California Cloud Services Assessment

Description

CDT has developed an update to the Cloud Computing Policy, a Cloud Smart strategy, which leverages modern technology and practices created to deliver the full potential of cloud computing, driving digital transformation to achieve improved operational efficiency, agility, and innovation.

To ensure alignment with this strategy, CDT has implemented a California Cloud Services Assessment to validate security, cloud architecture, workforce, and procurement requirements. This process will be applicable to Agencies and/or state entities that plan to either introduce new systems, or modify and migrate existing systems into the cloud. The assessment scope extends to both commercial and government clouds provided in Off-Premises Cloud Services. Details on the process to complete the assessment will be in California Cloud Services Assessment Guidelines (SIMM 141). Upon assessment approval, the Agency/State entity may proceed with their Cloud implementation.

Access CDT’s CloudSmart Playbook.

Security

Cloud Architecture

Cloud Architecture

Workforce Dev

Workforce Development

Procurement

Procurement

Security Benefits

The State of California validation for:

  • A current Technology Recovery Plan (TRP) with systems, Business Impact Assessment (BIA), Recovery Time
  • Objectives (RTO), and a Recovery Point Objectives (RPO)
  • Alignment to/with:
    • Cloud Security Standard (SIMM 5315-B)
    • Cloud Security Guide (SIMM 140)
    • Cal-Secure goals & technical capabilities
    • NIST 800-207 Zero Trust Architecture
    • Security Risk Assessment requirements (SAM 5305.7)
    • Security Data Classification Assessment requirements (SAM 5305.5)
    • Security Privacy Impact Analysis requirements (SAM 5310.8)

Required Documentation

The following documents are required to be uploaded to the CDT Secure Automated File Exchange (SAFE) Account:

CDT Secure Automated File Exchange (SAFE) Account

  1. California Cloud Services Assessment Questionnaire

  2. Classification Categorization Form – System Classification (FIPS 199)

  3. Cloud Alternative Analysis

  4. Cloud Architecture & Network Diagram

  5. Cloud System Security Plan (CSSP)

  6. Organizational Chart of Cloud-related Staffing

  7. Privacy Threshold and Impact Analysis (SIMM 5310-C)

  8. Well-Architected Framework Assessment or Equivalent from Cloud Provider (if you already have a cloud account)

Roles & Responsibilities

RoleCDTCustomer
Gather all relevant required documentation and information.X
Complete a Case/Request and answer all questions.X
Submit all required documentation through the CDT Secure Automated File Exchange (SAFE) service.X
Ensure technical Subject Matter Experts (SMEs) are available for follow up questions related to security and architecture.X
Review for verification of cloud readiness.X
Submit revised documentation and information upon request.X
Complete status updates in Case/Request in the CDT IT Service Portal.X

Request Service

Off-Premises Cloud Services requires completion of a California Cloud Services Assessment in alignment with Cloud Computing Policy (TL 23-03).

California Cloud Services Assessment ProcessLink
STEP 1 – Review California Cloud Services Assessment Guidelines (SIMM 141).California Cloud Services Assessment Guide (SIMM 141)
STEP 2 – Complete the Off-Premises Cloud Services request.Off-Premises Cloud Services

Questions regarding submitting a request can be directed to your Account Lead.

Questions about completing the Cloud System Security Plan can be directed to the Office of Information Security Advisory Team at ciooisadvisoryservices@state.ca.gov.

Service Level Objectives

From the date all documents are submitted and determined by CDT to be complete, the assessment will conclude in no more than 14 business days.

Dependencies:

  • A meeting or consultation may be necessary to discuss architectural questions.
  • If required documentation is not submitted to the CDT Secure Automated File Exchange (SAFE) service or missing, CDT will request additional documentation, which will extend the review period.
  • If required documentation is not submitted the request will be closed in thirty (30) days from the original Case/Request submission date.

FAQs

Why is CDT implementing this new assessment process?

CDT is statutorily tasked with protecting the state’s technology investment and mitigating risks. Gathering data as customers come through the assessment will help us understand the technology portfolio in the cloud and ensure that standards, protocols, and security measures are being taken and also identify potential blind spots in our cybersecurity posturing. Overall, it will give CDT visibility into the environments for the state’s critical data and services.

Workforce is another driver, as we have seen customers adopt or migrate to the cloud but are not fully prepared to support that and have to have vendors operate on their behalf, inconsistent with GC19130.

We are resetting Cloud First expectation of migrating/building workloads and establishing a cloud smart strategy to review and ensure cloud is the best solution for certain workloads. If you are planning to modernize a current system, or build a new one, your environment is going to change and there are benefits, features, and functionalities that CDT can help you select, as well as review the readiness for customers to move to cloud, suggest the appropriate cloud environment that fits your requirements. By consulting with CDT to understand the business drivers of building or migration to cloud, we can explore different scenarios for your environment so you can take advantage of the great benefits and features the cloud offers.

What cloud account requests are covered in this assessment process?

As specified by TL 23-03 Update to Cloud Computing Policy – Cloud Smart, all new systems and/or existing applications being modified/migrated to the cloud, are subject to this assessment process. Engagement with customers around existing services will be included in Phase 2, beginning around Spring of 2024.

For existing cloud customers, what is considered a modification to an existing system? What conditions can trigger an assessment?

Any type of major architectural changes, changes to data classifications, expanding services where it will have a significant impact on other ancillary, feeder, or downstream systems, or if it is public facing will all trigger the CCSA review. Examples of systems/environments include, but are not limited to, AWS Accounts, Azure Account Owner/Subscriptions, Google Project, Oracle (OCI) Tenant, etc.

If there are no changes to previously submitted documentation, workforce, or architecture, then the CCSA process may not be required. For additional guidance, please contact your Account Lead.

Are updated architecture diagrams required when changes are made? If so, what is the timeframe for which they will need to be submitted?

Engagement with customers around existing services will be included in Phase 2, beginning around Spring of 2024. Please connect with your Account Lead if you need CDT assistance in preparing a diagram to be ready for the effective date.

Does the CCSA apply to cloud accounts or individual solutions hosted in the cloud accounts?

The CCSA applies to each system or solution that is hosted in your cloud account.

Do departments have to follow the California Cloud Services Assessment (CCSA) process for account inquiries or modifications?

Customers requesting information about existing cloud services or requesting modifications to account users should utilize the Off-Premises Cloud User Maintenance catalog item.

How do I initiate the CCSA? Is there a form?

Review the California Cloud Services Assessment webpage for requirements and instructions. Initiation of the CCSA has been integrated within the existing Off-Premises Cloud Services Request catalog item in the CDT IT Service Portal.

Is the 14-business days review time an SLA from CDT? Will the 14-business days start over for each review cycle?

It is a Service Level Objective (SLO), contingent upon complete documentation and timely response from customers on any questions.

CDT does not anticipate follow-up reviews. Each review will be for a new account or change to cloud. The 14-business days will restart if there is incomplete or missing documentation in the request.

What if assistance is needed to complete the required documentation?

Questions about the overall process and submitting a request can be directed to your Account Lead. Questions about completing the Cloud System Security Plan can be directed to the Office of Information Security Advisory Team at ciooisadvisoryservices@state.ca.gov.

Will Managed Cloud Services be subject to the California Cloud Assessment?

Managed Cloud Services is exempt from the cloud assessment, TL 23-03 requirements will be met by CDT as the service provider.

What is the cost for the CCSA process?

There is currently no cost associated with the CCSA process. Any future costs will be published in CDT’s service rates catalog.

How does this process align with the CDT Project Approval Lifecycle (PAL) Process?

Customers will initiate the CCSA either during stage 2 or stage 3, depending on the type of procurement. Once a solution is identified and the architectural planning is underway, the customer should initiate the CCSA process. The CCSA review team will coordinate with CA-PMO.

Does the CCSA apply to initiatives that fall below the threshold for CDT oversight or PAL?

All IaaS and PaaS Off-Prem Cloud Service requests will be required to follow the CCSA. CDT’s CAMC services are not subject to the CCSA.

How will guidance be provided to Agencies/State entities for implementation of Zero Trust Architecture?

Questions regarding Zero Trust Architecture and implementation may be directed to Office of Information Security Advisory Services at ciooisadvisoryservices@state.ca.gov.

How will status of the Cloud Assessment be communicated?

You may check status of the request in the CDT IT Service Portal or contact your Account Lead.

What if my Agency/state entity does not have a CDT Secure Automated File Exchange (SAFE) Account?

First check with your Department ISO, as your department may likely already have an account. If a new account is needed, you may contact the Office of Information Security at security@state.ca.gov. It will take approximately 1-2 days to complete.

What additional or modified audits will be conducted? Will they be security or architectural related? What is the frequency?

In addition to existing security audits, periodic configuration, service health checks, and compliance inspections will be conducted. Health checks evaluate the operational efficiency, robustness, and security of a cloud system and can also help identify potential risks of current cloud architecture.

Does the CCSA apply to FedRAMP compliant cloud providers?

Yes, CCSA is required for all requests except CDT Managed Cloud (CAMC) services.

What is my Account Code (required to submit CCSA request)?

Each Department is assigned one (or more) account billing codes. If you do not know your department’s Account Code, contact your Account Lead.

Where can I find a list of CDT’s approved cloud services?

CDT approved cloud services: https://cdt.ca.gov/services/cloud-services/.

Will training be offered on the request process in a portal format such as CalLearns?

At this time, detailed instructions on the CCSA request process can be found in SIMM 141 California Cloud Services Assessment Guide. Additional training and guidance will be available to state employees via forums and regular communication from CDT.

Customers can review knowledge articles specific to the request processes: CDT IT Service Portal.

What cloud elements will require SOCaaS monitoring?

Security Operations Center as a Service (SOCaaS) is mandatory for all state departments. Per SIMM 141, all pre-existing IaaS and PaaS cloud implementations but be subscribed by June 30, 2025. Please review the CDT Security Operations Center webpage for service details.

What are the costs for SOCaaS?

As of June 1, 2023, log ingestion and retention costs will be incurred by the customer. There is no additional cost for SOCaaS monitoring and alerting. Visit https://cdt.ca.gov/services/security-operations-center-as-a-service-socaas/ to learn more about services.

Is there an exemption to SOCaaS?

Agencies/state entities with existing monitoring services can work with CDT’s Office of Information Security on a case-by-case basis, to determine monitoring needs, requirements, and exemptions. Contact your Account Lead to initiate this process.

What if my Agency/state entity uses a department monitoring system?

All new or additional accounts and services to a commercial and/or government cloud service must use SOCaaS. Please initiate the Security Operation Center as a Service (SOCaaS) onboarding process by completing the Intake Form prior to completing the service request for Off Premises Cloud Services.

Do the TRPs need to be updated upon release of the TL?

This is already an existing requirement and has not changed. TRPs will be validated during the California Cloud Assessment. If state entity is not planning to submit a CCSA request for new services, they should ensure the TRP is updated per existing SAM requirements.

Technology Recovery Plans (TRP) are updated annually, so new initiatives may not be captured.

TRPs are an existing requirement and should address current systems, not planned systems. As per the current process, TRPs should be updated to include new systems, once implemented.

Can services be procured through Cloud Service Provider Marketplaces?

Departments must ensure compliance with the State Contracting Manual when procuring additional products and services available in cloud online Marketplaces. When possible, additional products and services should be procured through department procurement offices to ensure purchasing regulations and requirements are met. Negotiated contract pricing is not applicable to Marketplace products and services and IaaS or PaaS services are recommended to be procured through CDT’s negotiated contracts.

Are exemptions allowed for special circumstances?

There are no exemptions to the CCSA review process. If CDT’s Cloud service offerings do not satisfy requirements, a Cloud Exemption Request (SIMM 18B) may be submitted, following existing processes. As we progress, CDT will be considering a delegated authority type of approach, whereas when a department demonstrates they are successfully meeting the policies and requirements to migrate workloads into the cloud, CDT may no longer need to have the documents submitted to us. From there, it will be periodic assessments, similar to the California Department of Military audits, to ensure the solutions and systems are maintained over time.

Is a CCSA required for cloud service variants (e.g., aPaaS and iPaaS)?

Contact your Account Lead to initiate discussions and prior to submitting through the CCSA process. CDT SMEs can help determine requirements for aPaaS and iPaaS on a case-by-case basis.

Does the CCSA apply to Storage as a Service (STaaS) requests?

If utilizing CDT’s On-Prem STaaS, requests would not go through assessment. If using CDT’s off-prem cloud contract, CCSA applies.

Are Software as a Service (SaaS) requests required to go through the CCSA??

Currently, only requests for Off-Prem IaaS and PaaS solutions require the CCSA. CDT will begin integrating SaaS services in the CCSA process towards the end of 2024.

Is an exemption from CDT required to utilize other commercially available SaaS solutions (DGS)?

An exemption from CDT is not required.

What SaaS Solutions must be procured through CDT?

Visit CDT’s SaaS catalog for a listing of solutions. At this time, all other SaaS products should be procured through the DGS procurement mechanisms.