Third-Party Cyber Management

The Office of Management and Enterprise Services Oklahoma Cyber Command supports an extensive Third-Party Cyber Management program to meet the needs of the State of Oklahoma’s diverse supply chain and ensures the protection of data and systems by utilizing the following measures:

• Determine cybersecurity requirements for suppliers. ​​
• Communicate cybersecurity requirements. ​​
• Enact cybersecurity requirements through a formal agreement. ​​
• Verify cybersecurity requirements are met.​​
• Govern and manage the above activities.

One of the program’s main goals is to vet the security posture of primary suppliers, as well as their subcontractors and other downstream providers, through our assessment process based on the National Institute of Standards and Technology Cybersecurity Framework.

For a company to access, process, store or transmit state data, it must have an Authority to Operate signed by the state chief information security officer or designee. An ATO is produced after OMES Oklahoma Cyber Command reviews a thorough security assessment.

An ATO asserts that the supplier’s internal security policies meet the minimum standards set by OMES Oklahoma Cyber Command. It is vital that our suppliers meet these requirements before being provided access to state data and systems. OMES Oklahoma Cyber Command reserves the right to require a new assessment anytime there is a significant change in a supplier’s security or data-handling procedures.

In the spirit of efficiency, OMES Oklahoma Cyber Command accepts certain industry standard assessments and certifications in lieu of OMES Oklahoma Cyber Command's vendor security assessment if they are substantialy similar in structure and content.

The following industry standard assessments and certifications are preapproved and do not require State of Oklahoma Cybercommand's assessment:

• SIG Lite.
• SIG Core.
• CSA CAIQ v3.1.
• CSA CCM/CAIQ v4.
• FedRAMP.
• StateRAMP.

View our process document for detailed next steps to ensure you have an AOO within the State of Oklahoma.

I want to introduce you to the OMES Oklahoma Cyber Command Third-Party Cyber Management program. We want to ensure our state’s data and systems remain protected. Vetting our primary suppliers’ security postures, as well as their subcontractors and other downstream providers, not only increases data protection but also meets the needs of the state’s diverse supply chain.

OMES Oklahoma Cyber Command supports an extensive third-party risk managment program to meet the needs of the state's diverse supply chain. By vetting not only our primary supplier's security posture but also their subcontractors and other downstream providers, we ensure that the state's data and systems remain protected.

For a company to host, store, transmit, process, and/or access state data, or provide products/services that will access state information/information systems, they must have an Authority to Operate signed by the state Chief Information Security Officer or designee. An ATO is produced after a thorough security analysis has been performed by OMES Oklahoma Cyber Command.

• New Supplier Process
• Renew an Authority to Operate Older Than One-Year