Technology Letter 23-03October 2023
Update To Cloud Computing Policy – Cloud Smart
Government Code sections 11545, 11546
State Administrative Manual (SAM) sections 4819.2, 4819.34, 4906, 4981.1, 4982.1, 4983, 4983.1, 5100, 5305.5, 5305.7, 5305.8, 5325.1, 5340, 5350.1.
Statewide Information Management Manual (SIMM) sections 18B, 71B, 140, 141, 5300-A, 5305-A, B, C, 5310-A, B, C, 5315-B, 5325-A, B, 5330-A, B, C, D, E, 5340-A, C, 5360-B
Technology Letter 23-03 supersedes 17-06
The California Department of Technology issued its first Cloud Computing policy in 2014, enabling government to deliver greater value by expanding access to underlying technologies that are transparent, ubiquitous, and interchangeable. The Cloud Computing policy granted Agencies/state entities broad authority to adopt cloud solutions provided through the California Department of Technology (CDT). Policy revisions were made in 2016 adding direction for productivity solutions for Software as a Service (SaaS), and in 2017 adding Infrastructure (IaaS) and Platform (PaaS) as a Service.
In 2019, the federal government developed a long-term strategy to support agencies, achieve additional savings, enhance security, and deliver faster services. This new California Cloud Computing – Cloud Smart policy aligns with three key pillars of successful cloud adoption identified in that strategy:
1. Security – Modernize security policies to focus on risk-based decision making, automation, and moving protections closer to data.
2. Procurement – Improve the ability of agencies and departments to purchase cloud solutions through repeatable practices and sharing knowledge.
3. Workforce – Recruit, retain and upskill key talent for cybersecurity, acquisition, and cloud engineering.
In addition, the Cloud Computing policy aligns the target architecture for the state’s cloud readiness in accordance with the department’s authority under Government Code section 11545.
Cloud Target Architecture – Develop a framework for planning, assigning resources, and streamlining activities to reach a desired state of cloud architecture.
The purpose of this Technology Letter (TL) is to announce updates to the Cloud Computing Policy under the Statewide Administrative Manual (SAM) 4983.1 and introduce the California Cloud Smart Strategy.
- Agencies/state entities must first consider CDT Managed Cloud Services or CDT approved cloud service offerings.
- Agencies/state entities must acquire all IaaS and PaaS solutions and services through CDT or approved through exemption.
- Agencies/state entities planning to utilize commercial and/or government cloud services must submit documentation to CDT that demonstrates planned cloud architecture, workforce, procurement, information assets, and security compliance.
- Agencies/state entities should reference the new State Information Management Manual (SIMM) 141 California Cloud Services Assessment Guide, to request new or additional accounts and services to a commercial and/or government cloud.
- Agencies/state entities requiring SaaS must utilize CDT state service offerings or procure other commercially available SaaS products through the DGS where available in accordance with SIMM 71B Certification of Compliance with IT Policies.
- If an Agency/state entity is planning to utilize cloud services and determines that the use of a CDT provided cloud service solution is not feasible, they shall submit an exemption request to CDT for approval. The Cloud Computing Policy exemption process is defined in SIMM 18B.
Questions about this Technology Letter may be sent to the Department of Technology at Californiacloudservices@state.ca.gov.
Liana Bailey-Crimmins, Director
California Department of Technology