The following process provides Vendors with the Cloud requirements and procedures for submitting cloud services for evaluation prior to their authorization for use within the State's enterprise environment. It applies to Vendors that currently provide, or seek to provide, cloud services to the State.
The sections of this portal define the information and requirements Vendors must include in their submissions to support the secure and timely adoption of cloud services. Vendors are required to formally attest to the accuracy and completeness of all submitted information and, where applicable, execute the State-specific Non-Disclosure Agreement (NDA) provided below to ensure the protection of sensitive and confidential information throughout the evaluation process.
This approach leverages recognized industry certifications, automation, and risk-based decision-making to ensure that Vendors meet defined eligibility requirements, maintain operational transparency, and comply with data residency and security obligations.
Note: Vendors, if you have questions or suggestions regarding this information, please contact Gordon Klindt at gordon.klindt@wisconsin.gov.
Vendors must provide accurate and current corporate identification information as part of the cloud service review and authorization process.
At a minimum, Vendors shall provide:
- Legal Corporate Name
  - The Vendor's full legal corporate name as registered with the appropriate government authority.
  - Any “doing business as” (DBA) names used in offering the cloud solution must also be disclosed.
- Place of Incorporation
  - The jurisdiction in which the Vendor is incorporated or organized.
  - Vendors must be incorporated within the United States to be eligible to provide cloud solutions to the State.
- Corporate Headquarters
  - The physical address of the Vendor's corporate headquarters, which must be located within the United States.
- Contact Information
  - Name and title of a primary business contact.
  - Business email address and telephone number.
  - Name and contact information for a security or compliance contact responsible for audit coordination, risk management, and security incident communications.
- Ongoing Accuracy
  - Vendors are responsible for ensuring that all corporate and contact information remains accurate and up to date for the duration of their relationship with the State.
Failure to provide or maintain the required corporate identification and contact information may result in denial, delay, or revocation of authorization to connect to the State's enterprise network or provide cloud services to State agencies.
Vendors should provide their Trust Center, a vendor-hosted portal providing real-time access to security compliance documents and status.
i. FedRAMP/StateRAMP validity is maintained via continuous monitoring of the authorization status on the respective marketplace.
ii. CSA STAR Level 2
iii. SOC 2 validity is 12 months from the audit period end date.
iv. ISO/IEC 27001 validity is 12 months from the audit period end date.
v. HITRUST r2 Validated Assessment validity is 12 months from the audit period end date.
“Bridge Letter” means a formal statement from vendor management asserting that no material changes to the control environment have occurred between the end of an audit period and the current date.
“Cloud Solutions” means the definition found within NIST Special Publication 800-145.
“CSA STAR” means Cloud Security Alliance Security, Trust, Assurance, and Risk program.
“Network Integration” or “Integration into the Network” is defined as any scenario where the cloud solution:
- Utilizes a persistent Site-to-Site VPN or ExpressRoute;
- Requires inbound firewall exceptions (North/South traffic); or
- Ingests or processes Restricted Data via API.
Note: Standard internet-based SaaS access (user initiated) does not constitute “Network Integration” but remains subject to data governance policies.
Vendors must complete the attached Vendor Cloud Solution Information Form (DOA-10816).