US state and local governments lean on public cloud to: 1) enable citizen service delivery and business agility; 2) fulfill scalability requirements; 3) drive down labor and infrastructure cost; and 4) resolve compliance and audit pressures. Most recently it has been used to power smart city, AI, and open data platforms. Today, there is no shortage of state and local examples: Delaware, Texas, California, Iowa, Michigan, Massachusetts, New York, North Carolina, the City of San Francisco, the City of Houston, the City of Baltimore, New York City Cyber Command, and others.
A central theme in most state and local government (SLG) cloud strategies is security and governance to ensure protection of data and resilience of critical systems. While many of the drivers for state and local cloud security and governance match or overlap the federal ones listed in our “Tackling Cloud Security: US Federal Edition” blog, state and local government presents unique challenges in the following areas.
SLG certification requirements go beyond federal ones. There are state-level security certifications that often go above and beyond FedRAMP. Many states need to certify every individual service that is enabled (for example AWS S3 and EBS) rather than the platform as a whole. There are also requirements for third-party monitoring (e.g., the New York Department of Financial Services’ (NYDFS) NY CRR 500 for third-party risk management and monitoring). Often, these monitoring requirements extend to employees, who may also be subject to other states’ regulations.
Agencies must harmonize state, federal, and foreign security controls. Data privacy has significant impacts on cloud security controls – especially on data protection. How you handle and protect subjects’ data in your state and how you handle subjects who are out of state may be governed by different regulations. When agencies deal with multi-state, business partner, or organizational clients and subjects, reconciling different states’ regulatory and data privacy requirements with one another and with federal and foreign jurisdictions’ mandates (for example California’s CCPA with Illinois’ BIPA or Massachusetts’ MIPSA law, plus the EU’s GDPR) is non-trivial.
Agencies must overcome higher levels of technical debt in state infrastructure. Based on anecdotal evidence, Forrester expects that security-related technical IT debt is generally higher with SLGs than at the federal level. Overcoming this debt – especially in the light of the above harmonization requirements – is expensive and time consuming.
Talent pressures are even greater than at the federal level. Not only may SLGs have lower budgets to staff IT management and cloud security operations, but the talent pool they can draw on is often much smaller than for federal agencies because of employee residency and physical office presence requirements. Many state and local groups also struggle with unions, unified job titles that fail to describe the work, and pay grade limitations.
To overcome the above challenges, Forrester recommends that SLGs:
Factor unique, locally applicable requirements into their cloud security strategy. Talent pool size, connectivity bandwidth restrictions, and the point-of-presence availability of major cloud service providers’ government zones all shape SLGs’ cloud security strategies. SLGs have to tailor their cloud adoption, governance, and security strategies to meet state-specific compliance requirements while continually performing a reality check on budgeting and operations.
Use locally available vendors and service providers. SLGs should opt to work with service providers that have a proven track record of meeting state-specific regulatory requirements by offering products and services that do not excessively depend on out-of-state labor. Many cloud providers are certified against the state requirements of large states like California and Texas, but you may find the list of pre-certified services more limited in smaller states.
Build on federal government certifications. To the greatest extent possible, SLGs should not reinvent the wheel when it comes to new certifications. Find ways to build on and harmonize with federal requirements (FedRAMP, NIST) as well as industry requirements (HIPAA, PCI-DSS, ISO 27001, SOC 2 Type 2/SOC 3) to meet state and local security, data protection, and privacy mandates. This keeps your contracting and technology options more open, so that you can focus on what you are doing with the technology and on how your team is securing applications in the cloud.
Collaborate across jurisdictions. We have seen interagency collaboration in the federal government overcome resource constraints. In some creative instances, open-source communities provide an avenue for collaboration between jurisdictions that is free of political and bureaucratic hurdles. SLGs should engage with both peer governments and the broader open-source ecosystem to share best practices, collectively address vulnerabilities, and implement proven, SLG-ready solutions without large capital expenditures.