Depending on the mission, scope, location and type of data collected, state and local agencies must comply with a possibly confusing array of both data privacy laws and industryspecific regulations. Determining which regulations apply isn’t always easy. Here are some of the most common, along with guidelines for when they may apply:


FISMA (Federal Information Security Management Act): State agencies administering federal programs such as Medicare, for example, must meet this standard. FISMA defines a framework for protecting government information, assets, and operations.

FedRAMP: (Federal Risk and Authorization Management Program):

Many states require agencies using cloud services to insist on FedRAMP certification, and it’s encouraged by the GSA. FedRAMP is a government-wide program providing a standardized approach to assessing cloud security.