This is the accessible text file for GAO report number GAO-10-513 
entitled 'Information Security: Federal Guidance Needed to Address 
Control Issues with Implementing Cloud Computing' which was released 
on July 1, 2010. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

United States Government Accountability Office: 
GAO: 

May 2010: 

Information Security: 

Federal Guidance Needed to Address Control Issues with Implementing 
Cloud Computing: 

GAO-10-513: 

GAO Highlights: 

Highlights of GA0-10-513, a report to congressional requesters: 

Why GAO Did This Study: 

Cloud computing, an emerging form of computing where users have access 
to scalable, on-demand capabilities that are provided through Internet-
based technologies, has the potential to provide information 
technology services more quickly and at a lower cost, but also to 
introduce information security risks. Accordingly, GAO was asked to 
(1) identify the models of cloud computing, (2) identify the 
information security implications of using cloud computing services in 
the federal government, and (3) assess federal guidance and efforts to 
address information security when using cloud computing. To do so, GAO 
reviewed relevant publications, white papers, and other documentation 
from federal agencies and industry groups; conducted interviews with 
representatives from these organizations; and surveyed 24 major 
federal agencies. 

What GAO Recommends: 

GAO is recommending that the Office of Management and Budget, General 
Services Administration, and the Department of Commerce take several 
steps to address cloud computing security, including completion of a 
strategy, consideration of security in a planned procurement of cloud 
computing services, and issuance of guidance related to cloud 
computing security. In comments on a draft of this report, these 
agencies generally concurred with GAO's recommendations and described 
efforts under way to implement them. 

What GAO Found: 

Cloud computing has several service and deployment models. The service 
models include the provision of infrastructure, computing platforms, 
and software as a service. The deployment models relate to how the 
cloud service is provided. They include a private cloud, operated 
solely for an organization; a community cloud, shared by several 
organizations; and a public cloud, available to any paying customer. 

Cloud computing can both increase and decrease the security of 
information systems in federal agencies. Potential information 
security benefits include those related to the use of virtualization, 
such as faster deployment of patches, and from economies of scale, 
such as potentially reduced costs for disaster recovery. Risks include 
dependence on the security practices and assurances of a vendor, 
dependency on the vendor, and concerns related to sharing of computing 
resources. However, these risks may vary based on the cloud deployment 
model. Private clouds may have a lower threat exposure than public 
clouds, but evaluating this risk requires an examination of the 
specific security controls in place for the cloud's implementation. 

Federal agencies have begun efforts to address information security 
issues for cloud computing, but key guidance is lacking and efforts 
remain incomplete. Although individual agencies have identified 
security measures needed when using cloud computing, they have not 
always developed corresponding guidance. For example, only nine 
agencies reported having approved and documented policies and 
procedures for writing comprehensive agreements with vendors when 
using cloud computing. Agencies have also identified challenges in 
implementing existing federal information security guidance and the 
need to streamline and automate the process of implementing this 
guidance. These concerns include having a process to assess vendor 
compliance with government information security requirements and the 
division of information security responsibilities between the customer 
and vendor. Furthermore, while several governmentwide cloud computing 
security initiatives are under way by organizations such as the Office 
of Management and Budget (OMB) and the General Services Administration 
(GSA), little has been completed as a result of these efforts. For 
example, OMB has not yet finished a cloud computing strategy. GSA has 
begun a procurement for cloud computing services, but has faced 
challenges in completing the procurement due in part to information 
security concerns. In addition, while the Department of Commerce's 
National Institute of Standards and Technology has begun efforts to 
address cloud computing information security, it has not yet issued 
cloud-specific security guidance. Until specific guidance and 
processes are developed to guide agencies in planning for and 
establishing information security for cloud computing, they may not 
have effective information security controls in place for cloud 
computing programs. 

View [hyperlink, http://www.gao.gov/products/GA0-10-513] or key 
components. For more information, contact Gregory C. Wilshusen (202) 
512-6244 or wilshuseng@gao.gov. 

[End of section] 

Contents: 

Letter: 
Background: 

Cloud Computing Is a Form of Shared Computing with Several Service and 
Deployment Models: 

Cloud Computing Has Both Positive and Negative Information Security 
Implications: 

Federal Agencies Have Begun Efforts to Address Information Security 
Issues for Cloud Computing, but Specific Guidance Is Lacking and 
Efforts Remain Incomplete: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Cloud Computing Case Studies: 

Appendix III: Comments from the Office of Management and Budget: 

Appendix IV: Comments from the General Services Administration: 

Appendix V: Comments from the Department of Commerce: 

Appendix VI: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: NIST Essential Characteristics of Cloud Computing: 

Table 2: Potential Benefits of Cloud Computing: 

Table 3: Potential Risks of Cloud Computing: 

Figures: 

Figure 1: Cloud Computing Service Models: 

Figure 2: Cloud Computing Deployment Models: 

Figure 3: NIST Essential Characteristics: 

Figure 4: NASA Nebula Container: 

Abbreviations: 

CARS: Car Allowance Rebate System: 

CIO: chief information officer: 

DOD: Department of Defense: 

DOT: Department of Transportation: 

FIPS: Federal Information Processing Standards: 

FISMA: Federal Information Security Management Act: 

GSA:General Services Administration: 

IT: information technology: 

NASA: National Aeronautics and Space Administration: 

NIST: National Institute of Standards and Technology: 

RACE: Rapid Access Computing Environment: 

SAS: Statement on Auditing Standards: 

SP: Special Publication: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

May 27, 2010: 

Congressional Requesters: 

Cloud computing, an emerging form of delivering computing services, 
has been highlighted by the current administration as having the 
potential to provide information technology (IT) services both more 
quickly and at a lower cost. Although exact definitions vary, cloud 
computing can, at a high level, be described as a form of computing 
where users have access to scalable, on-demand IT capabilities that 
are provided through Internet-based technologies. 

Cloud computing has been reported to have several potential benefits 
over current systems, including faster deployment of computing 
resources, a decreased need to buy hardware or to build data centers, 
and more robust collaboration capabilities. However, along with these 
benefits are the potential risks that any new form of computing 
services can bring, including information security breaches, 
infrastructure failure, and loss of data. Several media reports have 
described security breaches of cloud infrastructure. Furthermore, 
other reports have identified security as the major concern hindering 
federal agencies from adopting cloud computing. 

Given these concerns, you asked us to (1) identify the models of cloud 
computing, (2) identify the information security implications of using 
cloud computing services in the federal government, and (3) assess 
federal guidance and efforts to address information security when 
using cloud computing. 

To identify the models of cloud computing, we reviewed publications, 
guidance, and other documentation from the National Institute of 
Standards and Technology (NIST), industry groups, and private-sector 
organizations and then conducted interviews with representatives from 
these organizations to identify commonly expressed characteristics of 
cloud computing. To identify information security implications of 
using cloud computing services in the federal government, we obtained 
and reviewed publications and guidance from the preceding sources and 
analyzed them to identify positive and negative information security 
implications of using cloud computing. We also obtained perceptions of 
security implications from federal agencies by developing, pretesting, 
and distributing a survey to 24 major federal agencies.[Footnote 1] To 
assess federal guidance and efforts to address information security 
when using cloud computing, we obtained and analyzed federal 
information security guidance relevant to cloud computing, identified 
federal agencies that have implemented cloud computing services, and 
examined relevant agency security practices related to cloud computing 
for consistency with existing federal guidance. Appendix I contains 
additional details on the objectives, scope, and methodology of our 
review. 

We conducted this performance audit from September 2009 through May 
2010 in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. 

Background: 

Cloud computing is an emerging form of computing that relies on 
Internet-based services and resources to provide computing services to 
customers, while freeing them from the burden and costs of maintaining 
the underlying infrastructure. Examples of cloud computing include Web-
based e-mail applications and common business applications that are 
accessed online through a browser, instead of through a local 
computer. The President's budget has identified the adoption of cloud 
computing in the federal government as a way to more efficiently use 
the billions of dollars spent annually on IT.[Footnote 2] As part of 
the 2011 budget, the administration plans to deploy cloud computing in 
a series of pilot projects across the government. According to the 
President's budget, these pilots could potentially lead to significant 
savings in federal IT spending. However, along with the potential 
benefits of using cloud computing come the potential risks and 
challenges of adopting a new model for delivering IT services. 

Federal Systems and Infrastructure Are at Risk from Cyber Threats: 

We have previously reported that cyber threats to federal information 
systems and cyber-based critical infrastructures are evolving and 
growing.[Footnote 3] Without proper safeguards, computer systems are 
vulnerable to individuals and groups with malicious intentions who can 
intrude and use their access to obtain and manipulate sensitive 
information, commit fraud, disrupt operations, or launch attacks 
against other computer systems and networks. The threat is substantial 
and increasing for many reasons, including the ease with which 
intruders can obtain and use hacking tools and technologies. 

Our previous reports and those by agency inspectors general describe 
serious and widespread information security control deficiencies that 
continue to place federal assets at risk of inadvertent or deliberate 
misuse, mission-critical information at risk of unauthorized 
modification or destruction, sensitive information at risk of 
inappropriate disclosure, and critical operations at risk of 
disruption. Accordingly, we have designated information security as a 
governmentwide high-risk area since 1997,[Footnote 4] a designation 
that remains in force today.[Footnote 5] 

Further, the growing interconnectivity among information systems, the 
Internet, and other infrastructure presents increasing opportunities 
for attacks. For example, in 2009, several media reports described 
incidents that affected cloud service providers such as Amazon and 
Google. According to these reports, in December 2009, Amazon's Elastic 
Compute Cloud experienced two attacks on its cloud infrastructure. 
Google reported that in December 2009, an attack was made on e-mail 
accounts that it provided, which resulted in the inadvertent release 
of sensitive information. Adoption of cloud computing will require 
federal agencies to implement new protocols and technologies and 
interconnect diverse networks and systems while mitigating and 
responding to threats. 

Policies, Procedures, and Required Controls Have Been Established to 
Protect Federal Information and Information Systems: 

Federal laws and guidance specify requirements for protecting federal 
systems and data. This includes systems used or operated by a 
contractor or other organization on behalf of a federal agency, which 
would include cloud computing. Recognizing the importance of securing 
federal systems and data, Congress enacted the Federal Information 
Security Management Act of 2002 (FISMA) to strengthen the security of 
federal information and information systems within federal agencies. 
FISMA requires each agency to develop, document, and implement an 
agencywide information security program to provide security for the 
information and information systems that support operations and assets 
of the agency, including those provided or managed by another agency, 
contractor, or other source. Specifically, FISMA requires that 
information security programs include, among other things, the 
following: 

* risk-based policies and procedures that cost-effectively reduce 
information security risks to an acceptable level and ensure that 
information security is addressed throughout the life cycle of each 
information system; 

* periodic testing and evaluation of the effectiveness of information 
security policies, procedures, and practices that include testing of 
management, operational, and technical controls for every system 
identified in the agency's required inventory of major information 
systems; 

* a process for planning, implementing, evaluating, and documenting 
remedial actions to address any deficiencies in the information 
security policies, procedures, and practices of the agency; 

* procedures for detecting, reporting, and responding to security 
incidents; and; 

* plans and procedures to ensure continuity of operations for 
information systems that support the operations and assets of the 
agency. 

FISMA assigns certain responsibilities to the Office of Management and 
Budget (OMB) and other responsibilities to NIST. FISMA states that the 
Director of OMB shall oversee agency information security policies and 
practices, including: 

* developing and overseeing the implementation of policies, 
principles, standards, and guidelines on information security; 

* requiring agencies to identify and provide information security 
protections commensurate with the risk and magnitude of harm resulting 
from the unauthorized access, use, disclosure, disruption, or 
destruction of information collected or maintained by or on behalf of 
an agency, or information or information systems used or operated by 
an agency, or by a contractor or other organization on behalf of an 
agency; 

* overseeing agency compliance with FISMA to enforce accountability; 
and; 

* reviewing, at least annually, and approving or disapproving agency 
information security programs. 

Each year, OMB provides instructions to federal agencies regarding 
FISMA reporting. In this guidance, for example, OMB has stated that 
agencies are permitted to utilize private sector data services, 
provided that appropriate security controls are implemented and, more 
generally, that agencies ensure that their information security 
programs apply to all organizations that possess or use federal 
information, including contractors. 

Under FISMA, NIST is tasked with developing, for systems other than 
national security systems, standards and guidelines that must include, 
at a minimum, (1) standards to be used by all agencies to categorize 
all of their information and information systems based on the 
objectives of providing appropriate levels of information security, 
according to a range of risk levels; (2) guidelines recommending the 
types of information and information systems to be included in each 
category; and (3) minimum information security requirements for 
information and information systems in each category. 

Specifically, NIST has developed a risk management framework of 
standards and guidelines for agencies to follow in developing 
information security programs. 

* NIST Special Publication (SP) 800-37, Revision 1, Guide for Applying 
the Risk Management Framework to Federal Information Systems: A 
Security Life Cycle Approach.[Footnote 6]; 

* Federal Information Processing Standard (FIPS) 199, Standards for 
Security Categorization of Federal Information and Information 
Systems.[Footnote 7]; 

* FIPS 200, Minimum Security[Footnote 8]; 

* NIST SP 800-53, Recommended Security Controls for Federal 
Information Systems and Organizations.[Footnote 9] 

NIST SP 800-37 provides agencies with guidance for applying a risk 
management framework to federal information systems to include 
security categorization, security control selection and 
implementation, security control assessment, information system 
authorization, and security control monitoring. This framework 
includes the preparation of a security assessment report and 
authorization package.[Footnote 10] 

FIPS 199 provides agencies with criteria to identify and categorize 
all of their information and information systems based on the 
objectives of providing appropriate levels of information security 
according to a range of risk levels. 

FIPS 200 requires a baseline of minimum information security controls 
for protecting the confidentiality, integrity, and availability of 
federal information systems and the information processed, stored, and 
transmitted by those systems. FIPS 200 directs agencies to implement 
these baseline control recommendations as follows: 

* Access control: limit information system access to authorized users 
and to the types of transactions and functions that authorized users 
are permitted to exercise. 

* Certification, accreditation, and security assessments: periodically 
assess security controls, develop and implement plans of action 
designed to correct deficiencies and reduce or eliminate 
vulnerabilities, authorize operation of systems and any associated 
system connections, and monitor system security controls on an ongoing 
basis. 

* Risk assessment: periodically assess the risk to operations, assets, 
and individuals, resulting from the operation of systems and the 
associated processing, storage, or transmission of information. 

In applying the provisions of FIPS 200, agencies first categorize 
their information and systems as required by FIPS 199, and then 
typically select an appropriate set of security controls from NIST SP 
800-53 to satisfy their minimum security requirements. This helps to 
ensure that appropriate security requirements and security controls 
are applied to all federal information and information systems 
including cloud computing. 

Selected Organizations Have Established Information Security Guidance 
for Cloud Computing: 

As stated previously in this report, federal laws, such as FISMA, and 
guidance such as that issued by NIST, specify requirements for 
protecting federal systems and data. Other organizations have 
developed security models and guidance that specifically apply to 
cloud computing services. These groups include the Cloud Security 
Alliance and the European Network and Information Security Agency. 

The Cloud Security Alliance is a nonprofit organization formed to 
promote the use of leading practices for providing security assurance 
when using cloud computing. In December 2009, the alliance issued 
Security Guidance for Critical Areas of Focus in Cloud Computing, 
v2.1.[Footnote 11] 

The guidance provides recommendations in 13 cloud computing domains: 

* Architectural framework: provides a conceptual framework focusing on 
cloud computing. 

* Governance and enterprise risk management: ability of an 
organization to govern and measure enterprise risks. 

* Legal and electronic discovery: potential legal issues including 
protection requirements for information and computer systems. 

* Compliance and audit: proving compliance when using cloud computing 
during an audit. 

* Information life cycle management: managing data that is placed in 
the cloud and determining responsibility for data confidentiality, 
integrity, and availability. 

* Portability and interoperability: the ability to move data and 
services from one provider to another or bring it back in-house. 

* Traditional security, business continuity, and disaster recovery: 
identifying where cloud computing may assist in lowering security 
risks, while potentially increasing it in other areas. 

* Data center operations: common data center characteristics that 
could be detrimental to ongoing services, and those that are 
fundamental to long-term stability. 

* Incident response, notification, and remediation: addresses 
complexities that cloud computing brings to an incident handling 
program and forensics for both the provider and customer. 

* Application security: securing application software that is either 
running on or being developed in the cloud. 

* Encryption and key management: identifying proper encryption usage 
and scalable key management. 

* Identity and access management: focuses on issues encountered when 
extending an organization's identity into the cloud. 

* Virtualization: risks associated with items such as multitenancy, or 
the sharing of computing resources by different organizations. 

For each domain, the guidance documents areas of concern for cloud 
computing. 

The European Network and Information Security Agency is an 
organization established by the European Union that specializes in 
information security. In November 2009, the agency issued Cloud 
Computing: Benefits, Risks, and Recommendations for Information 
Security,[Footnote 12] which provides a set of information 
requirements and includes questions that a customer can ask a cloud 
computing service provider in order to evaluate the service provider's 
information security practices. The requirements address: 

* Personnel security: policies and procedures when hiring IT 
administrators or others with system access. 

* Supply chain assurance: defining and detailing services outsourced 
or subcontracted, inquiring about the measures taken to ensure third-
party service levels are met and maintained, and confirmation that 
security policy and controls are applied to third party providers. 

* Operational security: ensuring a provider employs appropriate 
controls to mitigate unauthorized disclosure of information in 
addition to defined agreements. 

* Identity and access management: controls that apply to both the 
cloud providers and the customer, including access control, 
authorization, frameworks, identity provisioning, management of 
personal data, key management, encryption, authentication, and 
credential compromise or theft. 

* Asset management: ensuring cloud providers maintain an inventory of 
the assets under their control. 

* Data and services portability: clarifying the risks related to 
becoming dependent on one vendor. 

* Business continuity management: maintaining a documented method to 
determine the impact of a disruption and the relevant response and 
restoration process. 

* Physical security: ensuring the vendor provides adequate physical 
security for the customers' data. 

* Environmental controls: policies and procedures to ensure 
environmental issues such as fires, floods, and power failures do not 
cause an interruption of service. 

* Legal requirements: compliance with regulatory frameworks. 

In addition, the agency's Information Assurance Framework[Footnote 13] 
states the need for a clear definition and understanding of security-
relevant roles and responsibilities between the customer and the 
provider. 

Cloud Computing Is a Form of Shared Computing with Several Service and 
Deployment Models: 

According to NIST, cloud computing is a means "for enabling 
convenient, on-demand network access to a shared pool of configurable 
computing resources that can be rapidly provisioned and released with 
minimal management effort or service provider interaction."[Footnote 
14] This definition has been generally adopted throughout the federal 
government. Cloud computing is a form of delivering IT services that 
takes advantage of several broad evolutionary trends in IT, including 
the use of virtualization;[Footnote 15] the decreased cost and 
increased speed of networked communications, such as the Internet; and 
overall increases in computing power. As such, any definition of cloud 
computing will be somewhat broad and subject to interpretation. While 
several other organizations have developed definitions of cloud 
computing, many of the elements of these definitions are encompassed 
in the NIST definition. 

Cloud computing is further defined by its service and deployment 
models. There are three service models: infrastructure as a service, 
platform as a service, and software as a service (see figure 1). 

* Infrastructure as a service provides various infrastructure 
components such as hardware, storage, and other fundamental computing 
resources. 

* Platform as a service provides a service that runs over an 
underlying infrastructure. A platform vendor offers a ready-to-use 
platform, such as an operating system like Microsoft Windows or Linux, 
which runs on vendor-provided infrastructure. Customers can build 
applications on a platform using application development frameworks, 
middleware capabilities, and functions such as databases. 

* Software as a service runs on an underlying platform and 
infrastructure managed by the vendor and provides a self-contained 
operating environment used to deliver a complete application such as 
Web-based email and related management capabilities. 

Figure 1: Cloud Computing Service Models: 

[Refer to PDF for image: illustration] 

Infrastructure as a service: 

The consumer has the capability to provision processing, storage, 
networks, and other fundamental computing resources where the consumer 
is able to deploy and run his or her own software, which can include 
operating systems and applications. The consumer does not manage or 
control the underlying infrastructure but controls and configures 
operating systems, storage, deployed applications, and possibly, 
selected networking components (e.g., host firewalls). 

Platform as a service: 

Consumers deploy consumer-created or acquired applications created 
using programming languages and tools supported by the provider. The 
consumer does not manage or control the underlying infrastructure, but 
controls and configures the deployed applications and platform. 

Software as a service: 

Consumer uses the provider’s applications that are accessible from 
various client devices through an interface such as a Web browser 
(e.g., Web-based e-mail). The consumer does not manage or control the 
underlying infrastructure or the individual application capabilities. 

Source: GAO analysis of NIST data. 

[End of figure] 

In addition to the service models that describe what can be provided, 
NIST and other entities describe four deployment models that relate to 
how the cloud service is provided. These four cloud models are 
private, community, public, and hybrid (see fig. 2). In a private 
cloud, the service is set up specifically for one organization, 
although there may be multiple customers within that organization, and 
the cloud may exist on or off the premises. In a community cloud, the 
service is set up for related organizations that have similar 
requirements. A public cloud is available to any paying customer and 
is owned and operated by the service provider. A hybrid cloud is a 
composite of the deployment models. 

Figure 2: Cloud Computing Deployment Models: 

[Refer to PDF for image: illustration] 

Private cloud is operated solely for an organization and the cloud may 
be on or off the premises. 

Community cloud is shared by several organizations and supports a 
specific community of customers that have similar information 
technology requirements. 

Public cloud has an infrastructure that is made available to the 
general public or large industry group. 

Hybrid cloud has an infrastructure that is composed of two or more 
clouds that remain unique entities but are bound together by 
standardized or proprietary technology. 

Source: GAO analysis of NIST data. 

[End of figure] 

According to NIST, cloud computing includes each of the 
characteristics listed in table 1 and in figure 3. 

Table 1: NIST Essential Characteristics of Cloud Computing: 

Essential characteristic: On-demand self service; 
Description: Consumer can unilaterally provision computing 
capabilities as needed automatically, without interaction with the 
service's provider. 

Essential characteristic: Broad network access; 
Description: Capabilities are available over the network and accessed 
through standard mechanisms such as desktop computers, laptops, mobile 
phones, and personal digital assistants. 

Essential characteristic: Resource pooling; 
Description: Provider's computing resources are pooled to serve 
multiple consumers using a multitenant model, with different physical 
and virtual resources dynamically assigned and reassigned according to 
consumer demand. 

Essential characteristic: Rapid elasticity; 
Description: Capabilities can be rapidly and elastically provisioned, 
in some cases automatically, to quickly scale out (increase) and 
rapidly released to quickly scale back in (decrease). 

Essential characteristic: Measured service; 
Description: Cloud systems automatically control and optimize resource 
use by leveraging a metering (measured use) capability at some level 
of abstraction appropriate to the type of service. 

Source: GAO analysis of NIST data. 

[End of table] 

Figure 3: NIST Essential Characteristics: 

[Refer to PDF for image: illustration] 

On-demand self service: 

Broad network access: 

Internet: 

Measured service: 

Pooled resources: 

Rapid elasticity: 
Applications; 
Processing/platforms; 
Storage. 

Source: GAO. 

[End of figure] 

While NIST states that all five of its essential characteristics 
should be present for an application to be considered cloud computing, 
other federal officials and experts stated that an application that 
has some but not all of these characteristics could still be 
considered cloud computing. 

Cloud Computing Has Both Positive and Negative Information Security 
Implications: 

Cloud computing can both increase and decrease the security of 
information systems. Potential information security benefits include 
those related to the use of virtualization, such as faster deployment 
of patches, and from economies of scale, such as potentially reduced 
costs for disaster recovery. Risks include those related to dependence 
on the security assurances of a vendor; dependence on the vendor; and 
concerns related to multitenancy, or sharing computing resources among 
different organizations. However, these risks may vary based on the 
cloud deployment model. 

Cloud Computing Can Provide Potential Information Security Benefits: 

The use of cloud computing has the potential to provide several 
benefits related to information security. These benefits are related 
to the attributes of cloud computing—specifically, its use of 
virtualization and automation, broad network access, potential 
economies of scale, and use of self-service technologies. 

The use of virtualization and automation in cloud computing can 
expedite the implementation of secure configurations for virtual 
machine images. Department of Defense (DOD) officials responsible for 
one cloud computing program stated that virtualization allows a cloud 
computing provider to rapidly replicate secure configurations for 
cloud-based virtual servers, rather than manually applying secure 
configurations to physical servers, which could be required in a 
traditional environment that has not employed virtualization 
techniques. Private sector representatives also stated that 
virtualization can allow faster deployment of secure server 
configurations, security upgrades, and patches for security 
vulnerabilities than a traditional computing infrastructure can. 

Other advantages relate to cloud computing's broad network access and 
use of Internet-based technologies. For example, several agencies 
stated that cloud computing provided a reduced need to carry data in 
removable media because of the ability to access the data through the 
Internet, regardless of location. NIST officials stated that shifting 
public data to a public cloud using the Internet that is separate from 
the agency's internal network is a means of network segmentation that 
may reduce exposure of sensitive data on the agency's internal network. 

Additional advantages relate to the potential economies of scale and 
distributed nature of cloud computing. For example, in response to our 
survey, 22 of the 24 agencies identified low-cost disaster recovery 
and data storage as a potential benefit. Specifically, cloud computing 
may provide a cheaper way to store backup copies of information. 
Agencies also stated that a cloud provider may have more resources to 
devote to security than the agency may have available. The large-scale 
and mitigation techniques that cloud providers offer may also reduce 
vulnerability to denial of service attacks. Department of 
Transportation (DOT) officials responsible for a cloud computing 
program noted that the program's Web site, which used a cloud 
computing service provider, was better able to withstand a denial of 
service attack because of the use of the cloud provider. The National 
Aeronautics and Space Administration (NASA) officials responsible for 
another cloud computing program stated that it may require less effort 
for cloud computing customers to ensure effective information security 
if information security controls were already implemented by the 
provider. Customers could also be freed from the responsibility of 
maintaining a physical infrastructure, as well as resolving 
management, operational, and technical issues related to the 
underlying cloud platform, although the customers would still be 
responsible for ensuring these issues are addressed and that data are 
adequately protected. 

The self-service aspect of cloud computing may also provide benefits. 
For example, 20 out of the 24 agencies identified the ability to apply 
security controls on demand as a potential benefit. A private sector 
representative stated that cloud computing provided the ability for 
more flexible and granular control of security. For example, features 
such as encryption and monitoring could be individually applied as 
needed. Table 2 lists the potential benefits of cloud computing 
grouped by cloud computing attribute. 

Table 2: Potential Benefits of Cloud Computing: 

Attribute: Virtualization and automation; 
Potential benefit: Rapid replication of securely configured servers, 
security upgrades, and patches. 

Attribute: Broad network access; 
Potential benefit: Reduced need to carry data in removable media 
Ability to shift data needed by public away from internal agency 
network. 

Attribute: Economies of scale and distributed; 
Potential benefit: Low-cost disaster recovery and storage 
infrastructure Resistance to denial of service attack. 

Attribute: On-demand self-service; 
Potential benefit: Apply security controls on demand Individually 
apply features such as encryption and monitoring. 

Source: GAO analysis of agency and private sector data. 

[End of table] 

Cloud Computing Can Create Information Security Risks: 

In addition to benefits, the use of cloud computing can create 
numerous information security risks for federal agencies. Twenty-two 
of the 24 agencies reported that they are either concerned or very 
concerned about the potential information security risks associated 
with cloud computing. These concerns include risks related to being 
dependent on a vendor's security assurances and the vendor, and risks 
related to the use of multitenancy. 

Several cloud computing information security risks relate to the 
ability to rely on a vendor's security assurances and practices. 
Specifically, several agencies stated concerns about: 

* the possibility of ineffective or noncompliant service provider 
security controls—which could lead to vulnerabilities affecting the 
confidentiality, integrity, and availability of agency information; 

* the potential loss of governance and physical control over agency 
data and information—that is, in using cloud computing services, the 
agency cedes control to the provider for the performance of certain 
security controls and practices; 

* the insecure or ineffective deletion of agency data by cloud 
providers once services have been provided and are complete; and; 

* potentially inadequate background security investigations for 
service provider employees—which could lead to an increased risk of 
wrongful activities by malicious insiders. 

Of particular concern is dependency on a vendor. All 24 agencies 
specifically noted concern about the possibility of loss of data if a 
cloud computing provider terminated its services. For example, the 
provider and the customer may not have agreed on terms to transfer or 
duplicate the data. The European Network and Information Security 
Agency also identified dependency on a vendor as a high risk, noting 
the lack of tools, procedures, or standard data formats to ensure 
data, application, and service portability. The agency stated that 
this can make it difficult for the customer to migrate from one 
provider to another or to migrate data and services back to an in-
house IT environment. One member of GAO's Executive Council on 
Information Management and Technology[Footnote 16] stated that if an 
agency chooses to implement cloud computing, at some point in the 
future the vendor may want to raise the cost for use of the cloud. The 
agency may then have no alternative to paying the cost because it 
lacks the technical ability to bring the service back in-house. 

Multitenancy and use of shared resources can also increase risk. 
Twenty-three out of the 24 agencies identified multitenancy as a 
potential information security risk because one customer could 
intentionally or unintentionally gain access to another customer's 
data, causing a release of sensitive information. 

Additional concerns relate to exchanging authentication information on 
users and responding to security incidents. For example, NASA 
officials responsible for a cloud computing program stated that 
identity management and user authentication are a concern because 
customers and a provider may need to establish a means to securely 
exchange and rely on authentication and authorization information for 
system users. In addition, responding to security incidents may be 
more difficult in a shared environment because there could be 
confusion over who performs the specific tasks—the customer or the 
provider. The Nuclear Regulatory Commission emphasized the importance 
of a clear delineation of responsibilities as they relate to incident 
response management, whereby the cloud computing service provider has 
the responsibility to report the security incident to the agency and 
the agency is responsible for reporting the incident to the 
appropriate government entity. 

Another concern is the increased volume of data transmitted across 
agency and public networks. This could lead to an increased risk of 
the data being intercepted in transit and then disclosed. 

NIST also stated that cloud computing security is dependent on the 
security of a user's Internet browser, and that vulnerabilities in the 
browser can create vulnerabilities for the cloud computing service. 

Although there are numerous potential information security risks 
related to cloud computing, these risks vary based on the particular 
deployment model. For example, NIST states that private clouds may 
have a lower threat exposure than community clouds, which may have a 
lower threat exposure than public clouds. Officials from another 
agency stated that they are considering implementing a private cloud 
behind their agency's firewall because of the moderate-to-high impact 
classification of sensitive data they were considering placing into 
this system.[Footnote 17] Several agency officials and industry 
representatives stated that initial use of public clouds may be 
focused on low-impact information. However, several industry 
representatives also stated that making general statements based on 
cloud deployment models may be misleading and that an agency would 
need to examine the specific security controls of the vendor they were 
evaluating. Table 3 lists the potential risks of cloud computing. 

Table 3: Potential Risks of Cloud Computing: 

Risk: Reliance on vendor's security assurances and practices; 
Explanation: An agency is dependent on a provider's ability to ensure 
effective security. A provider may have security weaknesses such as 
ineffective or noncompliant security controls. For example, a provider 
may not maintain adequate physical control over agency data and 
information or may have inadequate background investigations for 
provider employees. 

Risk: Dependence on a vendor; 
Explanation: If the agency and provider do not agree on a means to 
transfer or duplicate data, data may be lost if a provider ends its 
service. An agency that uses a cloud computing provider may also lose 
the technical ability to bring the information system back in-house. 

Risk: Insecure or ineffective identity management; 
Explanation: Agencies and a cloud provider may need to securely 
exchange and rely on sensitive authentication and authorization 
information for system users. 

Risk: Unclear responsibilities for incident response; 
Explanation: There may be confusion over roles and responsibilities 
between agency and provider. 

Source: GAO analysis of agency and private sector data. 

Federal Agencies Have Begun Efforts to Address Information Security 
Issues for Cloud Computing, but Specific Guidance Is Lacking and 
Efforts Remain Incomplete: 

Federal agencies have started to address information security when 
using cloud computing; however, they have not always developed 
corresponding guidance. Furthermore, agencies that have implemented 
cloud computing efforts have faced challenges in implementing existing 
federal information security guidance and identified the need to 
streamline and automate the process of implementing this guidance. 
While several governmentwide cloud computing security activities are 
under way by organizations such as OMB and the General Services 
Administration (GSA), significant work remains to be completed. In 
addition, NIST has begun certain efforts related to cloud computing 
information security, but its existing guidance is not specific to 
cloud computing issues, and it has only begun plans to issue cloud-
specific security guidance. 

Agencies Have Taken Steps to Address Information Security Issues for 
Cloud Computing, but Have Not Always Developed Corresponding Policies 
or Procedures and Face Challenges in Implementing Existing Guidance 
and Processes: 

About half of the 24 agencies we asked reported using some form of 
cloud computing for obtaining either infrastructure, platform, or 
software services. These agencies identified measures they are taking 
or plan to take when using cloud computing. Specifically, 23 of the 24 
agencies reported that they currently write or plan to write and 
enforce comprehensive service-level agreements to include information 
security control requirements and currently use or plan to use 
appropriate encryption when using cloud computing. Further, 22 of the 
24 agencies responded that they currently limit or plan to limit the 
type of information placed in a cloud, while 21 of the 24 agencies 
currently limit or are planning to limit the type of cloud deployment 
model used. Appendix II includes descriptions of three case studies of 
cloud computing implementations in the federal government, including 
steps taken to address information security. 

However, these actions have not always been accompanied by the 
development of related policies or procedures. Of the 23 agencies that 
reported writing and enforcing or planning to write and enforce 
comprehensive service-level agreements when using cloud computing, 9 
agencies have approved and documented policies and procedures for 
doing so. Fifteen agencies have documented policies and procedures for 
the use of encryption. Just four agencies responded that they have 
documented policies and procedures limiting the type of information 
placed in a cloud and two agencies responded that they have documented 
policies and procedures limiting the type of cloud deployment model 
used. The lack of approved and documented policies and procedures to 
ensure effective information security when using cloud computing could 
place sensitive information in a cloud environment at risk. 

Agencies Have Concerns About Ensuring Vendor Implementation of 
Information Security Requirements: 

Most agencies identified challenges and concerns in implementing 
existing information security laws and guidance. For example, 20 of 
the 24 agencies identified concerns about service provider compliance 
with and implementation of government information security 
requirements. Agencies also expressed concerns about limitations on 
their ability to conduct independent audits and assessments of 
security controls of cloud computing service providers. 

Several industry representatives agreed that compliance and oversight 
issues are a concern. However, the representatives also stated that 
requiring each individual agency that uses a service provider to 
conduct its own assessment of controls and audits and complete a 
separate assessment and authorization process would be burdensome and 
remove the cost advantages offered by cloud computing. In response, 
representatives raised the idea of having a single government entity 
or other independent entity conduct security oversight and audits for 
cloud computing service providers. The process could be similar to the 
Statement on Auditing Standards (SAS) 70 audit process often used as 
part of financial audits.[Footnote 18] A SAS 70 report is issued by an 
independent auditor for a service provider that processes financial 
data on behalf of others; it discusses the effectiveness of the 
service provider's internal controls over the processing of 
transactions that may be relevant to the financial reporting of 
customers. Management of the customer organization and its auditor may 
use this report to assess the internal control policies and procedures 
at the service provider as part of the overall evaluation of the 
internal control at the customer organization. Some cloud computing 
service providers have obtained a SAS 70 audit for use and review by 
its customers. In discussing the use of SAS 70 reports to meet 
information security requirements, OMB Memorandum M-09-29[Footnote 19] 
states that it is the agency's responsibility to ensure that: 

* the scope of the SAS 70 audit is sufficient and fully addresses the 
specific contractor system requiring FISMA review, and 

* the audit encompasses all controls and requirements of law, OMB 
policy, and NIST guidance. 

There are attestation standards, similar to those in SAS 70, that 
could be used to provide an assessment of controls at a service 
provider that relates to the effective implementation of security and 
compliance with specified requirements of laws and guidance. However, 
the scope of an audit based on a standard such as SAS 70 is defined by 
the service provider and could exclude key controls essential to 
effectively protecting agency information. Therefore, if an 
attestation report on security effectiveness and compliance with laws 
and guidance is used, it is critical that the scope of the controls 
addressed by the attestation report is sufficient to meet agency 
requirements. 

Agencies also stated that having a cloud service provider that had 
been precertified as being in compliance with government information 
security requirements through some type of governmentwide approval 
process would make it easier for them to consider using cloud 
computing. For example, DOT officials implementing the Car Allowance 
Rebate System program stated that having a cloud service provider that 
was precertified to process federal financial transactions may have 
made implementation of the payment processing system for the program 
easier. Until such precertified providers are in place, the adoption 
of cloud computing may be limited. 

Processes, Documentation, and Division of Roles and Responsibilities 
for Cloud Computing Create Challenges: 

In their efforts to ensure information security in cloud computing, 
agencies have had to re-examine and, at times, change related 
processes, documentation, and roles and responsibilities. For example, 
DOD officials implementing a cloud computing program identified the 
need to improve related DOD business processes, including those 
related to security. The existing DOD process required for risk 
assessment and assessment and authorization for information systems 
created challenges because of its focus on stand-alone systems and 
multiple levels of organizational review. In response, the program 
office worked with a contractor to re-engineer the process and reduce 
the time needed to complete information security requirements for new 
systems. NASA officials also noted the increased complexity of 
information security-related document maintenance in a shared owner 
environment and took steps to address this issue. 

Other agency concerns related to the division of information security 
responsibilities between customer and vendor. For example, both DOD 
and NASA officials responsible for cloud computing implementations at 
their agencies stated that a clear division of security roles and 
responsibilities in cloud computing was important. For example, NASA 
officials divided responsibility for the security controls in NIST SP 
800-53 Revision 3 for low-impact systems into customer and provider 
controls and found that the customer had primary responsibility for 47 
of the 112 total controls. Similarly, DOD officials also divided 
responsibilities for the corresponding DOD information assurance 
controls between customers and service providers. Both sets of agency 
officials commented on the challenges in analyzing and maintaining 
such a division of responsibilities but noted that clear assignment of 
responsibilities was important for effective information security. 

Several Governmentwide Cloud Computing Information Security 
Initiatives Have Been Started, but Key Guidance and Efforts Have Not 
Been Completed: 

To address cloud computing security issues, the executive branch has 
begun several initiatives. However, these initiatives have not yet 
been completed. For example, OMB stated that it began a federal cloud 
computing initiative in February 2009; however, it does not yet have 
an overarching strategy or an implementation plan. According to OMB 
officials, the initiative includes an online cloud computing 
storefront managed by GSA and will likely contain three pilot cloud 
computing projects, each with a lead agency: (1) a voucher payment 
portal led by the Department of the Treasury; (2) a tool for citizen 
interaction to support open government led by GSA; and (3) a citizen 
services dashboard led by GSA. However, as of March 2010, a date had 
not been set for the release of the strategy or for any of the pilots. 
In addition, OMB has not yet defined how information security issues, 
such as a shared assessment and authorization process, will be 
addressed in this strategy. 

Federal agencies have stated that additional guidance on cloud 
computing security would be helpful. Addressing information security 
issues as part of this strategy would provide additional direction to 
agencies looking to use cloud computing services. Until this strategy 
has been completed, agencies will lack clear direction in how to 
ensure information security while implementing cloud computing 
services. 

GSA Has Established Program Office and Cloud Computing Storefront, but 
Key Procurement Has Been Delayed in Part Due to Information Security 
Concerns: 

GSA has established a Cloud Computing Program Management Office that 
manages several cloud computing activities within GSA and provides 
administrative support for cloud computing efforts by the federal 
Chief Information Officers (CIO) Council. Specifically, the program 
office manages a storefront, www.apps.gov, established by GSA to 
provide a central location for federal agencies to purchase several 
software as a service cloud computing applications, including: 

* business applications, such as data analysis, human resources, and 
financial management software, and tools for tracking and monitoring 
various types of activities; 

* office productivity applications, which include standard word 
processing and spreadsheet applications, and also applications used 
for brainstorming, collaboration, document management, and project 
management; and; 

* social media applications that are focused on making it easier to 
create and distribute content and that enable people to communicate 
easily and share information. 

GSA plans to expand the storefront by also providing infrastructure as 
a service cloud computing offerings such as storage, virtual machines, 
and Web hosting. To this end, GSA began a procurement process by 
issuing a request for quotations in July 2009. The request asked for 
quotations to provide the government with required documentation on 
vendors' offerings of cloud storage services, virtual machines, or 
cloud Web hosting. These services would be available through the 
www.apps.gov storefront. The procurement closed in September 2009, 
with nine vendors submitting quotations. 

However, addressing information security issues has been a significant 
challenge in the procurement. GSA officials stated that as they were 
analyzing the submitted quotations, one issue they were attempting to 
resolve was establishing a process for federal agencies to work with 
GSA to complete the information security assessment and authorization 
process when using these services. In early March 2010, GSA canceled 
the request and announced plans to begin a new request process, in 
part due to concerns and challenges in addressing information 
security. Specifically, the new request will ask for services that 
meet the level of security for both low- and moderate-impact systems 
as defined in PIPS 199 and NIST SP 800-53. The canceled request 
required only low-level security. GSA stated that providing cloud 
computing services that meet both low-and moderate-impact information 
security controls would allow a broader range of services and 
customers. GSA officials also stated that they need to work with 
vendors after a new procurement has been completed to develop a shared 
assessment and authorization process, but have not yet developed 
specific plans to do so. 

Adding moderate-impact controls to the request may increase demand for 
the infrastructure services when the procurement is completed; 
however, establishing both an assessment and authorization process for 
customers of these services and a clear division of security 
responsibilities will help ensure that these services, when purchased 
and effectively implemented, protect sensitive federal information. 

Federal CIO Council Has Established Cloud Computing Executive Steering 
Committee but Has Not Finalized Key Process or Guidance: 

The CIO Council established the Cloud Computing Executive Steering 
Committee to promote the use of cloud computing in the federal 
government. The GSA Cloud Computing Program Management Office provides 
technical and administrative support for the committee. The committee 
consists of an overall advisory council and these four subgroups: 

* The communications subgroup provides information on the status of 
cloud computing in the federal government and is planning an 
information portal for the www.apps.gov storefront. 

* The operational excellence subgroup examines cloud computing 
implementations at federal agencies, assists agencies in evaluating 
potential applications for cloud computing, and identifies possible 
improvements to the storefront. 

* The standards subgroup is helping develop standards related to 
interoperability and portability of cloud computing services. 

* The security subgroup is addressing several issues related to 
information security and cloud computing. 

The security subgroup has begun developing recommendations for a 
streamlined assessment and authorization process through the Federal 
Risk and Authorization Management Program. This process would address 
authorizing operation of a system, including the development and 
implementation of risk assessments and security controls. For example, 
according to GSA, the program is to provide joint authorizations and 
continuous monitoring services for all federal agencies with an 
initial focus on cloud computing. The process would rely on several 
key steps of the process being performed by a governmentwide 
organization, while the final authorization to operate a system would 
still be made by a designated official at the agency purchasing the 
service. According to a summary provided by GSA, the goals for this 
process include providing better security and privacy, clearer 
communication of security requirements for government and industry, 
improved efficiency and broad acceptance for agencies, and compliance 
with existing federal information security guidance and legislation. 
Officials involved in the process have noted the need to clearly 
delineate security control responsibilities between providers and 
customers. The group is currently working with its members to define 
interagency security requirements for cloud systems and services and 
related information security controls from both the moderate and low 
baselines specified in NIST SP 800-53 Revision 3. 

According to GSA, a draft of the new assessment and authorization 
process has been approved by the Cloud Computing Executive Steering 
Committee. However, a deadline for completing development and 
implementation of this process had not been established. A particular 
concern of the committee is the requirement for agency CIOs to certify 
the adequacy of information security controls for systems that they do 
not own or operate. GSA officials involved in this effort stated that 
it may be up to OMB to clearly establish that agencies will be able to 
rely on the shared process. 

In addition to the Executive Steering Committee and its subgroups, 
another component of the CIO Council is working on information 
security issues related to cloud computing. The group, which is part 
of the CIO Council's Information Security and Identity Management 
Committee, is currently developing a white paper on guidelines for the 
secure use of cloud computing for federal departments and agencies, 
according to a co-chair of this group. The paper is intended to 
provide agencies with guidelines, use cases, and scenarios to help 
program managers make risk-based decisions when selecting cloud 
deployment and service models. 

Federal agencies responding to our information request, officials of 
the cloud computing case studies described in appendix II, and private 
sector representatives have all identified concerns with how to 
properly and efficiently complete activities related to the assessment 
and authorization process, including control selection and testing, 
when using cloud computing. Until a clear, comprehensive, and 
efficient process has been established, adoption of cloud computing in 
the federal government may be limited, and cloud computing programs 
that are implemented may not have appropriate information security 
controls in place. 

NIST Is Coordinating Activities with CIO Council but Has Not 
Established Cloud-Specific Guidance: 

NIST is responsible for establishing information security guidance for 
federal agencies to support FISMA. Cloud computing is an emerging 
model for IT, and NIST has not yet established guidance specific to 
cloud computing. However, according to its officials, the institute 
has begun several other activities related to cloud computing. For 
example, it has developed a definition of cloud computing and is 
participating in the activities of the CIO Council subgroups. 

The NIST official leading the institute's cloud computing activities 
stated that existing NIST requirements apply to cloud computing and 
can be tailored to the information security issues specific to cloud 
computing. However, as previously discussed in this report, both 
federal and private sector officials have made clear that existing 
guidance is not sufficient. At the conclusion of our review, NIST 
officials stated that the institute is planning to issue guidance on 
cloud computing and virtualization but had not yet finalized the 
topics that it would cover and had not determined a date for issuing 
this guidance. 

Our analysis also indicates areas where existing NIST guidance does 
not clearly address information security issues specifically related 
to cloud computing. While NIST SP 800-53 covers general security areas 
important to cloud computing to some extent, the guidance lacks 
specificity in key security areas. For example, NIST guidance does not 
directly address key cloud computing security issues such as 
portability and interoperability, data center operations, and 
virtualization. Both public and private sector officials identified 
interoperability issues and concerns about virtualization as 
challenges agencies face when making decisions on whether to implement 
cloud computing. At the end of our review, NIST officials stated that 
SP 800-53 was not intended to be specific to a particular type of 
computing, such as cloud computing, but agreed that areas such as 
portability and interoperability were important in implementing cloud 
computing and they were considering including them in future NIST 
publications. 

Furthermore, federal agencies stated that establishing a clear 
delineation of security control responsibilities between providers and 
customers is a challenge, but existing NIST guidance does not fully 
address these issues or establish a process for doing so Existing NIST 
guidance addresses the establishment of interconnection security 
agreements between different organizations; however, the guidance is 
not specific to issues related to cloud computing. For example, NIST 
guidance does not address the division of information security 
responsibilities when several organizations are involved in cloud 
computing or possible variations in these roles and responsibilities 
due to the use of different cloud deployment and service models. Until 
federal guidance addresses information security issues specific to 
cloud computing and provides information on how to divide 
responsibilities between providers and customers, agencies may not be 
able to effectively ensure the security of their systems when using 
cloud computing. 

Conclusions: 

About half of the 24 agencies are using various models of cloud 
computing, and many others are interested in using it; however, 
implementation of this emerging technology presents both information 
security benefits and risks. Agencies have taken steps to address 
cloud computing security but have not always developed corresponding 
guidance. The use of attestation standards and precertification of 
cloud service providers may provide a way for agencies to ensure 
information security when using cloud computing service providers. 
However, OMB has not yet developed a strategy that addresses the 
information security issues related to cloud computing, and guidance 
from individual agencies and NIST to ensure information security is 
insufficient. While the federal CIO Council is developing a shared 
assessment and authorization process, which could help foster adoption 
of cloud computing, this process remains incomplete, and GSA has yet 
to complete its procurement of cloud computing infrastructure as a 
service offerings for its storefront, in part due to security 
concerns. Until federal guidance and processes that specifically 
address information security for cloud computing are developed, 
agencies may be hesitant to implement cloud computing, and those 
programs that have been implemented may not have effective information 
security controls in place. 

Recommendations for Executive Action: 

To assist federal agencies in identifying uses for cloud computing and 
information security measures to use in implementing cloud computing, 
we recommend that the Director of OMB take the following three actions: 

* Establish milestones for completing a strategy for implementing the 
federal cloud computing initiative. 

* Ensure the strategy addresses the information security challenges 
associated with cloud computing, such as needed agency-specific 
guidance, the appropriate use of attestation standards for control 
assessments of cloud computing service providers, division of 
information security responsibilities between customer and provider, 
the shared assessment and authorization process, and the possibility 
for precertification of cloud computing service providers. 

* Direct the CIO Council Cloud Computing Executive Steering Committee 
to develop a plan, including milestones, for completing a 
governmentwide security assessment and authorization process for cloud 
services. 

To assist federal agencies in selecting and acquiring precertified 
cloud computing products and services, we recommend that the 
Administrator of GSA, as part of the procurement for infrastructure as 
a service cloud computing technologies, ensure that full consideration 
is given to the information security challenges of cloud computing, 
including a need for a shared assessment and authorization process. 

To assist federal agencies in implementing appropriate information 
security controls when using cloud computing, we recommend that the 
Secretary of Commerce direct the Administrator of NIST to issue cloud 
computing information security guidance to federal agencies to more 
fully address key cloud computing domain areas that are lacking in SP 
800-53, such as virtualization, data center operations, and 
portability and interoperability, and include a process for defining 
roles and responsibilities of cloud computing service providers and 
customers. 

Agency Comments and Our Evaluation: 

In providing comments on a draft of this report, OMB, GSA, and the 
Department of Commerce, stated that they generally concurred with the 
contents and recommendations of the report. The agencies' comments and 
our responses are summarized below: 

* In written comments on a draft of this report, the Federal Chief 
Information Officer stated that OMB agreed with our recommendations. 
He described efforts under way for developing a cloud computing 
strategy, stating that OMB intends to develop such a strategy over the 
next 6 months. In addition, he stated that OMB agrees that the 
strategy must address the security challenges associated with 
implementing cloud computing and has established a group to study, 
propose, and implement a solution for governmentwide assessment and 
authorization. The Office of Management and Budget's comments are 
reprinted in appendix BT. 

* In written comments on a draft of this report, the Administrator of 
GSA stated that GSA agreed in part with our findings and 
recommendation to complete the procurement for infrastructure as a 
service cloud computing technologies and ensure that it includes full 
consideration of the information security challenges of cloud 
computing. The Administrator stated that GSA will reissue the 
procurement request in May 2010. She also provided additional 
information on the Federal Risk and Authorization Management Program, 
which we have incorporated in the report as appropriate. In subsequent 
discussions with GSA, we revised our recommendation to clarify its 
intent, and agency officials stated that GSA had reissued the request 
on May 12, 2010, and fully agreed with our recommendation. GSA's 
comments are reprinted in appendix IV. 

* In written comments on a draft of this report, the Secretary of 
Commerce concurred with our recommendation. He noted that NIST expects 
to release a virtualization document for public comment in June 2010 
and release a cloud computing document for public comment in September 
2010. In addition, the Secretary provided technical comments which we 
incorporated in the draft as appropriate. Comments from the Department 
of Commerce are reprinted in appendix V. 

We provided a draft of this report to the other 22 major federal 
agencies to which we did not make recommendations and received 
technical comments from 4 agencies. We have incorporated these 
comments in the report as appropriate. 

As agreed with your offices, unless you publicly announce the contents 
of this report earlier, we plan no further distribution until 30 days 
from the report date. At that time, we will send copies to interested 
congressional committees, the Director of OMB, the Secretary of 
Commerce, and the Administrator of GSA. In addition, this report will 
be available at no charge on the GAO Web site at [hyperlink, 
http://www.gao.gov]. 

If you or your staffs have any questions about this report, please 
contact me at (202) 512-6244 or at wilshuseng@gao.gov. Contact points 
for our Offices of Congressional Relations and Public Affairs may be 
found on the last page of this report. Key contributors to this report 
are listed in appendix VI. 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

List of Congressional Requesters: 

The Honorable Joseph I. Lieberman: 
Chairman: 
The Honorable Susan M. Collins: 
Ranking Member: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

The Honorable Tom R. Carper: 
Chairman: 
Subcommittee on Federal Financial Management, Government Information, 
Federal Services, and International Security: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

The Honorable Diane E. Watson: 
Chairwoman: 
Subcommittee on Government Management, Organization, and Procurement: 
Committee on Oversight and Government Reform: 
House of Representatives: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

The objectives of our review were to (1) identify the models of cloud 
computing; (2) identify the information security implications of using 
cloud computing services in the federal government; and (3) assess 
federal guidance and efforts to address information security when 
using cloud computing. 

To identify cloud computing models, we reviewed publications, white 
papers, and other documentation from public and private sector 
organizations. We then obtained relevant information through 
interviews with officials from the National Institute of Standards and 
Technology (NIST) and private sector organizations that offer cloud 
computing services. We compared cloud computing descriptions and 
definitions of cloud computing from these sources to identify 
similarities and differences. 

To identify the information security implications of using cloud 
computing services in the federal government, we reviewed 
documentation from the public and private sectors. Our documentation 
review focused on identifying the positive and negative information 
security implications (risks and benefits) of cloud computing. We 
supplemented this review by interviewing representatives of public and 
private sector organizations to prioritize these implications and 
identify information security challenges associated with federal 
agencies working with cloud computing service providers. We 
interviewed representatives of several of the 24 major federal 
agencies[Footnote 20] and private sector organizations that provide 
cloud computing services. In addition, we issued a survey and data 
request to the 24 federal agencies. We pretested the survey at three 
agencies to ensure that the questions were relevant and easy to 
comprehend. For each agency surveyed, we identified the appropriate 
point of contact, notified each one of our work, and distributed the 
survey along with a data request to each via e-mail in November 2009. 
All 24 agencies responded to our survey and data request from December 
2009 to February 2010; results are reported as of this date. We 
contacted agency officials when necessary for additional information 
or clarification of agency responses. We did not verify the accuracy 
of the agencies' responses; however, we reviewed supporting 
documentation that agencies provided to corroborate information 
provided in their responses. We then analyzed the results of the 
survey and data request responses to identify: 

* the potential information security implications agencies might 
consider positive or negative for cloud computing; 

* the techniques agencies are using to ensure that effective 
information security measures are being implemented when using cloud 
computing; 

* the extent to which the agency has procured or plans to procure 
cloud computing products or services using www.apps.gov; and; 

* the concerns agencies faced when working with cloud computing 
providers. 

Conducting any survey may introduce errors. For example, differences 
in how a particular question is interpreted, the sources of 
information that are available to respondents, or how the data are 
entered or were analyzed can introduce variability into the survey 
results. We took steps in the development of the survey instrument, 
the data collection, and the data analysis to minimize errors. 

To assess federal guidance and efforts to address information security 
when using cloud computing, we gathered and analyzed information at 
federal entities with specific governmentwide responsibilities, 
including the Office of Management and Budget (OMB), General Services 
Administration (GSA), NIST, and the federal Chief Information Officers 
Council. We further reviewed federal information security guidance to 
determine the extent to which the guidance addressed concerns 
specifically related to cloud computing and relevant information 
security areas. For example, we compared NIST Special Publication 800-
53 Revision 3 to key cloud computing security areas specified by other 
IT security organizations such as the Cloud Security Alliance and 
European Network and Information Security Agency. We also conducted 
case studies on three federal cloud computing programs, the Department 
of Defense's (DOD) Rapid Access Computing Environment (RACE) program, 
the National Aeronautics and Space Administration's (NASA) Nebula 
program, and the Department of Transportation's (DOT) Car Allowance 
Rebate System (CARS) program. We selected these agency case studies 
based on cloud computing experts' and agency officials' referrals, and 
any references in the documentation we reviewed. We also relied on the 
survey of the 24 major federal agencies to identify the techniques 
federal agencies stated they used to ensure that effective information 
security measures are in place when they use cloud computing. 

We conducted this performance audit from September 2009 through May 
2010 in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. 

[End of section] 

Appendix II: Cloud Computing Case Studies: 

The following is a description of three federal cloud computing 
programs: the DOD's RACE program; NASA's Nebula program; and 
Department of Transportation's CARS program, including lessons learned 
related to information security. 

DOD's RACE Program Provides Platforms for DOD Systems Development 
Efforts: 

The RACE program was started by DOD's Defense Information Systems 
Agency in October 2008 to provide platform as a service to support DOD 
systems development efforts. The goal of the program is to provide the 
service through a streamlined process including system provisioning, 
development, testing, assessment and authorization, and deployment of 
applications to DOD customers within a private cloud. RACE customers 
purchase one or many virtual machines[Footnote 21] through a self-
service portal. The RACE program is managed by both government and 
contractor personnel within existing DOD data centers and operates 
only on DOD's internal network. 

According to program officials, users can acquire server capacity 
rapidly for short- or long-term use without the need for approval for 
a capital acquisition expense. Initial provisioning in RACE takes a 
few days, while traditional purchasing can take a month or longer. 
RACE currently has about 120 virtual machines in use. Program 
officials state that they hope to expand RACE to the classified 
environment in the future. Currently, DOD uses three information 
system impact levels,[Footnote 22] which are equivalent to low, 
moderate, and high, as defined by NIST. RACE is currently certified to 
operate at the moderate-impact level, although the current use is for 
data at the lowest impact level. 

Information Security Controls and Lessons Learned: 

DOD officials emphasized the need for a clear division of 
responsibilities among its customers and cloud service providers when 
implementing cloud computing. For RACE, potential customers must agree 
to meet minimum information security requirements before becoming 
customers of the RACE program, including resolving any open 
vulnerabilities or documenting them in a plan of action and 
milestones. The program also has documentation that divides 
information security control responsibilities between controls managed 
by the RACE program and controls managed by the customer. Using a 
matrix containing the appropriate DOD information assurance controls, 
RACE officials determined that out of 106 controls, 62 were the 
responsibility of the customer, 31 of the service provider, and 13 
were not applicable. Of the 106 controls, 37 were classified as 
inheritable controls, meaning the customer application inherits 
several predefined information assurance controls from RACE. 

During the initial stages of RACE implementation, program officials 
recognized the need to improve related DOD business processes, 
including those related to security. The existing DOD process required 
for risk assessment and assessment and authorization for information 
systems created challenges because of its focus on stand-alone systems 
and multiple levels of organizational review. In response, the program 
office worked with a contractor to re-engineer the process to complete 
information security requirements for new systems. Program officials 
estimate that the total time required to complete the assessment and 
authorization process will be reduced from 80 days to 40 days for RACE 
customers, but the process is too new to be verified. A subsequent 
release is planned to further reduce this time to 7 days. The 
officials stated that overall implementation of the RACE program and 
other cloud efforts would have been faster if guidance and processes 
related to assessment and authorization for cloud computing had 
already been in place. 

NASA’s Nebula Pilot Uses Open-Source Technologies to Enhance 
Collaboration: 

Nebula is a cloud computing pilot under development at NASA's Ames 
Research Center in Mountain View, California. It is an infrastructure 
as a service implementation for scientific data and Web-based 
applications. Platform as a service capability is planned for the 
future. According to NASA, Nebula is to provide high-capacity 
computing, storage, and network connectivity using a virtualized, 
scalable approach to achieve cost and energy savings. Currently, 
NASA's Nebula is considered a private cloud and is operated at Ames 
Research Center on NASA equipment using both government and contractor 
personnel. Nebula is housed in a standard shipping container that is 
mounted in place, but could be transported if needed (see fig. 4). 
Program officials chose this design as a means to easily replicate the 
Nebula equipment as the program expands. The officials state that a 
future goal is for Nebula to become a hybrid cloud as a way to 
eventually foster collaboration in analysis of NASA-sponsored research 
with the academic community and the public. As a result, Nebula relies 
on open-source cloud computing technologies so that data can be easily 
transferred to other cloud service providers if required. 

The officials stated that when NASA data is first generated, its 
sensitivity must be evaluated to see if it is appropriate for public 
release. Once the decision has been made to share the data, the use of 
Nebula makes sharing information easier. The officials also stated 
that Nebula will provide other benefits. For example, according to 
NASA, researchers who use Nebula will not have to purchase their own 
servers, hardware, and computing infrastructure, which can be time-
consuming. Nebula is currently authorized to handle only low-impact 
data as defined in FIPS 199; however, officials noted that they may 
migrate to a moderate-impact system in the future. Currently, Nebula's 
customers include the World Wide Telescope from Ames Research Center 
and the Climate Grid led by NASA's Goddard Space Flight Center. 

Figure 4: NASA Nebula Container: 

[Refer to PDF for image: photograph] 

Source: NASA. 

[End of figure] 

Information Security Controls and Lessons Learned: 

NASA officials said that a major challenge in their implementation of 
Nebula was determining how to apply federal information security 
policies and guidance because current federal guidance does not 
clearly address specific controls for a cloud computing environment 
like Nebula. Examples included how to track, schedule, and report 
compliance with the Federal Information Security Management Act of 
2002 when customers are responsible for some controls and the provider 
is responsible for others, and how to address security and service-
level agreements. Nebula officials noted challenges in determining 
responsibilities and identifying the necessary documentation for 
interconnection security agreements[Footnote 23] between customers and 
third-party systems used by the customers. 

Additionally, officials noted the need to clearly define the 
information security controls for which the cloud provider is 
responsible and those for which the customer is responsible. For 
example, effective incident response in a cloud environment requires 
delineation of customer and provider responsibilities, which is 
information that is not currently addressed in federal guidance. NASA 
Nebula officials noted that the exact number of controls for which the 
customer is responsible varies depending on the cloud computing 
service model. In Nebula's current infrastructure as a service 
offering, the customer is responsible for 47 of the 112 total controls 
in NIST SP 800-53 Revision 3 for low-impact systems. They noted 
further that many of the responsibilities under the customer controls 
are actually shared between the customer and Nebula, as the service 
provider, because the provider will still have responsibility for the 
parts of the infrastructure under the provider's control. 

DOT’s CARS Program Made Partial Use of Cloud Computing, but Was 
Limited by Security Concerns: 

The CARS program used a public cloud for part of its system. CARS was 
administered by DOT under the authority of the Consumer Assistance to 
Recycle and Save Act of 2009. The program allowed owners of certain 
less fuel-efficient vehicles to receive a credit for trading in a 
vehicle and purchasing or leasing a new, more fuel-efficient vehicle. 
Dealers were reimbursed for this credit by the government. According 
to program officials, the program faced a number of challenges, 
including having only about 1 month to develop and deploy the system 
and an unexpectedly high demand for the program; users of the program 
tripled in number within 12 days of the start of the program. 

The program, which operated from July 24 to August 24, 2009, had two 
major information technology components: a publicly accessible Web 
site with content for consumers, dealers, and salvage facilities, and 
a payment processing system used by dealers to submit applications to 
the program. The Web site was considered a low-impact system under 
FIPS 199, but the payment processing system, which contained personal 
information, was considered a moderate-impact system. 

The public Web site used a cloud computing service provider that 
hosted the Web site and provided additional surge capabilities to cope 
with spikes in demand for Web content. Effective communication through 
the Web site was vital to implementation of the CARS program. 
According to department officials, because of the use of a cloud 
service provider, the CARS Web site was not affected by the July 4, 
2009, cyber attacks.[Footnote 24] Also, using the cloud service 
provider for Web content allowed the CARS program information to be 
accessible while protecting DOT's primary Web site from being 
overwhelmed and potentially disabled by the high demand for 
information about the program. The department's agreement with the 
cloud service provider allowed it to quickly and easily increase 
capacity as needed. 

In contrast, the payment-processing system used a more traditional 
database and financial management system containing commercial off-the-
shelf software and, according to DOT officials, was not able to cope 
with increases in demand for the program. Although the payment 
processing system was originally designed to process up to 250,000 
transactions over 4 months, the system actually processed 
approximately 690,000 transactions in about 1 month. Partly as a 
result of the overwhelming interest in the program, the department 
encountered several technical issues and capacity-related deficiencies 
with the payment system. Specifically, the system had numerous outages 
and periods of slow operation, causing frustration among dealers and 
disrupting the department's ability to review submissions. Since the 
payment processing system did not use cloud computing, expanding the 
system's capacity was more challenging. 

Information Security Controls and Lessons Learned: 

Officials said they briefly considered use of a cloud computing model 
for the payment processing system, but were reluctant to do so because 
of programmatic constraints to using applications already in use by 
the department. They also were concerned about processing personal 
information in a cloud environment without the environment having been 
precertified to handle the information. The officials acknowledged 
that many characteristics of the CARS program would have made the 
payment processing system a good candidate for cloud computing. These 
included the program's limited time available for deployment, short 
duration, and need to cope with sudden peaks in demand. However, the 
need to interface with existing department computing infrastructure, 
including using expertise from the existing vendor and the lack of an 
already developed and deployed cloud that had been certified to handle 
personal information made them hesitant to use a cloud computing 
solution and led them to instead use a more traditional application. 
As it was, the short time available to deploy the system made 
completion of information security processes, such as authorization 
and accreditation, a challenge. 

A program official added that successful implementation of cloud 
computing in the federal government will be dependent on several 
information security-related factors, including the ability to ensure 
continuous monitoring of security controls and the ability to 
independently verify the security of cloud computing providers. 

[End of section] 

Appendix III: Comments from the Office of Management and Budget: 

Executive Office Of The President: 
Office Of Management And Budget: 
Washington, D.C. 20503: 

Gregory Wilshusen: 
Director: 
The Government Accountability Office: 
441 G Street, Northwest: 
Washington, D.C. 20548: 

Dear Mr. Wilshusen: 

Thank you for the opportunity to comment on your draft report, 
"Information Security: Federal Guidance Needed to Address Control 
Issues with Implementing Cloud Computing" (GAO-10-153). 

As an initial matter, OMB appreciates GAO's focus on this important 
issue, and we agree with GAO on the need for an overarching Federal 
cloud computing strategy with milestones. However, cloud computing is 
in its early stages. OMB has been deliberate in making sure a unified 
cloud strategy does not thwart innovation by prematurely hardwiring 
and institutionalizing cloud technologies, standards and security 
requirements. Accordingly, OMB, Federal agencies and private industry 
are partnering together to observe, test and deploy best practices as 
the cloud sector matures. OMB feels it would be appropriate to 
develop, over the next six months, a Federal cloud strategy that 
covers a planning horizon of five to 10 years and is based on lessons 
learned in the near term. Additionally, the strategy and related 
milestones may need to evolve over time, as cloud computing 
technologies establish market strongholds. 

As noted above, we agree that the strategy must address the security 
challenges associated with implementing cloud computing. For this 
reason the National. Institute of Standards and Technology (NIST), at 
the direction of the Federal CIO, is convening a cloud summit on May 
201", 2010. The Summit, which will feature a broad array of speakers 
from government, industry and academia, will broaden the dialogue on 
key cloud issues, including data interoperability, portability and 
security standards. Outputs from the Summit will be used to guide the 
development of appropriate security controls and inform a future 
Federal cloud computing strategic plan. 

OMB is committed to the Federal government developing and implementing 
secure cloud environments, and we are actively working to make this a 
reality. To that end, the Federal CIO has established the Cloud 
Computer Security Workgroup (led by NIST) to study, propose and 
implement a solution for government-wide security assessment and 
authorization. This Workgroup has already established a process for 
government-wide assessments and authorizations. 

Moreover, agency-specific guidance must address standards and the 
appropriate division of roles and responsibilities. The Federal CIO 
has also activated a standards workgroup, and OMB is working with NISI 
to propose and implement standards for implementing cloud computing 
environments in support of government programs and activities. 
Agencies recognize the need for agency-specific guidance in this area, 
and they are collaborating with OMB to align our cloud computing 
initiatives with agency business needs. 

Thank you again for the opportunity to comment on the draft report and 
to discuss our work on the development and implementation of a secure 
cloud computing environment. 

Sincerely, 

Signed by: 

Vivek Kundra: 
Federal Chief Information Officer: 

[End of section] 

Appendix IV: Comments from the General Services Administration: 

U.S. General Services Administration: 
GSA Administrator: 
1800 F Street, NW: 
Washington, DC 20405-0002: 
Telephone: (202) 501-0800: 
Fax: (202) 219-1243: 
[hyperlink, http://www.gsa.gov] 

May 7, 2010: 

The Honorable Gene L. Dodaro: 
Acting Comptroller General of the United States: 
U.S. Government Accountability Office: 
Washington, DC 20548: 

Dear Mr. Dodaro: 

The U.S. General Services Administration (GSA) appreciates the 
opportunity to review and comment on the draft report entitled 
"Federal Guidance needed to Address Control Issues with Implementing 
Cloud Computing" (GA0-10-513). 

We agree in part to the findings and recommendations. Substantive 
comments to the findings and recommendations are provided below: 

1. The report recommends that "the CIO Council Cloud Computing 
Executive Steering Committee develop a plan, including milestones, for 
completing a government wide security assessment and authorization 
process for cloud services. 

The Security Working Group has developed the Federal Risk and 
Authorization Management Program (FedRAMP) that addresses this 
recommendation. The Security Working Group, as part of GSA's Cloud 
Computing Program with members from over 15 agencies, is led by the 
National Institute of Standards and Technology (NIST). FedRAMP is a 
government-wide program to provide joint authorizations and continuous 
security monitoring services for all Federal agencies with an initial 
focus on cloud computing. It is a major element in the strategy to 
facilitate the use of cloud computing by the Federal Government. 
FedRAMP is a central office that performs certification and 
authentications, recommends authority to operate, and supports 
continuous monitoring of systems in compliance with Federal laws and 
regulations. Agencies can leverage the Certification and Authorization 
(C&A) and Authority to Operate (ATO) without having to repeat the 
process for each system. We expect that FedRAMP will be operational in 
May 2010. 

As detailed in the GAO Report, agencies have expressed the following 
concerns: (a) depending on vendors ability to provide and maintain 
adequate security controls; (b) implementing and maintaining adequate 
security controls and monitoring; and (c) meeting the requirements of 
Federal information security requirements and guidance. Each agency is 
responsible to independently select appropriate security controls, 
implement and assess security, develop appropriate plans of action, 
and conduct ongoing security monitoring. 

As background, FedRAMP is a unified government-wide risk management 
for enterprise level IT systems. It enables agencies to leverage 
authorizations with: 

* Unified interagency C&A process; 

* Consistent application of Federal security requirements; 

* Consolidated risk management; and; 

* Increased effectiveness and management cost savings. 

FedRAMP has three components: 

* Security Requirement Authorities to create governmentwide baseline 
security requirements that are interagency developed and approved; 

* FedRAMP Office to coordinate authorization packages, manage 
authorized system list, and provide continuous monitoring oversight; 
and; 

* Joint Authorization Board to perform authorizations and on-going 
risk determinations that can be leveraged government-wide. Members of 
the Board are GSA, DoD, DHS and the sponsoring agency for the system 
to be authorized. 

Figure 1 presents a concept of operations and high level workflow for 
FedRAMP. 

Figure 1: FedRAMP Workflow: 

[Refer to PDF for image: illustration] 

1) Agency X acquires the ZipCloud service from ZipCorp. 

2) Agency X offloads risk management work to FedRAMP. 

3) FedRAMP accepts the work, reducing duplicative efforts by multiple 
agencies. 

4) ZipCorp performs risk management work once with FedRAMP for 
ZipCloud. 

5) Agencies perform agency specific security work as needed. 

[End of figure] 

FedRAMP will create a unified risk management process that: 

* increases security through focus assessments; 

* eliminates duplication of effort and associated cost savings; 

* enables rapid acquisition by leveraging pre-authorized solutions; 

* provides agency vetted transparent security requirements and 
authorization packages; 

* facilitates multi-agency use of shared systems; and; 

* ensures integration with governmentwide security efforts. 

FedRAMP allows agencies to leverage authorizations which reduces 
agency effort for authorizations and monitoring. With FedRAMP agencies 
will only have to review security details, leverage the existing 
authorization, and secure agency usage of system. This will greatly 
reduce cost, enable rapid acquisition, and reduce effort (diagrams 
that illustrate FedRAMP processes are enclosed). 

Currently, it is anticipated that FedRAMP will be operational in May 
2010. 

2. The GAO report recommends that the Administrator of GSA complete 
the procurement for pre-certified infrastructure as a service cloud 
computing technologies at the low and moderate impact levels and 
ensure that it includes full considerations of the information 
security challenges of cloud computing, including a need for a shared 
assessment and authorization process." 

GSA will reissue the Request for Quote for Infrastructure as a Service 
(IaaS) in May 2010. The RFQ will result in a multi-award blanket 
purchase agreement (BPA) for IaaS providers. Awardees of this BPA will 
be included in FedRAMP. FedRAMP is a government-wide program to 
provide joint authorizations and continuous security monitoring 
services for all Federal agencies with an initial focus on cloud 
computing. Upon successful completion of the FedRAMP process and 
approval by the Joint Approval Board, the IaaS services will be 
granted an Authority to Operate (ATO) at the moderate impact level as 
defined by the Federal Information Security Management Act. An ATO at 
the moderate level includes approval of operation at low impact level. 

Before reissuing the RFQ, GSA is working to improve the statement of 
work and to clarify the bidding instructions. As a result, the RFQ 
will better reflect customer requirements and vendors will be able to 
more accurately bid their services against requirements. 

If you have any additional questions or concerns, please do not 
hesitate to contact me. Staff inquiries may be directed to Ms. Katie 
Lewin, Director, Cloud Computing Program, Office of Citizen Services 
and Communications. She can be reached at (202) 219-0394. 

Sincerely, 

Signed by: 

Martha Johnson: 
Administrator: 

Enclosure: 

cc: Gregory C. Wilshusen: 

[End of section] 

Appendix V: Comments from the Department of Commerce: 

United States Department Of Commerce: 
The Secretary of Commerce: 
Washington, D.C. 20230: 

May 4, 2010: 

Mr. Gregory C. Wilshusen: 
Director, Information Security Issues: 
United States Government Accountability Office: 
Washington, DC 20548: 

Dear Mr. Wilshusen: 

Thank you for the opportunity to comment on the draft report from the 
Government Accountability Office (GAO) entitled "Information Security: 
Federal Guidance Needed to Address Control Issues with Implementing 
Cloud Computing" (GA0-10-513). 

We concur with the report's conclusions that Federal agencies should 
take several steps to address cloud computing security, including 
completing the strategy, considering security in a planned procurement 
of cloud computing services, and issuing guidance related to cloud 
computing security. The Department of Commerce offers the following 
comments regarding the GAO's conclusions: 

1. Page 14. The draft states that "Infrastructure as a service is the 
foundation of all cloud services." This is not accurate because one 
can build cloud services without relying on an "infrastructure as a 
service" system. We suggest deleting the sentence. 

2. Page 24. The NIST point about browser vulnerability (from page 23) 
should be part of table 3. 

3. Page 24. Delete and it does not currently have finalized plans or 
milestones to issue cloud-specific security guidance" and replace it 
with "NIST has two documents in preparation: a guide on virtualization 
and a guide on cloud computing. NIST expects the virtualization 
document to be released for public comment in June 2010 and the cloud 
computing document to be released for public comment in September 
2010." 

4. Page 32. Replace "stated that existing NIST guidance applies" with 
"stated that existing NIST requirements apply." 

Note: NIST publication 800-53 is a catalogue of controls that 
represent security requirements for information systems. It is 
designed to be flexible and adaptable to a variety of computing models 
and technologies, including cloud computing. We agree that guidance 
specific to cloud computing is needed. 

5. Page 33. NIST believes portability and interoperability are not 
"security issues," as the text implies in the second paragraph on the 
page. We suggest replacing the sentence For example, NIST guidance 
does not clearly address key cloud computing security issues such as 
portability and interoperability, data center operations, and 
virtualization" with "Current NIST guidance does not directly address 
key cloud computing issues such as portability and interoperability, 
data center operations, and virtualization." 

We welcome further communications with GAO regarding its conclusions 
and look forward to receiving the final report. Please contact Rachel 
Kinney at (301) 975-8707 if you have any questions regarding this 
response. 

Sincerely, 

Signed by: 

Gary Locke: 

[End of section] 

Appendix VI: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Gregory C. Wilshusen, (202) 512-6244 or wilshuseng@gao.gov. 

Staff Acknowledgments: 

In addition to the contact name above, individuals making 
contributions to this report included Vijay D'Souza (Assistant 
Director), Season Dietrich, Neil Doherty, Nancy Glover, Dana Pon, 
Jason Porter, and Shaunyce Wallace. 

[End of section] 

Footnotes: 

[1] The 24 major federal agencies are the Agency for International 
Development; the Departments of Agriculture, Commerce, Defense, 
Education, Energy, Health and Human Services, Homeland Security, 
Housing and Urban Development, the Interior, Justice, Labor, State, 
Transportation, the Treasury, and Veterans Affairs; the Environmental 
Protection Agency; the General Services Administration; the National 
Aeronautics and Space Administration; the National Science Foundation; 
the Nuclear Regulatory Commission; the Office of Personnel Management; 
the Small Business Administration; and the Social Security 
Administration. 

[2] For fiscal year 2011, the administration has proposed about $79 
billion for IT projects. 

[3] GAO, Continued Efforts Are Needed to Protect Information Systems 
From Evolving Threats, [hyperlink, 
http://www.gao.gov/products/GAO-10-230T] (Washington D.C.: Nov. 17, 
2009) and Cyber Threats and Vulnerabilities Place Federal Systems at 
Risk, [hyperlink, http://www.gao.gov/products/GAO-09-661T] 
(Washington, D.C.: May 5, 2009). 

[4] GAO, High-Risk Series: Information Management and Technology, 
[hyperlink, http://www.gao.gov/products/GAO/HR-97-9] (Washington, 
D.C.: February 1997). 

[5] GAO, High-Risk Series: An Update, [hyperlink, 
http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: January 
2009). 

[6] NIST, Guide for Applying the Risk Management Framework to Federal 
Information Systems: A Security Life Cycle Approach, SP 800-37 
Revision 1 (Gaithersburg, Md., February 2010). 

[7] NIST, Standards for Security Categorization of Federal Information 
and Information Systems, FIPS Publication 199 (Gaithersburg, Md., 
February 2004). 

[8] NIST, Minimum Security Requirements for Federal Information and 
Information Systems, FIPS Publication 200 (Gaithersburg, Md., March 
2006). 

[9] NIST, Recommended Security Controls for Federal Information 
Systems and Organizations, SP 800-53 Revision 3 (Gaithersburg, Md., 
August 2009). 

[10] NIST, Guide for Applying the Risk Management Framework to Federal 
Information Systems, SP 800-37 Revision 1 was formerly MST, Guide for 
the Certification and Accreditation of Federal Information Systems, SP 
800-37. The assessment and authorization process replaces the process 
known as certification and accreditation described in the previous 
version of SP 800-37. 

[11] Cloud Security Alliance, Security Guidance for Critical Areas of 
Focus in Cloud Computing, version 2.1 (December 2009). 

[12] The European Network and Information Security Agency, Cloud 
Computing: Benefits, Risks and Recommendations for Information 
Security (November 2009). 

[13] The European Network and Information Security Agency, Cloud 
Computing: Information Assurance Framework (November 2009). 

[15] NIST began developing its definition of cloud computing in 
November 2008, and its most recent version, version 15, was released 
in October 2009. See NIST, The NIST Definition of Cloud Computing, 
version 15 (Gaithersburg, Md., Oct. 7, 2009). 

[15] Virtualization is a technology that allows multiple, software-
based virtual machines, with different operating systems, to run in 
isolation, side-by-side, on the same physical machine. Virtual 
machines can be stored as files, making it possible to save a virtual 
machine and move it from one physical server to another. 
Virtualization is often used as part of cloud computing. 

[16] The Executive Council on Information Management and Technology 
members include experts from the public and private sectors and 
representatives of related professional organizations who are widely 
recognized in IT and information management areas. Council members 
provide expert perspectives to senior GAO executives on performance 
goals contained in GAO's strategic plan that guide GAO's work in the 
areas of information security, information management, and IT 
management. 

[17] FIT'S Special Publication 199 defines three levels of potential 
impact on organizational operations, assets, or individuals should 
there be a breach of security. Low applies when the loss of 
confidentiality, integrity, or availability could be expected to have 
a limited adverse effect; moderate applies when the loss could be 
expected to have a serious adverse effect on operations, assets, or 
individuals; and high applies when the loss could be expected to have 
a severe or catastrophic adverse effect. 

[18] SAS 70 will soon be superseded by two new standards: a new audit 
standard for audits of entities that use service providers and a new 
attestation standard for reporting on controls at a service provider. 

[19] 0MB, FY2009 Reporting Instructions for the Federal Information 
Security Management Act and Agency Privacy Management, Memorandum M-09-
29 (Washington, D.C., Aug. 20, 2009). 

[20] The 24 agencies are the Agency for International Development; the 
Departments of Agriculture, Commerce, Defense, Education, Energy, 
Health and Human Services, Homeland Security, Housing and Urban 
Development, the Interior, Justice, Labor, State, Transportation, the 
Treasury, and Veterans Affairs; the Environmental Protection Agency; 
the General Services Administration; the National Aeronautics and 
Space Administration; the National Science Foundation; the Nuclear 
Regulatory Commission; the Office of Personnel Management; the Small 
Business Administration; and the Social Security Administration. 

[21] A virtual machine is a software image of a computer that executes 
programs in the same manner as a physical computer or server. Multiple 
virtual machine images can run on one physical computer. 

[22] DOD categorizes system impact levels using Mission Assurance 
Category I, II, and III: category I systems are considered high impact 
and handle information that is vital to mission success, category II 
systems are considered medium impact and handle information that is 
important for mission success, and category III systems are considered 
low impact and handle information that does not materially affect 
mission success. 

[23] An interconnection security agreement documents security roles 
and responsibilities and technical requirements related to the 
connection of two information systems. 

[24] In July 2009, press accounts reported that a widespread and 
coordinated attack over the course of several days had targeted Web 
sites operated by major government agencies, causing disruptions to 
the public availability of government information. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: