U.S. considers cloud security standards

The U.S. federal government may step up with a set of cloud-security standards to meet government requirements for protecting sensitive data.

Federal CIO Vivek Kundra says he wants to certify cloud services that pass government muster so federal agencies can buy the computing or applications services they need and turn them on quickly. This requires establishing standards that officially meet 2002 Federal Information Security Management Act requirements that federal IT infrastructure must comply with.

NetworkWorld’s Tim Greene writes that the IT industry in general is grappling with how to address cloud security, with a comprehensive outline of concerns being offered up by the Cloud Security Alliance. These concerns are left to businesses to consider and address on their own as they engage cloud service providers. There is no widely accepted third-party certification that cloud providers can claim to demonstrate the security of their offerings.

Kundra proposes that the General Services Administration (GSA) designate acceptable cloud service providers that government agencies can hire quickly without each agency having to independently determine that they are secure. The goal is to cut the cost and time needed to expand computing resources of government agencies by embracing the well known economic advantages of cloud computing.

Kundra likened this cloud environment to a storefront where agencies can buy what they need immediately. The underlying services would be provided by commercial cloud providers. This storefront scenario implies a set of standards that are acceptable to the federal government and that my prove to be transferable to what businesses need. Whether commercial businesses will think such standards are sufficient is another question.