This policy establishes
the standards for the development and maintenance of Kentucky Information
Technology Standards (KITS). This policy provides guidance in
decision-making and practices that optimize resources, mitigate risk, and maximize
return on investment.
Kentucky Information Technology Standards (KITS): KITS are formalized IT
standards addressing the broad spectrum of technology environments, including
software, hardware, networks, applications, data, security, access,
communications, project management, and other relevant architecture
Only IT products listed in KITS, or products
granted a written exception to KITS, are approved for installation and use in
the executive branch of Kentucky State Government. Agencies requesting the purchase and/or the use of products and
services outside the parameters of KITS must, regardless of cost, develop a
business case supporting their request for an exception or modification to
existing standards or the addition of a new standard. All requests must be approved
by the agency's highest ranking IT officer prior to Commonwealth Office of
Technology (COT) submission.
COT shall review all requests for KITS changes or temporary exceptions. After a review of the request, COT shall 1)
add elements to KITS, 2) modify existing elements in KITS, 3) provide temporary
exceptions to KITS, or 4) deny any change or exception to KITS. All changes to
KITS (excluding approved temporary exceptions) shall be documented and
published in KITS.
Compliance with KITS is required for traditional IT products as
well as off-premise solutions (vendor-hosted, cloud-based: Infrastructure as a
Service – IaaS, Platform as a Service – PaaS and Software as a Service –
SaaS). The review of off-premise
solutions is automatically triggered during the review of Strategic Procurement
Requests (SPR) and during the COT technical review of Requests for Proposal
(RFP), Requests for Information (RFI), and Requests for Bid (RFB). Off-premise solutions require the approval of
the specific business case being considered and are not, unlike other KITS
requests, an approval for the use of a particular product or technology. (In other words, a new request for approval
is required to deploy use cases off-premise even if the proposed technology is
already approved for a different business case.
This is most likely encountered when using IaaS – Azure, AWS,
Rackspace, etc., and PaaS – AWS Elastic Beanstalk, Google App, Oracle Cloud,
Salesforce, etc.) Agencies may request
a solution review through their lead technology officers at any time to support
The KITS database shall be maintained by the Office of Data,
Information, and Analytics (ODIA) and published using established COT communication
channels (e.g. technology.ky.gov) that support review by Commonwealth
employees, contractors, and vendors as well as citizens not specifically
affiliated with the Commonwealth.
Visit the COT -
Exceptions, Modifications and Additions to Kentucky Information Technology
Standards web page for details related to the submission of these requests.
Agencies may incur additional shared service charges for support
efforts and costs associated with non-compliance with approved IT standards.
42.726 authorizes the
Commonwealth Office of Technology (COT) to develop policies and compliance
processes to support and promote the effective applications of information
technology within the executive branch of state government.
All executive branch agencies and non-executive branch agencies using
COT-managed infrastructure or services must adhere to this policy. This includes employees, contractors, consultants,
temporaries, volunteers, and other workers within state government.
Responsibility for Compliance: Each agency must ensure that staff within
their organizational authority are made aware of and comply with this policy.
The agency is responsible for enforcing it.
Unauthorized and/or neglectful actions regarding this policy may result
in disciplinary action up to and including dismissal. COT may require additional service charges
for remediation efforts due to non-compliance with this policy.
COT’s Office of Data, Information and Analytics (ODIA) is responsible
for maintaining this policy.
Organizations may modify this policy to fulfill their responsibilities,
but must obtain approval through an exception request. Staff should refer to their internal policy,
which may have additional information or clarification.
COT’s ODIA will review this policy at
least every two years.