CIO-051 Information Technology Standards Policy

Office of the Chief Information Officer Enterprise Policy

CIO-051: Information Technology Standards Policy

Effective Date: 12/23/2015
Revision Date: 04/04/2019
Review Date:  04/04/2019

Policy Statement:
This policy establishes the standards for the development and maintenance of Kentucky Information Technology Standards (KITS).  This policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment. 
  • Kentucky Information Technology Standards (KITS):  KITS are formalized IT standards addressing the broad spectrum of technology environments, including software, hardware, networks, applications, data, security, access, communications, project management, and other relevant architecture disciplines. 
Only IT products listed in KITS, or products granted a written exception to KITS, are approved for installation and use in the executive branch of Kentucky State Government.  Agencies requesting the purchase and/or the use of products and services outside the parameters of KITS must, regardless of cost, develop a business case supporting their request for an exception or modification to existing standards or the addition of a new standard. All requests must be approved by the agency's highest ranking IT officer prior to Commonwealth Office of Technology (COT) submission.
COT shall review all requests for KITS changes or temporary exceptions.  After a review of the request COT shall 1) add elements to KITS, 2) modify existing elements in KITS, 3) provide temporary exceptions to KITS, or 4) deny any change or exception to KITS. All changes to KITS (excluding approved temporary exceptions) shall be documented and published in KITS.
Compliance with KITS is required for traditional IT products as well as off-premise solutions (vendor-hosted, cloud-based: Infrastructure as a Service – IaaS, Platform as a Service – PaaS and Software as a Service –SaaS).  The review of off-premise solutions is automatically triggered during the review of Strategic Procurement Requests (SPR) and during the COT technical review of Requests for Proposal (RFP), Requests for Information (RFI), and Requests for Bid (RFB).  Off-premise solutions require the approval of the specific business case being considered and are not, unlike other KITS requests, an approval for the use of a particular product or technology.  (In other words, a new request for approval is required to deploy use cases off-premise even if the proposed technology is already approved for a different business case.  (This is most likely encountered when using IaaS – Azure, AWS, Rackspace, etc., and PaaS – AWS Elastic Beanstalk, Google App, Oracle Cloud, Salesforce, etc.).  Agencies may request a solution review through their lead technology officers at any time to support business/technology planning.
The KITS database shall be maintained by the Office of Data, Information, and Analytics (ODIA) and published using established COT communication channels (e.g. that supports review by Commonwealth employees, contractors, and vendors as well as citizens not specifically affiliated with the Commonwealth.
Visit the COT - Exceptions, Modifications and Additions to Kentucky Information Technology Standards web page for details related to the submission of these requests.
Agencies may incur additional shared service charges for support efforts and costs associated with non-compliance of approved IT standards.
Authority:  KRS 42.726 authorizes the Commonwealth Office of Technology (COT) to develop policies and compliance processes to support and promote the effective applications of information technology within the executive branch of state government.
Applicability:  All executive branch agencies and non-executive branch agencies using COT-managed infrastructure or services must adhere to this policy.  This includes employees, contractors, consultants, temporaries, volunteers, and other workers within state government.
Responsibility for Compliance:  Each agency must ensure that staff within their organizational authority are made aware of and comply with this policy. The agency is responsible for enforcing it.  Unauthorized and/or neglectful actions regarding this policy may result in disciplinary action up to and including dismissal.  COT may require additional service charges for remediation efforts due to non-compliance with this policy.
Maintenance:  COT’s Office of Data, Information and Analytics (ODIA) is responsible for maintaining this policy.  Organizations may modify this policy to fulfill their responsibilities, but must obtain approval through an exception request.  Staff should refer to their internal policy, which may have additional information or clarification.
Review Cycle:  COT’s ODIA will review this policy at least every two years.
This page was last modified 4/22/2019 1:12 PM

Return to CIO Policies Home Page.










​​ ​​​​​