The Question of the Month at the MITRE blog asks what government can do to facilitate the adoption of cloud computing to more effectively provide IT services. There are 3 things, actually.

But this question is clearly just a short step from January’s question. So, let’s deal with both of them:

First, January’s question: “What’s most significant cloud computing concern for federal orgs?”

The most authoritative and accurate answers would indeed come from federal “orgs” themselves. But, the three primary “lacks” in cloud computing that are encountered by organizations of all kinds, i.e., lack of standards, lack of portability, and (most importantly) the lack of transparency, are only intensified in government needs for cloud computing. See my research paper “Digital Trust In The Cloud” for more discussion.

When we consider:

1. That security-approval doctrine (certification and accreditation) is mandatory in government IT (not an item to be traded off as part of a risk/reward equation);
2. That government data can be nationally classified, and therefore directly subject to laws and consequential impacts of non-compliance (not just a policy violation); and,
3. That the government uses IT as an element of national policy projection (including combat), and therefore must include stakeholder impacts far beyond the normal set traditionally considered by commercial enterprises,

Then we can see how the impact of the three “lacks” becomes intensified. In particular, the loss of transparency in all but private applications of cloud computing presents a system approval problem that hamstrings federal attempts to capture the biggest payoffs in the elastic power of the cloud.

These circumstances lead naturally into a response for February’s question: “What can Government do to facilitate the adoption of cloud computing to more effectively provide IT services?”

If the lack of standards, portability, and (especially) transparency are, indeed, the largest obstacles to the effective provision of cloud-based IT services for government use, then the government can certainly move powerfully to reduce the impact of those “lacks.”

1. Publish the government’s interpretation of certification and accreditation (C&A) in cloud computing. We know that NIST is working hard on a publication that delivers the U.S. government definition of a cloud, and which is expected to provide recommendations on how cloud computing might be safely used by the government.
   By expanding this publication to include C&A doctrine and process for government cloud computing, much of the speculative ambiguity about what is and isn’t acceptable could be eliminated. No matter how restrictive or permissive the doctrine may be, simply having the approval standards and mechanisms would improve planning and deployment of cloud services.
2. Actively join in the standards bodies that are attempting to define protocols and techniques that can reclaim visibility/transparency into and through cloud processing. Such participation could also come via the issuance of government criteria, but interactive dialogue with industry around such efforts would be even better. For example, the A6 effort and industry offerings like our CloudTrust Protocol at CSC offer ready-made places to start.
3. Identify a government cloud research, development and approval “center of excellence.” While the pre-eminence of NIST as the cloud standards leader for the government is unquestioned, the initiation of a parallel development, test, and deployment lead would centralize and speed knowledge collection, including actual (trial) implementations and case studies. New applications for government use could emerge more quickly, even including a special emphasis on their “C&A-ability.” Such agencies as NASA or DHS could well organize and lead this effort on behalf of the entire government.

What do you think? For more thoughts on public sector cloud computing, you can download this CSC paper, “G-Cloud: The Future For Government Applications.”

Ron Knode is Director of Global Security Solutions at CSC and a Research Associate with the Leading Edge Forum.