Procurement Guide Offers Best Practices for Moving to Cloud

March 12, 2023 • 

Many governments that struggle with attracting and maintaining tech talent want to move more services to the cloud for support reasons. Others are seeking ease of use, help with computer system management tasks, more flexibility, lower costs, legacy system migrations or have other reasons for wanting to gain the benefits of scale and global expertise that cloud computing environments can offer.

However, government leaders often struggle to grasp how data migrations to the cloud can be implemented securely.

Further, the procurement hurdles and security clauses needed to ensure compliance with a wide range of legal and regulatory requirements can become overwhelming.

So here’s some good news: The Center for Digital Government (CDG)* has just released a very helpful publication entitled Best Practice Guide for Cloud and As-A-Service Procurements.

Here’s an outline of what the new 150-page guide covers:

Executive Summary
Introduction
Specific Models and Understanding Cloud Procurement
– Service Models
– Data
– Breach Notification
– Personnel
– Security
– Encryption
– Audits, Third Party Assessments and Continuous Monitoring
– Operations
– Hybrid Cloud Environments
– Preparation for Migrating Workloads to the Cloud
Conclusion
Workgroup Members and Contributors Appendix 1: Model Terms and Conditions Templates; Appendix 2: Service Level Agreement; Appendix 3: Key Contact Information; Appendix 4: Guiding Principles; Appendix 5: Procurement Approaches; Appendix 6: Glossary; Appendix 7: Clause Comparison Matrix; Appendix 8: Aligning Procurement with Risk Authorization and Management; Appendix 9: Risk and Authorization Management Program (RAMP) Checklist

Expert Spotlights on Companies: Amazon Web Services – Citrix – Knowledge Services – VMware

Endnotes

PROCUREMENT GUIDE OVERVIEW

On March 6, Adam Stone wrote this excellent guide overview, which I want to highlight. Here is how he begins:

“In 2014 the Center for Digital Government (CDG) produced its first cloud procurement guide to help state and local governments standardize cloud purchasing. A 2016 revision made it even easier for them to buy hosted software, infrastructure and platforms. ‘Since then, the cloud landscape has changed dramatically ‘both in terms of infrastructure in the cloud, and also in terms of buying applications as a service,’ said Center for Digital Government Executive Director Teri Takai.”

“States have accelerated cloud adoption, partly as a path to modernization and partly in response to the new requirements that emerged during the pandemic, said Arizona CIO J.R. Sloan, who helped craft the revision. ‘Arizona, and I think every other state in the U.S., has significantly increased its adoption of cloud services,’ he said.”

WHO WAS INVOLVED?

CDG convened a virtual work group that included representatives from six states — Arizona, Georgia, North Carolina, Massachusetts, Michigan and Texas — as well as the county of Sacramento, Calif., and three city governments: New York, New Orleans and Detroit. Industry representatives included Amazon Web Services, Knowledge Services, VMware and Citrix.

I really like the spotlight interviews at the end of the guide, and I highly recommend you read through those. Here is one small excerpt from Joe Bielawski, president of Knowledge Services and a founding member of the nonprofit StateRAMP.

Q: How have procurement policies for cloud evolved in recent years?
Joe: State and local governments have acknowledged that security risks are increasing every day. Procurement provisions related to cloud have evolved to require attestation that a provider meets security policies, disclosure of security incidents and increasing amounts of cyber insurance.

In particular, cyber insurance requirements have reached the point where we’ve seen vendors unable to obtain a policy large enough to comply. It’s not just about cost — some insurance companies are no longer underwriting cyber policies. As it becomes more difficult to obtain cyber insurance, preventative measures become even more important. The next evolution we are seeing in cloud procurement policies is a shift away from accepting self-attestation of a product’s security posture toward a verification model, such as StateRAMP.

Q: What are the biggest barriers to effective cloud procurement?
Joe: Governments have deep experience in procurement. However, most government procurement organizations don’t have the depth of experience or budget to support cybersecurity expertise. There’s work to be done in standardizing and simplifying procurements. And there’s the need for abundant yet confidential cyber transparency — without it, governments can’t say whether a vendor meets their security requirements. That adds costs, creates an uneven playing field, and puts constituents and governments at risk.

Q: What are the greatest benefits of StateRAMP for governments and vendors?
Joe: It comes down to cost and procurement efficiencies. Procurement teams are not staffed with cybersecurity experts to perform continuous security monitoring. Government IT and information security teams don’t have the resources for this either — they’re focused on battening down their own applications, data centers and physical spaces.

For solution providers, there’s also a cost; every government regulation carries a cost. What we are trying to do with StateRAMP is bring verification transparency and standardization to cloud procurement, which are the critical components to reducing the cost of continuous security monitoring and increasing speed to award.

Q: What do solid risk management programs look like?
Joe: FedRAMP established a model for a solid risk management program. StateRAMP’s governing committees leverage the work of FedRAMP to incorporate the best practices and chief characteristics that include independent audits, continuous security monitoring and NIST-based standards.

FINAL THOUGHTS

I think this guide is a “must-read” for serious government technology and cybersecurity leaders.

I am often asked what factors need to go into a secure cloud environment and what are the elements of people, processes and technology. While this guide does not even try to cover all of those pieces, it does a great job of addressing many of the people and process issues associated with state government procurements and ongoing contract management and programs.

As I have said many times, the technology piece is not the hardest part, it is doing all the things listed in this procurement guide — and doing them well — that is more challenging.

*The Center for Digital Government is part of e.Republic, Government Technology’s parent company.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.