A Federal Cloud Computing Roadmap

John Curran
ServerVault Corp

“A Federal Cloud Computing Roadmap” Slide 1


A Federal Cloud Computing Roadmap
Provides one possible answer to the question:

“What set of actions by the cloud computing industry (and related parties)
would allow Federal agencies to gain the benefits of cloud computing while
maintaining compliance with Federal IT policy?”

Why is this important to discuss?

• The US Government is a potentially large, influential customer for the
cloud computing community
• The closer we are to consensus on a roadmap for the solution, the less
fear, uncertainty and doubt will remain in circulation for our industry
• Some technical controls may have interoperability or coordination aspects
that have long lead times


Cloud Computing is “Outsourced IT”
FISMA (Title III, Pub. L. No. 107-347), Section 3544(b)
requires each agency to provide information security for
the information and “information systems that support
the operations and assets of the agency, including those
provided or managed by another agency, contractor, or
other source.”

OMB M-08-21 includes specific guidance for use of contractor, outsourced,
and/or SaaS services:
• Security controls must be provided commensurate with the risk and
magnitude of harm from damage to the information system (Risk Impact Level)
• Agencies must ensure all FISMA policy requirements are met, including
identical (not “equivalent”) security procedures and processes
• Service providers must work with agencies to meet all requirements,
including an annual agency audit/evaluation


Risk Impact Level & Authorization
FIPS Publication 199 requires that agencies categorize their unclassified
information and information systems into three levels of potential impact on
the organization/agency or on individuals should there be a breach of security
(i.e., a loss of confidentiality, integrity, or availability):

The potential impact is LOW if the loss of confidentiality, integrity, or
availability could be expected to have a limited adverse effect on
organizational operations, organizational assets, or individuals.

The potential impact is MODERATE if the loss of confidentiality, integrity, or
availability could be expected to have a serious adverse effect on
organizational operations, organizational assets, or individuals.

The potential impact is HIGH if the loss of confidentiality, integrity, or
availability could be expected to have a severe or catastrophic adverse effect
on organizational operations, organizational assets, or individuals.

FIPS Publication 200 requires that agencies employ, at minimum, an
appropriately tailored set of security controls (i.e., a security plan) from
the corresponding security control baseline in NIST SP 800-53, selected
according to the highest risk impact level of any information contained in
the system.

The Security Authorization Process requires preparation of a security plan,
an assessment of the security controls, and a plan to address any outstanding
issues.

The Federal CIO’s Dilemma
1. Enormous pressure to deploy timely, cost-effective IT systems
2. An Administration agenda that includes expectations of the benefits of
new IT technologies, including virtualization, collaboration, utility and
cloud computing
3. Responsibility for compliance with numerous IT policy mandates, both
federal and agency-specific
4. Varying financial and organizational support for common infrastructure
(e.g., authentication, change control systems) and fear of vendor lock-in
with any sizable deployment
5. The FISMA-specific compliance requirement to explicitly define the
security controls for authorization of any new IT system

Cloud Computing can address #1 & #2 today.

With some common industry effort, Cloud Computing can help with
#3, #4, and #5.



Federal Cloud Computing & Compliance
For many agency applications, stringent compliance requirements
in areas such as privacy, financial controls, and health information
will preclude use of “public clouds”, regardless of the actual
security controls of the provider.

The cloud computing industry needs to recognize that there is a difference
between security [providing adequate protection from risks] and compliance
[performing in specific, documented adherence to policy], and that this
difference will result in agencies having to establish their own private
cloud infrastructures.

The technical standards that allow private clouds to interface with public
clouds for workload surge, segmentation of processing, continuity of
operations, etc. are therefore an important topic for discussion in the
cloud community.


Federal Cloud Computing & Lock-In

Federal procurement goes to significant contractual lengths to ensure that
the government can obtain full productive use of anything it procures, and in
the past that has meant interesting terminology in areas such as software
licensing, technology rights, etc.

The cloud computing industry needs technical standards for interoperability
not only to meet agency requirements for mobility of applications and data
between providers, but also to avoid the alternative: having to provide
technology and software rights (as theoretical relief from vendor lock-in),
which will otherwise be sought.

This makes technical standards for migration of systems between providers
[servers, data volumes, network devices, and entire application
environments] also an important topic for discussion in the cloud community.


Federal Cloud Computing & FISMA
The Federal CIO Council has established a cloud computing working group
which is looking into this issue and will make recommendations on the best
path forward for agencies that wish to utilize cloud service providers.

Explicit documentation of FISMA security controls and their implementation
is presently required for all Federal IT security authorization decisions,
and it seems improbable that this requirement would change for federal
applications which could have serious or catastrophic effects on the
organization if disclosed, compromised or made unavailable.

However, there are existing, proven mechanisms for documenting security
controls in commercial providers [e.g., WebTrust/SysTrust, SAS 70, and
PCI DSS], and these might be deemed appropriate compensating controls for
Low Impact IT systems. Cloud providers should consider exploring these
programs in preparation.


Thank You!
• Questions?

• Contact Information:

John Curran
CTO & COO
ServerVault Corp

+1 703 652 5980
jcurran@servervault.com