You are here

Third-Party Risk Security Assessment Process


The Office of Management and Enterprise Services Cyber Command supports an extensive third-party risk management program to meet the needs of the State of Oklahoma’s diverse supply chain and ensures the protection of data and systems by utilizing the following measures:

  • Determine cybersecurity requirements for suppliers. ​​

  • Communicate cybersecurity requirements. ​​

  • Enact cybersecurity requirements through a formal agreement. ​​

  • Verify cybersecurity requirements are met.​​

  • Govern and manage the above activities.

One of the program’s main goals is to vet the security posture of primary suppliers, as well as their subcontractors and other downstream providers, through our assessment process based on the National Institute of Standards and Technology Cybersecurity Framework

For a company to access, process, store or transmit state data, it must have an Authority to Operate Order signed by the state chief information security officer or designee. An AOO is produced after OMES Cyber Command reviews a thorough security assessment.

What is an AOO?
An AOO asserts that the supplier’s internal security policies meet the minimum standards set by OMES Cyber Command. It is vital that our suppliers meet these requirements before being provided access to state data and systems. Cyber Command reserves the right to require a new assessment anytime there is a significant change in a supplier’s security or data-handling procedures.

In the spirit of efficiency, OMES Cyber Command accepts industry standard assessments and certifications in lieu of Cyber Command’s standard assessment since they are substantially similar in structure and content.

The following industry standard assessments and certifications are preapproved and do not require an OMES Cyber Command assessment:

  • SIG Lite for low-risk suppliers.
  • SIG Core for moderate- to high-risk suppliers.
  • CSA CAIQ v3.1 for low- to high-risk cloud providers.
  • CSA CCM/CAIQ v4 for low- to high-risk cloud providers.
  • FedRAMP for low- to high-risk cloud providers.
  • StateRAMP for low- to high-risk providers.

AOO Process

View our process document for detailed next steps to ensure you have an AOO within the State of Oklahoma.

I want to introduce you to the OMES Cyber Command third-party risk management program. We want to ensure our state’s data and systems remain protected. Vetting our primary suppliers’ security postures, as well as their subcontractors and other downstream providers, not only increases data protection but also meets the needs of the state’s diverse supply chain.