New Shared Services Model Boosts Kansas Cybersecurity

Key Takeaways

  • Kansas has launched a shared IT and cybersecurity service model for cities, counties, schools, hospitals, and nonprofits, using a charge‑back system so users pay only for what they consume.
  • Senate Bill 51 authorizes the Office of Information Technology Services (OITS) to provide these services, aiming to create economies of scale that lower costs for both local entities and the state.
  • House Bill 2574 mandates ongoing cybersecurity assessments, maturity reporting, and gives the state Chief Information Security Officer (CISO) flexibility to update standards as threats evolve.
  • The new framework ties assessment findings to agency budgeting, allowing lawmakers to withhold IT funding if remediation lags.
  • Kansas’ cybersecurity office has grown from a two‑person team in 2018 to roughly 40 staff, reflecting years of foundational work now being operationalized.

Overview of Shared IT and Cybersecurity Services
Kansas is now offering centralized IT and cybersecurity support to a broad range of public and nonprofit organizations, including municipalities, counties, school districts, hospitals, and charitable groups. By consolidating these services under the Office of Information Technology Services (OITS), the state hopes to deliver more reliable, cost‑effective technology assistance while improving overall security posture across the state. The initiative reflects a strategic shift from fragmented, agency‑by‑agency support to a coordinated enterprise model that can leverage shared resources and expertise.

Senate Bill 51 and the Charge‑Back Model
The enabling legislation for this shared service approach is Senate Bill 51, which formally authorizes OITS to provide IT and cybersecurity services to eligible local governments and institutions. Crucially, the bill establishes a charge‑back mechanism: recipients pay for the specific services they use rather than receiving open‑ended, perpetual support. This pay‑as‑you‑go structure incentivizes efficient consumption and allows the state to recover costs while still offering scaled‑down pricing compared to what individual entities could achieve on their own.

Economies of Scale and Cost Reduction
Chief IT Officer Jeff Maxon emphasized that the shared service model is designed to create economies of scale, thereby lowering expenses for both participating organizations and the state itself. By aggregating demand, OITS can negotiate better vendor contracts, spread fixed overhead across more users, and deploy specialized staff more efficiently. The resulting cost savings are expected to free up budgetary resources for other critical needs, such as infrastructure upgrades or program expansions, while simultaneously enhancing the state’s ability to monitor and respond to cyber threats.

Visibility, Resource Allocation, and Cloud Adoption
Beyond financial benefits, the centralized approach improves visibility into the cybersecurity landscape across Kansas. Maxon noted that previous reporting requirements offered an incomplete picture, making it difficult to identify systemic vulnerabilities or allocate resources where they are most needed. With standardized reporting and direct service delivery, the state can now track incidents such as local cybersecurity‑related outages more accurately and promote consistent cloud adoption practices, ensuring that agencies follow best‑in‑class guidelines for data storage and application deployment.

Support for Small and Rural Communities
State leaders acknowledge that adoption may vary, especially among smaller and rural jurisdictions that may lack the technical expertise or budget to engage quickly. To address this, Maxon said the state will actively encourage these communities to participate, highlighting that help is now readily available. Moreover, Kansas intends to foster partnerships among local entities—mirroring traditional emergency‑response collaborations—so that towns and counties can share knowledge, tools, and best practices in cybersecurity and IT management.

House Bill 2574: Ongoing Assessments and CISO Flexibility
Complementing SB 51, House Bill 2574 strengthens cybersecurity governance within the state government itself. The bill requires continuous cybersecurity assessments and maturity reporting for all state agencies, moving beyond static compliance checks to a dynamic, improvement‑focused process. It also consolidates authority in the Kansas Information Security Office, granting the state CISO greater flexibility to adjust security standards and targets as the threat landscape evolves, ensuring that defenses remain current rather than lagging behind emerging risks.

From Periodic Scanning to Real‑Time Monitoring
Maxon illustrated the shift in mindset with a concrete example: whereas some frameworks once prescribed monthly workstation vulnerability scans, Kansas has adopted real‑time device scanning because modern threats can exploit weaknesses far more quickly. Relying solely on periodic scans would leave agencies exposed to a window of vulnerability that attackers could exploit. By emphasizing continuous monitoring, the state aims to mature its cybersecurity posture, encouraging agencies to invest in proactive capabilities and operational efficiencies rather than merely ticking compliance boxes.

Budget‑Tied Assessments and Accountability
The legislation further links assessment outcomes to fiscal accountability. When an evaluation yields findings or recommendations, each agency must develop a concrete remediation plan with defined milestones. Lawmakers retain the authority to withhold IT funding if an agency fails to make satisfactory progress on its remediation efforts. This mechanism creates a strong incentive for timely action and ensures that cybersecurity improvements are not merely aspirational but backed by enforceable consequences.

Historical Growth and Enterprise‑Scale Goals
Kansas’ cybersecurity office began in 2018 as a two‑person operation; under current CISO John Godfrey, it has expanded to roughly 40 staff members, reflecting years of foundational work in policy, technology, and training. Maxon noted that this groundwork is now translating into tangible operational progress, even as agencies navigate implementation challenges and an ever‑changing threat environment. The overarching objective is to elevate the state’s IT and cybersecurity maturity through a coordinated, enterprise‑style governance model that leverages shared services, continuous assessment, and adaptive standards—positioning Kansas to better defend against the rising tide of AI‑driven and other sophisticated cyber threats anticipated in 2026 and beyond.
