US state and local governments lean on public cloud to: 1) enable citizen services delivery and business agility; 2) fulfill scalability requirements; 3) drive down labor and infrastructure cost; and 4) resolve compliance and audit pressures. Most recently, it has been used to power smart city, AI, and open data platforms. Today, there is no shortage of state and local examples: Delaware, Texas, California, Iowa, Michigan, Massachusetts, New York, North Carolina, San Francisco, Houston, Baltimore, New York City Cyber Command, etc.

A central theme in most state and local government (SLG) cloud strategies is security and governance to ensure protection of data and resilience of critical systems. While many of the drivers for state and local cloud security and governance match or overlap the federal ones listed in our Tackling Cloud Security: US Federal Edition blog, state and local government presents unique challenges in the following areas:

  • SLG certification requirements go beyond federal ones. There are security certifications by state that often go above and beyond FedRAMP. Many states need to certify across every individual service enabled (for example, Amazon S3 and EBS). There are also requirements for third-party monitoring (e.g., the New York Department of Financial Services’ NYCRR 500 for third-party risk management and monitoring). Often, these monitoring requirements extend to employees who may also be subject to other states’ regulations.
  • Agencies must harmonize state, federal, and foreign security controls. Data privacy has significant impacts on cloud security controls — especially in data protection. How you handle and protect subjects’ data in your state and how you handle subjects that are out of state may be governed by different regulations. Reconciling different states’ regulatory and data privacy requirements with one another and federal/foreign jurisdictions’ mandates (for example, California’s CCPA with Illinois’ BIPA act or Massachusetts’ MIPSA law, sprinkled in with the EU’s GDPR) when agencies deal with multistate business partners or organizational clients/subjects is nontrivial.
  • Agencies must overcome higher levels of technical debt in state infrastructure. Based on anecdotal evidence, Forrester expects that security-related technical IT debt is generally higher with SLGs than at the federal level. Overcoming this debt — especially in light of the above harmonization requirements — is expensive and time-consuming.
  • Talent pressures are even greater than at the federal level. Not only may SLGs have lower budgets to staff IT management and cloud security operations, but often, the talent pool they can draw on is much smaller — because of employee residency and physical-office presence requirements — than it is for federal agencies. Many state and local groups also struggle with unions, unified titles that fail to describe the work, and pay-grade limitations.

To overcome the above challenges, Forrester recommends that SLGs:

  1. Factor unique locally applicable requirements into their cloud security strategy. Unique aspects of talent pool size, connectivity bandwidth restrictions, and point-of-presence availability of major cloud service providers’ government zones all shape SLGs’ cloud security strategies. An SLG has to tailor its cloud adoption, governance, and security strategies to meet state-specific compliance requirements while continually performing a reality check on budgeting and operations.
  2. Use locally available vendor and service provider services. SLGs should opt to work with service providers that have a proven track record of meeting state-specific regulatory requirements by offering products and services that do not excessively depend on out-of-state labor. Many cloud providers are certified on the state requirements for large states such as California and Texas, but you may find the list of precertified services more limited in smaller states.
  3. Build on federal government-specific certifications. To the greatest extent possible, SLGs should not reinvent the wheel when it comes to new certifications. Find ways to build on and harmonize with federal (FedRAMP, NIST) as well as industry requirements (HIPAA, PCI-DSS, ISO 27001, SOC 2 Type 2/3) to meet state and local security, data protection, and privacy mandates. This will keep your contracting and tech stack options more open so that you can focus on what you’re doing with the technology and how your team is securing applications in the cloud.
  4. Collaborate across jurisdictions. We have seen interagency collaboration in the federal government overcome resource constraints. In some creative instances, open-source communities provide an avenue for collaboration between jurisdictions free of political and bureaucratic hurdles. SLGs should engage with both peer governments and the broader open-source ecosystem to share best practices, collectively address vulnerabilities, and implement proven, SLG-ready solutions without large capital expenditures.