The National Institute of Standards and Technology (NIST) has finalized the first two volumes of its U.S. Government Cloud Computing Technology Roadmap, laying out critical requirements for security, interoperability and portability, addressing cloud migration challenges and defining priority action plans (PAPs) for each requirement.
Designed to further the 2011 Federal Cloud Computing Strategy's goal “to identify and reach consensus on cloud computing technology & standardization priorities,” the finalized roadmap reflects comments and recommendations on an earlier draft of the first two volumes.
According to the report, NIST crafted the program to accelerate U.S. government adoption of cloud and “leverage the strengths and resources of government, industry, academia, and standards organization stakeholders” to spur innovation.
Security maintains a prominent role among the critical requirements. The standards body modified two of them from the earlier draft, specifying in one that security solutions “must satisfy” federal government requirements as well as “be de-coupled from organizational policy decisions.” Noting that IT security has traditionally “relied on logical and physical system boundaries,” which are more complex in cloud computing, NIST said traditional security mechanisms are “less effective.”
To have confidence in cloud security, federal IT and security pros need “more transparent and effectively demonstrated cloud services' security” before they more fully adopt cloud solutions. Decoupling the technical implementation from policy decisions, NIST said, “will foster cloud adoption because consumers will be able to agree on defined security controls and the methods for their assessment, without having to agree on when it is appropriate to apply them.”
To achieve those goals, NIST recommended specific PAPs and timetables for each. Among them: continuing to identify cloud consumer priority security requirements on a quarterly basis; periodically identifying and assessing risk mitigation through existing and new security controls; identifying gaps and modifying controls; and developing neutral cloud security profiles.
While NIST has no authority to enforce requirements, the roadmap codifies its position in providing guidance for the adoption of cloud computing, much as it has served as a beacon for other computing initiatives, such as cyber security.