
CDT to Offer Flexibility on FedRAMP

The California Department of Technology will cover changes to FedRAMP options at tomorrow's forum.

California’s Department of Technology (CDT) is holding its spring vendor forum Wednesday, and the topics will cover a wide swath of interest in the IT community:

  • Technology procurements, terms and conditions
  • Statewide IT procurement
  • Statewide Project Approval Lifecycle (PAL)
  • CalNET
  • Cloud exemption process
  • Cybersecurity

At last fall's forum, cybersecurity, especially around FedRAMP requirements, was a focus, as state CIO Amy Tong and Deputy CIO Chris Cruz announced that FedRAMP moderate could become an option for infrastructure and platform services.

“We are coming out and will make an attempt to award in June for FedRAMP moderate cloud providers in the infrastructure-as-a-service and platform-as-a-service space,” Cruz told Techwire in a phone interview.

There was a recent bid with the state Department of General Services that looked for FedRAMP moderate infrastructure-as-a-service and platform-as-a-service providers, for those that do not need such high security requirements. This could make services more available to state entities that would not experience “severe or catastrophic adverse effect on the organization’s operations, assets or individuals” through data loss, according to CDT spokesman Bryce Brown.

“For infrastructure-as-a-service and platform-as-a-service, we obviously have FedRAMP high that we’re requiring right now for hosting because that gives us the highest level of security threshold in place,” Cruz said.

That threshold makes sure that all security requirements are met for protected health information (PHI), personally identifiable information (PII) and HIPAA (Health Insurance Portability and Accountability Act) compliance, which is backed by an authority-to-operate certificate. FedRAMP moderate includes 300 requirements, while FedRAMP high includes an additional 100. Not all PHI, PII and HIPAA information would fit into FedRAMP high, either, according to Brown.

“FedRAMP is that federal measure that we’re basically aligning our security requirements to say that if you’re going to bid as an infrastructure-as-a-service and platform-as-a-service cloud provider, you must have that FedRAMP high requirement,” Cruz said.

Since sensitive information is passing between a state entity and an external cloud provider, the security requirements are higher.

“And that’s on FedRAMP because that data is being hosted in the cloud,” Cruz said. “That necessitates a different kind of requirement. That requirement ensures that the interconnects through the state data center run through our Security Operations Center so we can monitor and do instant response and management of those tools, to monitor inbound and outbound traffic from the customer to that cloud provider.”

Separate from FedRAMP are the National Institute of Standards and Technology (NIST) requirements, but they are usually limited to software-as-a-service since data is maintained internally on software that has been installed or licensed.

“What we use here in the state for software-as-a-service is a requirement around NIST 800-171,” Cruz said. “That is a NIST requirement for software-as-a-service only.”

DGS is finalizing an agreement across the state that requires NIST 800-171 for software-as-a-service.

Wednesday's vendor forum is at 1:30 p.m. at the California Lottery, 700 N. 10th St., Sacramento. Registration, if space is still available, can be done here.

Kayla Nick-Kearney was a staff writer for Techwire from March 2017 through January 2019.