In moving to cloud, NASCIO advises 'buyer beware'
A report by NASCIO advises state CIOs to pull legal, human capital, finance and data management expertise into their teams to grapple with policy complexities of cloud computing.
The benefits of cloud computing to state governments fighting to keep from going broke can be irresistible. But the upside – including cost savings and operational efficiencies – shouldn’t distract state CIOs from the jurisdictional minefield that awaits them in setting up shared services with other agencies and jurisdictions.
An overview of the risks involved in building collaborative systems across state borders, as well as strategies to avoid them, is highlighted in a report published Dec. 8 by the National Association of State CIOs (NASCIO).
The detailed briefing, the third in NASCIO's “Capitals in the Clouds” series for CIOs, might best be summed up by a single line in the report: “'Buyer beware’ is excellent advice for state government as it evaluates cloud computing options.”
Minnesota CIO Carolyn Purcell, the co-chair of NASCIO’s enterprise architecture and governance committee, said the organization “(expects) a proliferation of state and local government partnering.”
But in doing so, “we’re encouraging state and local government to evaluate and prepare for real and potential jurisdictional issues on the forward side of contract negotiation with service providers and the formation of collaboration with other jurisdictions."
In laying out the risks of cloud computing, the NASCIO report calls for a “new operating discipline” among state CIOs that extends beyond in-house technology know-how to encompass people skilled in legal, human capital, finance and data management.
A clean slate
As the report makes convincingly clear, cloud computing is fraught with policy entanglements for which there are few precedents. For one thing, there simply is little case law to help resolve conflicts that might arise among customers and cloud service providers in multi-tenant cloud communities.
The laws of a particular state apply only to that state, the report notes. “The collision point of conflicting state laws and contract terms and conditions is what presents the greatest concern.” It’s therefore “critically important to establish the right precedent and rationale in the early cases that arrive.”
The report also cautions that service-level agreements, a popular vehicle for setting up a contract on the basis of a negotiated service outcome, may not cover many of the risks associated with the cloud. Those include occurrences of data theft or mishandling.
“Once data is stolen it cannot be retrieved,” notes the report. "State governments must evaluate service offerings with their eyes wide open.”
State CIOs must also understand the risks involved in the structure of cloud computing service providers, which may use third-party firms located in another state or country or those employed on a temporary basis. “Depending on how many layers of third-party contractors, the jurisdictional issues can become extremely complicated,” the report says.
Among strategies for curbing risk, NASCIO offers a lengthy set of practical advice for state and local CIOs, including the need to assemble a management team that has expertise in the area of auditing, procurement, finance, legal and security; the need to know how to “reverse your decisions in the event it becomes necessary to do so;” and “ensure your state retains and maintains ownership of data, applications and business rules.”
NASCIO’s “Capitals in the Clouds, Part III – Recommendations for Mitigating Risks: Jurisdictional, Contracting and Service Levels" can be downloaded from NASCIO’s website.