Slideshow: Cloud Security Pros And Cons

The federal government's standards organization plans to develop a roadmap for cloud computing standards and guidance, National Institute of Standards and Technology officials said Thursday during the first day of a two-day government cloud computing forum.

"Right now, when government CIOs want to go to the cloud, it's kind of a free-for-all, and they have to think of everything themselves," NIST director Patrick Gallagher said in a brief interview. "We want to help provide a structure."

Developing a roadmap, officials said, will help prioritize standards efforts, looking to remove perceived barriers to cloud adoption around security, interoperability, portability and reliability.

The new effort, the NIST Strategic Cloud Computing initiative, is targeted both at vendors and at government, according to NIST. "On the one hand, it's imperative to understand the challenges federal CIOs face. On the other, we have to leverage the enormous technological resources that exist in the cloud provider community," Gallagher said. "I envision this roadmap as a dialogue between these two sides."

NIST's initial plan is to define targeted government cloud computing use cases and determine the priorities, risks and obstacles to making those use cases a reality within government. The agency then will help build a neutral cloud computing reference architecture and taxonomy, and finally create a roadmap. In the end, NIST cloud computing program manager Dawn Leaf said, the effort may lead to standards, guidance, research and development prioritization, prototypes and pilots of reference implementations, and perhaps even new administration policy on cloud computing. In a PowerPoint presentation accompanying her speech at the event, Leaf noted that NIST's cybersecurity arm, which develops prescriptive cybersecurity standards and guidelines that agencies must follow under the Federal Information Security Management Act, will release guidance for cloud security in December.

Leaf also provided an update on an early-stage cloud standards effort called Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC). Since May, when NIST announced the effort, the agency has launched a Web portal that includes draft use cases the agency thinks will be key to the development of future cloud standards.

In an interview after his keynote address, federal CIO Vivek Kundra offered his vision for the upcoming multi-vendor cloud email and collaboration contract the General Services Administration announced in late October.

Eventually, Kundra said, the effort, still in preliminary stages, may allow federal employees to choose which cloud service they want to use. In contrast to the flexibility offered by Web-based e-mail in the consumer world, federal agencies today typically sign multi-year exclusive agreements with vendors like IBM and Microsoft, locking themselves and their employees into specific e-mail software for years at a time. "We want to shift power to the end user, who then can decide, ‘I'd like product A versus product B,’ " Kundra said. "I've switched e-mail providers several times in my personal life; why can't I do it in government?"

Numerous roadblocks must be removed before this happens, however, among them issues involving archiving, data storage and security demands such as authentication and directory support.

In his speech, Kundra said that cloud computing will be at the top of his mind as he evaluates agencies' budget requests for next year. "I want to make sure a cloud-first policy is central to our thinking around how we're hard-wiring capital across the government," he said.