Oct 23 2014

14 Tenets of California’s Cloud-First Policy

The new policy requires state agencies to evaluate cloud computing as an alternative investment for all IT projects.

The state of California isn’t just considering cloud technologies. Under a newly adopted Cloud First policy, state agencies are required to evaluate cloud computing as an alternative investment for all IT projects.

“Whenever feasible, agencies [and] state entities must utilize cloud services provided by the Office of Technology Services (OTech),” according to the state administrative manual (SAM). “If required services are not available through OTech, agencies [and] state entities must utilize other commercially available Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS) cloud service models when feasible and cost effective.”

California’s policy mirrors federal efforts to speed adoption of cloud services. The 2010 policy issued by then-federal CIO Vivek Kundra required agencies to default to secure, reliable, cost-effective cloud-based solutions when evaluating options for new IT deployments. To initiate the shift to a Cloud First policy, agencies were instructed to move at least three services to the cloud within 18 months.

State officials expect California’s policy to accelerate the return on cloud investments and address information security and risk management, privacy, legal issues and other statutory requirements governing state IT systems.

To ensure that cloud computing plays a major role in improving the delivery of state services, the new policy requires agencies and state entities to do the following:

  1. Evaluate, in consultation with their IT organization, secure cloud computing solution options for all new IT projects.

  2. Use a cloud service model, such as SaaS, PaaS, or IaaS, for all new IT projects whenever a feasible and cost-effective solution is available that meets the agency/state entity requirements and provides the required level of security, performance and availability.

  3. Use cloud services provided through OTech as the first-choice cloud computing solution for all new IT projects. If required services are not available through OTech, use other commercially available SaaS, PaaS or IaaS solutions.

  4. If using a commercially available SaaS service model, utilize it for commodity applications, such as office productivity tools, virtual desktop, customer relationship management, human resources management, finance, project management, open data, and inventory management. Use a PaaS or an IaaS service model for all other application categories when feasible.

  5. Classify the data managed by the applications that utilize cloud service models.

  6. Ensure compliance with the security provisions of the SAM.

  7. Based on data classification, ensure compliance with relevant security provisions, including those in the California Information Practices Act; Internal Revenue Service Publication 1075; Social Security Administration Electronic Information Exchange Security Requirement; Payment Card Industry Data Security Standard; Health Insurance Portability and Accountability Act Security Rule; Health Information Technology for Economic and Clinical Health Act; and Criminal Justice Information Services Security Policy.

  8. Ensure an appropriate level of compliance with the Federal Risk and Authorization Management Program certification for all IT projects using commercial cloud solutions where federal funding is involved.

  9. Ensure that the commercial cloud service provider’s Standards for Attestation Engagements No. 16 Service Organization Control (SOC) 2 Type II report as well as the provider’s plan to correct any negative findings are available to the agency/state entity.

  10. Ensure that the confidential, sensitive or personal information is encrypted at the necessary level for the data classification.

  11. Ensure that written agreements with cloud service providers address required SAM provisions, and SaaS service agreements include the Department of General Services’ Cloud Computing Services Special Provisions.

  12. Ensure that the physical location of the facility where the data is stored is within the continental United States, and that remote access to data from outside the continental United States is prohibited unless approved in advance by the State Chief Information Security Officer.

  13. Maintain an exit strategy for IT projects that utilize a commercially available SaaS service model. The exit strategy includes the agency’s/state entity’s ability to export data in predefined formats and maintaining, when needed, a current backup of the data in the Tier III-equivalent data center facility designated to the agency/state entity and unrelated to the cloud provider.

  14. Maintain an effective incident response and mitigation capability for security and privacy incidents. Report suspected and actual security incidents in accordance with the established criteria and procedures and with other applicable laws and regulations.
