Cloud Provider Evaluation

profilematador
GAO-10-513InformationSecurity_FederalGuidanceNeededtoAddressControlIssueswithImplementingCloudComputing.pdf

Information Security: Federal Guidance Needed to Address Control Issues with Implementing

Cloud Computing comprises public domain material from the U.S. Government

Accountability Office. UMGC has modified this work.

Cloud Computing Has Both Positive and Negative Information Security Implications

Cloud computing can both increase and decrease the security of information systems. Potential information security benefits include those related to the use of virtualization, such as faster deployment of patches, and from economies of scale, such as potentially reduced costs for disaster recovery. Risks include those related to dependence on the security assurances of a vendor; dependence on the vendor; and concerns related to multitenancy, or sharing computing resources among different organizations. However, these risks may vary based on the cloud deployment model.

Cloud Computing Can Provide Potential Information Security Benefits

The use of cloud computing has the potential to provide several benefits related to information security. These benefits are related to the attributes of cloud computing—specifically, its use of virtualization and automation, broad network access, potential economies of scale, and use of self- service technologies.

The use of virtualization and automation in cloud computing can expedite the implementation of secure configurations for virtual machine images. Department of Defense (DOD) officials responsible for one cloud computing program stated that virtualization allows a cloud computing provider to rapidly replicate secure configurations for cloud-based virtual servers, rather than manually applying secure configurations to physical servers, which could be required in a traditional environment that has not employed virtualization techniques. Private sector representatives also stated that virtualization can allow faster deployment of secure server configurations, security upgrades, and patches for security vulnerabilities than a traditional computing infrastructure can.

Other advantages relate to cloud computing’s broad network access and use of Internet-based technologies. For example, several agencies stated that cloud computing provided a reduced need to carry data in removable media because of the ability to access the data through the Internet, regardless of location. NIST officials stated that shifting public data to a public cloud using the Internet that is separate from the agency’s internal network is a means of network segmentation that may reduce exposure of sensitive data on the agency’s internal network.

Additional advantages relate to the potential economies of scale and distributed nature of cloud computing. For example, in response to our survey, 22 of the 24 agencies identified low-cost disaster recovery and data storage as a potential benefit. Specifically, cloud computing may provide a cheaper way to store backup copies of information. Agencies also stated

Page 15 GAO-10-513 Cloud Computing

Page 16 GAO-10-513 Cloud Computing

that a cloud provider may have more resources to devote to security than the agency may have available. The large-scale and mitigation techniques that cloud providers offer may also reduce vulnerability to denial of service attacks. Department of Transportation (DOT) officials responsible for a cloud computing program noted that the program’s Web site, which used a cloud computing service provider, was better able to withstand a denial of service attack because of the use of the cloud provider. The National Aeronautics and Space Administration (NASA) officials responsible for another cloud computing program stated that it may require less effort for cloud computing customers to ensure effective information security if information security controls were already implemented by the provider. Customers could also be freed from the responsibility of maintaining a physical infrastructure, as well as resolving management, operational, and technical issues related to the underlying cloud platform, although the customers would still be responsible for ensuring these issues are addressed and that data are adequately protected.

The self-service aspect of cloud computing may also provide benefits. For example, 20 out of the 24 agencies identified the ability to apply security controls on demand as a potential benefit. A private sector representative stated that cloud computing provided the ability for more flexible and granular control of security. For example, features such as encryption and monitoring could be individually applied as needed. Table 2 lists potential benefits of cloud computing grouped by cloud computing attribute.

Table 2: Potential Benefits of Cloud Computing

Attribute Potential benefit

Virtualization and automation Rapid replication of securely configured servers, security upgrades, and patches

Broad network access Reduced need to carry data in removable media Ability to shift data needed by public away from internal agency network

Economies of scale and distributed infrastructure

Low-cost disaster recovery and storage Resistance to denial of service attack

On-demand self-service Apply security controls on demand

Individually apply features such as encryption and monitoring

Source: GAO analysis of agency and private sector data.

Cloud Computing Can Create Information Security Risks

In addition to benefits, the use of cloud computing can create numerous information security risks for federal agencies. Twenty-two of the 24 agencies reported that they are either concerned or very concerned about the potential information security risks associated with cloud computing. These concerns include risks related to being dependent on a vendor’s security assurances and the vendor, and risks related to the use of multitenancy.

Several cloud computing information security risks relate to the ability to rely on a vendor’s security assurances and practices. Specifically, several agencies stated concerns about

• the possibility of ineffective or noncompliant service provider security controls—which could lead to vulnerabilities affecting the confidentiality, integrity, and availability of agency information;

• the potential loss of governance and physical control over agency data and information—that is, in using cloud computing services, the agency cedes control to the provider for the performance of certain security controls and practices;

• the insecure or ineffective deletion of agency data by cloud providers once services have been provided and are complete; and

• potentially inadequate background security investigations for service provider employees—which could lead to an increased risk of wrongful activities by malicious insiders.

Of particular concern is dependency on a vendor. All 24 agencies specifically noted concern about the possibility of loss of data if a cloud computing provider terminated its services. For example, the provider and the customer may not have agreed on terms to transfer or duplicate the data. The European Network and Information Security Agency also identified dependency on a vendor as a high risk, noting the lack of tools, procedures, or standard data formats to ensure data, application, and service portability. The agency stated that this can make it difficult for the customer to migrate from one provider to another or to migrate data and services back to an in-house IT environment. One member of GAO’s

Page 17 GAO-10-513 Cloud Computing

Executive Council on Information Management and Technology16 stated that if an agency chooses to implement cloud computing, at some point in the future the vendor may want to raise the cost for use of the cloud. The agency may then have no alternative to paying the cost because it lacks the technical ability to bring the service back in-house.

Multitenancy and use of shared resources can also increase risk. Twenty- three out of the 24 agencies identified multitenancy as a potential information security risk because one customer could intentionally or unintentionally gain access to another customer’s data, causing a release of sensitive information.

Additional concerns relate to exchanging authentication information on users and responding to security incidents. For example, NASA officials responsible for a cloud computing program stated that identity management and user authentication are a concern because customers and a provider may need to establish a means to securely exchange and rely on authentication and authorization information for system users. In addition, responding to security incidents may be more difficult in a shared environment because there could be confusion over who performs the specific tasks—the customer or the provider. The Nuclear Regulatory Commission emphasized the importance of a clear delineation of responsibilities as they relate to incident response management, whereby the cloud computing service provider has the responsibility to report the security incident to the agency and the agency is responsible for reporting the incident to the appropriate government entity.

Another concern is the increased volume of data transmitted across agency and public networks. This could lead to an increased risk of the data being intercepted in transit and then disclosed.

NIST also stated that cloud computing security is dependent on the security of a user’s Internet browser, and that vulnerabilities in the browser can create vulnerabilities for the cloud computing service.

16The Executive Council on Information Management and Technology members include experts from the public and private sectors and representatives of related professional organizations who are widely recognized in IT and information management areas. Council members provide expert perspectives to senior GAO executives on performance goals contained in GAO’s strategic plan that guide GAO’s work in the areas of information security, information management, and IT management.

Page 18 GAO-10-513 Cloud Computing

Page 19 GAO-10-513 Cloud Computing

Although there are numerous potential information security risks related to cloud computing, these risks vary based on the particular deployment model. For example, NIST states that private clouds may have a lower threat exposure than community clouds, which may have a lower threat exposure than public clouds. Officials from another agency stated that they are considering implementing a private cloud behind their agency’s firewall because of the moderate-to-high impact classification of sensitive data they were considering placing into this system.17 Several agency officials and industry representatives stated that initial use of public clouds may be focused on low-impact information. However, several industry representatives also stated that making general statements based on cloud deployment models may be misleading and that an agency would need to examine the specific security controls of the vendor they were evaluating. Table 3 lists potential risks of cloud computing.

Table 3: Potential Risks of Cloud Computing

Risk Explanation

Reliance on vendor’s security assurances and practices

An agency is dependent on a provider’s ability to ensure effective security. A provider may have security weaknesses such as ineffective or noncompliant security controls. For example, a provider may not maintain adequate physical control over agency data and information or may have inadequate background investigations for provider employees.

Dependence on a vendor If the agency and provider do not agree on a means to transfer or duplicate data, data may be lost if a provider ends its service. An agency that uses a cloud computing provider may also lose the technical ability to bring the information system back in-house.

Insecure or ineffective identity management

Agencies and a cloud provider may need to securely exchange and rely on sensitive authentication and authorization information for system users.

Unclear responsibilities for incident response

There may be confusion over roles and responsibilities between agency and provider.

Source: GAO analysis of agency and private sector data.

17FIPS Special Publication 199 defines three levels of potential impact on organizational operations, assets, or individuals should there be a breach of security. Low applies when the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect; moderate applies when the loss could be expected to have a serious adverse effect on operations, assets, or individuals; and high applies when the loss could be expected to have a severe or catastrophic adverse effect.

Federal Agencies Have Begun Efforts to Address Information Security Issues for Cloud Computing, but Specific Guidance Is Lacking and Efforts Remain Incomplete

Federal agencies have started to address information security when using cloud computing; however, they have not always developed corresponding guidance. Furthermore, agencies that have implemented cloud computing efforts have faced challenges in implementing existing federal information security guidance and identified the need to streamline and automate the process of implementing this guidance. While several governmentwide cloud computing security activities are under way by organizations such as OMB and the General Services Administration (GSA), significant work remains to be completed. In addition, NIST has begun certain efforts related to cloud computing information security, but its existing guidance is not specific to cloud computing issues, and it has only begun plans to issue cloud-specific security guidance.

Agencies Have Taken Steps to Address Information Security Issues for Cloud Computing, but Have Not Always Developed Corresponding Policies or Procedures and Face Challenges in Implementing Existing Guidance and Processes

About half of the 24 agencies we asked reported using some form of cloud computing for obtaining either infrastructure, platform, or software services. These agencies identified measures they are taking or plan to take when using cloud computing. Specifically, 23 of the 24 agencies reported that they currently write or plan to write and enforce comprehensive service-level agreements to include information security control requirements and currently use or plan to use appropriate encryption when using cloud computing. Further, 22 of the 24 agencies responded that they currently limit or plan to limit the type of information placed in a cloud, while 21 of the 24 agencies currently limit or are planning to limit the type of cloud deployment model used. Appendix II includes descriptions of three case studies of cloud computing implementations in the federal government, including steps taken to address information security.

However, these actions have not always been accompanied by the development of related policies or procedures. Of the 23 agencies that reported writing and enforcing or planning to write and enforce comprehensive service-level agreements when using cloud computing, 9 agencies have approved and documented policies and procedures for doing so. Fifteen agencies have documented policies and procedures for the use of encryption. Just four agencies responded that they have documented policies and procedures limiting the type of information placed in a cloud and two agencies responded that they have documented policies and procedures limiting the type of cloud deployment model used. The lack of approved and documented policies and procedures to ensure effective information security when using cloud computing could place sensitive information in a cloud environment at risk.

Page 20 GAO-10-513 Cloud Computing

Most agencies identified challenges and concerns in implementing existing information security laws and guidance. For example, 20 of the 24 agencies identified concerns about service provider compliance with and implementation of government information security requirements. Agencies also expressed concerns about limitations on their ability to conduct independent audits and assessments of security controls of cloud computing service providers.

Agencies Have Concerns About Ensuring Vendor Implementation of Information Security Requirements

Several industry representatives agreed that compliance and oversight issues are a concern. However, the representatives also stated that requiring each individual agency that uses a service provider to conduct its own assessment of controls and audits and complete a separate assessment and authorization process would be burdensome and remove the cost advantages offered by cloud computing. In response, representatives raised the idea of having a single government entity or other independent entity conduct security oversight and audits for cloud computing service providers. The process could be similar to the Statement on Auditing Standards (SAS) 70 audit process often used as part of financial audits.18 A SAS 70 report is issued by an independent auditor for a service provider that processes financial data on behalf of others; it discusses the effectiveness of the service provider’s internal controls over the processing of transactions that may be relevant to the financial reporting of customers. Management of the customer organization and its auditor may use this report to assess the internal control policies and procedures at the service provider as part of the overall evaluation of the internal control at the customer organization. Some cloud computing service providers have obtained a SAS 70 audit for use and review by its customers. In discussing the use of SAS 70 reports to meet information security requirements, OMB Memorandum M-09-2919 states that it is the agency’s responsibility to ensure that

• the scope of the SAS 70 audit is sufficient and fully addresses the specific contractor system requiring FISMA review, and

18SAS 70 will soon be superseded by two new standards: a new audit standard for audits of entities that use service providers and a new attestation standard for reporting on controls at a service provider.

19OMB, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, Memorandum M-09-29 (Washington, D.C., Aug. 20, 2009).

Page 21 GAO-10-513 Cloud Computing

• the audit encompasses all controls and requirements of law, OMB policy, and NIST guidance.

There are attestation standards, similar to those in SAS 70, that could be used to provide an assessment of controls at a service provider that relates to the effective implementation of security and compliance with specified requirements of laws and guidance. However, the scope of an audit based on a standard such as SAS 70 is defined by the service provider and could exclude key controls essential to effectively protecting agency information. Therefore, if an attestation report on security effectiveness and compliance with laws and guidance is used, it is critical that the scope of the controls addressed by the attestation report is sufficient to meet agency requirements.

Agencies also stated that having a cloud service provider that had been precertified as being in compliance with government information security requirements through some type of governmentwide approval process would make it easier for them to consider using cloud computing. For example, DOT officials implementing the Car Allowance Rebate System program stated that having a cloud service provider that was precertified to process federal financial transactions may have made implementation of the payment processing system for the program easier. Until such precertified providers are in place, the adoption of cloud computing may be limited.

In their efforts to ensure information security in cloud computing, agencies have had to re-examine and, at times, change related processes, documentation, and roles and responsibilities. For example, DOD officials implementing a cloud computing program identified the need to improve related DOD business processes, including those related to security. The existing DOD process required for risk assessment and assessment and authorization for information systems created challenges because of its focus on stand-alone systems and multiple levels of organizational review. In response, the program office worked with a contractor to re-engineer the process and reduce the time needed to complete information security requirements for new systems. NASA officials also noted the increased complexity of information security-related document maintenance in a shared owner environment and took steps to address this issue.

Processes, Documentation, and Division of Roles and Responsibilities for Cloud Computing Create Challenges

Other agency concerns related to the division of information security responsibilities between customer and vendor. For example, both DOD and NASA officials responsible for cloud computing implementations at

Page 22 GAO-10-513 Cloud Computing

their agencies stated that a clear division of security roles and responsibilities in cloud computing was important. For example, NASA officials divided responsibility for the security controls in NIST SP 800-53 Revision 3 for low-impact systems into customer and provider controls and found that the customer had primary responsibility for 47 of the 112 total controls. Similarly, DOD officials also divided responsibilities for the corresponding DOD information assurance controls between customers and service providers. Both sets of agency officials commented on the challenges in analyzing and maintaining such a division of responsibilities but noted that clear assignment of responsibilities was important for effective information security.

Several Governmentwide Cloud Computing Information Security Initiatives Have Been Started, but Key Guidance and Efforts Have Not Been Completed

To address cloud computing security issues, the executive branch has begun several initiatives. However, these initiatives have not yet been completed. For example, OMB stated that it began a federal cloud computing initiative in February 2009; however, it does not yet have an overarching strategy or an implementation plan. According to OMB officials, the initiative includes an online cloud computing storefront managed by GSA and will likely contain three pilot cloud computing projects, each with a lead agency: (1) a voucher payment portal led by the Department of the Treasury; (2) a tool for citizen interaction to support open government led by GSA; and (3) a citizen services dashboard led by GSA. However, as of March 2010, a date had not been set for the release of the strategy or for any of the pilots. In addition, OMB has not yet defined how information security issues, such as a shared assessment and authorization process, will be addressed in this strategy.

Federal agencies have stated that additional guidance on cloud computing security would be helpful. Addressing information security issues as part of this strategy would provide additional direction to agencies looking to use cloud computing services. Until this strategy has been completed, agencies will lack clear direction in how to ensure information security while implementing cloud computing services.

GSA has established a Cloud Computing Program Management Office that manages several cloud computing activities within GSA and provides administrative support for cloud computing efforts by the federal Chief Information Officers (CIO) Council. Specifically, the program office manages a storefront, www.apps.gov, established by GSA to provide a central location for federal agencies to purchase several software as a service cloud computing applications, including

GSA Has Established Program Office and Cloud Computing Storefront, but Key Procurement Has Been Delayed in Part Due to Information Security Concerns

Page 23 GAO-10-513 Cloud Computing

• business applications, such as data analysis, human resources, and financial management software, and tools for tracking and monitoring various types of activities;

• office productivity applications, which include standard word processing and spreadsheet applications, and also applications used for brainstorming, collaboration, document management, and project management; and

• social media applications that are focused on making it easier to create and distribute content and that enable people to communicate easily and share information.

GSA plans to expand the storefront by also providing infrastructure as a service cloud computing offerings such as storage, virtual machines, and Web hosting. To this end, GSA began a procurement process by issuing a request for quotations in July 2009. The request asked for quotations to provide the government with required documentation on vendors’ offerings of cloud storage services, virtual machines, or cloud Web hosting. These services would be available through the www.apps.gov storefront. The procurement closed in September 2009, with nine vendors submitting quotations.

However, addressing information security issues has been a significant challenge in the procurement. GSA officials stated that as they were analyzing the submitted quotations, one issue they were attempting to resolve was establishing a process for federal agencies to work with GSA to complete the information security assessment and authorization process when using these services. In early March 2010, GSA canceled the request and announced plans to begin a new request process, in part due to concerns and challenges in addressing information security. Specifically, the new request will ask for services that meet the level of security for both low- and moderate-impact systems as defined in FIPS 199 and NIST SP 800-53. The canceled request required only low-level security. GSA stated that providing cloud computing services that meet both low- and moderate-impact information security controls would allow a broader range of services and customers. GSA officials also stated that they need to work with vendors after a new procurement has been completed to develop a shared assessment and authorization process, but have not yet developed specific plans to do so.

Adding moderate-impact controls to the request may increase demand for the infrastructure services when the procurement is completed; however, establishing both an assessment and authorization process for customers

Page 24 GAO-10-513 Cloud Computing

Page 25 GAO-10-513 Cloud Computing

of these services and a clear division of security responsibilities will help ensure that these services, when purchased and effectively implemented, protect sensitive federal information.

The CIO Council established the Cloud Computing Executive Steering Committee to promote the use of cloud computing in the federal government. The GSA Cloud Computing Program Management Office provides technical and administrative support for the committee. The committee consists of an overall advisory council and these four subgroups:

• The communications subgroup provides information on the status of cloud computing in the federal government and is planning an information portal for the www.apps.gov storefront.

• The operational excellence subgroup examines cloud computing implementations at federal agencies, assists agencies in evaluating potential applications for cloud computing, and identifies possible improvements to the storefront.

• The standards subgroup is helping develop standards related to interoperability and portability of cloud computing services.

• The security subgroup is addressing several issues related to information security and cloud computing.

The security subgroup has begun developing recommendations for a streamlined assessment and authorization process through the Federal Risk and Authorization Management Program. This process would address authorizing operation of a system, including the development and implementation of risk assessments and security controls. For example, according to GSA, the program is to provide joint authorizations and continuous monitoring services for all federal agencies with an initial focus on cloud computing. The process would rely on several key steps of the process being performed by a governmentwide organization, while the final authorization to operate a system would still be made by a designated official at the agency purchasing the service. According to a summary provided by GSA, the goals for this process include providing better security and privacy, clearer communication of security requirements for government and industry, improved efficiency and broad acceptance for agencies, and compliance with existing federal information security guidance and legislation. Officials involved in the process have noted the

Federal CIO Council Has Established Cloud Computing Executive Steering Committee but Has Not Finalized Key Process or Guidance

need to clearly delineate security control responsibilities between providers and customers. The group is currently working with its members to define interagency security requirements for cloud systems and services and related information security controls from both the moderate and low baselines specified in NIST SP 800-53 Revision 3.

According to GSA, a draft of the new assessment and authorization process has been approved by the Cloud Computing Executive Steering Committee. However, a deadline for completing development and implementation of this process had not been established. A particular concern of the committee is the requirement for agency CIOs to certify the adequacy of information security controls for systems that they do not own or operate. GSA officials involved in this effort stated that it may be up to OMB to clearly establish that agencies will be able to rely on the shared process.

In addition to the Executive Steering Committee and its subgroups, another component of the CIO Council is working on information security issues related to cloud computing. The group, which is part of the CIO Council’s Information Security and Identity Management Committee, is currently developing a white paper on guidelines for the secure use of cloud computing for federal departments and agencies, according to a co- chair of this group. The paper is intended to provide agencies with guidelines, use cases, and scenarios to help program managers make risk- based decisions when selecting cloud deployment and service models.

Federal agencies responding to our information request, officials of the cloud computing case studies described in appendix II, and private sector representatives have all identified concerns with how to properly and efficiently complete activities related to the assessment and authorization process, including control selection and testing, when using cloud computing. Until a clear, comprehensive, and efficient process has been established, adoption of cloud computing in the federal government may be limited, and cloud computing programs that are implemented may not have appropriate information security controls in place.

NIST is responsible for establishing information security guidance for federal agencies to support FISMA. Cloud computing is an emerging model for IT, and NIST has not yet established guidance specific to cloud computing. However, according to its officials, the institute has begun several other activities related to cloud computing. For example, it has developed a definition of cloud computing and is participating in the activities of the CIO Council subgroups.

NIST Is Coordinating Activities with CIO Council but Has Not Established Cloud-Specific Guidance

Page 26 GAO-10-513 Cloud Computing

The NIST official leading the institute’s cloud computing activities stated that existing NIST requirements apply to cloud computing and can be tailored to the information security issues specific to cloud computing. However, as previously discussed in this report, both federal and private sector officials have made clear that existing guidance is not sufficient. At the conclusion of our review, NIST officials stated that the institute is planning to issue guidance on cloud computing and virtualization but had not yet finalized the topics that it would cover and had not determined a date for issuing this guidance.

Our analysis also indicates areas where existing NIST guidance does not clearly address information security issues specifically related to cloud computing. While NIST SP 800-53 covers general security areas important to cloud computing to some extent, the guidance lacks specificity in key security areas. For example, NIST guidance does not directly address key cloud computing security issues such as portability and interoperability, data center operations, and virtualization. Both public and private sector officials identified interoperability issues and concerns about virtualization as challenges agencies face when making decisions on whether to implement cloud computing. At the end of our review, NIST officials stated that SP 800-53 was not intended to be specific to a particular type of computing, such as cloud computing, but agreed that areas such as portability and interoperability were important in implementing cloud computing and they were considering including them in future NIST publications.

Furthermore, federal agencies stated that establishing a clear delineation of security control responsibilities between providers and customers is a challenge, but existing NIST guidance does not fully address these issues or establish a process for doing so. Existing NIST guidance addresses the establishment of interconnection security agreements between different organizations; however, the guidance is not specific to issues related to cloud computing. For example, NIST guidance does not address the division of information security responsibilities when several organizations are involved in cloud computing or possible variations in these roles and responsibilities due to the use of different cloud deployment and service models. Until federal guidance addresses information security issues specific to cloud computing and provides information on how to divide responsibilities between providers and customers, agencies may not be able to effectively ensure the security of their systems when using cloud computing.

Page 27 GAO-10-513 Cloud Computing

About half of the 24 agencies are using various models of cloud computing, and many others are interested in using it; however, implementation of this emerging technology presents both information security benefits and risks. Agencies have taken steps to address cloud computing security but have not always developed corresponding guidance. The use of attestation standards and precertification of cloud service providers may provide a way for agencies to ensure information security when using cloud computing service providers. However, OMB has not yet developed a strategy that addresses the information security issues related to cloud computing, and guidance from individual agencies and NIST to ensure information security is insufficient. While the federal CIO Council is developing a shared assessment and authorization process, which could help foster adoption of cloud computing, this process remains incomplete, and GSA has yet to complete its procurement of cloud computing infrastructure as a service offerings for its storefront, in part due to security concerns. Until federal guidance and processes that specifically address information security for cloud computing are developed, agencies may be hesitant to implement cloud computing, and those programs that have been implemented may not have effective information security controls in place.

To assist federal agencies in identifying uses for cloud computing and information security measures to use in implementing cloud computing, we recommend that the Director of OMB take the following three actions:

Conclusions

Recommendations for Executive Action

• Establish milestones for completing a strategy for implementing the federal cloud computing initiative.

• Ensure the strategy addresses the information security challenges associated with cloud computing, such as needed agency-specific guidance, the appropriate use of attestation standards for control assessments of cloud computing service providers, division of information security responsibilities between customer and provider, the shared assessment and authorization process, and the possibility for precertification of cloud computing service providers.

• Direct the CIO Council Cloud Computing Executive Steering Committee to develop a plan, including milestones, for completing a governmentwide security assessment and authorization process for cloud services.

To assist federal agencies in selecting and acquiring precertified cloud computing products and services, we recommend that the Administrator

Page 28 GAO-10-513 Cloud Computing

of GSA, as part of the procurement for infrastructure as a service cloud computing technologies, ensure that full consideration is given to the information security challenges of cloud computing, including a need for a shared assessment and authorization process.

To assist federal agencies in implementing appropriate information security controls when using cloud computing, we recommend that the Secretary of Commerce direct the Administrator of NIST to issue cloud computing information security guidance to federal agencies to more fully address key cloud computing domain areas that are lacking in SP 800-53, such as virtualization, data center operations, and portability and interoperability, and include a process for defining roles and responsibilities of cloud computing service providers and customers.

In providing comments on a draft of this report, OMB, GSA, and the Department of Commerce, stated that they generally concurred with the contents and recommendations of the report. The agencies’ comments and our responses are summarized below:

Agency Comments and Our Evaluation

• In written comments on a draft of this report, the Federal Chief Information Officer stated that OMB agreed with our recommendations. He described efforts under way for developing a cloud computing strategy, stating that OMB intends to develop such a strategy over the next 6 months. In addition, he stated that OMB agrees that the strategy must address the security challenges associated with implementing cloud computing and has established a group to study, propose, and implement a solution for governmentwide assessment and authorization. The Office of Management and Budget’s comments are reprinted in appendix III.

• In written comments on a draft of this report, the Administrator of GSA stated that GSA agreed in part with our findings and recommendation to complete the procurement for infrastructure as a service cloud computing technologies and ensure that it includes full consideration of the information security challenges of cloud computing. The Administrator stated that GSA will reissue the procurement request in May 2010. She also provided additional information on the Federal Risk and Authorization Management Program, which we have incorporated in the report as appropriate. In subsequent discussions with GSA, we revised our recommendation to clarify its intent, and agency officials stated that GSA had reissued the request on May 12, 2010, and fully agreed with our recommendation. GSA’s comments are reprinted in appendix IV.

Page 29 GAO-10-513 Cloud Computing

• In written comments on a draft of this report, the Secretary of Commerce concurred with our recommendation. He noted that NIST expects to release a virtualization document for public comment in June 2010 and release a cloud computing document for public comment in September 2010. In addition, the Secretary provided technical comments which we incorporated in the draft as appropriate. Comments from the Department of Commerce are reprinted in appendix V.

We provided a draft of this report to the other 22 major federal agencies to which we did not make recommendations and received technical comments from 4 agencies. We have incorporated these comments in the report as appropriate.

As agreed with your offices, unless you publicly announce the contents of

this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies to interested congressional committees, the Director of OMB, the Secretary of Commerce, and the Administrator of GSA. In addition, this report will be available at no charge on the GAO Web site at http://www.gao.gov.

If you or your staffs have any questions about this report, please contact me at (202) 512-6244 or at [email protected]. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix VI.

Gregory C. Wilshusen Director, Information Security Issues

Page 30 GAO-10-513 Cloud Computing