8 CCR 1501-9
OFFICE OF THE GOVERNOR Governor’s Office of Information Technology COLORADO RULES REGARDING ELECTRONIC TRANSACTIONS BY COLORADO GOVERNMENTAL AGENCIES 8 CCR 1501-9 [Editor’s Notes follow the text of the rules at the end of this CCR Document.] _________________________________________________________________________ PURPOSE The purpose of these rules is to promote the development and use of electronic transactions by Colorado governmental agencies in accordance with CRS 24-71.3-101 et seq. These rules identify the covered Colorado governmental agencies, define key terms, and require Colorado governmental agencies follow the policies established by the Governor’s Office of Information Technology (“OIT”) that: (i) require electronic transactions to be created by an authorized technology in order to be presumed valid; (ii) set forth criteria for determining if a technology is authorized; (iii) identify presently authorized technologies; (iv) provide a mechanism for authorizing new technologies; and (v) establish, approve, monitor and modify security requirements associated with electronic transactions. STATUTORY AUTHORITY CRS 24-37.5-101 et seq.
CRS 24-71-101 et seq.
CRS 24-71.3-101 et seq.
R1 Scope of Rules These Rules apply to any Colorado governmental agency transaction subject to CRS 24-71-101 and 24- 71.3-101 et seq.
R2 Definitions The definitions set forth in this Rule supplement the definitions set forth in CRS 24-71.3-102. A. “Electronic Transaction” means an electronic action or set of actions occurring between two or more persons relating to the conduct of business, commercial, charitable, or governmental affairs. B. “Policy Authority” means the entity that establishes standards, policies, and procedures governing electronic transactions subject to this Rule. The Governor’s Office of Information Technology, as established by CRS 24-37.5-101 et seq., will serve as the Policy Authority. C. “State Agency” means the departments, divisions, commissions, boards, bureaus, and institutions defined in CRS 24-37.5-103(4).
1 CODE OF COLORADO REGULATIONS 8 CCR 1501-9 Governor’s Office of Information Technology R3 Authorized Technologies for Electronic Transactions The Policy Authority will authorize technologies for use by Colorado governmental agencies in electronic transactions. Electronic transactions with Colorado governmental agencies must employ a technology authorized by the Policy Authority.
R4 Identification of Authorized Technologies A. The Policy Authority will review and authorize the use of technologies for electronic transactions by Colorado governmental agencies.
B. Procedure for Authorizing Technologies 1. Any person may petition the Policy Authority to review a technology for use in electronic transactions by providing a written request for review. 2. The petition must include a full explanation of the technology and show that it meets the security requirements and any additional applicable requirements established by the Policy Authority.
3. The Policy Authority has one hundred twenty (120) days from the date of receipt of the petition to review and to accept or reject the petition. 4. If the Policy Authority finds that the petitioner’s proposed technology meets the security requirements and any additional applicable requirements, the Policy Authority will authorize use of the technology by Colorado governmental agencies. 5. If the proposed technology is rejected, the petitioner may appeal the decision through the Administrative Procedure Act, CRS 24-4-101 et seq.
R5 Security Colorado governmental agencies seeking to use electronic transactions must adhere to the standards, policies, and procedures established by the Policy Authority concerning the security of electronic transaction technology.
R6 Presumption of Validity and Burden of Proof If an electronic transaction is entered into by a Colorado governmental agency that conforms to the standards, policies, and procedures established by the Policy Authority, the electronic transaction will be presumed valid. It will be the burden of the party contesting the validity of the electronic transaction to overcome this presumption.
R7 Suspension of Electronic Transactions In the event a State Agency fails to adhere to this Rule or the standards, policies, and procedures established by the Policy Authority, the Policy Authority may discontinue or suspend that State Agency’s use of electronic transactions until compliance with this Rule is established. _________________________________________________________________________ Editor’s Notes History New rule eff. 03/20/2017.
2