Standards around cloud computing and processes to ease cloud adoption by federal agencies are taking shape, say government officials.

It's easy to get "wrapped around the abstraction of cloud computing," admitted David McClure, associate administrator of the office of citizen services and communications, General Services Administration at a Brookings Institution event in Washington, D.C. on July 21. Now, GSA, the Office of Management and Budget and the National Institute for Standards and Technology will focus on implementation, he added.

NIST has identified a skeleton set of 25 requirements-based operation scenarios that Dawn Leaf, senior executive for cloud computing at NIST, said will address a good portion of the highest priority security, interoperability and portability requirements.

"We plan to explore those and make those available in the [Standards Acceleration to Jumpstart Adoption of Cloud Computing] portal. And the SAJACC portal we expect to stand up in 2010," said Leaf. See a diagram of the SAJACC structure here.

"SAJACC was very intentionally and very explicitly conceived in March of 2010 to address a specific problem. The problem being: How do you support the development and implementation of a new technology?" added Leaf.

But even with the proper guidelines, cloud computing "is not something in which there's a magical wand that simply says, 'go do cloud computing and ye shall be successful,'" said McClure. "The CIO of each agency needs to play a critical role in understanding the value case, the need, the business return, the mission impact from deploying cloud-based solutions."

McClure said it is inefficient and costly for each agency to do it's own certification and accreditation, and authorization. In an effort to remedy these inefficiencies, the Federal Risk and Authorization Management Pilot (FedRAMP) will be applied to cloud computing as a pilot, he said. However, agencies can continue to do their own C&A of cloud computing resources if they want, McClure said.

"We don't claim we've got the solution yet; we think we've got something we can start with and this is what we want to actually try to put in place. A centralized, C&A authorization process will not be used on everything, it's going to be focused on cloud," he added.

The beta FedRAMP program will define common security requirements from the cloud service provider and the agency, and authorize the security package through a joint authorization board comprised of the Defense Department, GSA and the sponsoring agency.

"The hope is that once that's done on a product and a service from the cloud community, vendor community, that can then be leveraged completely across government," said McClure. He expects the pilot phase to go on for several months, be tweaked accordingly and then stood up in a more permanent fashion.

In addition to the FedRAMP pilot, McClure said cloud acquisition needs to be simplified. GSA is addressing the problem with an update to the apps.gov site. The site, which was launched last year to provide cloud-based applications for procurement, will soon undergo a second phase where infrastructure as a service offerings will be made available to agencies.

"Virtualization, cloud hosting and storage, these are big-ticket items for federal government and this is where a lot of savings traditionally takes place. So we'll add that to the store front in the next few months and as a result I think we'll see a lot more interest and usage of cloud computing by the agencies through a more simplified storefront acquisition process," he said.

For more:
- see NIST's July 7 guidance Special Publication 800-125 DRAFT Guide to Security for Full Virtualization Technologies (.pdf)
- visit apps.gov
- see NIST's diagram of the Standards Acceleration to Jumpstart Adoption of Cloud Computing project

Related Articles:
Cybersecurity guidance lacking for federal cloud computing
McClure: GSA cloud migration 'inevitable'
Treasury CIO: Fewer data centers mean smaller budgets
DoD program managers wary of cloud computing
Desktop productivity apps provide gateway to the cloud
Oversight Committee presses GSA on cloud computing
GSA refreshes cloud computing RFQ with focus on security