Security worries still impede cloud computing

The government lacks a complete framework of security requirements for the cloud computing model, government officials told a House panel. That's making security concerns difficult to overcome and slowing adoption of cloud computing.

.The General Services Administration is ramping up FedRAMP to provide a governmentwide provisional authority for cloud service providers to operate, but the security worries provide a significant obstacle.

“The adoption of cloud computing has the potential to provide benefits to federal agencies; however, it can also create numerous information security risks,” said Gregory Wilshusen, director of information security issues at the Government Accountability Office. “Continued efforts will be needed to ensure that cloud computing is implemented securely in the federal government.”

Those efforts already are under way at GSA, the Office of Management and Budget, the Federal CIO Council and the National Institute of Standards and Technology, Wilshusen said Oct. 6 in a hearing before the House Homeland Security Committee's Cybersecurity, Infrastructure Protection and Security Subcommittee. But policies and processes are not yet complete, and this could slow the adoption of cloud computing.

The federal Cloud First policy calls for agencies to consider cloud computing options before making new IT investments, and agencies are exploring and beginning the move to the cloud. Richard Spires, CIO of the Homeland Security Department, said DHS is adopting both private and public cloud platforms, using commercial service providers for low-impact applications, and hosting medium- and high-impact applications and services in its two data centers.

Not all cloud platforms will be adequately protected, Spires said. “Some cloud environments have capabilities necessary to defend against and provide recovery from these threats, such as advanced monitoring capabilities and cleared information security professionals, while others may not, because the increased costs to provide these security capabilities may price their offering outside of the competitive marketplace.”

Hosting applications on its own private cloud will allow DHS to use its enterprise security programs to protect them, Spires said.

Public cloud offerings will have to be evaluated to ensure they meet requirements under the Federal Information Security Management Act. To ease the burden both for industry and agencies, and to improve results, GSA is providing a governmentwide program for assessing security and providing an interim authorization to operate that each agency can use.

The Federal Risk Authorization and Management Program, or FedRAMP, “establishes a common set of baseline security assessment and continuous monitoring requirements for FISMA low- and moderate-impact risk levels using NIST standards that must be adhered to by all cloud systems,” said David McClure, associate administrator of GSA’s Office of Citizen Services and Innovative Technologies.

Third-party assessors for commercial cloud providers will be accredited by GSA, which can provide a provisional authorization to operate. Agencies contracting with the service provider can use the provisional authority, tailoring a final certification if necessary to agency-specific needs. Service providers must agree to near-real-time reporting of continuous monitoring data feeds to DHS and agency security operations centers.

FedRAMP will be launched in phases. It is expected to be formally established by OMB memo with initial rollout this fall. It will have limited scope under the Initial Operational Capabilities and will cover a small number of cloud service providers. Full operations are expected to begin next spring. Sustaining operations are expected to begin late in 2012 and to scale to satisfy demand.

Concerns about security remain, however, particularly in the public cloud environment. Wilshusen cited a number of worries, including:

  • The possibility that the security controls put in place could be ineffective or inadequate,  creating vulnerabilities.
  • The potential loss of governance and physical control over agency data when the provider is responsible for certain security controls and practices.
  • Potentially inadequate background security investigations for service-provider employees.
  • The possibility that a vendor could go out of business or stop providing services.
  • Vulnerabilities created by having multiple tenants in a virtual environment.

The issues are not being ignored, but no comprehensive policy for addressing them is yet in place, and full benefits of cloud adoption cannot be realized until the framework is completed, Wilshusen said.

About the Author

William Jackson is a Maryland-based freelance writer.


  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.