…Or at least that’s what we should do if cloud computing is to gain broad adoption, according to experts who spoke at the Strategies and Technologies for Cloud Computing Interoperability meeting this week (Washington Technology report).
My observations of this discussion show that the biggest obstacles to the adoption of cloud computing in the Federal government are concerns over security and compliance to FISMA. FISMA regulations were written before cloud computing was a twinkle in Jeff Bezos’s eye, but now that he and legions of others are on the cloud computing bandwagon, these concerns prevent agencies from jumping in with both feet. FISMA assumes, for example, that agencies know where their data and systems are physically located, and that they can be physically audited. This runs completely contrary to the whole point of cloud computing (also known as utility computing), where you “switch on” and “switch off” computing capacity as you need it. You don’t care where it’s located, and nor should you; you merely have confidence that, when you need it, computing capability will be available — just like the electricity supply.
Several agencies are piloting cloud computing technologies now. Getting these initiatives into production, however, will require a change in the FISMA regulations — changes which, I understand, are currently being contemplated.
An early player in the emerging market for Federal cloud computing — http://www.fedcloud.com/ — represents a partnership between two firms, Apptis and ServerVault.
Ah, we know both of those folks very well (Apptis is on our OMB team) and we’re talking to them about this offering. However, it’s not “cloud” in the sense of “utility computing” but more a “large scale managed services” approach. At least, that’s how I see it!
If you think a revision to FISMA or NIST’s Framework for FISMA is going to include cloud computing, you’re in way over your head.
On the surface, the problem is framed as a “FISMA Compliance” issue but really it’s about “Do I trust my cloud provider to act in my best interest?” or “What kind of transparency into what’s happening behind the scenes with my data and the people who access it?” FISMA is the best flag to waive to get what your really need.
Think about it: if you are the Government and your cloud provider drops tapes off the back of a delivery truck, will you hear about it? Do you want to hear about it? What contractual obligation does the cloud provider have to tell you about it, and ethically should they tell you about it?
FISMA the law requires that each agency manage the IT systems to an “adequate” level of security with ~8 high-level tasks that agencies must perform–security planning, risk assessment, awareness training, etc. This is compatible with cloud computing as long as you have transparency and compensating controls.
Now the NIST FISMA Framework can be interpreted that you have to physically audit everything, and that’s how an auditor will read it. The guidance is already there, only nobody ever reads that part. Have a look at Section 2.4 of 800–53–it recommends compensating controls for commercial service providers and that’s about all you will get from NIST on the subject. The key as a cloud service provider is to provide a demonstrable level of security that meets what we would call “adequate”.
Thanks for your very considered comment! You obviously know your subject very well, and you’re clearly far more familiar with FISMA than I am. 🙂 The guidance that I’ve received from CISOs in government is that conducting a C&A and getting FISMA compliance in the cloud is a non-starter, precisely because of the reasons mentioned in the blog posting.
If there’s an avenue to address that within the existing regulations, I’m not aware of any agency that’s investigated it. Everyone I’ve spoken to has said, “FISMA needs to be updated to allow it” not “There’s a clause we’re unwilling to use.”
The bottom line is that *someone* has to be the first to go through the FISMA/C&A process in the cloud, and no-one has yet done so. But once it’s completed for the first time, you can bet that it’ll be used as a precedent that others will cite for their own projects.
Do you know of anyone who’s successfully gone through a C&A process for a cloud-based system in government?