The new CalCloud will pair non-private cloud for nonconfidential information with private cloud that is hosted on-premise at the Statewide Data Center.
The Department of Technology has acted as a broker for different cloud services, responding to state customer demands.
This includes changing the security standards for different kinds of “as-a-service” offerings.
Chief Deputy Director Chris Cruz made an effort to dispel concerns about the security compliance requirements at the California Vendors Forum in October.
“FedRAMP only applies to infrastructure and platform as a service,” Cruz said.
For CalCloud 3.0, FedRAMP High will apply only to Infrastructure-as-a-Service and Platform-as-a-Service offerings. All Software-as-a-Service (SaaS) offerings must instead comply with National Institute of Standards and Technology (NIST) 800-171 and SOC 2 Type 2.
While NIST for SaaS is “business as usual,” FedRAMP certification will only be required under one Authority to Operate issued by a federal sponsoring entity, Cruz explained in a “separating myth from fact” presentation at the Forum.
“We want to make the Department of Technology part of the vetting process (for vendors) so you can be sure that those requirements are consistent and complementary for our state plans,” Cruz said.
Knowing NIST and FedRAMP requirements up front will stop contractors from struggling to become compliant and then partnering with subcontractors who do not match state standards, Chief Information Security Officer Peter Liebert said at the California Vendors Forum.
“This policy, of moderate level, NIST Moderate is the baseline for all state entities out there; it’s only by exception for low,” Liebert said. “FedRAMP is the only one who really is linked to NIST that will give us the risk assessment assuring that their security is equivalent to ours.”
Liebert said the state is trying to accelerate the FedRAMP certification.
“Modernization is not easy but we’re going to make fluctuations and be flexible when necessary,” Cruz said.
