Cloud Brokerage

Cloud Brokerage Overview

With the growing availability and appeal of cloud solutions, DET's priority is to protect our networks' and citizen's data. To ensure we achieve this, DET has improved the cloud brokerage process to review cloud solutions for compatibility with the state's network and compliance with important security and privacy controls.

This process builds off similar efforts managed by the federal government and other state governments and forms a critical part of DET's statutory oversight responsibilities. The process:

Provides additional vetting and oversight for cloud solutions under consideration;
Includes streamlined reviews and approvals for additional agencies to use approved cloud solutions;
Reiterates agency’s responsibility to craft appropriate terms and conditions;
Requires further reviews of the cloud solutions as they become further defined, via previously established processes.

Cloud Forms

These forms should be completed so that the appropriate evaluation can be completed. While this process only applies to Executive Branch agencies, we are including the forms here for others to utilize and/or vendors to understand what we will be asking as part of our process.

Agency Cloud Solution Information Form (DOA 10817)

Vendor Cloud Solution Information Form (DOA 10816)

Cloud Policy

DET has created an updated cloud policy which outlines the "cloud-smart" approach DET has adopted towards the usage of cloud solutions, seven minimum requirements that must be met for all cloud vendors, minimum requirements for the cloud brokerage process, and minimum requirements for the cloud solution repository.

Cloud Brokerage Policy

Cloud Brokerage Process Standard

Cloud Provider Minimum Requirements Standard

Cloud Solutions Reference Document Explaining Advantages and Disadvantages

Data Classification

Cloud solutions often process, transmit, or store one or more types of protected data, which is information that has been designated as confidential by State or federal laws, executive orders, or regulations.

DET uses the DET Data Classification Standard to identify the necessary level of security for cloud solutions that process, transmit, or store protected data.

Cloud Brokerage FAQs

What is a cloud solution?

DET uses the federal government's definition of a cloud solution, which is available on the NIST website as NIST Special Publication 800-145.

Which cloud solutions should be submitted through the cloud brokerage process?

The cloud brokerage process is recommended for all cloud solutions that Enterprise agencies wish to utilize for software, infrastructure or platform provisioned, owned, hosted, managed, and/or operated by a third party vendor or cloud provider other than the Department of Administration Enterprise data center(s).

Which agencies does the cloud brokerage process apply to?

The cloud brokerage process should be used by all Executive Branch agencies other than the UW system and statutory authorities.

How do I know if a cloud solution is already approved?

All cloud solutions submitted to DET for review are listed in the Cloud Solution Repository. There are seven possible statuses for each cloud solution:

“Approved” means the cloud solution, as reviewed, meets relevant laws, regulations, policies, standards, and procedures which allows implementation of the cloud solution.
“Approved with conditions” means the cloud solution, as reviewed, does not meet one or more relevant laws, regulations, policies, standards, or procedures, the agency has submitted a request to DET for a security exception, and DET has approved a security exception which allows implementation of the cloud solution.
“Not recommended” means the cloud solution, as reviewed, does not meet relevant laws, regulations, policies, standards, or procedures and agencies are discouraged from implementing the cloud solution. Agencies who wish to implement a cloud solution that is “Not Recommended” must work with DET to identify appropriate security controls prior to implementation.
“Not approved” means the cloud solution, as reviewed, does not meet relevant laws, regulations, and policies, and agencies should not use the cloud solution.
"Review Required” means the cloud solution was approved under the prior cloud brokerage process. Agencies should contact DET if they wish to use the cloud solution.
“Withdrawn” means the cloud solution was withdrawn by the agency prior to DET reaching a decision regarding use of the cloud solution. Agencies that wish to use the cloud solution must complete the cloud brokerage process.
“In process” means that the cloud solution is currently being reviewed as part of the cloud brokerage process.

Which agency staff should I work with to prepare the cloud solution information forms?

In addition to IT and program staff, agencies should also work closely with legal, finance, business, and procurement staff in preparing the cloud solution information forms to ensure that all information is complete and accurate. This avoids any delays in reviewing and approving the cloud solution for implementation.

Is the cloud brokerage process required?

While there is no statutory language or executive order that specifically requires agencies to complete the cloud brokerage process, applicable agencies are strongly recommended to use the cloud brokerage process. Using the cloud brokerage process allows DET and agencies to identify and address any security and compatibility issues before costs are incurred, speeding the process for agencies to begin using the cloud solution, avoiding failed implementations, and reducing potential agency costs associated with making post-implementation changes necessary to meet DET security policies and standards.

Contact Information

If you have any questions about the cloud brokerage process or the cloud solution repository, please contact, DOADETCloudBrokerage@wisconsin.gov.

For State of Wisconsin executive branch agencies other than the University of Wisconsin System and statutory authorities, click Here for more information.