State chief information officers say cloud services provide as good or better security than on-premise infrastructure, NASCIO research finds.
In the span of about a decade, state chief information officers flipped their script on cloud computing.
In the 2023 State CIO Survey, state CIOs overwhelmingly identified security as the most important benefit of cloud computing.
Doug Robinson, executive director of the National Association of State CIOs, said a decade ago the survey results were quite different.
Back then, “we asked the question: ‘What’s the major impediment or barrier to broader cloud adoption?’ The number one answer was, ‘We’re concerned about security,’ ” Robinson said during the Federal News Network StateRAMP Exchange 2024.
“We’ve seen this huge shift about their concern. Part of that was the fact that 87% said that they agreed that cybersecurity offered by third-party cloud providers is either on par or better than the security measures in place in their state government. That was a huge shift in the understanding and recognition, in addition to the investments that many of the cloud service providers put into their platforms in complying with StateRAMP — but also the fact that they had to meet the compliance of the various other federal regulatory requirements.”
Now, state CIOs say security has become the cloud characteristic that matters the most. Robinson said the shift is one major reason why StateRAMP, the state version of the Federal Risk Authorization and Management Program (FedRAMP) cloud security initiative, has taken hold and is seen as valuable.
“We saw accelerated cloud adoption during the pandemic because there was a compelling need — because states needed a speed to solution market adjustment. They had governors and other public officials saying, ‘We need to deliver this solution to citizens very quickly and that we need to scale it to millions of citizens very quickly. And we need to do this in a cost effective manner,’ ” Robinson said. “Now that the states are definitely invested in a cloud solutions, whether it’s on premise or off, they need the confidence that the CSPs meet the security demands, and StateRAMP provides that as an independent, neutral, third-party arbitrator. It addresses a lot of the constraints that the states currently have to deal with.”
Jim Weaver, president of NASCIO and CIO for the state of North Carolina, said he experienced this firsthand during the pandemic.
Weaver, who was the state of Washington’s CIO during the pandemic, said the emergency drove innovation and created an opportunity to change the way state and local agencies did business. As a result, it led to states taking advantage of secure cloud services, he said
“What we learned was how tangled our architecture truly was. As much as we thought we understood our architecture, we did not realize the spaghetti mess. I can recall as we were trying to move our disease reporting system, it was not an application. It was about 30 applications that had to move in tangent. That was eye opening to many, but we got it done,” Weaver said. “Now that they have the ability to be more agile and to be able to pivot in different directions, the flexibility that was provided to the business via the cloud is really going to be the game changer moving forward.”
The foundation of secure cloud services means state and local governments also can better prepare for new capabilities coming from artificial intelligence, specifically generative AI, and advanced analytics.
Weaver said these tools have to be flexible enough to support the business of government, and the only way to do that is through secure cloud services.
The confidence in CSPs being secure came initially from the FedRAMP certification and now from StateRAMP. Weaver said states moved applications to the cloud at an accelerated pace thanks to these assurances.
“Having vendors go through the StateRAMP process and get certified in that regard was very beneficial for us. We never looked to do our own thing. We’re very much looking at our partners in StateRAMP and leveraging what they have to offer when we look at the vendor community and who has gone through that certification process,” Weaver said. “When it comes to security, at the end of day, a bad app — whether hosted on premise or hosted in the cloud — is still vulnerable. I think it’s incumbent upon us to partner with the right vendor, who can understand our business, integrates with us very nicely and helps drive us along.”
The other big benefit state CIOs are seeing from taking advantage of StateRAMP is that it lets them focus their digital transformation efforts on business capabilities instead of technology tools.
Robinson said CIOs see the cloud no longer as a top priority but as an expectation of how they will modernize.
“Cloud is clearly a significant part of their modernization efforts, along with several others. But if you look at cloud adoption, which is now certainly extremely high, all states are doing something in cloud — either private, on-premise or, in most cases, third-party, off-premise cloud services,” he said. “What you see is the coupling of that with a number of other opportunities, may be things like looking at their data center footprint and making cases for closing down physical data centers so they can move to off-premise cloud solutions.”
Even so, states still have significant technical debt, Robinson said. “Our other modernization and application modernization study showed that 50% of the applications that are currently residing in state government and being used would be considered a legacy environment.”
Weaver added that if North Carolina can spend $1 on a program instead of on an IT system, the better it is for the citizens.
“When I talk about digital transformation, it really encompasses connectivity, which is essentially broadband. You have the cyber component, you have the privacy component and then you have the legacy modernization component, which is basically saying transition to the cloud. What stops us a lot of times from being able to enable digital transformation opportunities is the back end systems that are there, basically at the forefront of supporting constituent services,” he said. “We’re all coming to a point in time now from a capital aspect, we’re seeing the unnecessary investments that need to go back into a facility. And that’s probably not the best use of those dollars, when those dollars can get redirected to other modernization opportunities to get us to a better outcome for the citizens we serve.”
Discover more tips and tactics shared during the Federal News Network StateRAMP Exchange 2024.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Jason Miller is executive editor of Federal News Network and directs news coverage on the people, policy and programs of the federal government.
Follow @jmillerWFED