What is a cloud solution?
DET uses the federal government's definition of a cloud solution, which is available on the NIST website as NIST Special Publication 800-145.
Which cloud solutions should be submitted through the cloud brokerage process?
The cloud brokerage process is recommended for all cloud solutions that Enterprise agencies wish to utilize for software, infrastructure or platform provisioned, owned, hosted, managed, and/or operated by a third party vendor or cloud provider other than the Department of Administration Enterprise data center(s).
Which agencies does the cloud brokerage process apply to?
The cloud brokerage process should be used by all Executive Branch agencies other than the UW system and statutory authorities.
How do I know if a cloud solution is already approved?
All cloud solutions submitted to DET for review are listed in the Cloud Solution Repository. There are seven possible statuses for each cloud solution:
“Approved” means the cloud solution, as reviewed, meets relevant laws, regulations, policies, standards, and procedures which allows implementation of the cloud solution.
“Approved with conditions” means the cloud solution, as reviewed, does not meet one or more relevant laws, regulations, policies, standards, or procedures, the agency has submitted a request to DET for a security exception, and DET has approved a security exception which allows implementation of the cloud solution.
“Not recommended” means the cloud solution, as reviewed, does not meet relevant laws, regulations, policies, standards, or procedures and agencies are discouraged from implementing the cloud solution. Agencies who wish to implement a cloud solution that is “Not Recommended” must work with DET to identify appropriate security controls prior to implementation.
“Not approved” means the cloud solution, as reviewed, does not meet relevant laws, regulations, and policies, and agencies should not use the cloud solution.
"Review Required” means the cloud solution was approved under the prior cloud brokerage process. Agencies should contact DET if they wish to use the cloud solution.
“Withdrawn” means the cloud solution was withdrawn by the agency prior to DET reaching a decision regarding use of the cloud solution. Agencies that wish to use the cloud solution must complete the cloud brokerage process.
“In process” means that the cloud solution is currently being reviewed as part of the cloud brokerage process.
Which agency staff should I work with to prepare the cloud solution information forms?
In addition to IT and program staff, agencies should also work closely with legal, finance, business, and procurement staff in preparing the cloud solution information forms to ensure that all information is complete and accurate. This avoids any delays in reviewing and approving the cloud solution for implementation.
Is the cloud brokerage process required?
While there is no statutory language or executive order that specifically requires agencies to complete the cloud brokerage process, applicable agencies are strongly recommended to use the cloud brokerage process. Using the cloud brokerage process allows DET and agencies to identify and address any security and compatibility issues before costs are incurred, speeding the process for agencies to begin using the cloud solution, avoiding failed implementations, and reducing potential agency costs associated with making post-implementation changes necessary to meet DET security policies and standards.