Colorado Revised Statutes Title 24. Government State § 24-37.5-405. Security incidents--authority of chief information security officer

(1) A security incident in a public agency shall be reported to the chief information security officer in accordance with state incident reporting policies, standards, and guidelines.

(2) The chief information security officer shall be authorized to temporarily discontinue or suspend the operation of a public agency's communication and information resources in order to isolate the source of a security incident. The officer shall give notice to the governor, or the lieutenant governor in the event the governor is not available, the chief information officer, and the head of the public agency concurrent with such discontinuation or suspension of operations. The officer shall ensure, to the extent possible, the continuity of operations for the communication and information resources that support the operations and assets of the public agency.

(3) The chief information security officer may enter into contracts with a private person or entity to assist with resolving a security incident in a public agency. The officer shall establish an approved list of certified private persons and entities that may provide contract services in the event of a security incident. The officer shall establish criteria for the placement of private persons and entities on the list and shall select such persons and entities for placement on the list utilizing a request for proposals containing such criteria.

(4) Public agencies shall comply and cooperate with a directive of the chief information security officer pursuant to subsection (2) of this section to temporarily discontinue or suspend the operation of a public agency's communication and information resources.