IT Procurement Survey Results - California

AGENDA

Opening Remarks
IT Procurement Modernization Strategy
CALNET Update
Progress Report
Q & A
Closing Remarks
Networking

UPDATES

Reset of Expectations for IT Procurement Modernization
  It is a two-year effort, & it is just the beginning

Service Level Catalog

Hybrid Cloud Services for Infrastructure & Platform – CalCloud 3.0
  Demand driven by State government customers & Security requirements
  FedRAMP High IaaS & PaaS Cloud Services
  FedRAMP Mod to come soon
  Statewide Data Center still provides On-Premise services

Simplify Procurement Process
  State government customers to leverage the Service Request (SR) process
  Infrastructure & Platform Cloud Services, Data Center Services & VHSS Services

Myths vs Facts

MYTH: FedRAMP requirement applies to all Cloud Services
FACT: FedRAMP requirement only applies to Infrastructure and Platform Cloud Services (IaaS and PaaS)
  NIST requirement is for Software Cloud Services (SaaS)
  For SaaS, NIST requirement will be further revised to NIST 800-171 & SOC 2 Type 2 (DGS will address notification per process)
  Customer departments to determine appropriate security level based on individual needs

MYTH: FedRAMP needs to be certified by each state entity that uses the service
FACT: FedRAMP just needs one Authority to Operate (ATO) by a federal sponsoring entity

MYTH: All data center on-premise equipment will be purchased by CDT
FACT: Data center grade equipment will be available to be purchased by predefined data centers in the state
  Procurement can be done through existing channels
  For departments' (non data center) purchases of data center equipment, CDT will be part of the vetting process, with an exemption process in place

MYTH: State of CA is not leveraging NASPO
FACT: State of CA is using NASPO for appropriate products & services, & is in regular dialog with NASPO for further collaboration

DEFINITIONS

Follows NIST standard definition of IaaS, PaaS, & SaaS
For Procurement purpose only:

IaaS
  Includes processing, storage, networks that enable consumers to deploy & run operating systems & applications.
  The consumer does not manage or control the underlying cloud infrastructure.
  Minimum security requirement: FedRAMP Moderate Authorized

PaaS
  Includes cloud infrastructure that enables customers to deploy consumer-created or acquired applications using programming languages, libraries, services, & tools supported by the Cloud Service Provider.
  The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications & possibly configuration settings for the application-hosting environment.
  Minimum security requirement: FedRAMP Moderate Authorized

SaaS
  Includes applications running on a cloud infrastructure that are accessible from a web browser or application programming interface (API).
  The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the exception of configuration settings.
  Minimum security requirement: NIST 800-171, SOC 2 Type 2

FedRAMP OVERVIEW

Created by the Federal Government to standardize the approach to security assessments, authorization, & continuous monitoring for cloud products & services.
Thus far has saved Federal Government $130 million
Now has evolved to include “FedRAMP Accelerated” process, which is cheaper/faster, & FedRAMP Tailored for low security SaaS solutions.
Thus far 15 FedRAMP Ready, 61 in process & 91 authorized products
Multiple states utilize FedRAMP as a required security baseline for government contracts

CALNET: NEXT GENERATION OPPORTUNITIES

Develop a roadmap to communicate Statewide Telecom strategic vision
Increase customer base involvement
Add more flexibility into our acquisition methods
Improve vendor experience & engagement

CALNET: NEXT GENERATION PROPOSED CHANGES

CALNET – California Network & Telecommunications Program
  Statewide telecommunications service offerings under one program

Pre-qualified Multiple Award Contract (PMAC) Expansion
  Allow vendors to be in the pool based on general administrative requirements
  Just-in-time, continuous filing
  Vendors are not limited to specific categories

Adopt flexible acquisition models in addition to the current model
  Ability to add categories or services
  Staggered solicitations & not co-terminous
  Customizes acquisition approach appropriate to a service
  May utilize Form 20 or RFO

PROGRESS IN PROCUREMENT

Winter 2015/16
  Smaller procurement for Business Solution providers (allow more vendors to compete)

Spring/Summer 2016
  Pre-qualified vendor pool for Agile developers, etc. (simplify procurement)

Fall/Winter 2016/17
  Amended CalNET3 to add new services
  Streamline process for customers to acquire infrastructure & platform services

Spring 2017
  IT-MSA refresh (by DGS)
  On boarded additional Vendor Hosted Service (VHSS) providers
  Expanded Pre-qualified vendor pool

Spring/Summer 2017
  FedRAMP high contract awarded

Summer 2017
  Codify 6611 for CDT with no sunset date

Fall 2017
  Continuation of IT procurement modernization
  IT-MSA Refresh – November
  IaaS, PaaS, SaaS T & Cs Refresh – November
  FedRAMP Mod Procurement – Upcoming