California Cloud Services Assessment

Description

CDT has developed an update to the Cloud Computing Policy, a Cloud Smart strategy, which leverages modern technology and practices created to deliver the full potential of cloud computing, driving digital transformation to achieve improved operational efficiency, agility, and innovation.

To ensure alignment with this strategy, CDT has implemented a California Cloud Services Assessment to validate security, cloud architecture, workforce, and procurement requirements. This process will be applicable to Agencies and/or state entities that plan to either introduce new systems, or modify and migrate existing systems into the cloud. The assessment scope extends to both commercial and government clouds provided in Off-Premises Cloud Services. Details on the process to complete the assessment will be in California Cloud Services Assessment Guidelines (SIMM 141). Upon assessment approval, the Agency/State entity may proceed with their Cloud implementation.

Security Benefits

The State of California validation for:

  • A current Technology Recovery Plan (TRP) with systems, Business Impact Assessment (BIA), Recovery Time Objectives (RTO), and Recovery Point Objectives (RPO)
  • Alignment to/with:
    • Cloud Security Standard (SIMM 5315-B)
    • Cloud Security Guide (SIMM 140)
    • Cal-Secure goals & technical capabilities
    • NIST 800-207 Zero Trust Architecture
    • Security Risk Assessment requirements (SAM 5305.7)
    • Security Data Classification Assessment requirements (SAM 5305.5)
    • Security Privacy Impact Analysis requirements (SAM 5310.8)

Required Documentation

The following documents are required to be uploaded to the CDT Secure Automated File Exchange (SAFE) Account:

  1. California Cloud Services Assessment Questionnaire

  2. Classification Categorization Form – System Classification (FIPS 199)

  3. Cloud Alternative Analysis

  4. Cloud Architecture & Network Diagram

  5. Cloud System Security Plan (CSSP)

  6. Organizational Chart of Cloud-related Staffing

  7. Privacy Threshold and Impact Analysis (SIMM 5310-C)

  8. Well-Architected Framework Assessment or Equivalent from Cloud Provider (if you already have a cloud account)

Roles & Responsibilities

Role                                                                                                     CDT   Customer
Gather all relevant required documentation and information.                                                    X
Complete a Case/Request and answer all questions.                                                              X
Submit all required documentation through the CDT Secure Automated File Exchange (SAFE) service.               X
Ensure technical Subject Matter Experts (SMEs) are available for follow-up questions related to security and architecture.   X
Review for verification of cloud readiness.                                                              X
Submit revised documentation and information upon request.                                                     X
Complete status updates in Case/Request in the CDT IT Service Portal.                                    X

Request Service

Off-Premises Cloud Services requires completion of a California Cloud Services Assessment in alignment with Cloud Computing Policy (TL 23-03).

California Cloud Services Assessment Process:

STEP 1 – Review California Cloud Services Assessment Guidelines (SIMM 141). Link: California Cloud Services Assessment Guide (SIMM 141)
STEP 2 – Complete the Off-Premises Cloud Services request. Link: Off-Premises Cloud Services

Questions regarding submitting a request can be directed to your Account Lead.

Questions about completing the Cloud System Security Plan can be directed to the Office of Information Security Advisory Team at ciooisadvisoryservices@state.ca.gov.

Service Level Objectives

From the date all documents are submitted and determined by CDT to be complete, the assessment will conclude in no more than 14 business days.

Dependencies:

  • A meeting or consultation may be necessary to discuss architectural questions.
  • If required documentation is not submitted to the CDT Secure Automated File Exchange (SAFE) service, or is incomplete, CDT will request additional documentation, which will extend the review period.
  • If required documentation is not submitted the request will be closed in thirty (30) days from the original Case/Request submission date.

FAQs

Why is CDT implementing this new assessment process?

CDT is statutorily tasked with protecting the state’s technology investment and mitigating risks. Gathering data as customers come through the assessment will help us understand the technology portfolio in the cloud, ensure that standards, protocols, and security measures are being applied, and identify potential blind spots in our cybersecurity posture. Overall, it will give CDT visibility into the environments for the state’s critical data and services.

Workforce is another driver: we have seen customers adopt or migrate to the cloud without being fully prepared to support it, and then rely on vendors to operate on their behalf, which is inconsistent with GC19130.

We are resetting the Cloud First expectation of migrating/building workloads and establishing a Cloud Smart strategy to review and ensure that cloud is the best solution for a given workload. If you are planning to modernize a current system, or build a new one, your environment is going to change. CDT can help you select among the available benefits, features, and functionalities, review your readiness to move to cloud, and suggest the cloud environment that fits your requirements. By consulting with CDT to understand the business drivers for building in or migrating to the cloud, we can explore different scenarios for your environment so you can take advantage of the benefits and features the cloud offers.

What cloud account requests are covered in this assessment process?

As specified by TL 23-03 Update to Cloud Computing Policy – Cloud Smart, all new systems and/or existing applications being modified/migrated to the cloud are subject to this assessment process. Engagement with customers around existing services will be included in Phase 2, beginning around Spring of 2024.

For existing cloud customers, what is considered a modification to an existing system? What conditions can trigger an assessment?

Any major architectural change, change to data classification, expansion of services that will have a significant impact on other ancillary, feeder, or downstream systems, or a system becoming public facing will trigger the CCSA review. Examples of systems/environments include, but are not limited to, AWS Accounts, Azure Account Owner/Subscriptions, Google Projects, Oracle (OCI) Tenants, etc.

If there are no changes to previously submitted documentation, workforce, or architecture, then the CCSA process may not be required. For additional guidance, please contact your Account Lead.

Are updated architecture diagrams required when changes are made? If so, what is the timeframe for which they will need to be submitted?

Engagement with customers around existing services will be included in Phase 2, beginning around Spring of 2024. Please connect with your Account Lead if you need CDT assistance in preparing a diagram to be ready for the effective date.

Does the CCSA apply to cloud accounts or individual solutions hosted in the cloud accounts?

The CCSA applies to each system or solution that is hosted in your cloud account.

Do departments have to follow the California Cloud Services Assessment (CCSA) process for account inquiries or modifications?

Customers requesting information about existing cloud services or requesting modifications to account users should utilize the Off-Premises Cloud User Maintenance catalog item.

How do I initiate the CCSA? Is there a form?

Review the California Cloud Services Assessment webpage for requirements and instructions. Initiation of the CCSA has been integrated within the existing Off-Premises Cloud Services Request catalog item in the CDT IT Service Portal.

Is the 14 business day review time an SLA from CDT? Will the 14 business days start over for each review cycle?

It is a Service Level Objective (SLO), contingent upon complete documentation and timely response from customers on any questions.

CDT does not anticipate follow-up reviews. Each review will be for a new account or a change to cloud. The 14 business days will restart if there is incomplete or missing documentation in the request.

What if assistance is needed to complete the required documentation?

Questions about the overall process and submitting a request can be directed to your Account Lead. Questions about completing the Cloud System Security Plan can be directed to the Office of Information Security Advisory Team at ciooisadvisoryservices@state.ca.gov.

Will Managed Cloud Services be subject to the California Cloud Assessment?

Managed Cloud Services is exempt from the cloud assessment; TL 23-03 requirements will be met by CDT as the service provider.

What is the cost for the CCSA process?

There is currently no cost associated with the CCSA process. Any future costs will be published in CDT’s service rates catalog.

How does this process align with the CDT Project Approval Lifecycle (PAL) Process?

Customers will initiate the CCSA either during stage 2 or stage 3, depending on the type of procurement. Once a solution is identified and the architectural planning is underway, the customer should initiate the CCSA process. The CCSA review team will coordinate with CA-PMO.

Does the CCSA apply to initiatives that fall below the threshold for CDT oversight or PAL?

All IaaS and PaaS Off-Prem Cloud Service requests will be required to follow the CCSA. CDT’s CAMC services are not subject to the CCSA.

How will guidance be provided to Agencies/State entities for implementation of Zero Trust Architecture?

Questions regarding Zero Trust Architecture and implementation may be directed to Office of Information Security Advisory Services at ciooisadvisoryservices@state.ca.gov.

How will status of the Cloud Assessment be communicated?

You may check status of the request in the CDT IT Service Portal or contact your Account Lead.

What if my Agency/state entity does not have a CDT Secure Automated File Exchange (SAFE) Account?

First check with your Department ISO, as your department likely already has an account. If a new account is needed, you may contact the Office of Information Security at security@state.ca.gov. It will take approximately 1-2 days to complete.

What additional or modified audits will be conducted? Will they be security or architectural related? What is the frequency?

In addition to existing security audits, periodic configuration, service health checks, and compliance inspections will be conducted. Health checks evaluate the operational efficiency, robustness, and security of a cloud system and can also help identify potential risks of current cloud architecture.

Does the CCSA apply to FedRAMP compliant cloud providers?

Yes, CCSA is required for all requests except CDT Managed Cloud (CAMC) services.

What is my Account Code (required to submit CCSA request)?

Each Department is assigned one (or more) account billing codes. If you do not know your department’s Account Code, contact your Account Lead.

Where can I find a list of CDT’s approved cloud services?

CDT approved cloud services: https://cdt.ca.gov/services/cloud-services/.

Will training be offered on the request process in a portal format such as CalLearns?

At this time, detailed instructions on the CCSA request process can be found in SIMM 141 California Cloud Services Assessment Guide. Additional training and guidance will be available to state employees via forums and regular communication from CDT.

Customers can review knowledge articles specific to the request processes: CDT IT Service Portal.

What cloud elements will require SOCaaS monitoring?

Security Operations Center as a Service (SOCaaS) is mandatory for all state departments. Per SIMM 141, all pre-existing IaaS and PaaS cloud implementations must be subscribed by June 30, 2025. Please review the CDT Security Operations Center webpage for service details.

What are the costs for SOCaaS?

As of June 1, 2023, log ingestion and retention costs will be incurred by the customer. There is no additional cost for SOCaaS monitoring and alerting. Visit https://cdt.ca.gov/services/security-operations-center-as-a-service-socaas/ to learn more about services.

Is there an exemption to SOCaaS?

Agencies/state entities with existing monitoring services can work with CDT’s Office of Information Security on a case-by-case basis, to determine monitoring needs, requirements, and exemptions. Contact your Account Lead to initiate this process.

What if my Agency/state entity uses a department monitoring system?

All new or additional accounts and services to a commercial and/or government cloud service must use SOCaaS. Please initiate the Security Operation Center as a Service (SOCaaS) onboarding process by completing the Intake Form prior to completing the service request for Off Premises Cloud Services.

Do the TRPs need to be updated upon release of the TL?

This is already an existing requirement and has not changed. TRPs will be validated during the California Cloud Assessment. If a state entity is not planning to submit a CCSA request for new services, it should ensure the TRP is updated per existing SAM requirements.

Technology Recovery Plans (TRP) are updated annually, so new initiatives may not be captured.

TRPs are an existing requirement and should address current systems, not planned systems. As per the current process, TRPs should be updated to include new systems, once implemented.

Can services be procured through Cloud Service Provider Marketplaces?

Departments must ensure compliance with the State Contracting Manual when procuring additional products and services available in cloud online Marketplaces. When possible, additional products and services should be procured through department procurement offices to ensure purchasing regulations and requirements are met. Negotiated contract pricing is not applicable to Marketplace products and services; IaaS or PaaS services are recommended to be procured through CDT’s negotiated contracts.

Are exemptions allowed for special circumstances?

There are no exemptions to the CCSA review process. If CDT’s Cloud service offerings do not satisfy requirements, a Cloud Exemption Request (SIMM 18B) may be submitted, following existing processes. As we progress, CDT will be considering a delegated authority approach, whereby once a department demonstrates that it is successfully meeting the policies and requirements to migrate workloads into the cloud, CDT may no longer need to have the documents submitted to us. From there, it will be periodic assessments, similar to the California Department of Military audits, to ensure the solutions and systems are maintained over time.

Is a CCSA required for cloud service variants (e.g., aPaaS and iPaaS)?

Contact your Account Lead to initiate discussions prior to submitting through the CCSA process. CDT SMEs can help determine requirements for aPaaS and iPaaS on a case-by-case basis.

Does the CCSA apply to Storage as a Service (STaaS) requests?

If utilizing CDT’s On-Prem STaaS, requests would not go through assessment. If using CDT’s off-prem cloud contract, CCSA applies.

Are Software as a Service (SaaS) requests required to go through the CCSA?

Currently, only requests for Off-Prem IaaS and PaaS solutions require the CCSA. CDT will begin integrating SaaS services in the CCSA process towards the end of 2024.

Is an exemption from CDT required to utilize other commercially available SaaS solutions (DGS)?

An exemption from CDT is not required.

What SaaS Solutions must be procured through CDT?

Visit CDT’s SaaS catalog for a listing of solutions. At this time, all other SaaS products should be procured through the DGS procurement mechanisms.