NIST Issues Cloud Computing Standards Roadmap and Reference Architecture

The National Institute of Standards and Technology ("NIST"), whose definition of cloud computing has been widely referenced and recognized, has a long-term goal of providing leadership and guidance around cloud computing to support its use in industry and government. NIST was also designated by the Federal CIO to help accelerate the U.S. government's secure adoption of cloud computing as part of FedRAMP. To further that effort, NIST recently released a cloud computing reference architecture, in which NIST sets forth the components and offerings of cloud computing, and a cloud computing standards roadmap, in which NIST identifies current standards, standards gaps, and standardization priorities.

The NIST reference architecture serves several objectives, including facilitating the analysis of standards for security, interoperability, and portability of data. The reference architecture includes a helpful explanation of the often referenced and often confused terms "public cloud", "private cloud", "community cloud", and "hybrid cloud". Of particular interest, NIST tackles the issue of security in the cloud, noting that the split of control between cloud providers and cloud consumers means both parties share responsibility for providing adequate protections to cloud-based systems, with each protection assigned to the party that is in a better position to implement it.

The intent of the standards roadmap, on the other hand, is to use the standards strategy to support the U.S. government's adoption of cloud computing, with the expectation that the standards will be useful more broadly by industry, standards developing organizations, cloud adopters, and policy makers.  To produce the roadmap, the NIST Cloud Computing Standards Roadmap Working Group assessed the state of standardization in support of cloud computing, and compiled an inventory of standards relevant to cloud computing that the Working Group will continue to update. 

While the current list of standards is an alphabet soup of acronyms that seems more suited to software developers and IT engineers, it contains several security standards that cloud computing customers can cross-reference with their service provider. As cloud computing continues to mature, NIST is expected to update the list to include standards regarding security, interoperability of systems, and portability of data that may be relevant to include in your cloud computing contracts. It will be interesting to follow this NIST initiative to see whether any of these standards become "industry standard" for cloud computing.

Strengthening U.S. Leadership in Cloud Computing - A Proposed Roadmap

Yesterday the TechAmerica Foundation released a report from the Commission on the Leadership Opportunity in U.S. Deployment of the Cloud ("Cloud2") titled "Cloud First, Cloud Fast: Recommendations for Innovation, Leadership and Job Creation." The Commission, which consists of 71 companies and organizations primarily from industry, developed the report at the encouragement of the Federal Chief Information Officer and the U.S. Department of Commerce. The Commission was tasked with developing recommendations for accelerating adoption of cloud technologies and with identifying public policies that will help foster U.S. innovation, leadership, and economic growth in cloud computing.

The report delivers detailed guidance through 14 recommendations that are categorized into four themes: Trust, Transnational Data Flows, Transparency, and Transformation.  Of particular interest to those who draft, structure and negotiate cloud computing contracts are the following five recommendations of the Commission. 

1.  Recommendation 1 (Security & Assurance Frameworks): Government and industry should support and participate in the development and implementation of international, standardized frameworks for securing, assessing, certifying and accrediting cloud solutions.

2.  Recommendation 3 (Response to Data Breaches):  Government should enact a national data breach law that preempts state law to clarify breach notification responsibilities and commitments of companies to their customers, and also update and strengthen criminal laws against those who attack computer systems and networks, including cloud computing services.  The notification requirements should be based on risk of harm.

3.  Recommendation 5 (Privacy): The U.S. government and industry should promote a comprehensive, technology-neutral privacy framework, consistent with commonly accepted principles-based privacy and data protection frameworks such as the Organisation for Economic Co-operation and Development (OECD) and/or Asia-Pacific Economic Cooperation (APEC) frameworks.  The Commission believes this would be a step toward fostering a global marketplace for cloud services.

4.  Recommendation 6 (Government / Law Enforcement Access to Data):  The U.S. government should demonstrate leadership in identifying and implementing mechanisms for lawful access by law enforcement or government to data stored in the cloud.  The U.S. government needs to address the uncertainty and confusion caused by national security statutes that are viewed as barriers to a global marketplace for cloud services.

5.  Recommendation 9 (Transparency): Industry should publicly disclose information about relevant operational aspects of their cloud services, including portability, interoperability, security, certifications, performance and reliability.  Industry and Government should support development of metrics designed to meet the needs of different user groups.  These metrics should be developed in an open and transparent environment, taking into account the global nature of cloud use.

A complete version of the Commission's report can be found here.