While addressing an audience at a recent NIST-sponsored cloud computing forum, Kundra outlined the federal government’s data center consolidation efforts to reduce overlap and subsequently called for developing a uniform set of standards to promote security in the transition toward cloud computing.
“This is a huge opportunity for CIOs across the federal government to rethink how they are investing in information technology”, Kundra said. He then asked the audience to consider the appropriate applications that are candidates for moving to the cloud “without violating the privacy of the American people or compromising national security in any way”.
Kundra also discussed the Federal Risk and Authorization Management Program (FedRAMP), and how it can facilitate the cost-effective benefits of cloud computing by creating a uniform set of security standards to certify cloud computing offerings. Under the current process, cloud vendors are forced to certify products with every agency, sometimes hundreds of them. Kundra called this a highly inefficient certification model and suggested that agencies leverage the processes of other government departments to avoid waste and overlap.
“A number of these agencies can potentially leverage common platforms across the board”, he told the audience, including allowing state governments to take advantage of already-certified federal systems, which allows for cost savings at more than one level of government.
“We can create cross-government [certification] platforms so that we actually realize, not just the savings, but the value much faster, and we also accelerate the adoption towards cloud computing”, Kundra added.
For its part, NIST said it will begin to work with other government agencies and standards organizations in developing a framework to integrate current standards and identify gaps that may exist.
The institute noted that it will serve as a technical advisor to FedRAMP, “which will allow agencies to collaboratively develop baseline FISMA security criteria and authorization to operate deliverables upfront for use of cloud computing vendor products and services”. The aim here is to avoid redundancy, and save money for cash-strapped government IT departments across the nation. “Once a baseline is approved, each agency could augment the baseline according to its individual data and mission system security authorization needs”, NIST added.