Procurement Guide Offers Best Practices for Moving to Cloud

With a seemingly never-ending list of data breaches, ransomware attacks, and network vulnerabilities that threaten sensitive constituent data, how can state and local governments securely execute leadership plans to move more data into cloud computing environments?

Many governments that struggle with attracting and maintaining tech talent want to move more services to the cloud for support reasons. Others are seeking ease of use, help with computer system management tasks, more flexibility, lower costs, legacy system migrations, or have other reasons for wanting to gain the benefits of scale and global expertise that cloud computing environments can offer.

However, government leaders often struggle to grasp how data migrations to the cloud can be implemented securely.

Further, the procurement hurdles and security clauses needed to ensure compliance with a wide range of legal and regulatory requirements can become overwhelming.

So here’s some good news: The Center for Digital Government (CDG)* has just released a very helpful publication entitled Best Practice Guide for Cloud and As-A-Service Procurements.

Here’s an outline of what the new 150-page guide covers:

Executive Summary
Introduction
Specific Models and Understanding Cloud Procurement
    Service Models
    Data
    Breach Notification
    Personnel
    Security
    Encryption
    Audits, Third Party Assessments and Continuous Monitoring
    Operations
    Hybrid Cloud Environments
    Preparation for Migrating Workloads to the Cloud
Conclusion
Workgroup Members and Contributors
Appendix 1: Model Terms and Conditions Templates; Appendix 2: Service Level Agreement; Appendix 3: Key Contact Information; Appendix 4: Guiding Principles; Appendix 5: Procurement Approaches; Appendix 6: Glossary; Appendix 7: Clause Comparison Matrix; Appendix 8: Aligning Procurement with Risk Authorization and Management; Appendix 9: Risk and Authorization Management Program (RAMP) Checklist
Expert Spotlights on Companies: Amazon Web Services, Citrix, Knowledge Services, VMware
Endnotes

PROCUREMENT GUIDE OVERVIEW

On March 6, Adam Stone wrote this excellent guide overview, which I want to highlight. Here is how he begins:

“In 2014 the Center for Digital Government (CDG) produced its first cloud procurement guide to help state and local governments standardize cloud purchasing. A 2016 revision made it even easier for them to buy hosted software, infrastructure and platforms. ‘Since then, the cloud landscape has changed dramatically, both in terms of infrastructure in the cloud, and also in terms of buying applications as a service,’ said Center for Digital Government Executive Director Teri Takai.”

“‘States have accelerated cloud adoption, partly as a path to modernization and partly in response to the new requirements that emerged during the pandemic,’ said Arizona CIO J.R. Sloan, who helped craft the revision. ‘Arizona, and I think every other state in the U.S., has significantly increased its adoption of cloud services,’ he said.”

WHO WAS INVOLVED?

CDG convened a virtual work group that included representatives from six states (Arizona, Georgia, North Carolina, Massachusetts, Michigan and Texas) as well as the county of Sacramento, Calif., and three city governments: New York, New Orleans and Detroit. Industry representatives included Amazon Web Services, Knowledge Services, VMware and Citrix.

I really like the spotlight interviews at the end of the guide, and I highly recommend you read through those. Here is one small excerpt from Joe Bielawski, president of Knowledge Services and a founding member of the nonprofit StateRAMP.


Q: How have procurement policies for cloud evolved in recent years?

Joe: State and local governments have acknowledged that security risks are increasing every day. Procurement provisions related to cloud have evolved to require attestation that a provider meets security policies, disclosure of security incidents and increasing amounts of cyber insurance.


In particular, cyber insurance requirements have reached the point where we’ve seen vendors unable to obtain a policy large enough to comply. It’s not just about cost; some insurance companies are no longer underwriting cyber policies. As it becomes more difficult to obtain cyber insurance, preventative measures become even more important. The next evolution we are seeing in cloud procurement policies is a shift away from accepting self-attestation of a product’s security posture toward a verification model, such as StateRAMP.


Q: What are the biggest barriers to effective cloud procurement?

Joe: Governments have deep experience in procurement. However, most government procurement organizations don’t have the depth of experience or budget to support cybersecurity expertise. There’s work to be done in standardizing and simplifying procurements. And there’s the need for abundant yet confidential cyber transparency; without it, governments can’t say whether a vendor meets their security requirements. That adds costs, creates an uneven playing field, and puts constituents and governments at risk.


Q: What are the greatest benefits of StateRAMP for governments and vendors?

Joe: It comes down to cost and procurement efficiencies. Procurement teams are not staffed with cybersecurity experts to perform continuous security monitoring. Government IT and information security teams don’t have the resources for this either; they’re focused on battening down their own applications, data centers and physical spaces.


For solution providers, there’s also a cost; every government regulation carries a cost. What we are trying to do with StateRAMP is bring verification transparency and standardization to cloud procurement, which are the critical components to reducing the cost of continuous security monitoring and increasing speed to award.


Q: What do solid risk management programs look like?

Joe: FedRAMP established a model for a solid risk management program. StateRAMP’s governing committees leverage the work of FedRAMP to incorporate the best practices and chief characteristics that include independent audits, continuous security monitoring and NIST-based standards.

FINAL THOUGHTS

I think this guide is a “must-read” for serious government technology and cybersecurity leaders.

I am often asked what factors need to go into a secure cloud environment and what are the elements of people, processes and technology. While this guide does not even try to cover all of those pieces, it does a great job of addressing many of the people and process issues associated with state government procurements and ongoing contract management and programs.

As I have said many times, the technology piece is not the hardest part; it is doing all the things listed in this procurement guide, and doing them well, that is more challenging.


*The Center for Digital Government is part of e.Republic, Government Technology’s parent company.
