Federal Agencies Jittery over CloudGuidance is Lacking as Government Awaits Further Action
Testifying before Congress Thursday, the information security issues director of the Government Accountability Office said 22 of the 24 large federal agencies have expressed concerns about the potential hazards cloud computing presents despite initiatives launched by the Office of Management and Budget and the General Services Administrations.
"Guidance is lacking," GAO's Gregory Wilshusen told the House Homeland Security Committee, despite efforts taken by the Office of Management and Budget and General Services Administration. "But (OMB and GSA) have not completed key actions related to cloud computing security."
Wilshusen cited ineffective or noncompliant security practices of service providers, the inability of customers to examine controls, the prospect of data leakage and the loss of data if a cloud service is terminated. "These risks are related to the dependence on security practices of the provider and the sharing of resources," Wilshusen said.
David McClure, GSA's associate administrator of citizen services and innovative technologies, told lawmakers the initiative known as FedRAMP - Federal Risk and Authorization Management Program - should mitigate many of the risks associated with contracting cloud computing services. FedRAMP allows a federal agency to assess the security of cloud computing services and products and authorize their use, letting other agencies piggyback on the first agency's approval (see Speeding Cloud Adoption Through New FedRAMP Initiative).
Through FedRAMP, McClure said, a uniform baseline of minimal controls will be established, based on existing National Institute of Standards and Technology standards and new controls, which would ensure that agencies and cloud service providers understand the minimal requirements of protecting the data. He pointed out that later this fall NIST is expected to issue new cloud computing guidance that should illuminate best practices in choosing secure cloud services.
Still, after listening to the witnesses, Committee Chairman Dan Lungren, R-Calif., lamented that the benefits of cloud computing may not be what they seem. "Sometimes things sound too good to be true," he said. "What assurances do we have as we move towards the cloud?" Lungren suggested stronger IT security awareness should help. "But," he said, "if there's not awareness ... it's not going to happen."
Question Raised over DHS's Foreign Cloud Provider
During the hearing, the ranking Democratic member of the committee, Bennie Thompson of Mississippi, questioned Department of Homeland Security Chief Information Officer Richard Spires about a cloud services contract DHS awarded to CGI Federal Inc., a subsidiary of Montreal-based CGI Group. Thompson expressed concern about CGI's foreign roots.
Spires assured Thompson that DHS has complied with all regulations in issuing the CGI contract, and placed a clause in the agreement that everyone who works on the cloud program must be an American citizen and that all data would remain on servers located in the United States. The hosting of the data will be at two data centers in the U.S., Spires said.
The DHS CIO said cloud services contracts the agency has with companies like CGI will save the government money. Spires estimated that DHS should see savings of 8 to 10 percent once it migrates selected data and systems to the cloud.