The Office of Management and Enterprise Services Oklahoma Cyber Command supports an extensive third-party risk management program to meet the needs of the State of Oklahoma’s diverse supply chain and ensures the protection of data and systems by utilizing the following measures:
- Determine cybersecurity requirements for suppliers.
- Communicate cybersecurity requirements.
- Enact cybersecurity requirements through a formal agreement.
- Verify cybersecurity requirements are met.
- Govern and manage the above activities.
One of the program’s main goals is to vet the security posture of primary suppliers, as well as their subcontractors and other downstream providers, through our assessment process based on the National Institute of Standards and Technology Cybersecurity Framework.
For a company to access, process, store or transmit state data, it must have an Authority to Operate Order signed by the state chief information security officer or designee. An AOO is produced after OMES Oklahoma Cyber Command reviews a thorough security assessment.
What is an AOO?
An AOO asserts that the supplier’s internal security policies meet the minimum standards set by OMES Oklahoma Cyber Command. It is vital that our suppliers meet these requirements before being provided access to state data and systems. OMES Oklahoma Cyber Command reserves the right to require a new assessment anytime there is a significant change in a supplier’s security or data-handling procedures.
In the spirit of efficiency, OMES Oklahoma Cyber Command accepts industry standard assessments and certifications in lieu of OMES Oklahoma Cyber Command’s standard assessment since they are substantially similar in structure and content.
The following industry standard assessments and certifications are preapproved and do not require an OMES Oklahoma Cyber Command assessment:
- SIG Lite for low-risk suppliers.
- SIG Core for moderate- to high-risk suppliers.
- CSA CAIQ v3.1 for low- to high-risk cloud providers.
- CSA CCM/CAIQ v4 for low- to high-risk cloud providers.
- FedRAMP for low- to high-risk cloud providers.
- StateRAMP for low- to high-risk providers.
View our process document for detailed next steps to ensure you have an AOO within the State of Oklahoma.
I want to introduce you to the OMES Oklahoma Cyber Command third-party risk management program. We want to ensure our state’s data and systems remain protected. Vetting our primary suppliers’ security postures, as well as their subcontractors and other downstream providers, not only increases data protection but also meets the needs of the state’s diverse supply chain.
Third-Party Security Assessment Process
OMES Oklahoma Cyber Command supports an extensive third-party risk managment program to meet the needs of the state's diverse supply chain. By vetting not only our primary supplier's security posture but also their subcontractors and other downstream providers, we ensure that the state's data and systems remain protected.
For a company to access, process, store or transmit state data, they must have an Authority to Operate Order signed by the state Chief Information Security Officer (CISO) or designee. An AOO is produced after a thorough security assessment has been reviewed by OMES Oklahoma Cyber Command.
New Supplier Process
Security analyst sends supplier a security assessment. Supplier completes.
Analyst reviews responses. If there are any questions or issues, the analyst works with the supplier to resolve.
Once the assessment is complete, a security engineer reviews the document. If approved, engineer submits approval to analyst for crafting AOO.
If not approved, the analyst and supplier work to resolve issues.
CISO signs the AOO and then analyst issues it to supplier.
Renew an Authority to Operate Older Than One-Year
For suppliers whose AOO has expired, a security analyst requests an updated security assessment or an attestation on company letterhead indicating the supplier's security posture has not deterioriated since the execution date on their last AOO.
For a new, full assessment, the same steps as above are completed.
For an attestation, the supplier completes the document and submits for approval.
CISO signs renewed AOO and then analyst issues it to supplier.