CLOUD COMPUTING POLICY - 4983.1

Purpose:

The Cloud Computing Policy outlines the guidelines and procedures for the appropriate and secure use of cloud computing systems and resources within the State of California. It applies to all Agencies/state entities employees, contractors, and authorized users who access, use, or manage cloud services on behalf of their organization. The policy aims to ensure the confidentiality, integrity, and availability of State data and resources in the cloud environment.

Scope:

As part of the Cloud Computing policy, each Agency/state entity shall:

1. Identify and define the cloud computing technical and security requirements for all IT modernization, enhancement, and workload migration efforts.

2. Identify a cloud service model, e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), or Platform as a Service (PaaS) whenever a feasible and cost-effective solution is available.

3. The use of cloud services must be consistent with the factors described in SAM 4981.1 Technical Considerations. In addition, the following shall be considered:

   1. Data classification (e.g., public, private, internal, confidential, restricted) of information assets

   2. Host location (e.g., on-premises, off-premises, hybrid, or multi-cloud)

   3. Target architecture

   4. Security, monitoring, and recovery

   5. Exit strategy

   6. Personnel resources

   7. Total Cost of Ownership (TCO)

   8. Procurement

   9. Cloud Readiness

4. INFRASTRUCTURE AS A SERVICE (IAAS) AND PLATFORM AS A SERVICE (PAAS)

   1. Must consider IaaS and PaaS as an alternative solution for new, expansion, or refresh initiatives.

   2. If IaaS or PaaS solutions are not available through the California Department of Technology (CDT), CDT will partner with the Department of General Services (DGS) to determine the best procurement method.

5. SOFTWARE AS A SERVICE (SAAS)

   1. Use SaaS solution(s) provided through CDT state service offerings (including email*) or through DGS’ Software Licensing Program (SLP), when implementing commercial and/or government SaaS cloud computing solutions.

      *Per Government Code Section 11546.3, all Agencies/state entities within the executive branch that are under the direct authority of the Governor must consolidate to the state’s shared e-mail solution.

   2. If required SaaS solutions are not provided through CDT, Agencies/state entities may acquire other commercial and/or government SaaS solutions through DGS.

6. DATA CLASSIFICATION & INFORMATION ASSETS

   1. Conduct categorization and classification of information assets following the Federal Information Processing Standards (FIPS) Publication 199, as required by the State Administration Manual (SAM) 5305.5 Information Asset Management policy.

   2. Based on data classification pursuant to SAM 5305.5, ensure compliance with relevant security provisions including, but not limited to those in the California Information Practices Act (Civil Code Section 1798 et seq,), Confidentiality of Medical Information Act (Civil Code Sections 56 through 56.07), Internal Revenue Service (IRS) Publication 1075, Social Security Administration (SSA) Electronic Information Exchange Security Requirements, Payment Card Industry Data Security Standard (PCI DSS) including the PCI DSS Cloud Computing Guidelines, Health Insurance Portability and Accountability Act (HIPAA) Security Rule, Health Information Technology for Economic and Clinical Health (HITECH) Act, and Criminal Justice Information Services (CJIS) Security Policy.

7. ARCHITECTURE

   1. Cloud solution architecture and design documentation must be provided to CDT at the network, system, infrastructure, application, interface, and data layers.

   2. Cloud computing architecture illustration examples can be found in the SIMM 141 California Cloud Services Assessment Guide.

8. SECURITY

   1. Reference SIMM 140 Cloud Security Guide to verify security controls and continuous security requirements.

   2. Ensure compliance with a System Security Plan per the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Additionally, a condensed Cloud System Security Plan (CSSP) template is available on CDT's Security Operations Center (SOC) website to aid entities with documenting their system security posture.

   3. Ensure compliance with the security provisions of the SAM (Chapters 5100 and 5300) and the SIMM (Sections 5300-A, 5305-A, 5310-A and B, 5315-B, 5325-A and B, 5330-A, B, and C, 5340-A, B and C, 5360-B).

   4. Ensure that the commercial and/or government cloud service provider’s Standards for Attestation Engagements (SSAE) No.18 Service Organization Control (SOC) 2 Type II report along with the cloud service provider’s plan to correct any negative findings is available to the Agency/state entity. Other equivalent attestation such as FedRAMP and/or StateRAMP may also be used for attestation SIMM (Section 5325).

   5. Ensure that all confidential, sensitive or personal information is encrypted in accordance with SAM 5350.1 and SIMM 5305-A, and at the necessary level of encryption for the data classification pursuant to SAM 5305.5.

   6. Ensure cloud service agreements include the state contracting provisions and specific to the type of service being procured, and all written agreements with cloud service providers address SAM 5305.8 provisions for agreements with state and non-state entities.

   7. Ensure that the physical location of the data center, where the data is stored, is within the continental United States, and remote access to data from outside the continental United States is prohibited unless approved in advance by the State Chief Information Security Officer, with a risk assessment completed and with risk acceptance with documented mitigation measures approved by the data owner.

   8. Maintain an effective incident response and mitigation capability for security and privacy incidents in accordance with SAM 5340. Report suspected and actual security incidents in accordance with the criteria and procedures set forth in SIMM 5340-A and other applicable laws and regulations.

   9. Ensure Zero Trust Architecture (ZTA) is in place following the Cybersecurity and Infrastructure Security Agency (CISA) CISA ZTA Maturity Model (April 2023) at the “Initial” baseline for Identities, Devices, Network, Applications/Workloads, and Data. ZTA is following the NIST Special Publication (SP) 800-207.

   10. Any ZTA gaps must be documented, and remediation progress tracked in the entity’s SIMM 5305-C, Risk Register and Plan of Action and Milestones (RRPOAM) quarterly submission.

   11. Enrollment in CDT’s Security Operations Center (SOC) monitoring services for all IaaS and PaaS cloud services is required unless the entity has an approved CDT SOC exemption.

   12. Develop a Business Impact Assessment, Recovery Point Objectives (RPO), and Recovery Time Objectives (RTO) documentation for the hosted system and in support of Technology Recovery Plan (TRP) development required by SAM 5325.1.

   13. Document the system security controls via the California Compliance and Security Incident Reporting System (Cal-CSIRS) risk assessment module.

9. EXIT STRATEGY

   1. Identify an exit strategy for IT solutions that utilizes a commercial and/or government cloud service.

   2. The exit strategy must include the Agency’s/state entity’s ability to export data in pre-defined formats and maintain, when needed, a current backup of the data in the Agency/state entity’s designated Tier III- equivalent data center facility.

   3. Designated data center facilities must be unrelated to the cloud provider; data center assignments are described in SAM 4982.1 Data Center Consolidation and Determination of Agency-Data Center Assignments.

10. IT PERSONNEL/WORKFORCE

    1. Identify internal state personnel who will implement, configure, and maintain the cloud software and/or environments.

    2. Determine if staff training is needed.

    3. Determine if contract personnel will be needed to augment state staff. Utilize the Government Code (GC) 19130 Personal Services request process if required.

11. TOTAL COST OF OWNERSHIP (TCO)

    1. The total cost of ownership should include, but not limited to infrastructure costs, data transfer costs, licensing costs, operational costs, support costs, downtime costs, data storage costs, data processing costs, security costs, migration costs, training costs, compliance costs, optimization costs, project costs, and oversight costs.

12. PROCUREMENT

    1. Utilize existing CDT IaaS and PaaS services provided through the California Department of Technology (CDT)

    2. Utilize existing CDT services or partner with CDT/DGS to determine the best procurement method.

    3. Use commercially available SaaS services provided through CDT for office productivity tools including the state shared email solution.

    4. Agencies/state entities requesting use of other commercially available SaaS solutions must procure through the Department of General Services.

    5. Departments must ensure compliance with the State Contracting Manual when procuring additional products and services available in cloud online Marketplaces. When possible, additional products and services should be procured through department procurement offices to ensure purchasing regulations and requirements are met. Negotiated contract pricing is not applicable to Marketplace products and services.

13. DELEGATED AUTHORITY/EXEMPTION

    1. Agencies/state entities who consistently demonstrate cloud readiness, may request delegated authority from CDT.

    2. If it is determined the use of a CDT managed or approved cloud service offering is not feasible, a cloud computing exemption must be obtained. The Cloud Computing Exemption request is defined in SIMM 18B.

14. CLOUD READINESS

    1. Reference SIMM 141 Cloud Computing Readiness Assessment Guide.

    2. Consult with CDT Cloud Services.

15. SUBMITTING A CLOUD SERVICE REQUEST

1. Cloud Requests are submitted to CDT’s IT Service Portal.``