The 2018 Kansas Cybersecurity Act created the Kansas Information Security Office (KISO) to reduce state agencies’ cybersecurity risk. KISO offers agencies 3 cybersecurity service levels--basic, intermediate, and advanced--that appear to align with the Cybersecurity Act requirements we could review. However, KISO’s services may not have as many effects as the Legislature intended because few agencies use intermediate or advanced services. Agency officials we surveyed had mostly positive opinions about KISO’s services but officials may not always know what their agencies’ needs are or what KISO services they receive. That may be because KISO’s communication with agencies isn’t proactive enough.

KISO is funded through fees it collects from agencies. Its revenues appeared to be less than its costs in fiscal years 2020-2021. But we don't know if KISO’s services are cost-effective because of data limitations and neither do KISO officials or most of the 7 agencies we interviewed. KISO officials described steps they take to limit their costs, some of which may have unintended negative effects.