’s security or data-handling procedures.
In the spirit of efficiency, OMES Oklahoma Cyber Command accepts certain industry standard assessments and certifications in lieu of OMES Oklahoma Cyber Command's vendor security assessment if they are substantially similar in structure and content.
The following industry standard assessments and certifications are preapproved and do not require a State of Oklahoma Cyber Command assessment:
- SIG Lite.
- SIG Core.
- CSA CAIQ v3.1.
- CSA CCM/CAIQ v4.
- FedRAMP.
- StateRAMP.
ATO Process
View our process document for detailed next steps to ensure you have an ATO within the State of Oklahoma.
I want to introduce you to the OMES Oklahoma Cyber Command Third-Party Cyber Management program. We want to ensure our state’s data and systems remain protected. Vetting our primary suppliers’ security postures, as well as their subcontractors and other downstream providers, not only increases data protection but also meets the needs of the state’s diverse supply chain.
Third-Party Security Assessment Process
OMES Oklahoma Cyber Command supports an extensive third-party risk management program to meet the needs of the state's diverse supply chain. By vetting not only our primary suppliers' security posture but also their subcontractors and other downstream providers, we ensure that the state's data and systems remain protected.
For a company to host, store, transmit, process, and/or access state data, or provide products/services that will access state information/information systems, it must have an Authority to Operate signed by the state Chief Information Security Officer or designee. An ATO is produced after a thorough security analysis has been performed by OMES Oklahoma Cyber Command.
New Supplier Process
Step One
The TPCM team sends the supplier a security assessment, which the supplier completes.
If supplier holds a certification or assessment from the list above, they should submit it to the TPCM team for review.
Step Two
The TPCM team reviews responses. If there are any questions or issues, the team works with the supplier to resolve.
Step Three
Once the assessment is complete, a security engineer reviews the document. If the engineer approves it, the team submits an ATO for final approval.
If the ATO cannot be approved, the TPCM team works with the vendor and agency to resolve any issues.
Step Four
The CISO, or designee, signs the ATO and distributes it as needed.
Renew an Authority to Operate Older Than One Year
Step One
For a supplier whose ATO has expired, an updated security assessment is required. If the security assessment has been updated since the last ATO, a new security assessment must be completed.
Step Two
Submit the new or updated assessment to the TPCM team for review. If a certification or other assessment is used in lieu of Oklahoma's Vendor Security Assessment, an updated copy that does not expire within a year must be submitted.
Step Three
Same as Step 3 in "New Supplier Process."
Step Four
Same as Step 4 in "New Supplier Process."