Skip to main content

SB 6281

In Committee

Senate

Commercial cloud assessment

Requiring an economic assessment before the purchase of any third-party, commercial cloud computing service.

This status may be delayed. See Action History below for the latest updates.

How does a bill become law?
  1. Introduced: The bill is filed and assigned a number.
  2. Committee: A subject-matter committee holds hearings, takes public testimony, and decides whether to advance the bill.
  3. Floor Vote: The full chamber (House or Senate) debates and votes on the bill.
  4. Opposite Chamber: The bill repeats the committee and floor vote process in the other chamber.
  5. Governor: The Governor reviews the bill and decides whether to sign or veto it.
  6. Signed: The bill has been signed into law.
Introduced: January 21, 2026
Last Action: January 22, 2026
Status: S Environment, E

AI Analysis

This analysis was generated by AI and may contain errors. It is not legal advice. Always refer to the official bill text for authoritative information.
People & CommunitiesPeople-leaningCorporate & Wealthy Interests

This bill requires Washington state agencies to perform a detailed cost and risk assessment—including lifecycle expenses, security, and service reliability—before buying commercial cloud services, and to get approval from both the agency and the Office of Financial Management at least 30 days before purchasing. It also allows some agencies to opt out with justification and excludes colleges and universities.

  • State agencies must conduct a detailed assessment comparing multiple computing options—including public cloud, private cloud, hybrid cloud, and on-premises—before choosing a commercial cloud provider.
  • The assessment must include expected lifecycle costs (e.g., maintenance, data migration, security updates), service-level needs, cybersecurity compliance, and how quickly services can be restored after an outage.
  • Agencies must submit the assessment to both their own leadership and the Office of Financial Management for review and approval at least 30 days before purchasing any commercial cloud service.
  • Agencies can request a waiver to use servers outside the state’s common platform only if they provide written justification citing specific performance or service needs.
  • The legislature and judiciary may voluntarily agree to move their systems into the state data center or commercial cloud, but institutions of higher education are exempt from these rules.

Who is affected

  • State agenciesState agencies must now conduct a detailed cost and risk assessment before choosing a commercial cloud provider, and submit it for review and approval by their own agency leadership and the Office of Financial Management at least 30 days before purchasing a service.
  • Office of Financial ManagementThe Office of Financial Management must review and approve cloud procurement plans to ensure responsible use of taxpayer funds, adding a new layer of oversight and coordination.
  • Commercial cloud service providersVendors of commercial cloud services may face increased scrutiny and documentation requirements, as agencies must justify why their services are the best value compared to other computing models.
  • General publicResidents and businesses may benefit from improved data security and more stable government services, but could also face delays if cloud procurement takes longer due to new assessment requirements.
Fiscal impact: May increase short-term administrative costs for state agencies due to required assessments and reviews, but intended to reduce long-term costs by ensuring better-informed decisions about cloud procurement and avoiding costly mismatches or failures.
Model: Intel/Qwen3-Coder-Next-int4-AutoRoundGenerated: Mar 19, 2026 at 9:50 PM

Pro/Con Analysis

Stronger case for benefits

Potential Benefits (5)
  • Mandating lifecycle cost analysis—including migration, reformatting, and egress fees—reduces risk of underpriced contracts and hidden long-term expenses, helping prevent wasteful spending and ensuring better value for taxpayer dollars.

    FinancialPeopleRef: Sec. 1(2)(a)(i)
  • Requiring cybersecurity and regulatory compliance assessments for all workload types strengthens data protection and aligns procurement with the state’s cybersecurity policy, reducing breach risk and liability for sensitive resident data.

    Public SafetyPeopleRef: Sec. 1(2)(a)(iv)
  • Evaluating recovery speed and service restoration priorities during outages improves continuity of critical government services (e.g., emergency response systems, benefits delivery), enhancing resilience for all residents.

    Public SafetyPeopleRef: Sec. 1(2)(a)(iii)
  • Assessing governance, privacy, and data control requirements helps prevent outsourcing of services that could erode resident data rights—especially for vulnerable populations—by ensuring agencies retain appropriate oversight.

    Rights & LibertiesLean peopleRef: Sec. 1(2)(a)(ii)
  • Mandating joint agency and Office of Financial Management (OFM) review before procurement improves fiscal accountability and reduces risk of poorly scoped or overpriced contracts, supporting long-term budget stability.

    Local GovernmentLean peopleRef: Sec. 1(2)(c)
Potential Concerns (5)
  • The 30-day review and approval requirement adds administrative delay and bureaucratic overhead to cloud procurement, potentially slowing response to urgent technology needs (e.g., cybersecurity incidents or service outages).

    Local GovernmentRef: Sec. 1(2)(c)
  • The requirement to assess lifecycle costs—including data migration, reformatting, and egress fees—may discourage agencies from switching providers or adopting newer, more efficient platforms, entrenching incumbent vendors and reducing competitive pressure.

    Business & EmploymentRef: Sec. 1(2)(a)(i)
  • Mandating evaluation of hybrid cloud environments may increase procurement complexity and cost, disproportionately burdening smaller agencies with limited IT staff and expertise.

    Business & EmploymentRef: Sec. 1(2)(a)(v)
  • The waiver process—requiring written justification for servers outside the state’s common platform—creates a discretionary bottleneck that could delay or block legitimate technical needs, especially for agencies with unique security or compliance requirements.

    Local GovernmentRef: Sec. 1(3)
  • Excluding institutions of higher education from the requirements creates inconsistency across state IT governance, potentially leading to divergent security standards, higher aggregate costs, and fragmented procurement across the public sector.

    EducationRef: Sec. 1(5)

Who Is Most Affected

State agenciesMixed Impact

State agencies face increased administrative burden and procurement delays, but gain stronger oversight and potentially better long-term value. Smaller agencies with limited IT staff may be disproportionately impacted.

Office of Financial ManagementMixed Impact

The Office of Financial Management gains new oversight authority, increasing its role in IT procurement decisions. This strengthens fiscal accountability but adds staffing and expertise demands.

Commercial cloud service providersMixed Impact

Cloud vendors may face more rigorous documentation requirements and longer sales cycles, but also benefit from more deliberate, transparent procurement processes that reduce legal challenges and contract rework.

General publicPositive Impact

Residents benefit from improved data security, service reliability, and reduced risk of costly failures (e.g., benefit system outages), especially if the state avoids overpaying for cloud services.

Institutions of higher educationPositive Impact

Higher education institutions are exempt, preserving their procurement autonomy but potentially leading to inconsistent security and higher aggregate state costs due to lack of economies of scale.

Sponsors

Senator Boehnke(Republican)District 8Primary
Senator Hasegawa(Democrat)District 11Secondary