State and local governments are rapidly expanding their use of cloud services, but with that growth comes complexity — fragmented procurement pathways, varying security expectations, and the challenge of applying consistent standards across jurisdictions. As agencies look for ways to streamline adoption while maintaining strong security, service providers (SPs) play an important role in helping drive clarity, alignment, and repeatable best practices.
To better understand how leading organizations are supporting this shift, we spoke with three experienced public sector technology and security leaders: Mike Lauer, Senior Director of U.S. Public Sector at Fortinet; Wally Dalrymple, Chief Security Officer at ETS/PSI; and Rick Mayfield, Director of Enterprise Government Solutions at Pitney Bowes. Collectively, they bring decades of experience working with government teams at the state, local, and federal levels. Their backgrounds span navigating evolving requirements, deploying secure cloud services, and supporting scalable approaches to compliance.
In this discussion, they share insights on the challenges SPs face in state and local environments, strategies for communicating security posture effectively, and the innovations needed to help governments scale cloud adoption securely and consistently.
Mike Lauer: Understanding the mission and goals of agencies of different sizes is a core challenge. Smaller agencies may not explicitly call out scalable security in solicitations even though it is essential. Requirements such as CJIS apply across both small and large organizations, reinforcing the need for SPs to build platforms that scale and meet security expectations by default. Taking a security-first approach ensures platforms are designed to meet compliance needs from day one.
Wally Dalrymple: SPs often encounter fragmented procurement processes and varying interpretations of security standards across jurisdictions. Without centralized guidance, implementations can slow down or diverge from expectations. We work to mitigate this through early collaboration, structured readiness assessments, and alignment with recognized security baselines—including those used by GovRAMP—to help teams establish a shared foundation.
Rick Mayfield: Procurement teams often face complex or evolving security requirements. To support them, we focus on early collaboration that brings procurement, technology, and security stakeholders together to ensure requirements are clearly defined and aligned with policy. This integrated approach leads to smoother deployments, stronger security outcomes, and avoids costly rework. GovRAMP’s work to help procurement offices align expectations has contributed to clearer solicitations and more streamlined evaluation processes.
Mike Lauer: We have seen value in using GovRAMP resources during outreach, webinars, and milestone communications. Sharing our GovRAMP authorization status—supported by consistent internal messaging—helps establish trust with customers encountering the program for the first time. Demonstrating alignment with GovRAMP security requirements provides a clear and credible signal of readiness.
Wally Dalrymple: Our approach enters on education. Rather than focusing on terminology, we translate GovRAMP authorization into practical outcomes including reduced risk, clearer control maturity, and stronger transparency. By mapping GovRAMP security requirements to state-specific frameworks, we help customers understand the program as a reusable, trusted foundation for secure cloud adoption.
Rick Mayfield: Communicating our GovRAMP authorization is an important part of helping agencies understand the security posture behind our solutions. We focus on educational activities, including virtual sessions, conferences, and digital channels. Our teams also share updates through direct outreach. GovRAMP’s resources help agencies quickly identify vetted, secure, and scalable solutions as they modernize.
Mike Lauer: GovRAMP verification accelerates adoption for public sector buyers by creating a trusted security foundation. It reduces ambiguity and lessens the need for extensive validation cycles, helping procurement and security teams make faster, more informed decisions.
Wally Dalrymple: Building and validating our environment against a recognized security baseline has already reduced friction in state and local engagements by limiting duplicative effort. Providing aligned controls, policies, and evidence packets gives agencies a strong starting point, making due diligence more efficient. As we move through our GovRAMP milestones, we expect further gains in both time and cost savings.
Rick Mayfield: We see clear value in GovRAMP’s “verify once, serve many” model. Historically, secure solution deployments required lengthy authorization processes that were costly and resource intensive. The ability to reuse GovRAMP verification benefits both SPs and agencies by reducing cost, shortening timelines, and supporting faster adoption of cloud services.
Mike Lauer: Compliance is complex, and CSPs with visibility across local, national, and international landscapes can offer perspective on emerging risks and best practices. Insights gained across sectors help inform government teams as they modernize systems and strengthen security postures.
Wally Dalrymple: CSPs help bridge frameworks by promoting reusable controls, shared reporting approaches, and scalable continuous monitoring practices. Reinforcing alignment across GovRAMP, FedRAMP, and agency-specific requirements supports greater national consistency.
Rick Mayfield: CSPs provide the secure platforms agencies rely on to keep applications and data aligned with required standards. GovRAMP’s Fast Track program has been particularly helpful in enabling reuse of existing verification to support broader harmonization.
Adam Chun: Evidence collection and risk remediation often take longer than CSPs expect. Depending on system categorization, evidence requests can number in the hundreds. Maintaining continuous monitoring practices helps make evidence generation more efficient. Risk remediation is equally important. A high volume of unresolved risks can delay assessment closeout, making vulnerability management and prioritization essential throughout the process.
Drew Forbes: Artifact gathering is frequently the longest phase, particularly when teams attempt to build documentation as they go. Scan finalization and flaw remediation can also cause delays, especially when these activities intersect with existing internal processes. Authentication issues are another common challenge. Inconsistent authentication, insufficient access permissions, or incomplete system coverage can slow progress. CSPs should verify that credentials provide administrative access and that the majority of the system inventory is consistently covered before assessment activities begin.
Adam Chun: SPs should consider entering the GovRAMP Security Snapshot Program or engaging advisory support if internal experience is limited. Advisors, along with the GovRAMP PMO, can help clarify expectations and guide preperation. Many SPs equate GovRAMP to SOC or ISO efforts. While GovRAMP is achievable with dedicated teams, its requirements and structure introduce additional coordination, documentation, and validation considerations that may require teams to adjust timelines or revisit scope without prior experience navigating the framework. Because 3PAO assessments represent a meaningful investment, early preparation and a clear understanding of expectations help control both cost and time.
Drew Forbes: Engaging a qualified advisory firm can help tailor preparation efforts to a SP’s specific environment. When feasible, using a structured GRC system or repository can also support consistent artifact collection and control implementation. Before a full assessment, CSPs should consider internal pre-testing or external readiness reviews. These lower-cost evaluations can identify critical issues early and prevent major disruptions during the formal assessment phase.
Across each perspective, one theme is clear: states benefit when they can rely on shared expectations and reusable security verification rather than rebuilding processes from scratch.
The insights from this panel reflect a broader reality across government: agencies move faster and more confidently when they have access to consistent guidance, transparent security practices, and collaboration with providers who understand the unique challenges of the public sector. Strengthening clarity, reducing duplication, and building a shared foundation for secure cloud adoption are collective efforts — shaped by governments, providers, and partners across the ecosystem.
As state and local teams continue modernizing services and improving resilience, the public-sector community plays an essential role in advancing approaches that are repeatable, equitable, and grounded in trust. These perspectives highlight the ongoing work needed to support that mission and the opportunities we all share in helping governments adopt secure cloud solutions with confidence and consistency.