Why contract language matters with cloud

GSA's FedRAMP is a good starting point for cloud security, but experts say agencies must fine-tune their arrangements with vendors by using service-level agreements.


The Federal Risk and Authorization Management Program is a valuable baseline for cloud security, but experts say agencies still need to fine-tune their arrangements with vendors by using service-level agreements.

The National Institute of Standards and Technology has been working on ways to standardize SLAs, which spell out performance expectations, pay and the nitty-gritty details of what a cloud service provider will do for an agency.

"There aren't any SLA standards," said John Messina, a senior member of the NIST Cloud Computing Program. And the agreements that do exist "are all over the map with cloud providers."

The lack of standard terminology for discussing those topics results in cloud providers and federal users having to re-educate themselves with every conversation they have with each other, Messina said at NIST's Cloud Computing Forum on Sept. 13.

"It's confusing for consumers," he added. "They can't take knowledge with them to a discussion with another provider."

NIST and international standards organizations are developing a four-part standard that will establish a common language for SLA terms, metrics and technology. Messina said the standard will likely be published in 2018. In the meantime, NIST is consulting with federal agencies to find out what they're looking for in SLAs.

The agreements bristle with legal issues, but agencies are ironing them out, said Jodi Cramer, senior air staff counsel for information law in the Administrative Law Directorate in the Air Force's Office of the Judge Advocate General.

The Defense Department and civilian agencies have been working on guidelines for SLAs since 2010. But data centers' physical locations, who's responsible for data breaches and customers' physical access to servers are just some of the issues that still must be hammered out, she said.

Federal users' SLA needs are as diverse as their missions. The National Science Foundation, for instance, has installations in Antarctica that use cloud services to support a number of activities, including retail point of sale, financial services and research, said Timothy Howard, a program manager in the Section for Antarctic Infrastructure and Logistics in NSF's Division of Polar Programs.

Howard said his biggest SLA issue would probably be reliable access to the Internet and the bandwidth to use it. In remote Antarctica, connectivity is an issue, but he added that FedRAMP's baseline security has been a big driver for his adoption of cloud technology.

"I'm a FedRAMP believer," Howard said, adding that it helps frame the conversation with cloud vendors. If a company is unfamiliar with FedRAMP, then it's a different talk, he added.

Federal agencies' adoption of cloud technology got off to a slow start in 2009, then the pace quickened in 2010 and for a few years after, but it has slowed a bit in the past few years, said Ron Ross, a fellow in NIST's Computer Security Division. He attributed the slowdown to the fact that low-level security applications have largely been moved to the cloud already.

FedRAMP offers low, medium and high security options. Low-security applications and services can move to public clouds because they have an acceptable level of risk when it comes to the loss or leakage of personally identifiable information. But medium-level applications and services are in something of a gray area for federal agencies, Ross said.

"We need cloud desperately to secure federal infrastructure," he added.

He advised agency IT leaders to take a closer look at the applications and services they have deemed to be medium-level, just as they did to initially prioritize low- to high-level applications for cloud adoption, and categorize them from low-medium to high-medium.

"Take that moderate category and do another triage," Ross said.

Not until agencies are comfortable moving all levels of data to the cloud will the technology's maximum cost and management efficiencies be realized, he added.