NIST, GSA: Real cloud guidance by fall 2011


Before year end the National Institute of Standards and Technology and the General Services Administration will release concrete information that will assist agencies in adopting cloud computing technology.

NIST expects a first draft of a "Cloud Computing Technology Roadmap" to be published as an interagency report by the end of fiscal 2011, announced Dawn Leaf, senior executive for cloud computing at NIST, April 7 during a cloud computing workshop at the agency in Gaithersburg, Md.

Since May 2010 NIST has held periodic workshops and managed working groups to define and advance cloud standards. Leaf said the meetings have served as important "calibrating points on cloud strategy." NIST's next cloud computing forum and workshop, its fourth, will be in fall 2011 and will coincide with the publication of a draft, she said.

Meanwhile, GSA will likely promulgate a version of FedRAMP sometime this summer, said Katie Lewin, program manager for Cloud Computing at GSA, adding that the first release will be a "beta version."

GSA is weeding through more than 1,000 comments on policy, technical and security requirements for cloud computing under FedRAMP, said Lewin. Sixty of the FedRAMP controls received comments on technical feasibility, she said. Overall, GSA plans to reduce controls from initial FedRAMP mock ups.

In preparing for the first iteration of FedRAMP, GSA also wants to minimize agencies' paperwork burden and emphasize continuous monitoring. Not all controls can be handled by continuous monitoring, said Lewin, but a significant percentage of them can and that would free agencies from formal, quarterly reports. Reducing duplicative FISMA reporting is another goal of the latest revision, said Lewin.

"GSA is trying to make FISMA and FedRAMP more mutually beneficial," said Lewin. GSA wants to be sure that the two are not battling each other or putting an undue burden on agencies, she added.

FedRAMP aims to allow agencies to use commonly accepted risk assessments and cybersecurity evaluations of low to moderate impact cloud services, avoiding the need to individually certify and accredit solutions.

Related Articles:
FedRAMP officials reach consensus on controls, says Bhagowalia 
Kundra: Cloud computing data sovereignty a matter for 'international law' 
EPA taps three applications for cloud migration 
Davie: Cloud computing myths untrue