Kansas Bolsters Cybersecurity With New Shared Services Model

A pair of recently signed laws have given Kansas the ability to offer shared IT and cyber services to local governments, schools, hospitals and others, while also requiring new cyber assessments for state agencies.

Kansas is now offering shared IT and cybersecurity services to its local governments, public schools, hospitals and nonprofits, potentially creating an economy of scale that will lower costs for the state as well, said Kansas Chief IT Officer Jeff Maxon.

This comes after the passage and signing in April of two key pieces of legislation that expand state tech support and oversight in different ways. The first is Senate Bill 51, which formally lets the state's Office of Information Technology Services (OITS) provide IT and cybersecurity services to cities, counties, schools, hospitals and nonprofits. The state will use a chargeback model, which means recipients pay for services rendered, rather than for tech support in perpetuity. The second is House Bill 2574, which requires new ongoing cybersecurity assessments and maturity reporting within the state government itself, while also giving the state's chief information security officer more flexibility to set security standards across agencies as threats continue to rapidly evolve.

SB 51 “allows us to build our own economies of scale, so we can hopefully reduce costs not just for local governments but for the state,” Maxon said. “It also increases visibility into what’s going on across the state, so we know how to better defend and where to allocate resources.”

Under previous law, Maxon said that reporting requirements existed, but they didn’t provide a complete picture. As this model grows, it will provide more insight into things like local cybersecurity-related outages, and it is expected to bring more consistency to cloud adoption as OITS provides direct services.

While leaders cannot predict how quickly local entities will adopt the program, they want small and rural communities to know help is now available. Maxon said the state will also continue encouraging communities to partner with one another, as they do in traditional emergency situations, both in terms of cybersecurity and IT.

HB 2574, meanwhile, expands cybersecurity governance within the state by centralizing oversight and requiring ongoing cybersecurity assessments and maturity reporting. The bill strengthens the authority of the Kansas Information Security Office, reaffirms cybersecurity oversight across branches of government, and creates recurring assessments and reporting.

The reporting mechanism will show state lawmakers each agency’s cybersecurity progress and maturity. Rather than relying only on static compliance requirements, the state security office is building an assessment program focused on monitoring, managing and improving cybersecurity over time. Maxon said the shift is needed because compliance standards often lag behind rapidly evolving threats. For example, while some frameworks require monthly workstation vulnerability scans, Kansas has moved to real-time device scanning because vulnerabilities are exploited more quickly than in the past.

“If we just focused on monthly scanning, we would be exposed to a lot more vulnerabilities,” he said.

As agencies mature, the state wants them focused on building future capabilities and efficiencies, not just checking compliance boxes. The law also gives the state CISO flexibility to adapt standards and targets as threats evolve, allowing agencies to move toward more advanced security practices over time. This is all especially pressing in 2026, as the rapid evolution of AI and related technologies increases the number and efficiency of cybersecurity threats.

Cyber assessments are also now tied to the state budget. Once an assessment produces a set of findings or recommendations, each agency must create a plan of action and set of related milestones to remediate those findings, Maxon said. Lawmakers can withhold IT funding if remediation isn’t moving forward.

Overall, the laws formalize a broader enterprise approach to cybersecurity governance that officials have been building for years. Kansas' cybersecurity office was established in 2018 as a two-person operation. Under current CISO John Godfrey, it now has about 40 staff members.

Maxon said years of foundational work are translating into operational progress, even as agencies work through implementation challenges and evolving threats. The broader goal is to keep improving IT and cybersecurity maturity through coordinated, enterprise-style governance and shared operational models.

Rae D. DeShong is a Texas-based staff writer for Government Technology and a former staff writer for Industry Insider — Texas. She has worked at The Dallas Morning News and as a community college administrator.