File #: 4088   
Type: Consent Status: Passed
File created: 4/27/2021 Department: Board of Supervisors
On agenda: 5/4/2021 Final action: 5/4/2021
Subject: Salesforce Government Cloud Compliance Information Non-Disclosure Agreement
Attachments: 1. COV-BOS-050421-BOS CRM Salesforce Government Cloud NDA, 2. R1-ATT-BOS-050421-Salesforce GovCloudNDA 1SFDC_29Apr21, 3. Item #3 Executed BAI, 4. 21-303 Executed Contract

REPORT/RECOMMENDATION TO THE BOARD OF SUPERVISORS

OF THE COUNTY OF SAN BERNARDINO

AND RECORD OF ACTION

 

May 4, 2021

FROM

CURT HAGMAN, Chairman, Board of Supervisors

        

SUBJECT                      

Salesforce Government Cloud Compliance Information Non-Disclosure Agreement

 

RECOMMENDATION(S)

Approve a non-financial Government Cloud Compliance Information Non-Disclosure Agreement with Salesforce.com, Inc. to evaluate the Salesforce Government Cloud compliance documentation and information under the exemptions provided by CA Gov. Code §6254.19 as it relates to the Board of Supervisors Customer Relationship Management system, effective upon the date of last execution until terminated by either party.

(Presenter: Luther Snoke, County Chief Operating Officer, 387-5425)

 

COUNTY AND CHIEF EXECUTIVE OFFICER GOALS & OBJECTIVES

Improve County Government Operations.

 

FINANCIAL IMPACT

Approval of this item will not result in the use of additional Discretionary General Funding (Net County Cost), as the Government Cloud Compliance Information Non-Disclosure Agreement (Government Cloud NDA) is non-financial in nature.

 

BACKGROUND INFORMATION

Approval of this Non-Disclosure Agreement (NDA) with Salesforce.com (SFDC) will facilitate the County’s assessment of SFDC’s information security and privacy controls in relation to their Government Cloud Platform, and allow the County to establish appropriate cyber security incident response management protocols for the Board of Supervisors (Board) Customer Relationship Management (CRM) system for constituent case management.

 

On September 29, 2020 (Item No. 4), the Board approved Contract No. 20-916 with Incapsulate for implementation of the Board’s CRM system for constituent case management for the period of September 29, 2020 through September 28, 2023.  On September 29, 2020 (Item No. 4), the Board also approved a contract with Carahsoft for $118,549.54, for licenses, and maintenance and support related to Salesforce government cloud services, which is used in conjunction with the Board’s CRM system developed by Incapsulate.  On December 15, 2020 (Item No. 7), the Board approved Contract No. 20-1192 with Carahsoft in the amount of $117,263.43 for the purchase of five additional business units and 40 additional Service Cloud licenses for use with the Board’s CRM system to refine the system and allow additional users access to the Board’s CRM system.

 

On March 23, 2021 (Item No. 4), the Board approved a Mutual NDA with Salesforce to allow the County to assess Salesforce’s information security and privacy controls.  This Mutual NDA was not in conflict with the County’s obligations under the Public Records Act, under the exemption provided by CA Gov. Code §6254.19, which states that “Nothing in this chapter shall be construed to require the disclosure of an information security record of a public agency, if, on the facts of the particular case, disclosure of that record would reveal vulnerabilities to, or otherwise increase the potential for an attack on, an information technology system of a public agency.  Nothing in this section shall be construed to limit public disclosure of records stored within an information technology system of a public agency that are not otherwise exempt from disclosure pursuant to this chapter or any other provision of law.”

 

Board approval is being requested for the Government Cloud NDA so that the County and the Salesforce information/cyber security team(s) can have unfettered, comprehensive conversations about Salesforce’s proprietary information security and privacy protocols and controls, including an assessment of Salesforce’s Government Cloud Platform security protocols and controls.  Similar to the Mutual NDA, the Government Cloud NDA is not in conflict with the County’s obligations under the Public Records Act, under the exemption provided by CA Gov. Code §6254.19.  Under Section 4 of this recommended NDA, Compelled Disclosure, Salesforce also recognizes that the County may disclose information if compelled by law, including disclosures relating to the Brown Act, with prior notice of such compelled disclosure.  Salesforce has been notified of the County’s intent to publish the NDA for purposes of transparency and open government, and does not contest the publishing of the recommended NDA.  This Government Cloud NDA is being presented to the Board for approval at this time, after the Mutual NDA was presented to the Board for approval, due to Salesforce’s established policy to not release the Government Cloud NDA until the Mutual NDA is executed with the party seeking the Government Cloud information.

 

Approval of the NDA will allow the County to receive, assess, and discuss Salesforce proprietary information security and information privacy protocols and controls for customer, constituent, and regulated data (e.g., Personally Identifiable Information) with Salesforce’s information security subject matter experts. 

 

The County’s use of the Salesforce Government Cloud Platform offering has brought value and benefits in mitigating risk, and further dialogue to assess current and future implementations will provide additional appropriate information security/privacy measures and controls.  Additionally, the County’s ability to respond to cyber security events and incidents is reflected in its establishment of incident response management protocols.  This provides the County an ability to participate and collaborate, in an effective and timely manner, in discussions with Salesforce stakeholders when critical cyber security events or incidents occur that may have a significant impact on the Board’s CRM system operations.

 

PROCUREMENT

N/A

 

REVIEW BY OTHERS

This item has been reviewed by County Counsel (Michelle Blakemore, County Counsel, and Bonnie Uphold, Deputy County Counsel, 387-5455) on April 26, 2021; Innovation and Technology Department (Robert K Pittman, Jr., Chief Information Security Officer, 388-5510) on March 31, 2021; Finance (Stephenie Shea, Administrative Analyst, 387-4919) on March 31, 2021; and County Finance and Administration (Matthew Erickson, County Chief Financial Officer, 387-5423) on April 23, 2021.