As more federal agencies shift to cloud computing, officials are reexamining the responsibilities customers and service providers must bear to secure data.
After a long and continuous push for agencies to move their data and operations to the cloud, the federal government is closely considering what security commitments vendors of the technology and its related services are bringing to the table.
The latest episode of Nextgov’s Critical Update podcast looks at how introducing more certainty around the roles and responsibilities of cloud-based providers and their government customers could help chip away at one factor that might be affecting adoption of the technology: security officials’ fear of losing control.
“On the shared responsibility, I think there's anxiety,” Grant Schneider, former federal chief information security officer, told Nextgov. “There's always anxiety for quote, unquote, loss of control. Certainly, you know, IT professionals often like to control their infrastructure, they like to control everything about it.”
The National Institute of Standards and Technology is set to issue standard service level agreement language for agencies to use with cloud providers by next summer, according to the General Services Administration. GSA confirmed it is working with the Office of Management and Budget to attach SLA templates with security implications to every government contract.
A new council chaired by OMB could soon be putting cloud service providers under the microscope. According to advice the National Security Agency released on cloud security in January, responsibility for the security of cloud vendors’ supply chain falls to the vendors, but there are tools, such as third-party certifications, that agencies could use to be more judicious in their selections. Next year could see the Federal Acquisition Security Council, which has the authority to recommend exclusion or removal orders, taking some of those decisions out of the hands of individual agency officials.
Schneider, who is now the senior director of cybersecurity services for the law firm Venable, says the FASC should hold cloud vendors, as part of federal agencies’ supply chains, accountable for criteria that include ties to adversarial nations like Russia and China, as well as technical flaws and vulnerabilities in the design of vendors’ products.
He is joined on the podcast by Harvey Rishikof, a leading national security lawyer and former senior policy adviser for the director of national intelligence who thinks the government should consider regulating vendors of cloud infrastructure like it does utilities.
Rishikof is one of the authors of the landmark report, “Deliver Uncompromised,” which notes, “With limited exceptions, it is at best uncertain where or under what circumstances any DoD contractor would face liability to DoD for damages should it fail to fulfill minimum contractual requirements for supply chain and cyber security.”
Listeners will also hear from chief information officers and chief information security officers in and out of government on the pressures they face as policy-makers weigh their options to tighten accountability for cloud security.