After a long and continuous push for agencies to move their data and operations to the cloud, the federal government is closely considering what security commitments vendors of the technology and its related services are bringing to the table.
The latest episode of Nextgov’s Critical Update podcast looks at how introducing more certainty around the roles and responsibilities of cloud-based providers and their government customers could help chip away at one factor that might be affecting adoption of the technology: security officials’ fear of losing control.
“On the shared responsibility, I think there's anxiety,” Grant Schneider, former federal chief information security officer, told Nextgov. “There's always anxiety for quote, unquote, loss of control. Certainly, you know, IT professionals often like to control their infrastructure, they like to control everything about it.”
The National Institute of Standards and Technology is set to issue standard service level agreement language for agencies to use with cloud providers by next summer, according to the General Services Administration. GSA confirmed it is working with the Office of Management and Budget to attach SLA templates with security implications to every government contract.
A new council chaired by OMB could soon be putting cloud service providers under the microscope. According to advice the National Security Agency released on cloud security in January, responsibility for the security of cloud vendors’ supply chain falls to the vendors, but there are tools, such as third-party certifications that agencies could use to be more judicious in their selections. Next year could see the Federal Acquisition Security Council, which has the authority to recommend exclusion or removal orders, critical update government cloud anxiety
