J.R. Sloan, Arizona's Chief Information Officer, is working to uphold cybersecurity best practices thorugh championing StateRAMP.

May 02 2022

Q&A: Arizona CIO J.R. Sloan Gets Ahead of Challenges

The veteran IT administrator presses forward on cloud migration and security assessments to produce results.

Arizona CIO J.R. Sloan has gained national recognition for championing StateRAMP. After joining Arizona state government in 2013, J.R. Sloan became interim state CIO in 2019. 

The next year, he was appointed to that role in a permanent capacity. Over the course of his career, Sloan has been a cloud-first advocate, which he says paid dividends when Arizona closed offices due to the coronavirus pandemic.

Sloan also helped to stand up AzRAMP, the Arizona Risk and Authorization Management Program, a certification program to ensure the cybersecurity posture of state contractors. He recently led the way in taking the same concept across the country in the form of StateRAMP. StateTech talked to Sloan about Arizona’s big tech achievements during his tenure so far as CIO and what’s next for the state.

STATETECH: In the time you’ve been CIO, which of Arizona’s accomplishments are you most proud of?

Sloan: One of the things I’m really proud of is how the state was able to navigate a transition to work from home. That really was built on the back of work that was done and continues to be done to adopt cloud services. We set up a shared hosted data center, a place where any agency could drop equipment if they needed to. In terms of cloud migration, we have closed 85 data centers and we have migrated over 2,600 applications to the cloud. We had a data center that sat across the street from our building. It was going to cost somewhere between $15 million and $30 million to renovate that facility. A storm knocked the data center offline for about two weeks back around 2011. That opened some eyes.

We had to recognize that our job is to serve our citizens and residents and to do that as efficiently and effectively as possible, but we’re not necessarily the experts in managing facilities, especially data center facilities. A lot of times, it’s better if we find a partner. That preparation also helped us respond rapidly to the increased demand for online and digitized services.

We started to recognize the level of investment that cloud providers make in their data centers, their infrastructures, their policies and their procedures. They spend more on securing their environments than the state can. 

EXPLORE: How local governments can combine technology and values to effect change.

STATETECH: Last year, Arizona established a new cybersecurity command center. What are some of its capabilities?

Sloan: The elements of the Cyber Command Center have been in place for a while, but this was really more investment to bring them together in one place. We understand that the best way to enhance cybersecurity is through rapid and transparent information sharing to protect assets. We’ve seen some very public and visible cases where cybersecurity issues have had real-world impacts. 

So, we had a need for the center to coordinate information sharing and to support all the right people watching various aspects of the state’s cybersecurity in one place, where they can easily communicate with one another and share information. That was an excellent investment to protect the state of Arizona and its citizens.

STATETECH: Can you provide perspective on the evolution of StateRAMP and its benefits? What do states gain?

Sloan: The reason we created AzRAMP goes back to our desire to gain the value, the agility and the availability of the cloud, and we want that business benefit for our agencies. 

But we have to do it in a way that’s secure and recognize that state data is now going into infrastructure providers or software service providers. The state is ultimately accountable for that data, but there is a shared responsibility between the state and our cloud providers to secure the data. How do we assess that cloud provider and understand their security posture and the controls they have in place? 

The good news is that the federal government had already recognized that problem. They stood up the FedRAMP program. We used the same model as FedRAMP, which is built on the NIST 800-53 security standard.

It’s unreasonable to force 10 to 20 respondents to an RFP to go through a full security assessment when only one of them is going to get the award. Instead, with AzRAMP and StateRAMP, we can look at the security requirements upfront so we don’t hold up the project and its execution. A vendor could go through StateRAMP certification, and it would be valid in multiple places. 

There are a lot of suppliers that we work with that aren’t on FedRAMP. They’ll never be on FedRAMP because the federal government isn’t their market. State and local government is their market. If there’s no security path for those folks to follow, we have a problem, right?

For me, it’s also a virtuous cycle as more states come on board, and more vendors are on board now, the ecosystem grows. It’s bringing to state and local agencies the same benefits that the FedRAMP program brings to the federal government. There is more transparency for stakeholders.

LEARN MORE: How smart cities are using video surveillance and data-sharing to improve traffic.

STATETECH: For priorities not yet discussed, what do you hope to achieve in the year ahead?

Sloan: We really want to grow and mature the digital experience in Arizona with a more unified approach. We’ve done a decent job of digitizing a lot of our services. But from a digital experience perspective, there’s still some variation in the quality of the experience. 

We’ll seek to move toward single sign-on for citizens so they can manage a single identity across agencies. We want to put as much control of privacy as possible back in the hands of our residents, so they can opt into what information they want to share. But we can be responsible and good stewards, offering additional services if they opt in.

aaa 1

Register