Iowa Cybersecurity Audit Information Request

Alex Koma filed this request with the Department of Commerce of Iowa.
Est. Completion None
Partially Completed


From: Alex Koma

To Whom It May Concern:

Pursuant to the Iowa Open Records Law (Code Chapter 22), I hereby request the following records:

Any overview of the results of the most recent cybersecurity audit or risk assessment conducted by the Office of the Chief Information Officer or by a third party on behalf of the office.

The requested documents will be made available to the general public, and this request is not being made for commercial purposes.

In the event that there are fees, I would be grateful if you would inform me of the total charges in advance of fulfilling my request. I would prefer the request filled electronically, by e-mail attachment if available or CD-ROM if not.

I recognize that these types of documents contain sensitive information about the state's networks, and could be subject to an exemption to protect public safety. However, I'm not looking for specific details on the networks or their vulnerabilities, merely any summaries or aggregated data produced for the state to get an overall picture of cybersecurity concerns.

Thank you in advance for your anticipated cooperation in this matter. I look forward to receiving your response to this request within 10 business days, as the statute requires.


Alex Koma

From: von Wolffradt, Robert [OCIO]

Hi Alex,
In response to your open records request below:
Our Iowa Cyber Security Strategy document is available online at Iowa Cyber Security Strategy<>, our primary web page is at OCIO<>.
In accordance with Section 2: Risk Assessment of the State of Iowa Cybersecurity Strategy (referenced above), the State of Iowa will be adopting a process to report annually to the Governor's Office and the Iowa Legislature on the state of cybersecurity risk for the Executive Branch, which will be publically available. Once compiled, we intend to post that information on our web site.

At the present time, however, the only data held by the Office of the Chief Information Officer is the internal cybersecurity risk assessment data described in Section 2. This data provides detailed information on critical risk vectors and is deemed confidential under Iowa Chapter 22.7(50) and corresponding administrative rules adopted pursuant to that authority (see Iowa Admin. Code r. 129-2.12(k), (l), (m), (n)).
Thank you!
Robert von Wolffradt
Chief Information Officer
State of Iowa
Office: 515-281-3462<>

No employee or agent of the department or the State of Iowa is authorized to enter into a contractual agreement on behalf of the department or the State of Iowa with another party by email without the express written consent of the director of the department. This electronic communication (including any attachments) is covered by the Electronic Communication Privacy Act, 18 U.S.C. ยงยง 2510 - 2521, is confidential and is intended solely for the use of the individuals or entities to whom the email is addressed. If you receive this email in error, any review, use, dissemination, distribution, copying, or storing of the email or its attachments is prohibited. Notify me immediately of the error by return email, and delete this message from your system. Any views or opinions in this email are the author's and do not necessarily represent the views or opinions of the department or the State of Iowa.


There are no files associated with this request.