wa-law.org > bill > 2025-26 > SB 6281 > Original Bill

SB 6281 - Commercial cloud assessment

Source

Section 1

  1. Except as provided by subsection (3) of this section, state agencies shall locate all existing and new information or telecommunications investments in the state data center or within third-party, commercial cloud computing services.

  2. Prior to locating any information or telecommunications investments within a third-party, commercial cloud computing service, a state agency shall perform an assessment to analyze all computing deployment models including, but not limited to, public cloud, private cloud, hybrid cloud, and on-premises solutions, for the purposes of data hosting, processing, management, networking, computing, and storage.

    1. This assessment must include, but not be limited to:

      1. The industry standard, expected life-cycle cost of each solution including, but not limited to, the ongoing maintenance, the operational costs, software updates, data migration costs, including any data ingress and egress fees, the cost to reformat data to improve accessibility, costs of security vulnerabilities from advancements in the solution's technology, and the cost of potential, required updates to the solution;

      2. The service level needs and business requirements, including governance requirements, related to privacy and control over data;

      3. The rapidity of return to service from any outages and order of return of service compared to other customers with the same provider;

      4. The cybersecurity and regulatory compliance for all workload types, including all data categories referenced in the document, published by the agency, entitled, "Washington state cybersecurity program policy," as that document exists on the effective date of this section and any subsequent amendments thereto; and

    2. The impact and availability of hybrid cloud environments in each respective cloud computing environment.

    3. The assessment required under this subsection (2) must be conducted prior to the purchase of any third-party, commercial cloud computing service for the state agency's data.

    4. The assessment required under this subsection (2) must be submitted to the state agency and the office of financial management for review and approval not less than 30 days before procuring any third-party, commercial cloud computing service. The state agency and the office of financial management shall, in approving or not approving the procurement of a third-party, commercial cloud computing service, keep at the forefront of their decision making the best stewardship of the taxpayer dollars that will be used in the purchase and ongoing operating costs of the solution chosen.

  3. State agencies with a service requirement that precludes them from complying with subsection (1) of this section must receive a waiver from the agency. Waivers must be based upon written justification from the requesting state agency citing specific service or performance requirements for locating servers outside the state's common platform.

  4. The legislature and the judiciary, which are constitutionally recognized as separate branches of government, may enter into an interagency agreement with the agency to migrate its servers into the state data center or third-party, commercial cloud computing services.

  5. This section does not apply to institutions of higher education.

Created by @tannewt. Contribute on GitHub.