Bob Murphy of the Legislative Office of Information Technology Services briefed the Committee on Legislative Modernization on the office’s cybersecurity program and how it aligns with last year’s SB 291 requirements.
Murphy said the legislature’s data center is “located in the Capitol basement” with backups in a Kansas City, Missouri LightEdge facility and that Microsoft 365 data “is all located within the United States.” He emphasized that only screened U.S. citizens work at the data centers and said the legislative environment is logically separated from commercial customers.
The Legislative Office described a mix of technical controls, monitoring and governance (inventory and asset tracking, endpoint encryption, data-loss prevention, an incident response capability and NIST-aligned policy mapping) intended to reduce risk and meet statutory cybersecurity expectations.
Murphy outlined asset and software-tracking work (including scannable barcodes for hardware), endpoint encryption in transit and at rest, Bitwarden password management and information barriers to segregate departmental data. He said role-based and time-limited access has been implemented so contractors and staff activate roles for limited periods and must log reasons for access.
On detection and response, Murphy said the legislature maintains a 24/7 security operations center and endpoint detection-and-response tools. He described automated containment capabilities—“it takes about 10 seconds for us to activate and get through”—and an auto-purge feature that can remove malicious files across the environment.
Murphy said the office is mapping policies to NIST subcategories, using SCAP and CIS tools to assess endpoints, and plans tabletop exercises and collaborative assessments with CISA. He said the office is working on zero-trust and SASE (secure access service edge) technologies to replace legacy VPN approaches and reduce technical debt.
Representative Howerton asked about quarantined constituent emails and Murphy replied that the new constituent relationship management (CRM) system approved by the Legislative Coordinating Council is expected to address delays, with a target completion date he gave as February 28 (year not specified). “That will be addressed with the new constituent relationship management software… the time frame for that is February 28 to be complete,” Murphy said.
Murphy requested that follow-up questions be taken offline and said the office is scheduling continued NIST-aligned assessments and CISA collaboration after session activity subsides.