Government Prepping Cloud Computing Guidance

As a report warns agencies won't move forward without clearer policy, White House readies comprehensive cloud strategy and cybersecurity rules.

J. Nicholas Hoover, Senior Editor, information Government

July 1, 2010


Federal agencies in charge of the Obama administration's cloud computing push intend later this year to issue a comprehensive government cloud computing strategy and new cybersecurity guidance for federal cloud computing, officials said in Congressional testimony on Thursday, as a new Government Accountability Office report urged the government to develop more final guidance.

Federal CIO Vivek Kundra told the House Committee on Oversight and Government Reform that the administration is making it a point to take a "deliberate approach" to cloud computing, beginning over the past year with working groups, summits, and establishment of a program management office and some pilot efforts.

Now, Kundra said, the Office of Management and Budget is moving toward a comprehensive cloud computing plan that will be in place by December. The new strategy, Kundra said in a written response to the GAO report, will include a five- to 10-year plan, but will need to evolve over time based on market evolution.

According to the GAO report, OMB will ensure its strategy addresses security challenges, including agency-specific guidance, the appropriate use of standards, and the division of cybersecurity responsibility between agency and provider.

In addition, the National Institute of Standards and Technology is working on formal guidance, which will be available for comment in September, to address cloud computing security issues lacking in existing NIST documentation on federal cybersecurity requirements. NIST recently released a similar document dealing with virtualization.

"Both federal and private sector officials have made clear that existing guidance is not sufficient," the GAO report said. The report recommended that NIST "issue cloud computing information security guidance to federal agencies to more fully address key cloud computing domain areas that are lacking in SP 800-53, such as virtualization, data center operations, and portability and interoperability, and include a process for defining roles and responsibilities of cloud computing service providers and customers."

The GAO report, also divulged at the hearing, urges OMB, GSA, NIST, and the federal CIO Council to finalize and formalize their guidance and processes to accelerate cloud adoption. "Until federal guidance and processes that specifically address information security for cloud computing are developed, agencies may be hesitant to implement cloud computing, and those programs that have been implemented may not have effective information security controls in place," the report says.

In carrying out the report, GAO surveyed 24 major federal agencies, conducted interviews with representatives from government and industry, and reviewed relevant publications and white papers, finding that agencies shared a number of common concerns about cloud computing.

Overall, 22 of 24 major agencies reported to GAO that they were concerned or very concerned about cloud security, including issues like data leakage to unauthorized users and loss of service if a cloud provider goes out of business or terminates a certain service. NASA officials pointed GAO to challenges with identity management and user authentication, while the Nuclear Regulatory Commission keyed in on the need to clearly delineate security responsibilities between customer and provider.

However, while agencies are expressing concern, few of their concerns have yet made it into formal policies and procedures. Only nine agencies had approved and documented policies for enforcing comprehensive cloud computing service level agreements, four agencies had documented policies limiting the type of information that can be placed in a cloud, and two limited the type of cloud deployment model used.

In related news, GSA deputy administrator Dave McClure, whose Office of Citizen Services and Innovative Technologies operates the government's Apps.gov application store, said that GSA on Wednesday closed a new blanket purchase agreement that will place infrastructure-as-a-service offerings like Amazon Web Services on Apps.gov.
