July 8, 2010 at 1:35 pm #105021
Key cybersecurity guidance for federal adoption of cloud computing is lacking even while almost all major federal agencies report that they are worried about potential security risks, says the Government Accountability Office.
In a July 1 hearing of the House Oversight and Government Reform Committee, Gregory Wilshusen, GAO’s director of information security issues, said that a survey of all 24 CFO Act agencies found that 22 out of the 24 “were concerned, or very concerned, about the potential security risk associated with cloud computing.”
That hasn’t prevented about half of the 24 CFO Act agencies from already adopting some form of cloud computing, whether for obtaining infrastructure, computing platforms or software as a service, according to the report–although the GAO classifies even basic online services such as web email as a “cloud” service. The GAO released the full results of its survey, conducted from November 2009 to February 2010, in a report (.pdf) also made publicly available on July 1.
Agency access to cloud computing could increase following a new General Services Administration blanket purchase agreement with an unnamed vendor for governmentwide purchase of infrastructure as a service, a BPA that Dave McClure, the General Services Administration associate administrator for the office of citizen services and innovative technologies announced during the July 1 hearing.
Among the reservations agencies have about cloud computing are concerns over ineffective or noncompliant security practices of the cloud provider, an inability to examine cloud security controls, data leakage to unauthorized users, and loss of data if cloud service is terminated, Wilshusen said.
Until policies assuaging those risks are developed, “agencies will be hesitant to implement cloud computing programs and those that have implemented such programs may have appropriate–or may not–have appropriate security controls in place,” Wilshusen added.
In the Office of Management and Budget’s undated response to the GAO report–it appears to have been written in early May–Vivek Kundra, the federal chief information officer, said that OMB will develop a strategic plan with a planning horizon of five to 10 years.
During the hearing, McClure pointed to an inter-agency effort known as FedRAMP as evidence that policies are being developed.
FedRAMP seeks to create a federalwide set of acceptable system authorizations and cybersecurity standards for cloud providers–although, even in the cloud, end user organizations don’t completely give up their cybersecurity concerns since even a badly configured browser can be a cybersecurity vulnerability.
In addition, the National Institute of Standards and Technology is developing a special publication on cloud computing cybersecurity, said Cita Furlani, director of the NIST information technology laboratory. Furlani also noted that agencies will retain responsibilities under cloud computing to manage their own destinies, since “applicable standards in the cloud computing environment will be dependent on which model of cloud computing you’re actually addressing and which kind you’re trying to use for your own particular program and your own mission requirements.”
view reports & video from Congressional hearing
Download GAO report:
November 2, 2010 at 8:08 pm #105024
This goes towards the policy needs of cloud computing. Please read and comment on the documents.
Dear Security Working Group Members –
As members of the Federal Cloud Computing Initiative, we wanted to let you know of some big news!
We are pleased to announce the release of Proposed Security Assessment and Authorization for U.S. Government Cloud Computing, documentation that reflects the best efforts of government in addressing the unique security challenges presented by cloud computing. This document was developed by an inter-agency team of the General Services Administration, the National Institute of Standards and Technology, the CIO Council, and other working bodies such as the FCCI committees and working groups.
This document is the basis for what most of us know as FedRAMP – the Federal Risk and Authorization Management Program. FedRAMP will provide standard Assessment and Authorization (A&A) services for cloud computing solutions used by multiple Federal agencies. The published document includes: the FedRAMP baseline security requirements, suggested A&A processes, and details on the role of FedRAMP in continuous monitoring. Reference documents with additional information have also been published.
All documents are available for downloading at http://www.FEDRAMP.gov.
This document and the FedRAMP program in general have been top priorities for the FCCI over the past year and much of the initial content for this document stems from work completed by the Cloud Computing Advisory Council’s Security Working Group. Our PMO sincerely appreciates the time and effort that you all provided to make this a reality.
However, the work is not done. As the title implies, these are proposed documents for A&A’s of cloud systems through FedRAMP. We know the work we have done is not perfect and are seeking help to improve this document. We are requesting feedback from the community to make FedRAMP work for the Federal Government as well as the vendor community. As members of the FCCI’s governance groups, we would appreciate your input once again before the first phase of FedRAMP becomes operational in the first quarter of CY2011. The document can be accessed at http://www.FedRAMP.gov, and all comments must also be submitted through this website. The comment period ends at 11:59 pm EST on Thursday, December 2, 2010. We look forward to your feedback and are grateful for the role that you all played in the creation of this document.
Thank you again and congratulations!