New audit raises questions about State of Colorado's vulnerability to cyberattacks
Colorado state auditors say it's unclear if the Governor's Office of Information Technology (OIT) is doing enough to secure state data from cybercriminals.
The Office of the State Auditor released its second audit of OIT in three years. The first audit recommended 77 changes; the second, 85. Auditors say many of the deficiencies they identified are "material weaknesses," which are the most serious type of deficiency.
David Edinger, Executive Director of OIT, says cybercriminals try to hack the state's system tens of thousands of times a day. He told the Legislative Audit Committee that the problem isn't a lack of security but a lack of documentation for auditors who need to verify the security.
"It wasn't a lack of effort in the conventional sense but rather not going far enough, particularly in the area of documenting the work that we did," said Edinger.
State auditors released a report detailing deficiencies in everything from IT contingency planning to incident response and risk management. They say OIT doesn't have minimum security standards, hasn't trained staff or state agencies on their roles and responsibilities regarding cybersecurity, and has no one in charge of compliance tracking. The auditors say the issues date back three years and note that only 10 of the 77 recommendations they made in 2023 have been fully implemented.
Edinger says he disagrees with most of the auditors' recommendations because his office has already implemented most of them.
"We believed we were communicating the right level of detail around what we believe to have implemented," he explained.
Auditors say OIT repeatedly ignored requests for documentation. They did a second audit last fall and issued 85 more recommendations.
"Some of them are very, very significant and very, very serious," said Sen. Lisa Frizell.
She says that if OIT can't prove it has implemented the changes recommended by auditors, she may introduce a bill to ensure compliance.
"Technology changes every minute of every day, and I don't know that we have the sophistication to keep up with the attacks that are ultimately one day going to get us if we don't make changes," Frizell said.
Some of the deficiencies identified by auditors were so serious that they were shared with the Audit Committee in a confidential report.
"I feel like we have a cybersecurity system that's held together with baling wire and duct tape right now," Frizell said.
Edinger says his office plans to meet monthly with state auditors until it has provided all the necessary documentation. The Audit Committee wants an update on OIT's progress in the next couple of months.