Since then, the cloud landscape has changed dramatically “both in terms of infrastructure in the cloud, and also in terms of buying applications as a service,” said Center for Digital Government Executive Director Teri Takai.
A new revision of the guide, Best Practice Guide for Cloud and As-A-Service Procurements, will help government address today's journey to the cloud.
WHY NOW?
States have accelerated cloud adoption, partly as a path to modernization and partly in response to the new requirements that emerged during the pandemic, said Arizona CIO J.R. Sloan, who helped craft the revision. “Arizona, and I think every other state in the U.S., has significantly increased its adoption of cloud services,” he said.
As a result of the pandemic, “we saw a lot of infrastructure as a service, platform as a service, and particularly software-as-a-service solutions” adopted very quickly, said Center for Digital Government Senior Fellow Dugan Petty, who also participated in revising the guide. The shift has set new expectations around both technological change and the pace of citizen service. “That trend is only going to continue,” he said.
At the same time, government’s use of cloud environments has evolved considerably since the procurement guide had its last refresh. “It is much more sophisticated now,” Takai said. “With everyone in hybrid multicloud environments, the complexity has changed, and the ability to secure the data has changed.”
To address those changes, CDG convened a virtual work group that included representatives from six states — Arizona, Georgia, North Carolina, Massachusetts, Michigan and Texas — as well as the county of Sacramento, Calif. and three city governments: New York, New Orleans and Detroit. Industry representatives included Amazon Web Services, Knowledge Services, VMware and Citrix.
“We had information technology leaders, cybersecurity leaders, and also folks from the procurement and legal teams for each of those jurisdictions. We had a good diverse group,” said Center for Digital Government Senior Fellow Sean McSpaden.
Together they set out to bring the guidelines current.
“The previous guidelines are good, but things have changed over the course of time,” said former Massachusetts CIO Curt Wood. “When we first started going down the road of cloud procurement, we probably didn't have a full appreciation of everything. At the same time the vendor community has matured, the services have changed. We all need to adjust our thinking, especially around data privacy, data access, data transfer, things that make up data ownership.”
WHAT'S CHANGED
The new version of the guide delivers more specifics around several key areas, with a particular focus on mitigating risk in cloud environments.
The previous guide offered “a high-level view of how you manage risk with cloud providers. It didn't have the detailed information around what models you could use, what approaches you could use,” Takai said. “We have built out the risk management part of the guide. There’s a lot more detail.”
Other targeted updates incorporate emerging new guidance from the National Institute of Standards and Technology (NIST) and the Cybersecurity Infrastructure and Security Agency (CISA), among others.
The guide now features expanded sections dealing with things like data security breach notification and security audits, based on real-world experience. “Our working group members were able to provide key examples from their own states and local governments about how they're doing things,” McSpaden said.
In the past, governments may not have known what they could require by way of service level agreements, audits or continuous monitoring. Now the guide reflects a more mature understanding of what is possible.
“We're in a place where we can begin to provide more specific advice and best practices on what they can and should ask for within their procurement documents,” said McSpaden, whose efforts focused on updates to the security guidelines.
Wood meanwhile turned his attention to data management, transparency and security. “It's fair to say that five years ago we weren't as mature” in those areas, he said. “Where's the data actually, where's the data actually sitting? Who owns the data? Over the last few years, we've learned a lot more about those things.”
While the document gives a lot of detailed guidance, it preserves maximum flexibility. “Every state is a little different in their procurement, in their IT management,” Wood said. “This document is highly specific, yet general enough that a state or a municipal government can adopt this and incorporate into their own procurement strategy and procurement process.”
HOW IT WILL HELP
The document aims to simplify and standardize efforts by states and localities as they seek to navigate cloud purchasing.
States can leverage this guidance to incorporate best practices into their cloud procurements. “What everyone loved about the update that we did in 2016 was that they were able to just lift it and use it," Takai explained. "We wanted to provide the same assistance with this update.”
IT leaders can use the guide to ensure they are working in alignment with established standards, and thus create greater consistency in their cloud purchasing programs.
They also can use the guide as an educational tool. “In the majority of the procurements that we do on cloud, we manage the statewide contracts” for government entities, Wood said of his time in Massachusetts. By leveraging the procurement guide, “we can work with the business to make sure that they understand what they're getting themselves into, and whether they are ready for it.”
RESPONDING TO STATERAMP
The updated guide has been crafted to align with the vetting process for cloud providers laid out by StateRAMP and other state-specific Risk and Authorization Management Programs, or RAMPs.
Petty points to the inclusion of a RAMP checklist that will help governments know what questions to ask, while Sloan anticipates alignment between the guidance and StateRAMP will help the wheels turn smoothly, in part by delivering a consistent message to the vendor community. “It really helps set the expectations for the suppliers we need to work with, and as well as our agencies that are looking for solutions,” he said.
Overall, the new guidelines mirror much of what StateRAMP has to offer. That in turn should give government leaders the widest possible range of options. With common messaging from both the CDG guidance and from StateRAMP, states will be able to better determine whether they should go it alone, or pursue a RAMP process.
“We believe in StateRAMP, but also we understand the state and local market and the state and local market doesn't like to be told what to do. We wrote the guide to give people the choice,” Takai said.
Overall, the revised guidelines should streamline and simplify cloud procurements — a net win for state and local government. “It makes for a much more efficient, cost-effective procurement and ongoing contract over time, when everybody knows what they need to comply with,” McSpaden said.
*The Center for Digital Government is part of e.Republic, Government Technology's parent company.