Cybersecurity guidance lacking for federal cloud computing
Key cybersecurity guidance for federal adoption of cloud computing is lacking even while almost all major federal agencies report that they are worried about potential security risks, says the Government Accountability Office.
In a July 1 hearing of the House Oversight and Government Reform Committee, Gregory Wilshusen, GAO's director of information security issues, said that a survey of all 24 CFO Act agencies found that 22 out of the 24 "were concerned, or very concerned, about the potential security risk associated with cloud computing."
That hasn't prevented about half of the 24 CFO Act agencies from already adopting some form of cloud computing, whether for obtaining infrastructure, computing platforms or software as a service, according to the report--although the GAO classifies even basic online services such as web email as a "cloud" service. The GAO released the full results of its survey, conducted from November 2009 to February 2010, in a report (.pdf) also made publicly available on July 1.
Agency access to cloud computing could increase following a new General Services Administration blanket purchase agreement with an unnamed vendor for governmentwide purchase of infrastructure as a service, a BPA that Dave McClure, the General Services Administration associate administrator for the office of citizen services and innovative technologies, announced during the July 1 hearing.
Among the reservations agencies have about cloud computing are concerns over ineffective or noncompliant security practices of the cloud provider, an inability to examine cloud security controls, data leakage to unauthorized users, and loss of data if cloud service is terminated, Wilshusen said.
Until policies assuaging those risks are developed, "agencies will be hesitant to implement cloud computing programs and those that have implemented such programs may have appropriate--or may not--have appropriate security controls in place," Wilshusen added.
In the Office of Management and Budget's undated response to the GAO report--it appears to have been written in early May--Vivek Kundra, the federal chief information officer, said that OMB will develop a strategic plan with a planning horizon of five to 10 years.
During the hearing, McClure pointed to an inter-agency effort known as FedRAMP as evidence that policies are being developed.
FedRAMP seeks to create a federalwide set of acceptable system authorizations and cybersecurity standards for cloud providers--although, even in the cloud, end user organizations don't completely give up their cybersecurity concerns since even a badly configured browser can be a cybersecurity vulnerability.
In addition, the National Institute of Standards and Technology is developing a special publication on cloud computing cybersecurity, said Cita Furlani, director of the NIST information technology laboratory. Furlani also noted that agencies will retain responsibilities under cloud computing to manage their own destinies, since "applicable standards in the cloud computing environment will be dependent on which model of cloud computing you're actually addressing and which kind you're trying to use for your own particular program and your own mission requirements."
For more:
- go to the hearing webpage, complete with webcast and prepared statements
- read GAO report 10-513 (.pdf)