[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]



 
CLOUD COMPUTING: BENEFITS AND RISKS OF MOVING FEDERAL IT INTO THE CLOUD

=======================================================================


                             JOINT HEARING

                               before the

                 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
                     ORGANIZATION, AND PROCUREMENT

                                and the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             SECOND SESSION

                               __________

                              JULY 1, 2010

                               __________

                           Serial No. 111-79

                               __________

Printed for the use of the Committee on Oversight and Government Reform


  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html
                      http://www.house.gov/reform



                  U.S. GOVERNMENT PRINTING OFFICE
58-350                    WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001



              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                   EDOLPHUS TOWNS, New York, Chairman
PAUL E. KANJORSKI, Pennsylvania      DARRELL E. ISSA, California
CAROLYN B. MALONEY, New York         DAN BURTON, Indiana
ELIJAH E. CUMMINGS, Maryland         JOHN L. MICA, Florida
DENNIS J. KUCINICH, Ohio             JOHN J. DUNCAN, Jr., Tennessee
JOHN F. TIERNEY, Massachusetts       MICHAEL R. TURNER, Ohio
WM. LACY CLAY, Missouri              LYNN A. WESTMORELAND, Georgia
DIANE E. WATSON, California          PATRICK T. McHENRY, North Carolina
STEPHEN F. LYNCH, Massachusetts      BRIAN P. BILBRAY, California
JIM COOPER, Tennessee                JIM JORDAN, Ohio
GERALD E. CONNOLLY, Virginia         JEFF FLAKE, Arizona
MIKE QUIGLEY, Illinois               JEFF FORTENBERRY, Nebraska
MARCY KAPTUR, Ohio                   JASON CHAFFETZ, Utah
ELEANOR HOLMES NORTON, District of   AARON SCHOCK, Illinois
    Columbia                         BLAINE LUETKEMEYER, Missouri
PATRICK J. KENNEDY, Rhode Island     ANH `JOSEPH'' CAO, Louisiana
DANNY K. DAVIS, Illinois             BILL SHUSTER, Pennsylvania
CHRIS VAN HOLLEN, Maryland
HENRY CUELLAR, Texas
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
PETER WELCH, Vermont
BILL FOSTER, Illinois
JACKIE SPEIER, California
STEVE DRIEHAUS, Ohio
JUDY CHU, California

                      Ron Stroman, Staff Director
                Michael McCarthy, Deputy Staff Director
                      Carla Hultberg, Chief Clerk
                  Larry Brady, Minority Staff Director

  Subcommittee on Government Management, Organization, and Procurement

                 DIANE E. WATSON, California, Chairman
PAUL E. KANJORSKI, Pennsylvania      BRIAN P. BILBRAY, California
JIM COOPER, Tennessee                AARON SCHOCK, Illinois
GERALD E. CONNOLLY, Virginia         JOHN J. DUNCAN, Jr., Tennessee
HENRY CUELLAR, Texas                 JEFF FLAKE, Arizona
JACKIE SPEIER, California            BLAINE LUETKEMEYER, Missouri
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
MIKE QUIGLEY, Illinois
                      Bert Hammond, Staff Director


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on July 1, 2010.....................................     1
Statement of:
    Charney, Scott, corporate vice president, trustworthy 
      computing, Microsoft Corp.; Daniel Burton, senior vice 
      president, global public policy, Salesforce.com; Mike 
      Bradshaw, director, Google Federal, Google Inc.; Nick 
      Combs, chief technology officer, EMC Federal; and Gregory 
      Ganger, professor, electrical and computer engineering, 
      director, Parallel Data Lab, Carnegie Mellon University....    81
        Burton, Daniel...........................................    96
        Bradshaw, Mike...........................................   108
        Charney, Scott...........................................    81
        Combs, Nick..............................................   117
        Ganger, Gregory..........................................   128
    Kundra, Vivek, Federal Chief Information Officer, 
      Administrator for e-Government and Information Technology, 
      Office of Management and Budget; David McClure, Associate 
      Administrator, Office of Citizen Services and Innovative 
      Technologies, General Services Administration; Cita 
      Furlani, Director, Information Technology Laboratory, 
      National Institute of Standards and Technology; and Gregory 
      Wilshusen, Director, Information Security Issues, 
      Government Accountability Office...........................    10
        Furlani, Cita............................................    37
        Kundra, Vivek............................................    10
        McClure, David...........................................    23
        Wilshusen, Gregory.......................................    49
Letters, statements, etc., submitted for the record by:
    Bradshaw, Mike, director, Google Federal, Google Inc., 
      prepared statement of......................................   110
    Burton, Daniel, senior vice president, global public policy, 
      Salesforce.com, prepared statement of......................    98
    Charney, Scott, corporate vice president, trustworthy 
      computing, Microsoft Corp., prepared statement of..........    84
    Combs, Nick, chief technology officer, EMC Federal, prepared 
      statement of...............................................   119
    Connolly, Hon. Gerald E., a Representative in Congress from 
      the State of Virginia, prepared statement of...............   151
    Furlani, Cita, Director, Information Technology Laboratory, 
      National Institute of Standards and Technology, prepared 
      statement of...............................................    39
    Ganger, Gregory, professor, electrical and computer 
      engineering, director, Parallel Data Lab, Carnegie Mellon 
      University, prepared statement of..........................   130
    Issa, Hon. Darrell E., a Representative in Congress from the 
      State of California, prepared statement of.................     8
    Kundra, Vivek, Federal Chief Information Officer, 
      Administrator for e-Government and Information Technology, 
      Office of Management and Budget, prepared statement of.....    13
    McClure, David, Associate Administrator, Office of Citizen 
      Services and Innovative Technologies, General Services 
      Administration, prepared statement of......................    26
    Towns, Chairman Edolphus, a Representative in Congress from 
      the State of New York, prepared statement of...............     3
    Watson, Hon. Diane E., a Representative in Congress from the 
      State of California, prepared statement of.................    72
    Wilshusen, Gregory, Director, Information Security Issues, 
      Government Accountability Office, prepared statement of....    51


CLOUD COMPUTING: BENEFITS AND RISKS OF MOVING FEDERAL IT INTO THE CLOUD

                              ----------                              


                         THURSDAY, JULY 1, 2010

        House of Representatives, Committee on Oversight 
            and Government Reform, joint with the 
            Subcommittee on Government Management, 
            Organization, and Procurement,
                                                    Washington, DC.
    The committee and subcommittee met, pursuant to notice, at 
10 a.m., in room 2157, Rayburn House Office Building, Hon. 
Edolphus Towns (chairman of the committee) presiding.
    Present from the Committee on Oversight and Government 
Reform: Representatives Towns, Watson, Cummings, Connolly, 
Quigley, Cuellar, Murphy, Foster, Chu, Issa, Bilbray, Jordan, 
Chaffetz, and Luetkemeyer.
    Present from the Subcommittee on Government Management, 
Organization, and Procurement: Representatives Watson, 
Connolly, Cuellar, Murphy, Quigley, Bilbray, and Luetkemeyer.
    Staff present: Krista Boyd, counsel; Linda Good, deputy 
chief clerk; Velginy Hernandez, press assistant; Adam Hodge, 
deputy press secretary; Carla Hultberg, chief clerk; Marc 
Johnson and Ophelia Rivas, assistant clerks; Mike McCarthy, 
deputy staff director; Amy Miller and Gerri Willis, special 
assistants; Jenny Rosenberg, director of communications; Leneal 
Scott, IT specialist; Mark Stephenson, senior policy advisor; 
Lawrence Brady, minority staff director; John Cuaderes, 
minority deputy staff director; Jennifer Safavian, minority 
chief counsel for oversight and investigations; Adam Fromm, 
minority chief clerk and Member liaison; Kurt Bardella, 
minority press secretary; Benjamin Cole and Seamus Kraft, 
minority deputy press secretaries; Justin LoFranco, minority 
press assistant and clerk; Christopher Hixon, minority senior 
counsel; Hudson Hollister, minority counsel; and John Ohly, 
minority professional staff member.
    Chairman Towns. The meeting will come to order.
    Thank you for being here.
    The purpose of today's hearing is to examine the benefits 
and risks of cloud computing for the Federal Government. At the 
most basic level, cloud computing is Web-based computing 
whereby computing resources are shared and accessible over the 
Internet on demand. In this way, cloud computing is like most 
utility services.
    Before the electric grid was developed, business owners who 
wanted to use machinery also needed to produce enough energy to 
run that machinery. That meant investing heavily to build and 
maintain a power source. The electric grid revolutionized the 
country by centralizing the resource and allowing businesses to 
simply purchase electricity.
    Cloud computing promises the same for computing power. 
Instead of building and maintaining an entire IT system in-
house, businesses can purchase computing power and tap into 
that resource over the Internet.
    Cloud computing is a very real technology that the Federal 
Government has already begun to embrace. The Federal Cloud 
Computing Initiative and an online cloud computing storefront 
were launched in September 2009.
    I have read that the Government-wide implementation of 
cloud computing will be a decade-long journey. It is the job of 
this committee to ensure that journey is well thought out, that 
the benefits and risks are fully examined, and that there are 
comprehensive plans in place to ensure that we do this the 
right way, the first time around.
    The shift to cloud computing offers the Federal Government 
tremendous promise, but it is not without risk. The balance 
between risk and reward is an important one and I hope to get a 
better understanding of that balance today.
    It is clear to me that security and privacy are real 
concerns. Our natural impulse is to hold the things we value 
close to us, but cloud computing requires entrusting data to 
others. The law's current focus on the physical location of 
data also presents unique privacy and legal challenges.
    A major benefit of cloud computing is the potential for 
significant cost savings. It makes sense: cloud computing 
allows agencies to pool resources and pay only for the 
computing power that they actually use.
    I look forward to today's hearing, to a thorough 
examination of the Federal Cloud Computing Initiative, and to 
addressing the emerging legal and policy issues that Federal 
cloud computing presents. I want to thank all of our witnesses 
for appearing here today and I really look forward to your 
testimony.
    At this time, I would like to yield 5 minutes to the 
ranking member of the committee, the gentleman from California, 
Congressman Issa.
    [The prepared statement of Chairman Edolphus Towns 
follows:]
[GRAPHIC] [TIFF OMITTED] 58350.001

[GRAPHIC] [TIFF OMITTED] 58350.002

[GRAPHIC] [TIFF OMITTED] 58350.003

    Mr. Issa. Thank you, Mr. Chairman. I too am looking forward 
to this important hearing. I too am expecting that if you and I 
are still serving here on the dais in 10 years, we will still 
be holding hearings on some portions of this.
    I base that on a hearing we had just a week ago, in which 
we recognized that half way through a contract that saved the 
American people, through its government, huge amounts of money 
if we implemented new contracts the GSA had negotiated for 
telecommunications, ones that offered high Internet speeds, 
better telecommunication, better redundancy, and new features, 
were not implemented, even though they would save money, 
because, of course, bureaucrats move slowly.
    So today, as we hear about cost savings, I will not yawn. I 
will not pretend to be disinterested. But I will not be a true 
believer from the dais that cost savings will drive this move 
to cloud computing. I will be particularly interested in 
details as to how companies believe that they can implement 
guaranteed security in a cloud environment.
    As all of you know, we do not guarantee security; we have 
breaches every week, every month, sometimes every day in 
government. And even here in the Capitol, the Chinese mainland 
government has repeatedly breached and taken confidential 
information from the House. They regularly are able to 
penetrate our security.
    So as we look to the Internet through a Web browser, we 
need to do better, not just as good as we are doing here today.
    Often said, history does not always repeat itself, but it 
very often rhymes. Today, as we start looking at cloud 
computing, at my age, I find that it is rhyming rather 
humorously. When I began my career, we were still using NCR-
500's. We would put as many of those card reading computers as 
close as we could to the source, and they would run the cards 
back and forth, distributing to us punching machines so that we 
could prepare our jobs and then go to that massive and 
expensive product and have it run.
    By the time I was a young officer, I was running a DEC 
facility with PDP-11/45s and DEC-10's, wonderful computers that 
could multitask, that could have multiple clients at one time, 
that could load-share and balance, that could distribute 
priorities of who needed what and when. But yet it was still 
sending to the big machine and the machine deciding what we 
would get when.
    As we look at the cloud, there is no question that we can 
look at the cloud as thousands, millions of computing devices 
available to us to load-share. Or, in the rhyming way, we can 
look at it as simply deja vu all over again. In fact, the 
cloud, in any configuration, is nothing but a return to those 
DEC-10 machines. You can have different sizes; you can have 
dual processors; you can share multiple across. We once had 14 
PDP-11s all deciding, with one central arbitrator, who got what 
load when, for what computing in order to keep us in real time.
    All of this has been done before, but not nearly at the 
scale it is being done. And, in my case, all of my previous 
history in the military was a closed system, an extremely 
closed system. Today we are going to talk about an open system, 
one in which encryption over a public line is our guarantee, 
and our only guarantee, that the data flowing back and forth 
will remain in the hands of those that it came from and is 
intended to go back to.
    I look forward to hearing how we can, and should, implement 
both public and, often, private cloud computing systems; how 
the Government can, once and for all, recognize that owning a 
computer is not as important as owning computer power time, 
something that, 30 or 40 years ago, everybody understood that 
owning time on a computer was what you did, not in fact owning 
a computer.
    But weaning the Federal Government off of the idea that 
they have endless arrays of PCs and servers all within a server 
room that they can walk to will take time and will take 
initiative by this committee. So because this is a Government-
wide problem, we believe, the chairman and I, that this is a 
government oversight solution that must be pushed through day 
after day, Congress after Congress.
    With that, Mr. Chairman, I yield back the balance of my 
time and thank you for this hearing.
    [The prepared statement of Hon. Darrell E. Issa follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.004
    
    [GRAPHIC] [TIFF OMITTED] 58350.005
    
    Chairman Towns. I would like to thank the gentleman from 
California for his statement.
    At this time, we would like to ask you to stand so I can 
swear you in.
    Raise your right hands.
    [Witnesses sworn.]
    Chairman Towns. You may be seated.
    Let the record reflect that all the witnesses answered in 
the affirmative.
    Let me begin with you, Mr. Kundra. As you know, you have 5 
minutes and, of course, at the end of 4 minutes the yellow 
light will come on, which means caution, and then 1 minute 
after that the red light will come on, and every place in the 
United States of America that means stop. So, Mr. Kundra, will 
you start?

STATEMENTS OF VIVEK KUNDRA, FEDERAL CHIEF INFORMATION OFFICER, 
  ADMINISTRATOR FOR E-GOVERNMENT AND INFORMATION TECHNOLOGY, 
   OFFICE OF MANAGEMENT AND BUDGET; DAVID McCLURE, ASSOCIATE 
   ADMINISTRATOR, OFFICE OF CITIZEN SERVICES AND INNOVATIVE 
 TECHNOLOGIES, GENERAL SERVICES ADMINISTRATION; CITA FURLANI, 
DIRECTOR, INFORMATION TECHNOLOGY LABORATORY, NATIONAL INSTITUTE 
 OF STANDARDS AND TECHNOLOGY; AND GREGORY WILSHUSEN, DIRECTOR, 
 INFORMATION SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE

                   STATEMENT OF VIVEK KUNDRA

    Mr. Kundra. Good morning, Chairman Towns, Ranking Member 
Issa. Thank you for the opportunity to testify today on cloud 
computing and the Federal Government's approach toward cloud 
computing. What I would like to do is draw your attention to 
the first slide that you see before you.
    Earlier this week, the Obama administration focused on 
addressing some of the most persistent and structural issues we 
have faced as an administration when it comes to information 
technology. The U.S. Government is the largest buyer of IT on 
the planet. We spend approximately $80 billion annually on 
information technology systems.
    Yet, as you see on this slide, I want to point to one 
example. The Department of Defense spent 12 years and $1 
billion on deploying an integrated human resource system which 
ended up failing, and Secretary Gates said, essentially, that 
what we ended up with was an acronym that nobody could 
pronounce. Therefore, earlier this week, on Monday, we 
announced aggressive steps in terms of how we are going to 
confront some of these issues.
    June of last year we deployed an IT Dashboard that shines 
light on every aspect of Government operations when it comes to 
information technology spending with literally the picture of 
every agency CIR right next to the IT investment that they are 
responsible for so the American people could see where they 
were in terms of cost, schedule, and whether they are meeting 
performance targets or not.
    What we are doing is approaching this problem in three 
ways: No. 1, effective immediately, we are going to be 
reviewing the most troubled IT investments across the Federal 
Government as part of the fiscal year 2012 budget process and 
make decisions around where we need to halt, terminate, or turn 
around these investments; No. 2, effective immediately, we have 
halted future task orders on financial systems across the 
Federal Government for the CFO Act agencies to make sure that 
we are not throwing good money after bad money; and, No. 3, in 
the next 120 days, we are focused on making sure that we 
address some of the structural issues, understand what is going 
on, why, for the last 50 years, as we have tried to address 
some of these persistent problems, we continue to have 
spectacular failures in Federal IT.
    On slide 2, what I want to draw your attention to is what 
the Federal Government has been focused on. Unfortunately, the 
number of data centers in the U.S. Government has gone from 432 
to over 1,100 in a decade, while in the private sector IBM went 
from 235 data centers to 12. That is not sustainable in the 
long-term as we continue to plow capital in data center after 
data center.
    The next slide shows how other industries have applied 
these innovations around utility models. As you pointed out, 
Chairman Towns, we have seen this happen in the electricity 
space, where every home used to have to use candles to light 
their homes, to where now they just plug into the grid. Or, 
with water, every home used to have to essentially have a well 
to get water; now what we see is the ability to turn on and off 
a tap to consume those resources.
    That is one of the reasons we are moving toward the cloud 
environment. It is not just about cost, it is also about making 
sure that we are providing better service so CIOS are focused 
not on investing on yet another data center, but actually 
providing better services.
    I want to point you to the next slide, which is a tale of 
two cities. In the first story, how the Government deployed an 
IT system versus how a private sector company deployed an IT 
system. When we deployed a Cash for Clunkers program, we 
deployed the traditional approach to IT, and as demand grew, 
the system was unstable and continued to crash over a 30-day 
period, and we had to literally re-engineer the solution, buy 
new hardware and configure it.
    Yet, a company called Animoto faced similar problem but was 
using cloud technology. With 250,000 new users enrolled over a 
3-day period, they were able to scale from 50 virtual machines 
to over 4,000 virtual machines and supported, at peak times, 
20,000 new users an hour.
    What I want to point to in the next slide is what the 
Government has done so far in terms of making sure that we are 
focused on some of the security issues that you have raised; 
making sure that we are addressing some of the standards that 
we need to promulgate as a function of interoperability, data 
portability, and security; and procurement. And Dave McClure 
will talk about the procurement strategy and Cita Furlani will 
talk about our standards activities. But this work has been 
underway since April of last year.
    I want to leave you with a closing slide that you see on 
slide 7. What you see on the left is a cave. This is where most 
of the Federal Government's HR records are. What you see on the 
right is what the American people expect from their Government. 
The culture in the Government historically has been there is a 
form for that, and the American people have to wait in line, 
hold on the phone, or they actually have to come in and submit 
these complicated forms.
    Yet, in the private sector, what we have seen is 
innovation. And what we are trying to do is close that gap by 
making sure that we are responsibly and safely moving to a 
cloud environment.
    Thank you for the opportunity to testify, and I look 
forward to your questions.
    [The prepared statement of Mr. Kundra follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.006
    
    [GRAPHIC] [TIFF OMITTED] 58350.007
    
    [GRAPHIC] [TIFF OMITTED] 58350.008
    
    [GRAPHIC] [TIFF OMITTED] 58350.009
    
    [GRAPHIC] [TIFF OMITTED] 58350.010
    
    [GRAPHIC] [TIFF OMITTED] 58350.011
    
    [GRAPHIC] [TIFF OMITTED] 58350.012
    
    [GRAPHIC] [TIFF OMITTED] 58350.013
    
    [GRAPHIC] [TIFF OMITTED] 58350.014
    
    [GRAPHIC] [TIFF OMITTED] 58350.015
    
    Chairman Towns. Thank you very much for your testimony.
    Mr. McClure is the Associate Administrator of the General 
Services Administration's Office of Citizens Services and 
Innovative Technologies. Welcome, Mr. McClure.

                   STATEMENT OF DAVID McCLURE

    Mr. McClure. Thank you, Chairman Towns, Ranking Member 
Bilbray, all the other committee members here this morning. 
Thanks for having me testify in front of you on what the 
General Services Administration is doing to assist in the 
adoption of cloud computing.
    I think Vivek has done a good job in outlining for you what 
we see as some of the tremendous benefits of cloud computing 
being adopted in the Federal Government.
    At GSA, we also believe that the adoption of safe and 
secure cloud computing by the Federal Government represents a 
huge opportunity for us in terms of getting access to more 
modern technology and lowering the costs that we are spending 
on technology; and various forms of cloud computing are already 
in place in the Federal Government today.
    Quick example, at GSA we have put the Government's main 
primary information portal, USA.gov, into a cloud computing 
environment last year. We are already reaping the benefits in 
terms of a more reliable uptime from the system; we have 
lowered our overall computing costs by an estimated $1.7 
million; and we actually have raised the security posture of 
the system by going to a more reliable security arrangement 
with our cloud provider. So it does have tremendous benefits.
    As you also know, GSA plays a lead role in the President's 
sustainability agenda. We anticipate that cloud computing will 
be a major factor in reducing the environmental impact of 
technology and also will help achieve some of our national 
sustainability goals. Cloud computing can be part of an overall 
strategy to reduce the need for these multiple data centers 
that we have all over the Government and the energy they 
consume. So we see it helping improve services by lowering the 
cost and also maintaining a better environment compared to the 
redundant and often needlessly redundant brick and mortar data 
center structures that we have in place today.
    As part of our leadership in the cloud computing 
environment, we have stood up a cloud computing program 
management office, it is housed in my office at GSA. It 
provides the technical and administrative leadership for the 
administration's cloud computing initiatives.
    We support the design and operation of cloud procurement 
vehicles; we look at ways in which we can identify enhancing 
security requirements, working closely with NIST, as well as 
with OMB; we have facilitated the adoption of these 
requirements in the last few months; we also sponsor some cloud 
demonstration projects from a piloting perspective so that we 
can demonstrate how this technology can be effective before 
going full bore; and we are engaged in data center analysis and 
strategy planning with OMB as part of our responsibilities with 
the PMO as well.
    I think we also play a huge role in disseminating 
information throughout the Government on just what is happening 
in cloud computing. We are a knowledge repository for examples, 
best practices, and things that have really worked for us to 
date.
    So let me just highlight real quickly a few of those areas 
for you. I think one of the most significant challenges we face 
in cloud computing is certainly in the security area. Agencies 
are concerned about the risk of housing data offsite, in a 
cloud, if federally mandated security controls and 
accountabilities are not in place.
    The Federal CIO, our cloud PMO, the CIO Council, which has 
a security working group, and NIST have come together to try to 
tackle that problem. We have developed a process and 
corresponding security controls that have been agreed to by 
multiple agencies. We are calling this program FedRAMP. It 
provides a uniform Government-wide risk management approach for 
enterprise level IT systems and it will enable agencies to 
either use or leverage existing security authorizations.
    Mr. Chairman, this is a first in the Federal Government, 
and it should greatly reduce our security cost; it should 
enable rapid acquisitions of solutions; it should reduce agency 
levels of effort; and it should shift the focus of security to 
monitoring and protecting our computing environments.
    GSA is working with NIST and the CIO Council to make sure 
that this program is put in place and we will be piloting 
several things through FedRAMP to get it up to speed with some 
improvements as we test it out.
    The second area is providing newly commercial-provided 
cloud services via a Web site called Apps.gov. This is the 
primary responsibility of GSA. It is modeled on GSA product and 
service acquisition storefronts; it provides an easy, simple 
way to find, research, and procure commercial cloud products 
and services. And we feel like that has been a real benefit to 
Federal agencies both in the softwares of service area and soon 
to be in infrastructures of service for cloud computing.
    A new class of Internet-based applications have also come 
onboard called Web 2.0 that focus on delivering information to 
diverse communities. Many of these solutions are Web-based and 
many are also hosted in the cloud. We at GSA are making sure 
that we are providing, as common tools to agencies, social 
media Web 2.0 tools that are completely policy compliant with 
all Federal privacy and security policies, and it gives them an 
advantage in terms of doing this independently on their own. 
And I think we have already achieved some significant cost 
savings by putting some of these in place Government-wide.
    So cloud computing, from our perspective, has the ability 
to fundamentally reshape how we are approaching Government 
operations and how we are using computing power for business 
process improvement and citizen service delivery support. It 
can also shift the focus to the added value use of information, 
which I think is what our next decade is truly about; and do 
this in a very cost-effective way in today's digitally oriented 
world.
    Chairman Towns. Mr. McClure, could you sum up?
    Mr. McClure. Yes. And, third, I think it frees up some 
resources for us to really focus on some of the real 
information needs of the Government as well.
    So, in general, I think we are supporting the effort the 
best way we can with some of our procurement activities and 
some of our best practices support, and I think these are 
adding up to really advance the computing cause. Thanks.
    [The prepared statement of Mr. McClure follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.016
    
    [GRAPHIC] [TIFF OMITTED] 58350.017
    
    [GRAPHIC] [TIFF OMITTED] 58350.018
    
    [GRAPHIC] [TIFF OMITTED] 58350.019
    
    [GRAPHIC] [TIFF OMITTED] 58350.020
    
    [GRAPHIC] [TIFF OMITTED] 58350.021
    
    [GRAPHIC] [TIFF OMITTED] 58350.022
    
    [GRAPHIC] [TIFF OMITTED] 58350.023
    
    [GRAPHIC] [TIFF OMITTED] 58350.024
    
    [GRAPHIC] [TIFF OMITTED] 58350.025
    
    [GRAPHIC] [TIFF OMITTED] 58350.026
    
    Chairman Towns. Thank you very much for your testimony.
    Ms. Furlani is Director of the Information Technology 
Laboratory at the National Institute of Standards and 
Technology. Welcome.

                   STATEMENT OF CITA FURLANI

    Ms. Furlani. Thank you, Chairman Towns and members of the 
committee. I appreciate the opportunity to appear before you 
today to discuss our role in the deployment of cloud computing 
technology in the Federal Government.
    Our role is to promote the effective and secure use of the 
technology within Government by providing technical guidance 
and promoting standards. The three cybersecurity objectives, 
ensuring the confidentiality, integrity, and availability of 
information technology systems, are particularly relevant to 
cloud computing. These three objectives provide a technical 
foundation to help address the associated privacy requirements.
    This cloud model that I have listed in my testimony is 
composed of five essential characteristics, three service 
models, and four deployment models, which are laid out fully in 
the written testimony.
    The NIST cloud computing definition is the following: Cloud 
computing is a model for enabling convenient, on-demand network 
access to a shared pool of configurable computing resources, 
such as networks, servers, storage, applications, and services, 
which can be rapidly provisioned and released with minimal 
management effort or service provider interaction.
    This definition has been broadly recognized and helps to 
clarify a complex emerging information technology paradigm. 
However, there is still much work to be done. We have initiated 
focused activities to develop Federal cloud computing security 
guidance, as well as to facilitate the development of cloud 
computing standards. The following are specific NIST efforts 
which promote the effective and secure use of cloud computing 
technology within Government: NIST held a cloud computing forum 
and workshop in May to engage stakeholders on ways to best 
accelerate the Federal Government's secure adoption of cloud 
computing. Over 500 stakeholders attended this event.
    We are developing a cloud computing special publication 
which will provide insight into the technical benefits, risks, 
and considerations related to the secure and effective uses of 
cloud computing, and provide guidance in the context of cloud 
computing to provide interoperability, portability, and 
security. This publication will also identify future research 
areas in cloud computing.
    As requested by OMB, NIST serves as the Government lead 
working with other Government agencies, industry, academia, and 
standards development organizations to leverage appropriate 
existing standards and to accelerate the development of cloud 
computing standards where gaps exist. We have initiated the 
Standards Acceleration to Jumpstart Adoption of Cloud Computing 
[SAJACC]. The SAJACC goal is to facilitate the accelerated 
development of high-quality standards and to reduce the 
technical uncertainty during the interim period before many 
cloud computing standards are formalized.
    NIST, in a technical advisory role, supports the Federal 
interagency efforts which have been mentioned to the 
development of a concept for a Federal approach to coordinate 
and apply consistent security authorization requirements for 
cloud computing systems. The NIST role is to provide guidance 
for a technical approach and process which is consistent with 
NIST security guidance in the context of the Federal 
Information Security Management Act.
    NIST has also initiated a strategic virtualization 
laboratory effort to research and evaluate the security of 
virtualization techniques and to mitigate security 
vulnerabilities in virtualized and cloud systems. This will 
inform NIST cloud and virtualization guidelines.
    We have also initiated a Modeling and Analyzing Complex 
Behaviors in Cloud Computing project. This project seeks to 
understand and predict behavior in large distributed 
information systems. In cloud computing, NIST is initiating a 
study of the applicability of our modeling and analysis 
techniques to computational clouds.
    As you have just heard, this is a big effort. Thank you for 
the opportunity to testify today on NIST's role in the 
development and deployment of cloud computing technology. I 
would be happy to answer any questions you may have.
    [The prepared statement of Ms. Furlani follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.027
    
    [GRAPHIC] [TIFF OMITTED] 58350.028
    
    [GRAPHIC] [TIFF OMITTED] 58350.029
    
    [GRAPHIC] [TIFF OMITTED] 58350.030
    
    [GRAPHIC] [TIFF OMITTED] 58350.031
    
    [GRAPHIC] [TIFF OMITTED] 58350.032
    
    [GRAPHIC] [TIFF OMITTED] 58350.033
    
    [GRAPHIC] [TIFF OMITTED] 58350.034
    
    [GRAPHIC] [TIFF OMITTED] 58350.035
    
    [GRAPHIC] [TIFF OMITTED] 58350.036
    
    Chairman Towns. Thank you very much, Ms. Furlani.
    Mr. Wilshusen.

                 STATEMENT OF GREGORY WILSHUSEN

    Mr. Wilshusen. Chairman Towns, Ranking Member Issa, 
Chairwoman Watson, and Ranking Member Bilbray, and other 
members of the committee, thank you for the opportunity to 
participate in today's hearing on cloud computing.
    At Chairwoman Watson's request, GAO has been reviewing the 
information security implications of cloud computing and 
Federal efforts to address them. Today we are releasing our 
report. My statement will summarize the contents of that 
report. But first, if I may, Mr. Chairman, I would like to 
recognize two members of my staff, V.J. DeSouza and Season 
Dietrick, who were instrumental in the preparation of that 
report.
    As has been discussed, cloud computing is a form of shared 
computing where users have access to scalable, on-demand 
information technology services and resources. Service 
providers offer these capabilities using several service and 
deployment models, including, for example, a private cloud 
which is operated solely for an organization and a public 
cloud, which is available to any paying customer.
    Cloud computing has both positive and negative information 
security implications. Potential security benefits include 
those related to broad network access, possible economies of 
scale, and use of self-service technologies. Federal agencies 
frequently cited as potential benefits low cost disaster 
recovery and data storage, on-demand security controls, 
consistent application of those controls, and a reduced need to 
carry data and removable media.
    However, the use of cloud computing can also create 
numerous information security risks. Twenty-two of 24 major 
agencies reported that they were concerned or very concerned 
about the potential security risk associated with cloud 
computing. These risks include: ineffective or noncompliance 
security practices of the service provider, inability to 
examine controls of the provider, data leakage to unauthorized 
users, and loss of data if cloud service is terminated.
    These risks generally relate to the dependence on the 
security practices and assurances of the service provider and 
the sharing of computing resources. They also may vary 
depending upon the cloud deployment model used. For example, 
private clouds may have a lower threat exposure than public 
clouds, but evaluating this risk requires an examination of the 
specific controls in place for the cloud's implementation.
    Federal agencies have begun efforts to address information 
security issues for cloud computing, but specific guidance is 
lacking and often efforts remain complete. Although individual 
agencies have identified security measures needed when using 
cloud computing, they have not always developed corresponding 
guidance. In addition, several Government-wide cloud computing 
initiatives are underway by organizations such as OMB and GSA.
    Nevertheless, much work remains. For example, OMB has not 
yet finished the cloud computing strategy or defined how 
information security issues will be addressed in the strategy. 
GSA has begun a procurement for expanding cloud computing 
services, but still needs to develop specific plans for 
establishing a shared information security assessment and 
authorization process. Furthermore, NIST has not yet issued 
cloud-specific security guidance. Both Federal and private 
sector officials have identified the need for such guidance.
    Accordingly, in the report being released today, GAO 
recommended that OMB, GSA, and NIST take several actions to 
address these issues. These agencies generally agreed with our 
recommendations and indicated that actions were planned or 
underway to implement them.
    To summarize, the use of cloud computing offers promise, 
but also carries risk. Until Federal guidance and processes 
that specifically address information security are developed, 
agencies may be hesitant to implement cloud computing programs, 
and those that have implemented such programs may not have 
appropriate security controls in place.
    This concludes my statement. I would be happy to answer any 
questions.
    [The prepared statement of Mr. Wilshusen follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.037
    
    [GRAPHIC] [TIFF OMITTED] 58350.038
    
    [GRAPHIC] [TIFF OMITTED] 58350.039
    
    [GRAPHIC] [TIFF OMITTED] 58350.040
    
    [GRAPHIC] [TIFF OMITTED] 58350.041
    
    [GRAPHIC] [TIFF OMITTED] 58350.042
    
    [GRAPHIC] [TIFF OMITTED] 58350.043
    
    [GRAPHIC] [TIFF OMITTED] 58350.044
    
    [GRAPHIC] [TIFF OMITTED] 58350.045
    
    [GRAPHIC] [TIFF OMITTED] 58350.046
    
    [GRAPHIC] [TIFF OMITTED] 58350.047
    
    Chairman Towns. Thank you very much.
    Let me just announce to the Members that there are three 
votes, and what I would suggest is that we break now and then 
come back 10 minutes after the last vote. The witnesses, of 
course, need to stay in the area. Thank you very much. It will 
at least be half an hour or more before we get back.
    So we will recess.
    [Recess.]
    Chairman Towns. The meeting will reconvene.
    Let me again apologize, but we have to vote around here. 
And if you don't vote, they put your name in the newspaper.
    Let me begin with, I guess, this question probably to you, 
Mr. Kundra and to Mr. McClure. It seems to me that the shift to 
cloud computing will move a lot of responsibility that we 
currently maintain in-house to contractors. What impact will 
that move have on the Federal IT work force? Will we lose a lot 
of jobs as a result of this?
    Mr. Kundra. If I can step back for a second and look at the 
current environment that we are in. For example, based on the 
FISMA report of last year, there are over 4,000 systems in the 
U.S. Government that are maintained by contractors. Just to 
give you examples of that, with the Navy, their network 
infrastructure, over 300,000 desktops are maintained and 
operated by EDS/HP. Our travel system in the U.S. Government, 
for example, Northrop Grumman actually manages that 
infrastructure.
    So I want to be really careful as we talk about cloud 
computing in terms of how we treat it versus other IT systems. 
Like any technology, part of what we are trying to do is make 
sure that, as we move toward a cloud, that what Federal 
employees are doing, they are armed in training and that we are 
focusing on work, as I highlighted on my earlier slide in my 
opening testimony, that serves the American people. And what I 
mean by that is making sure that there is appropriate training, 
a path to actually fundamentally re-engineering the functions 
of those agencies.
    But cloud computing is not something that is going to 
change the way, in terms of the procurement side of it, because 
what we are already doing is we have already engaged in the 
last 10, 20, 30 years in a lot of outsource systems, and this 
is just another area that we are applying security and 
standards to.
    Mr. McClure. Yes, Mr. Chairman, I think it is a good 
question in terms of the work force impact. As you know, a lot 
of Federal IT spending is on infrastructure, and as we free up 
some of the personnel that are actually dedicated to 
maintenance of legacy systems and infrastructure, you can move 
them to more high value job categories and into analytical 
categories for the information.
    I will just draw on my own experience with USA.gov. That 
was heavily dependent upon a staff that was engaged in day-to-
day operations and maintenance activities, the updates, the 
patches, and so forth. By moving it to a cloud environment, we 
freed up those people to actually focus more of their time on 
applications for true business needs and high-value security 
functions.
    So that is the fundamental shift that could occur here, is 
that we are actually enabling an IT work force in the 
Government to be more focused and more targeted on high-value 
needs that we have.
    Chairman Towns. Thank you very much.
    Let me say this to you, Mr. Wilshusen. It seems clear to me 
that there are certain things that should never be placed in 
the cloud, particularly classified or maybe even sensitive 
information, because it is simply not worth the risk, I don't 
think. Do you agree?
    Mr. Wilshusen. I would say that there are certain 
applications and information in which it would probably perhaps 
be imprudent to put in a cloud, but it really depends on what 
type of cloud is being used, whether it is a private cloud, 
perhaps, behind an agency's firewalls; and specifically what 
types of controls and the effectiveness of those controls that 
are placed over the systems operating in that particular cloud.
    It is important to remember that the individual systems 
that are being used, even in the traditional sense now at many 
agencies, we have reported over years that many of them are not 
that secure in and of themselves, and it really gets down to 
assuring that the security controls over the systems that are 
processing the information are effective and protecting the 
information, be it classified information, be it unclassified 
or sensitive information, to a level that is required.
    But I would say that, certainly, what agencies are doing 
now are kind of taking a go slow approach in terms of limiting 
the type of information that they are putting in the cloud 
implementations that they are presently using. Most agencies 
that we looked at using this kind of low-impact or low-
sensitivity information for those clouds which may particularly 
be in a public cloud.
    And even in the private clouds they are still using, for 
the most part, low-impact information until they work out the 
issues related to adequately securing that information. Indeed, 
one of the risks that we have identified with our report is the 
fact that it may be difficult for agencies to currently assess 
the security and risk over the cloud implementations that are 
available.
    Chairman Towns. Thank you very much. I see my time has 
expired.
    The gentleman from Utah, Mr. Chaffetz.
    Mr. Chaffetz. Thank you.
    Thank you all for being here. It is very encouraging to see 
the presentations; it makes immense sense, particularly Mr. 
Kundra. I appreciate that.
    How do you get everybody moving in the same direction, 
though? I mean, you just know the discussion is going to 
happen. You are going to go over to the Bureau of Indian 
Affairs and they are going to say, oh, but you don't understand 
this and, oh, we have all this safety and security, and we have 
to have our own proprietary system. How do you standardize, how 
do you push them?
    Because I think we would probably all sit down and say we 
need a unified way to move forward, but the reality is that is 
why we end up with the thousands of different legacy systems 
that we have. How do you do that? I don't have a solution to 
that.
    Mr. Kundra. Part of the way that we are addressing that 
challenge is grounded in the budgeting process, so it is part 
of the fiscal year 2012 budget process. What agencies are doing 
is they are actually developing plans to consolidate 
infrastructure, to consolidate data centers, and that activity 
is vital as we think about where does it make sense for us to 
continue to invest in infrastructure versus where are there 
opportunities to move to the cloud in a safe and secure manner.
    Second thing is the program management office that we have 
stood up at GSA, where that is a center of gravity with the 
leadership that is being provided from an execution 
perspective.
    Third is making sure, with the Federal CIO Council, that we 
create the appropriate economic incentives. And what I mean by 
that is consider what it takes right now for any vendor to 
actually get certified to sell to the U.S. Government. Well, 
you have such a high barrier for entry because you have to get 
certified. If you are dealing with CDC, NIH, or if you are 
dealing with the FBI, and then you have to go deal with GSA. 
That is very difficult because the economics or the economies 
of scale don't work out.
    So, from a security perspective, one of the things we are 
doing in cloud computing is we have launched the FedRAMP 
program, where we are going to create a certification board 
made up of members from the Department of Defense, Department 
of Homeland Security, from GSA, and an agency that actually 
wants to procure that technology, so that you go through that 
certification, but you don't just stop there; you move toward a 
continuous monitoring environment so you are not just 
generating paperwork reports from a security perspective.
    Mr. Chaffetz. But is the idea that if you meet that minimum 
standard that would suffice for, say, some of these that truly 
do warrant more sophisticated security type applications, that 
if you meet that standard, that all the rest of the agencies 
would fall into line? Is that the idea?
    Mr. Kundra. Absolutely. They will be able to then leverage 
the work that has been done across the Federal Government. To 
give you a simple example, the State Department, over the last 
6 years, has spent $138 million on these paperwork exercises as 
far as certification and accreditation is concerned, and that 
is multiplied across the board with multiple agencies and 
departments.
    What we are trying to do is move away from this environment 
of just generating paperwork reports and much more toward 
continuous monitoring, and that is an area that NIST has been 
spending a lot of energy in terms of how do we get realtime 
data on the security of the systems, rather than just reports.
    Mr. Chaffetz. Some of the business models that we see out 
there that use kind of a version of cloud computing, if you 
will, are reliant upon those eyeballs and then selling those 
eyeballs, in essence, in an advertising manner to be able to 
say, oh, well, we can supplement it. It is free as long as you 
use it, but we are going to sell some advertising against it.
    Is there a standard that you have thought through on how 
that would work or not work? Because the sensitivity of who is 
looking at that information, selling of advertising, those 
types of things may look appetizing to kind of defray the cost, 
but there are also some security issues on the companies taking 
that information and then, in essence, packaging it up to an 
advertiser. Have you thought through how that works or won't 
work?
    Mr. Kundra. If we look at the Recovery Board and its move 
to the cloud when it comes to Recovery.gov, they went through 
those issues, and part of what they did was, as they were 
negotiating the contract. And that is why I want to be careful 
as we think about the move to the cloud not being something 
that is brand new, that has never happened. It is essentially 
contracting.
    As I mentioned, we are moving toward contracting systems, 
whether we are dealing with Lockheed Martin, Raytheon, or a 
number of other companies. In the same way, Recovery actually 
said, you know what, with the cloud vendor, the data must in 
the United States and here are a set of prerequisite solutions. 
And, frankly, they have to comply with Federal statutes such as 
FISMA and security guidance that has come out of OMB and NIST.
    Mr. Chaffetz. Well, Mr. Chairman, I know my time is short, 
but I am fascinated to continue on in having these further 
discussions, because my guess is, and it is just a guess, but 
is that the law is woefully behind in terms of the velocity and 
the speed in which these types of applications change. It is 
just the nature of the beast.
    We will have to be vigilant on that, but I appreciate the 
hearing today. Thanks for your input.
    Thank you, Mr. Chairman.
    Chairman Towns. Thank you very much.
    I now yield 5 minutes to the gentlewoman from California.
    Ms. Chu. Thank you, Mr. Chair.
    I would like to ask the panel concerns about the current 
electronic privacy laws as we head toward this cloud computing. 
Specifically, commentators have raised concerns about the 
Electronic Communications Privacy Act and that it hasn't 
changed in nearly 25 years.
    I am also on the Judiciary Committee, and we had a hearing 
on the fact that information in the clouds in large part is not 
protected by privacy laws; whereas, information in written 
communication is protected by the privacy laws. Basically, we 
have not changed these laws in these 25 years to accommodate 
this.
    So, looking ahead, what steps should Congress take to 
ensure that the privacy of both individual information and 
Government records is maintained?
    Mr. McClure. I think that is a great question. There are 
two directives that were issued by the OMB Director last Friday 
dealing with this issue of protection of personal 
identification information on third-party sites, which are 
largely where a lot of SAS cloud applications are being used; 
and those issues were reinforced by the policy that the 
protection of personal identifiable information is in place, 
that agencies have to take steps to ensure that is occurring. 
And if there is personal identification information collected, 
that it is specifically explained and posted why it is being 
collected and what it is being used for.
    So I think what we are doing in the policy area is actually 
bringing up some of the older policies for inspection and 
looking at ways in which we can modernize them in this 
environment but still offer security and privacy protections 
that are fundamental to the data needs of the Government.
    Ms. Chu. And are there specific laws that you think need to 
be changed and updated?
    Mr. McClure. I think that the next step will be to open up 
and look at some of the laws. We are trying to look at the 
directive and guidance that can come out of the administration, 
out of the executive branch, because that is normally how 
agencies implement the basic fundamentals of the laws 
themselves. So step one, I think, is can we get greater 
velocity and movement in what these changes need to be, and 
then I think, longer term, we can open up some of the statutes.
    Ms. Chu. Then next let me ask about security concerns. I 
believe, in testimony this morning, Mr. Bradshaw from Google 
will argue that the cloud can provide better information 
security than current legacy systems and, in particular, that 
the ability of agencies to store information in the cloud, 
instead of on personal computers, will actually allow for 
improved security. What do you think about this argument?
    Mr. Kundra. Well, I think when it comes to security, we 
need to remain ever-vigilant. Whether that is security in our 
mobile security or whether that is on systems that are 
Government-owned and operated or it is in an cloud environment. 
I don't think there is one answer that fits every single 
imaginable implementation of these technology solutions.
    That is one of the reasons President Obama, after coming 
into office, quickly issued a directive to his Homeland 
Security Council and National Security Council to do a bottom-
up review of cybersecurity. That is one of the reasons we have 
focused on investing over $3.6 billion in a comprehensive 
national cybersecurity initiative and that is one of the other 
reasons what we have done is looked at our cyber posture and 
have said, look, we really need to move away from these 
paperwork exercises and to realtime monitoring of how these 
systems are implemented.
    It used to be that you could literally come in and certify 
a system, and then come back 3 years later, which was the 
policy that was actually in place, and figure out whether it 
was still secure or not. But we have shifted that by guidance 
that we issued that moves us to more of a realtime monitoring 
approach where DHS, working with agencies, is going to make 
sure not only do we have continuous monitoring, but also 
investments in red teams that would actually look at our own 
systems to figure out if we have vulnerabilities or not.
    The days of just writing a report and hoping things are 
secure are over. We are confronting attacks on a real-time 
basis; therefore, we must confront them with realtime 
monitoring on a continuous basis. And NIST has actually been 
doing some really good work in the space from a framework 
perspective.
    Ms. Furlani. Agreed. The risk management framework defines 
ways to assess risk so that the program officials can actually 
make those decisions with the facts in front of them.
    Ms. Chu. So you are saying basically there would be better 
oversight, you would be monitoring this. But is there something 
inherent in the system that would make it more secure? For 
instance, would the information be fragmented in various 
locations?
    Mr. Kundra. Broadly speaking, when you are able to 
concentrate compute power in one place, you are inherently 
managing one system, rather than managing hundreds and hundreds 
of systems and trying to get firewalls in place, making sure 
that you are getting realtime traps of what is going on in 
servers and routers and switches.
    So you can make that argument, but in my view there needs 
to be a more fundamental shift, which is the cloud is not such 
a special technology, necessarily, that it is exempt from a 
security perspective, but it is just another implementation of 
IT and it is a natural evolution of where we have come from.
    Congressman Issa very well articulated sort of the 
historical evolution of where we have ended up in terms of 
cloud, but there are three big things that have happened. No. 1 
is bandwidth, the ability to have access to bandwidth in ways 
that were not available before. No. 2 is processing power; 
Moore's Law and the ability to have processing power in ways 
that were not available before.
    And No. 3 is storage, and the cost of storage has gone down 
exponentially. Therefore, now you are able to provide services 
in a centralized fashion that you couldn't before. But you 
still have to take the appropriate security safeguards. That is 
one of the reasons we have charged NIST with making sure that 
we are convening the right folks and that agencies have to 
comply with current statutes and security policy.
    Mr. Wilshusen. And if I may add, getting to the central 
question, is it more secure in a cloud versus in agency legacy 
systems, as I mentioned before, it really gets down to how 
security is implemented over those systems. Certainly we have 
reported in the past that agency legacy systems have had 
significant weaknesses in them.
    But there are some very real risks associated with putting 
information out in the cloud, particularly if they are public 
clouds. To the extent that agencies will now have to rely on 
the security of the service providers and have mechanisms in 
place to assure that those providers are adequately securing 
the information that they are given and processing. And just 
because it goes out to the cloud does not necessarily make it 
more secure, but there are some risks associated with it going 
out to the cloud.
    But there are possibilities where there are certain control 
elements that can help security over this data, but at the same 
time it gets back again to making sure there is verifiable 
implementation of effective security that is over those 
systems.
    Chairman Towns. The gentlewoman's time has expired.
    I now yield 5 minutes to the ranking member of the 
committee, the gentleman from California, Congressman Issa.
    Mr. Issa. Thank you, Mr. Chairman.
    I am going to pick up right where you left off. I am going 
to ask a leading question. Let's say I am the labs, the 
Department of Energy labs, and I have five sites. If those 
sites have a firewall and access to everybody inside to the 
Internet, and I take all five sites and I take all the assets 
that are inside, behind the firewall, and I move them to a 
private cloud, I move them to one, two, or three sites out on 
the Internet, and I make a VPN connection with them and I make 
all traffic to and from, no independent traffic, so it all goes 
there. And then from those locations, through those firewalls 
that are maintained, I can also go out and surf the Web.
    So I am not taking away any result, but I am simply moving 
everything to where your communication is simply to one or more 
locations, and then from there they are centrally located. 
Isn't it true I haven't changed anything at all? Assuming these 
are exactly the same assets, just moved, I haven't changed a 
thing; they are neither any more nor less secure as a result.
    Mr. Wilshusen. As long as the same set of security controls 
are implemented over the information.
    Mr. Issa. OK. So, as a baseline, I think you could all 
agree that, as long as you have an Internet portal, location 
out of that portal to some other location, if nothing else 
changes, makes no difference at all; it is neither more secure 
nor less secure.
    Mr. Wilshusen. As long as your Internet Web portal is 
securely configured and secure.
    Mr. Issa. Right. Well, you are only as secure as your 
firewall to begin with. So now going over and looking at GSA 
and Mr. Kundra, let's look at it another way. The bureaucracy. 
Every site, including the Congress, that is Internet access 
capable out of our firewalls, in other words, they are not 
closed systems, they are open to the Web, we could take every 
one of them and we could move them to Northern Canada so that 
we wouldn't have to worry about cooling year-round.
    And as long as we had the bandwidth, we would have changed 
nothing, isn't that right? Now, we are making the assumption. 
We are not going to cloud computing, we are just moving our 
data centers 500 milliseconds of latency time away, but we are 
moving them. Anyone disagree that we are changing nothing?
    [No response.]
    Mr. Issa. OK. So going back to those old systems of where 
we had a 1200 baud connection to some mainframe and we were 
going back and forth, the only thing that has really changed 
from those old systems in that situation is bandwidth; and 
bandwidth is no longer a limiting factor, right?
    Mr. Kundra. Yes. But, I mean, there are a lot more as far 
as cloud is concerned.
    Mr. Issa. OK. Now we want to get to being able to 
distribute our load, balance our load among more than one, but 
maybe hundreds or thousands of computing so that we get 
economies that we could not otherwise get and the ability to 
have surge without having, as you said, the Government solution 
that we had with Cash for Clunkers, being you have to buy more 
PCs all the time. We want to have that in place, right?
    So I am going to look at GSA and I am going to say why 
aren't you here today saying $80 billion, we would like $1 
billion to put up resources that would be available to new 
requirements and to those who wanted to move from where we are 
to there, where that, in a sense, you would be saying, look, we 
are not going to worry about your budget, we are going to worry 
about proving that we can take $1 billion and get what used to 
be $2 billion, but get it better, faster, and more reliable.
    Why are we not talking about a top-down implementation 
rather than the opening statement that, sadly, I heard where we 
talked about 500 people going to a big convention and trying to 
get buy-in? Five hundred people trying to get buy-in is what we 
were here a couple weeks ago talking about when we find that 
agencies, years after the GSA provides better, faster, cheaper 
solutions for Internet and telephone access, we find that we 
don't have them because the bureaucracy is slow, because they 
have their systems, because something as simple as is it safer 
or less safe?
    If the GSA took $1 billion and said we are going to 
contract a world-class private cloud in which all the vendors 
have locked doors and separate everything, but we are going to 
prove that it still is better, cheaper, faster, and provides 
that, and we are going to make it available to innovative 
projects or to innovative people that are already wanting to 
move from owning to simply having, why is it that is not what 
we are here today talking about? Because, otherwise, I fear 
that it will be 10 years from now, and even though you will 
have created the opportunity, the buy-in will be slow in 
coming.
    Mr. McClure. Well, Congressman, I think we are moving 
pretty aggressively in that area. We already, on our Apps.gov 
store site, have softwares of service solutions available 
Government-wide that provide economies of scale. We just closed 
yesterday an infrastructure as a service blanket purchase 
agreement offering that should be able to leverage cloud-based 
infrastructure purchasing Government-wide. So those vehicles, I 
think, we are rapidly putting in place to allow the economies 
of scale to actually work.
    Mr. Issa. But each agency is going to have to make those 
individual decisions, all the things we are hearing that slow 
the process down.
    Mr. McClure. Exactly, except, remember, what we have been 
talking about this morning also is a Government-wide 
certification process for the security of these infrastructure 
offerings, which is quite different from the way we have 
operated in the past. So an agency could get on our BPA, 
actually choose one of the vendors, but then each agency would 
go through its own certification, testing, and control 
processing.
    That is where the process has gotten very inefficient. If 
we can successfully stand up a FedRAMP process that allows a 
consensus to be built around the testing and controls being 
accepted by all parties, or if there is a variation that only 
the incremental testing is needed, not reinvention of it, we 
have moved the ball, I think, considerably down the path much 
further than we have previously.
    We also have several pilots. I think one of the other 
things we have to do--the question earlier was the bureaucracy 
not accepting this. So we have pilots underway to show proof of 
concept in these cloud arrangements that I think can also move 
the needle further down the road by actually showing where 
these successes are, that security is in place and that cost-
savings are being produced. It is, show me, I am from Missouri, 
and I think that is a valid concern. That is why we are working 
collaboratively in the E-Gov area to show some of these pilots 
and their merits.
    Mr. Issa. Thank you.
    Mr. Chairman, I might just note that although GSA doesn't 
control it directly, House Administration does, that you and I 
are part of a grand experiment where 540 servers in our 
individual offices are being moved to 540 virtual ones with no 
cloud capability, simply relocated. So as I went through that 
painful example of if you took everything and just moved it 
somewhere, but didn't get any of the benefits of the cloud, you 
wouldn't have changed anything, that is what we are doing in 
Congress.
    Chairman Towns. Right.
    Mr. Issa. Thank you, Mr. Chairman.
    Chairman Towns. You are right.
    I yield 5 minutes to the gentlewoman from California, Ms. 
Watson, who has been very involved in this issue.
    Ms. Watson. Thank you so much, Mr. Chairman. I am so glad 
that we are working in conjunction with the full committee 
because we have been looking at procurement, and we want to 
take a deeper look, and I want to continue to restate the 
purpose for today's hearing: to look at the benefits and the 
risks of the Federal Government's use of the cloud computing 
services. So, if you don't mind, I will read my statement, my 
opening statement.
    Chairman Towns. Without objection, so ordered.
    Ms. Watson. At its basic level, the term ``cloud 
computing'' is a metaphor for Internet-based computing. Some 
have described it as a new name for an old concept: the 
delivery of computing services from a remote location, similar 
to the way electricity and other utilities are provided to most 
customers. A preponderance of technology experts believe that 
by 2020 most people will access software applications online 
and share and retrieve information through the use of remote 
server networks. This is a dramatic departure from today's 
environment where we depend on software housed on individual 
computers.
    The use of cloud computing by Federal agencies has 
significant benefits for collaboration across a broad 
information infrastructure, as well as for reducing costs 
associated with long-term information technology investments. 
It holds out the promise of enabling IT assets to remain on the 
technological cutting edge over their life cycle at reduced 
costs.
    It is therefore appropriate that President Obama has 
targeted the Federal Government's IT infrastructure as part of 
his mandate to cut agency budgets by 5 percent in 2011, 
particularly when we consider that the Federal Government 
spends $76 billion annually on IT investments and that the 
majority of those investments are for software and IT services.
    Despite these benefits, we remain concerned with potential 
or unknown security risks associated with cloud computing 
across the Federal agency community. For example, Federal 
customers may become dependent on their cloud computing 
vendor's effective implementation of security practices or 
protocols for ensuring the integrity and reliability of agency 
data and applications.
    The cloud computing model also raises privacy issues, as 
well as the level of control over data, due to issues of 
portability across different platforms or the fact that vendors 
may not be willing to divulge proprietary information.
    Due to these concerns, in July 2009, I requested that the 
GAO evaluate the technical and security risks associated with 
cloud computing across the Federal Government. I am pleased to 
announce that GAO is releasing the report at the hearing today, 
and you probably have heard some of them in my absence. Mr. 
Greg Wilshusen, who was just reporting when we recessed, was 
relaying some of the findings.
    The GAO report notes that while individual agencies have 
identified security measures needed when using cloud computing, 
they have not always developed corresponding guidance, and that 
OMB and GSA have yet to complete Government-wide cloud 
computing security initiatives. Overall, I believe the report 
makes the point that cloud computing has both advantages as 
well as disadvantages, Mr. Chairman, with respect to 
cybersecurity and that the administration should move 
deliberatively and with caution in considering when or when not 
to use cloud computing platforms.
    Concerns involving vendor cybersecurity have not arisen in 
a vacuum or in an ad hoc manner. Specifically, we know, through 
reporting done in the Wall Street Journal and other 
publications, that multiple technology and industrial base 
companies, including Google, have been compromised by 
cyberattacks believed to be sourced from the People's Republic 
of China. It has subsequently been reported that both the 
Federal Bureau of Investigation and the National Security 
Agency have examined these episodes to determine their origins 
and the extent of damages sustained by all parties.
    Cyberattacks place personal data, intellectual property, 
and our national security at grave risk, and require our 
partners in the Government contractor community to be ever-
vigilant in securing those systems and infrastructures used to 
service both Federal agencies and private citizens alike.
    While I understand the aforementioned incidents may not be 
appropriate for discussion in an open hearing, Mr. Chairman, I 
believe our vendor panelists need to address the broader issue 
of how they plan on meeting Federal information security 
standards for protecting those programs and Federal data that 
may be hosted through their cloud services.
    [The prepared statement of Hon. Diane E. Watson follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.048
    
    [GRAPHIC] [TIFF OMITTED] 58350.049
    
    [GRAPHIC] [TIFF OMITTED] 58350.050
    
    Ms. Watson. I really needed to be here full-time to hear 
what the panelists have said, but if I might take a few minutes 
to raise a question, I would appreciate the time.
    Chairman Towns. Let me suggest to the gentlelady that what 
I will do is recognize Mr. Luetkemeyer and then come back to 
you.
    Ms. Watson. All right. That is fine. Thank you, Mr. 
Chairman. I yield back.
    Chairman Towns. I recognize Mr. Luetkemeyer from Missouri.
    Mr. Luetkemeyer. Thank you, Mr. Chairman. I was under the 
impression that statements like that normally were submitted 
for the record, but I guess it is proper to read the entire 
thing.
    Chairman Towns. If you have a statement, you can read it.
    Mr. Luetkemeyer. I am sorry?
    Chairman Towns. If you have a statement, you can read it.
    Mr. Luetkemeyer. I think that these gentleman probably have 
more to do than listen to my statement, so I would be glad to 
submit it for the record. Thank you, sir.
    Mr. Wilshusen, I am just kind of curious. What percentage 
of the Government's different duties and agencies do you think 
would be appropriate to put the cloud type of computing in 
place?
    Mr. Wilshusen. Well, I don't know if I can really state 
what percentage of systems should be placed in the cloud; I 
think it really depends upon what each agency feels would be 
best for its interest to go to a cloud environment. Certainly, 
in doing that, there are a number of benefits that come by 
placing systems and information out into a cloud. I think some 
of the other panelists have talked about those benefits. But 
they also have to weigh the risk in doing that. But I really 
couldn't hazard a guess as to what percentage of systems should 
be placed in a cloud.
    Mr. Luetkemeyer. Who approves the move to go to the cloud 
type of computing, is that something that there is a 
congressional committee that oversees this or is it just your 
department or various agencies? Who has the authority to make a 
decision like this, to dump everybody's information to a cloud?
    Mr. Wilshusen. Oh, I think that would probably be up to the 
individual agencies, but perhaps Mr. Kundra might be better 
able to answer that.
    Mr. Luetkemeyer. OK. Mr. Kundra.
    Mr. Kundra. It is like any other IT system, it would be the 
Chief Information Officer of the agency and the Chief 
Information Security Officer to make sure that, before moving 
any system to the cloud, that, one, they have made sure they 
have taken into account all the statutory requirements; two, 
all the policy guidance around privacy and security that have 
existed for many years.
    Mr. Luetkemeyer. I know that there are a couple of agencies 
and different groups that already use the cloud type of 
computing in our Government. Do you know how many? And are 
there other companies, other States, other countries that have 
gone to this type of computing that we can look at as models? 
Just kind of elaborate on that a little bit.
    Mr. Kundra. Sure. What I would love to do is share with you 
a report we put together where we have highlighted illustrative 
case studies, whether that is at a State level, local level, 
and even within the Federal Government.
    But just to give you one example, GSA, as part of the Open 
Government Directive, when every agency had to engage within 45 
days to get input from the American people, what GSA did was it 
provided a cloud solution, and they went through the 
appropriate security protocols. Instead of every agency having 
to go out there and build a proprietary system, they were able 
to leverage this cloud solutions and agencies, instead, focused 
actually on the content of how they were going to interact with 
the American people, how they were going to process that input, 
rather than standing up yet another set of data centers or 
servers.
    Mr. Luetkemeyer. In your testimony you indicate that the 
administration announced three actions this week. The first one 
was to take under review troubled IT projects across the 
Federal Government and identify serious problems. Can you 
identify some of the serious problems and how this cloud 
computing would impact those? Would that be something that 
would work with this situation or are they problems that are 
beyond this type of solution?
    Mr. Kundra. Well, I think they are larger problems in 
Federal IT. So as we look at the fiscal year 2012 budget, the 
President has called for a freeze on non-defense natural 
security spending and also the 5 percent cut that agencies have 
to meet, and one of the ways agencies are going to be able to 
make sure that they are still delivering services effectively 
is through investments and information technology.
    Mr. Luetkemeyer. Well, what are some of the serious 
problems? Is the cut you identified a serious problem?
    Mr. Kundra. No. What we want to make sure is that taxpayer 
money is being spent well, so some of these serious problems, 
the example I gave----
    Mr. Luetkemeyer. Identify a serious problem for me. I am 
just curious as to what the problems were that have been 
identified.
    Mr. Kundra. Procurement cycles, for example, that may take 
18 months or problems around the Government scoping IT projects 
with deliverables that take 2, 3, 4 years. And we have seen 
best practices where, at the local, State level, or even the 
private sector, where buyers are saying, look, you have to 
deliver value in 6 months, not 3 years from today.
    We have also seen problems in terms of how some of these 
systems are actually scoped, overly prescribing requirements 
that will end up in failure as a result of everything being 
overly specified.
    Mr. Luetkemeyer. OK, so basically the problems you 
identified there were problems of process and procedure versus 
something to be solved with the cloud, is that correct?
    Mr. Kundra. Right. Well, cloud is a technology, by no means 
a silver bullet that is going to solve all the IT problems we 
have. It is one approach, it is not the answer to everything 
that is wrong with Federal IT.
    Mr. Luetkemeyer. All right. Thank you.
    Thank you, Mr. Chairman.
    Chairman Towns. I thank the gentleman from Missouri.
    I now yield to the gentlewoman from California 5 minutes.
    Ms. Watson. Thank you so much, Mr. Chairman.
    Cost saving estimates for the Federal Government derived 
from the use of cloud computing very greatly, anywhere from 25 
percent to above 90 percent in savings. The wide range in cost 
estimates is in part due to the fact that cloud computing is 
still evolving, and savings are dependent on the type of cloud 
platform that is deployed.
    The required level of security is also an unknown variable. 
What other valuables should we take into account in measuring 
potential savings from cloud computing and what cost savings 
estimate can we reasonably expect? And let's start with Mr. 
Kundra and then go right down the panelists.
    Mr. Kundra. Sure. So from a savings perspective it is very 
much around the problem you are trying to solve. And what I 
mean by that is when Recovery.gov moved to the cloud, they 
saved $750,000 on an annual basis, which is very different than 
what GSA did when they moved USA.gov to the cloud; I believe it 
was $1.7 million is what GSA saved. But in some cases it may 
end up costing more because of security requirements that would 
have to be implemented. So I don't think there is a single 
number that is going to lead to these savings.
    Ms. Watson. It is a range.
    Mr. Kundra. Well, even within the range that is why you see 
such a wide, in terms of degrees of freedom, from 25 to 99 
percent, or whatever the number is. For example, with the Open 
Government Directive, that was a nominal cost to provide a 
platform for every single agency to engage the American people. 
We didn't have to go out there and spend millions of dollars 
and engage in a multi-year contract. So there is also a lot of 
cost avoidance as a result of leveraging these cloud solutions.
    And as we look forward, part of what we are doing is we are 
making sure we recognize that the power here, when we talk 
about cloud computing, is it is also greener from a computing 
perspective, because you don't have to go out there and keep 
building data center after data center. I mentioned earlier in 
my testimony how we have gone from over 400 data centers to 
over 1,100 in a 10-year period; whereas, in the private sector 
we have seen a move toward consolidation.
    So it is greener in terms of making sure that we are 
leveraging these assets more effectively, and also provides 
better customer service. Those are the other benefits. The 
example I used around Cash for Clunkers, where we had 
challenges around the system not being able to stay online 
because demand was so high, versus a private sector company 
that leveraged a cloud solution that kept up with demand 
without any failure.
    Ms. Watson. We don't want to keep our heads in the clouds. 
A pun is the worst form of humor.
    Mr. McClure.
    Mr. McClure. Yes, I think that is absolutely right, what 
Vivek was saying. I think we have to be careful with numbers on 
averages being thrown around. I think the examples that we have 
documented in the Federal Government, if you read the report 
Vivek was talking about in terms of the dozens of examples of 
cloud computing, if it has been used for improving software 
development activities it is one range of cost; if we are 
actually saving storage cost because it is more efficient in a 
cloud environment is another type of savings; if we have 
actually saved software development money by taking a common 
tool that is plug-and-play into an environment. So I think the 
cost savings will be dramatically different depending upon the 
type of application and type of cloud environment that we are 
putting these solutions in.
    But I would agree that we shouldn't focus totally on cost. 
Speed, agility, the ability to move quickly into the computing 
environments are significantly enhanced in these cloud 
environments, and those are huge payoffs for service delivery 
to citizens.
    Ms. Watson. Ms. Furlani.
    Ms. Furlani. I think where NIST contributes to this is the 
standardization or the recommendations of consistency in 
applying the guidelines and the standards across the agencies 
so that these cost savings can be realized. Understanding our 
risk management framework, the release we just put out, an 837 
updates and permits the leveraging of the certification and 
accreditation issues that we have mentioned; the baseline 
controls that Vivek has referenced, where you can actually 
continuously monitor security controls are actually deployed 
appropriately.
    So what NIST contributes is this capability of standards 
and guidelines to provide consistency so agencies can leverage 
each other's capabilities more effectively and make the cost 
savings real.
    Chairman Towns. Would the gentlewoman yield?
    Ms. Watson. Yes.
    Chairman Towns. Do we really know enough to set standards?
    Ms. Furlani. That is what we are working on, to identify 
where the standards need to be, and that was the starting point 
in the workshop where we had many stakeholders come and help us 
understand. We have guidelines now for how IT systems should be 
deployed, and that was what I was referencing.
    But the applicable standards in the cloud computing 
environment will be dependent on which model of cloud computing 
you are actually addressing and which kind you are trying to 
use for your own particular program and your own mission 
requirements. So it all comes back to the program official 
understanding the risks that are being undertaken and having 
guidance, which we provide, to assess that risk and make the 
decisions as to which standards are available and which can be 
monitored.
    Mr. Wilshusen. And although we did not look at the specific 
cost savings and issues related to cloud computing in our 
report, we did discuss the need for OMB to complete a strategy 
on its implementation of cloud computing and initiatives across 
the Government, and in our report we talked about the 
information security issues that need to be addressed in that 
strategy.
    But what also should probably be included in that are 
performance measures, particularly as they relate to cost 
savings; the speed, how much faster is it to obtain the 
resources that my other panelists here have been discussing? So 
certainly the need to develop performance measures, which data 
can be collected on, and then one can evaluate just how cost-
effective and what cost savings have been acquired through the 
use of cloud computing.
    Ms. Watson. Mr. Chairman, I know my time is up, but I just 
want to say that our subcommittee will continue to look at this 
issue, procurement and is it a cost savings. And what I am 
hearing today, we have to customize this particular IT, this 
cloud kind of IT for the services that you provide. I don't 
think one method will suit all. It is a work in progress, it is 
evolving, so we are going to keep tabs on it in the very near 
future and report back to the full committee. Thank you so much 
for the extra time.
    Chairman Towns. I thank the gentlewoman for her work and 
what she is doing in her subcommittee.
    I now yield to the gentleman from California.
    Mr. Issa. I am going to continue. I am a big fan of cloud 
computing, so don't have anything I say cause you to think that 
it is anything other than my fear of the bureaucracy that 
causes me to sound like we are not going to get there as quick 
as we would like to and I want to look at other things.
    Mr. Kundra, if we simply did a move and manage, just assume 
for a moment that anyone who is eligible to go to the cloud, 
instead of going to cloud, we just move and manage, meaning, 
like Congress, we say we are going to take it out of all your 
offices, where everybody had an individual server. You have 
enough bandwidth or we will provide you enough bandwidth at a 
relatively low cost. We are going to centrally manage. We are 
going to, where appropriate, have multiple servers and multiple 
raids.
    We will make those decisions, but we are providing you with 
an equivalent amount of processing to whatever you had, but we 
are going to relocate it. Literally the way they did it in 
Congress is they picked up your server and took it to another 
place, and then over time, using VMware or an equivalent, they 
are going to give you pieces of more powerful servers.
    From a purely speed of chipping away at that $80 billion 
and freeing up dollars for innovation and other uses, isn't 
that a step that can be done today without any of the concerns 
that are being talked about, about the fitness of some future 
vendor? In other words, if you assume that each agency, unless 
they consent otherwise, doesn't have sharing between agencies 
and so on, how would you envision that as a, if you can't get 
what you want, would this be a step?
    Mr. Kundra. Sure. And that is actually exactly what we are 
engaged in. One of the things we have done is we have looked at 
this problem around expenditures in information technology, and 
approximately $20 billion annually is spent on infrastructure. 
So if you take the entire $80 billion, break it down to just 
infrastructure spend on servers, routers, switches, networks.
    Mr. Issa. Air conditioning, backup generators, UPSes.
    Mr. Kundra. Exactly. So the first step we are taking is to 
make sure that, one, across the entire Federal Government we 
have detailed plans as far as data center consolidation is 
concerned.
    So that is an effort that is underway, and part of the 2012 
budgeting process, what agencies have to do is make sure they 
come in to the budget process to say, look, what is your plan? 
What is your strategy? For example, Department of Homeland 
Security has committed to move from approximately 24 data 
centers down to 2. GSA has over eight data centers. And I could 
cite department by department.
    Mr. Issa. And they are supposed to be the example of best 
of, right?
    Mr. Kundra. Well, look, we didn't get here overnight; this 
is a multi-decade problem. Over the last 50 years that is how 
the Government has been growing. In my testimony I talked about 
how companies like IBM have consolidated; whereas the 
Government continues to grow.
    Mr. Issa. Well, let me ask a question as to that. If that 
is the case, we here probably are the most parochial group you 
are going to find. We get reelected based on whether or not 
people believe we care about them. So it is not uncommon that 
we would want a data center in our district, particularly if it 
created good paying jobs.
    Chairman Towns. I want two. [Laughter.]
    Mr. Issa. I would second that for the chairman.
    Now, it happens that Brooklyn may not always be the best 
place. And I know that the electric costs in San Diego are not 
the lowest. So what are you, cumulatively or individually, 
doing to create, if you will, that best of location, best of 
price cost for some of these data systems, and what are you 
doing to ensure that GSA actually goes to zero--here me out for 
a second--zero data centers? Because there is no reason for you 
to have a unique data center that is only GSA.
    You can have a unique room in a larger data center that 
five other agencies each have a room in. But what would be the 
cost-effectiveness of having your own eight at your own sites. 
By the way, you probably would pick sites based on the 
Congressmen who have the most influence on you, and I am 
perhaps one of them, while Homeland Security might look to Mr. 
King and so on other there. What are we doing to ensure that 
these sitings are both as consolidated as possible and as 
efficient as possible?
    Mr. Kundra. And that is part----
    Mr. Issa. And as least interfered by people like us as 
possible.
    Mr. Kundra. Well, one, we look forward to working with the 
Congress as we take on this really, really difficult problem--
--
    Mr. Issa. I think you are getting those two data centers.
    Mr. Kundra [continuing]. Because you have 1,100, and what 
was really interesting was when we went back and looked at the 
data, some agencies couldn't produce that data right away in 
terms of where is your data center; how many servers do you 
have; what is your rack utilization? And what we are finding, 
unfortunately, is that in some agencies server utilization is 
actually at 7 percent. And when you think about cloud 
computing, that is where you have a lot of wasted capacity, 
because what ends up happening is everybody engineers their 
solution for what they expect the peak to be. Therefore, they 
overbuild and it ends up costing a fortune to maintain those 
systems.
    So by this December----
    Mr. Issa. You mean like the stories that we have seen where 
servers are actually retired, never having been powered up, but 
they were bought?
    Mr. Kundra. Right. And that is the type of waste we are 
taking head on, and that is why, by this December, agencies 
across the Federal Government have been directed by OMB to come 
up with road maps and plans on how they are going to 
consolidate. And part of what we want to make sure is that we 
are responsible in the consolidation, because what you don't 
want to do is consolidate to one place where now everybody 
knows if you go after that one place, you are going to be able 
to bring down all of Federal IT.
    So we have to figure out how do we, in this environment, 
where we have over 1,100--and that number may go up, by the 
way, because the final plans aren't due until this December--
how do we make sure that there is enough geodiversity to ensure 
security, but at the same time that it is not so crazy that you 
have data centers popping up every year all over the country.
    Mr. Issa. Thank you.
    Thank you, Mr. Chairman.
    Chairman Towns. Thank you very much.
    Let me thank all the witnesses for your testimony. You have 
been very, very helpful and I know the subcommittee will 
continue to work on this as well. We want to thank you for your 
time and, of course, the suggestions and recommendations. We 
look forward to working with you. Thank you very much.
    Mr. Kundra. Thank you very much.
    We would like to call up our second panel.
    Mr. Scott Charney is corporate vice president of 
trustworthy computing at the Microsoft Corp. Welcome. Mr. 
Daniel Burton is senior vice president of global public policy 
at Salesforce.com; Mr. Mike Bradshaw is director of Google 
Federal; Mr. Nick Combs is chief technology officer of EMC 
Federal; and Gregory Ganger is professor of electrical and 
computer engineering, as well as director of the Parallel Data 
Lab at Carnegie Mellon University.
    Welcome and thank you all for being here. Let me say to you 
that we always swear our witnesses in, so if you would stand 
and raise your right hands.
    [Witnesses sworn.]
    Chairman Towns. You may be seated.
    Let the record reflect that all the witnesses answered in 
the affirmative.
    Let me start with you, Mr. Charney, and we will just go 
right down the line. You know you have 5 minutes. You know how 
it works. After the light comes on caution, then red, and all 
of that, which will allow us ample time to raise questions. And 
you can see that we have a lot of questions. So why don't we 
just start with you, Mr. Charney, and come right down the line?

    STATEMENTS OF SCOTT CHARNEY, CORPORATE VICE PRESIDENT, 
 TRUSTWORTHY COMPUTING, MICROSOFT CORP.; DANIEL BURTON, SENIOR 
  VICE PRESIDENT, GLOBAL PUBLIC POLICY, SALESFORCE.COM; MIKE 
 BRADSHAW, DIRECTOR, GOOGLE FEDERAL, GOOGLE INC.; NICK COMBS, 
  CHIEF TECHNOLOGY OFFICER, EMC FEDERAL; AND GREGORY GANGER, 
   PROFESSOR, ELECTRICAL AND COMPUTER ENGINEERING, DIRECTOR, 
         PARALLEL DATA LAB, CARNEGIE MELLON UNIVERSITY

                   STATEMENT OF SCOTT CHARNEY

    Mr. Charney. Thank you, Chairman Towns, Ranking Member 
Issa, Chairwoman Watson. Thank you for the opportunity to share 
Microsoft's view on the benefits and risks of cloud computing 
for the Federal Government.
    My name is Scott Charney. I am the corporate vice president 
for trustworthy computing and environmental sustainability at 
Microsoft. I also serve as one of the four co-chairs for the 
Center for Strategic and International Studies Commission on 
Cybersecurity for the 44th Presidency. Prior to joining 
Microsoft, I was Chief of the Computer Crime and Intellectual 
Property Section at the U.S. Department of Justice.
    In my testimony today, I want to describe how cloud 
computing impacts responsibilities for the security, privacy, 
and reliability of IT systems, and I want to highlight the 
importance of Electronic Communications Privacy Act reform and 
identity management issues.
    While cloud computing creates new opportunities, it also 
presents new challenges. More specifically, a Government agency 
using a cloud service may shift certain security, privacy, and 
reliability responsibilities to the cloud provider. To ensure 
this is done properly, Government agencies need to clearly 
identify their security, privacy, and reliability requirements 
to the cloud provider, and cloud providers need to be 
transparent about the steps taken to meet those requirements.
    In Microsoft's case, we employ a holistic approach in 
managing security, privacy, and reliability issues, an approach 
that is designed to meet or exceed customer requirements. This 
approach, which encompasses physical personnel and IT security, 
has three parts: first, we have a risk-based information 
security program that assesses and prioritizes security and 
operational threats to the business; second, we maintain and 
regularly update a detailed set of security controls to 
mitigate risk; third, we use a compliance framework to ensure 
that controls are designed appropriately and are operating 
effectively.
    A key part of this process is the Microsoft Security 
Development Lifecycle [SDL], which helps to improve security 
and privacy protections in our software and our services. The 
SDL consists of processes and tools designed to reduce the 
number and severity of vulnerabilities in software products, 
manage risk in computing environments, ensure appropriate and 
agile response when incidents occur, and help protect people 
and their personal information by imposing mandatory 
engineering practices related to security and privacy. By 
building and managing resilient infrastructure with trustworthy 
people, we can further ensure a high availability in 24/7 
support in our service level agreements.
    While the cloud is getting ready for the Government, the 
Government must get ready for the cloud. Agencies continue to 
struggle to identify, manage, and account for the security of 
data and systems. Moving to the cloud does not eliminate an 
agency's responsibility for its data. To adapt to the cloud, an 
agency must clearly identify and communicate its requirements 
and expectations to the cloud provider, who, in turn, must 
indicate how those requirements and expectations will be met.
    Progress is being made. The Federal Risk and Authorization 
Management Program [FedRAMP], is an important initial effort to 
create efficiencies and define responsibilities. This program 
enables common assessments of cloud service providers, allowing 
a cloud provider to certify once and have that certification 
shared among the agencies. In addition to increased 
efficiencies, FedRAMP can ensure better transparency into cloud 
provider practices.
    In addition to managing its own systems, the Government has 
a policy role to play. In this regard, it must ensure that 
privacy protections for citizens keep pace with technological 
changes. Congress enacted the Electronic Communications Privacy 
Act almost 25 years ago. Dramatic technology advancements, 
including the shift to cloud computing, require ECPA, as it is 
known, to be updated and aligned with reasonable privacy 
expectations. Additionally, industry and Government must create 
more robust identities for Internet use, particularly as we 
adapt to the cloud.
    There are over 1.8 billion Internet users worldwide. The 
mechanisms used to identify people and devices on the Internet, 
even when sensitive data or critical infrastructures are 
involved, is weak. And as the Government offers more citizen 
services online and individuals store more sensitive 
information in the cloud, electronic identifications will 
become increasingly important. The recently released draft 
National Strategy for Trusted Identities in Cyberspace 
represents significant progress in the dialog about how to 
create trust in online transactions, but much remains to be 
done.
    In closing, clarity and transparency about Government 
requirements and cloud provider offerings is critically 
important. The more precise and transparent we are, the greater 
the trust we will build and the greater the opportunity we 
create.
    Thank you for your important leadership on the issue of 
cloud computing, and I look forward to working with you on this 
important topic.
    [The prepared statement of Mr. Charney follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.052
    
    [GRAPHIC] [TIFF OMITTED] 58350.053
    
    [GRAPHIC] [TIFF OMITTED] 58350.054
    
    [GRAPHIC] [TIFF OMITTED] 58350.055
    
    [GRAPHIC] [TIFF OMITTED] 58350.056
    
    [GRAPHIC] [TIFF OMITTED] 58350.057
    
    [GRAPHIC] [TIFF OMITTED] 58350.058
    
    [GRAPHIC] [TIFF OMITTED] 58350.059
    
    [GRAPHIC] [TIFF OMITTED] 58350.060
    
    [GRAPHIC] [TIFF OMITTED] 58350.061
    
    [GRAPHIC] [TIFF OMITTED] 58350.062
    
    [GRAPHIC] [TIFF OMITTED] 58350.063
    
    Chairman Towns. Thank you very much, Mr. Charney.
    Mr. Burton.

                   STATEMENT OF DANIEL BURTON

    Mr. Burton. Thank you, Chairman Towns, Chairwoman Watson, 
Ranking Member Issa, members of the committee. Thank you for 
holding this hearing and inviting me to share my views.
    As the senior vice president for global public policy at 
Salesforce.com, I am deeply involved in discussions with 
Government about cloud computing, and I applaud the efforts of 
this committee and the subcommittee to shed light on this 
effort.
    Salesforce.com is a leading enterprise cloud computing 
company whose applications allow organizations to input, store, 
process, and access data about their customers over the 
Internet. In addition, we provide a cloud collaboration tool 
called Chatter and a cloud technology platform called 
Force.com. Several U.S. Federal agencies already use 
Salesforce, including the Army, HHS, NASA, GSA, the State 
Department, the Census Bureau, and many others.
    In my remarks, I will make reference to the Salesforce 
enterprise cloud computing model, not the consumer cloud 
computing model popularized by companies like Amazon and eBay.
    Descriptions of cloud computing are like the parable of the 
blind men and the elephant. One blind man grabbed its trunk and 
said it resembled a giant snake; another its legs and said it 
was a tree; a third its tusks and said it was an enormous 
walrus, and so on. This parable will sound familiar to anyone 
who follows cloud computing. Some companies state that since it 
involves third-party data centers, they are cloud providers; 
others say that since it uses subscription payments, they are 
cloud providers; still others say that since it is accessed 
over IT networks, they are cloud providers.
    While each of these descriptions is true as far as it goes, 
by themselves these discreet services do not constitute cloud 
computing. Nor can the companies that provide these discreet 
services be called cloud computing providers any more than an 
elephant can be called a snake, a tree, or a walrus.
    True cloud computing consists of a combination of third-
party data centers, subscription payments, Internet access, and 
something known as multi-tenant architecture, which NIST notes 
in its definition.
    A good analogy for multi-tenancy is a skyscraper. Just like 
a skyscraper allows many occupants to run their businesses 
discreetly in the same building, multi-tenant cloud computing 
allows many users to run their applications discreetly on the 
same computing platform. Although users share the underlying 
infrastructure, they can only view the data and applications 
that pertain to them. In this way, multi-tenant cloud computing 
is like online banking; it lets a number of people use their 
accounts simultaneously, while keeping their information secure 
and private.
    The great benefit of multi-tenancy is that it can satisfy 
the needs of numerous organizations on a single computing 
stack. Salesforce, for example, processes the data and 
applications for its 77,000 customers on just a few thousand 
serves. A single tenant computing model, which is sometimes 
referred to as a private cloud, could require several hundred 
thousand servers to manage a customer base this size.
    For Government, multi-tenant cloud computing offers cost 
savings, flexibility, fast deployment, and lower risk of 
project failure. Traditional Government IT systems require up-
front investments in hardware and software, and can take years 
to implement. As a result, they are often out of date and over-
budget by the time they are deployed. Multi-tenant cloud 
computing eliminates large up-front costs and lets Government 
agencies start with a few users and scale rapidly so there is 
much less chance of waste and failure.
    I understand that cost data ownership, security, and 
interoperability are of particular interest to this committee. 
Most studies conclude that cloud computing offers important 
cost savings. A recent Brookings study concluding that the cost 
savings for Government average between 25 and 50 percent. 
Salesforce cast studies support this conclusion.
    As for ownership of data, Salesforce claims no rights to 
the information its customers submit to our cloud services. We 
use and process this information only as our customers instruct 
us to or to fulfill contractual and legal obligations. If a 
customer decides it no longer wants to use our cloud services, 
we make their information available to them in a format that 
allows them to move it elsewhere.
    The Salesforce security management system is based on 
internationally accepted security standards like ISO27001. 
Perhaps the most compelling evidence of our security is the 
fact that over 77,000 organizations around the world, including 
very large institutions in highly regulated sectors like 
financial services, health care, and government, trust their 
information on cloud applications to Salesforce.
    When it comes to interoperability, the proof is in 
performance. Over 50 percent of the transactions we process are 
handled automatically. In other words, about 150 million times 
per day our computers seamlessly operate with outside computers 
without human involvement.
    I appreciate the committee's efforts to advance the 
Government's ability to take advantage of this important 
technology and look forward to your questions.
    [The prepared statement of Mr. Burton follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.064
    
    [GRAPHIC] [TIFF OMITTED] 58350.065
    
    [GRAPHIC] [TIFF OMITTED] 58350.066
    
    [GRAPHIC] [TIFF OMITTED] 58350.067
    
    [GRAPHIC] [TIFF OMITTED] 58350.068
    
    [GRAPHIC] [TIFF OMITTED] 58350.069
    
    [GRAPHIC] [TIFF OMITTED] 58350.070
    
    [GRAPHIC] [TIFF OMITTED] 58350.071
    
    [GRAPHIC] [TIFF OMITTED] 58350.072
    
    [GRAPHIC] [TIFF OMITTED] 58350.073
    
    Chairman Towns. Thank you very much, Mr. Burton.
    Let me just say to the committee members that we have three 
votes, and we will hear from Mr. Bradshaw and then I will 
recess the committee, and we will return 10 minutes after the 
last vote.
    Mr. Bradshaw.

                   STATEMENT OF MIKE BRADSHAW

    Mr. Bradshaw. Thank you, Mr. Chairman, Chairwoman Watson, 
Ranking Member Issa, and members of the committee. I lead the 
Google team that provides cloud computing services to the 
Federal Government, and I am pleased to be here.
    Federal IT is at a crossroads. Down one path, the adoption 
of cloud computing, we see more competition and innovation; 
down another path, which keeps IT tethered to the traditional 
desktop computing model, we have more of the status quo, 
meaning fewer choices and less competition. If there is one 
thing I want to leave you with today, it is this: the cloud is 
secure, the cloud saves taxpayer money, and the cloud can make 
Government more efficient. We believe Federal IT procurement 
policy should encourage competition and choice.
    As you have heard today, there are three basic types of IT 
infrastructure: cloud, there is legacy, and a hybrid model that 
tethers the cloud to legacy systems.
    Google offers cloud solutions that are used by 2 million 
businesses. A growing number of State and local governments, 
from Los Angeles to Orlando, use the cloud, as do Federal 
agencies, including the Departments of Defense, Energy, and 
Interior, as well as NASA, the SEC, and the GSA.
    I would like to focus on three benefits from Federal 
adoption of the cloud: one, enhanced security; two, savings for 
taxpayers; and, three, more competition and innovation.
    First, the cloud offers security advantages over legacy and 
tether cloud alternatives. Under legacy computing models, we 
store critical data on our computers and servers either at work 
or at home. This is the equivalent of keeping cash under our 
mattress. Storing data securely in a multi-tenant cloud is like 
keeping cash in a bank. Cloud providers are security 
professionals, and they can offer better security than 
customers do on their own.
    There have been several examples where Government laptops 
and hard drives were lost or stolen, compromising the sensitive 
personal information of hundreds of thousands of individuals. 
In fact, GAO confirmed in 2009 that recent data losses 
occurring at Federal agencies have been the result of physical 
thefts or improper safeguarding of systems.
    An important security benefit of full cloud model is that 
you can control security updates much more consistently and 
easily. Research shows most organizations take between 25 to 60 
days to deploy security patches, and some CIOS admit it can 
take up to 6 months. In the cloud, everyone gets security 
updates as soon as they are available, not weeks or months 
later. Attacks come frequently, and cloud computing allows us 
to react quickly.
    Hackers do not care about the labels assigned to cloud 
computing, whether the cloud is public or private or otherwise. 
Hackers will exploit security vulnerabilities where they find 
them. That is why security must be judged based on an 
examination of specific security controls in place by a given 
cloud computing implementation.
    At Google, we protect data by shredding and splitting it 
across numerous servers and data centers, making an attack much 
harder because no user's data resides on a single disk or 
server. The data is replicated and spread across different 
locations. So if a hurricane or an earthquake strikes one 
place, the application keeps running elsewhere. This is 
important for backup and disaster recovery. It was a key 
consideration for the city of Los Angeles because of their 
location in an earthquake zone. Backup and recovery solutions 
are built into Google's cloud architecture, and it comes at no 
extra cost.
    Second, the cloud can save taxpayer dollars. This April, 
Brookings found that the Government agencies that switched to 
some form of cloud computing saw up to 50 percent savings. Last 
year, Forrester calculated that Google's cloud-based email 
service was one-third the cost of legacy email. To put that in 
context, the Federal Government spends $76 billion per year on 
IT, with $20 billion of that devoted to hardware, software, and 
file servers.
    Other cost savings come from improving productivity, 
enabling more Federal employees to telework, and reducing 
energy consumption.
    Third, introducing more choices into the Federal 
marketplace will intensify competition, which in turn will 
drive innovation up and prices down. The Federal Government is 
embracing cloud computing, and we support the administration's 
effort to drive the adoption of the cloud, including FedRAMP. 
We strongly support the effort to accelerate the process.
    Naturally, legacy providers would benefit if they didn't 
have to compete with the cloud, so it is not surprising that 
some may try to slow this transition by fomenting fear of cloud 
security. This overlooks the security problems we have seen in 
legacy IT systems and it fails to recognize how these problems 
can be solved by the cloud.
    Ms. Watson [presiding]. We are out of time now, so we are 
going to recess and we will reconvene 10 minutes after the last 
vote. Thank you so much.
    Mr. Bradshaw. Thank you.
    [The prepared statement of Mr. Bradshaw follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.074
    
    [GRAPHIC] [TIFF OMITTED] 58350.075
    
    [GRAPHIC] [TIFF OMITTED] 58350.076
    
    [GRAPHIC] [TIFF OMITTED] 58350.077
    
    [GRAPHIC] [TIFF OMITTED] 58350.078
    
    [GRAPHIC] [TIFF OMITTED] 58350.079
    
    [GRAPHIC] [TIFF OMITTED] 58350.080
    
    [Recess.]
    Chairman Towns [presiding]. Mr. Combs.

                    STATEMENT OF NICK COMBS

    Mr. Combs. Chairman Towns, Ranking Member Issa, thank you 
for the opportunity to address this important session.
    Prior to my current role as CTO of EMC Federal, I served 
more than 25 years in Federal Government, primarily in the 
Army, DOD, and the intelligence community, so I echo the 
remarks of Mr. Issa about concerns with security.
    During my career in Government and public sector, I have 
personally experienced many of the IT challenges facing Federal 
agencies today. Cloud computing is the buzz word of the day in 
IT, but the characteristics the cloud brings are what is 
important for Federal organizations. IT environments must be 
flexible, on-demand, efficient, and resilient.
    Organizations must change, and the IT infrastructures that 
support them must be able to keep pace. At no other time has it 
been more important to change our IT landscape, as 
organizations are experiencing unprecedented levels of 
information growth and are under constant pressure to deal with 
the costs associated with maintaining our legacy IT 
environments.
    Many Federal organizations have already begun to build the 
bridge to the cloud by adopting some form of virtualization. In 
fact, virtualization has become the foundation of the cloud 
and, in my view, is a great enabler of cloud services across 
the various deployment models.
    Cloud computing is virtualization taken to its most logical 
extreme, creating the ultimate in flexibility and efficiency, 
and revolutionizing the way we compute, network, store, and 
manage information. Cloud computing has the potential to make 
the biggest impact in IT since the development of the 
microprocessor, but it is not going to happen overnight. This 
will be a journey, but we will realize benefits at many points 
along the way. In the end, we will be able to provide 
organizations with much greater flexibility to ensure we can 
meet the demanding needs of our Federal Government.
    Many challenges and questions are yet to be fully answered, 
including acquisition, availability, performance, scalability, 
solution maturity, vendor lock-in, and, of top concern, 
security. I have addressed many of these in my written 
statements; however, due to time constraints, I will focus on 
security. We have an opportunity to get it right with cloud 
computing by engineering security into the solution, not 
bolting it on, as has been in the past.
    Admittedly, with cloud computing sophisticated automation, 
provisioning and virtualization technologies, there is 
significant security implications. These risks require that we 
look at security in a whole new way. While perimeter and point 
security products will still be used by organizations, 
companies such as EMC and VMware are embedding security 
controls and security management in the virtual layer, creating 
an environment in the virtual world that is safer than the 
physical world today. Industry must continue to develop and 
deliver technology components that support centralized, 
consistent management of security across the technology stack.
    The level of transparency that cloud computing vendors 
provide is critical when utilizing private sector partners. 
While there is a lot of talk about service level agreements 
helping to satisfy Federal security needs, SLAs alone are 
inadequate. The Government must take a trust, but verify 
approach and cloud vendors should be required to provide the 
tools and capabilities to allow customers visibility into those 
clouds to ensure the SLAs are being met.
    Fundamentally, security must be risk-based and driven by a 
flexible policy that is aligned to the business or mission 
need. The need for common framework to ensure that security 
policies are consistently applied across the infrastructure is 
critical to successful risk management. That is one of the 
principle reasons that EMC supports updating the Federal 
Information Security and Management Act [FISMA], important 
legislation that will update the law to enable more operational 
risk management.
    Technologies exist today to deliver private cloud 
environments inside Federal organizations to dramatically 
improve IT efficiency and still provide the security required 
to protect sensitive information within the Government 
enterprise. Multi-tenant federated clouds can be deployed where 
similar security requirements exist. However, placing 
information on a public cloud today should be limited to public 
facing information only, and then only if the providers can 
prove the level of auditing and protection procedures are 
implemented to deal with breaches of sensitive information.
    Ultimately, cloud computing offers great potential for 
reducing cost and increasing efficiency and transparency 
throughout the Federal Government, and Federal departments and 
agencies should be encouraged to embrace that potential.
    I again thank the committee for allowing EMC and me to 
contribute to this important effort. I look forward to taking 
your questions.
    [The prepared statement of Mr. Combs follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.081
    
    [GRAPHIC] [TIFF OMITTED] 58350.082
    
    [GRAPHIC] [TIFF OMITTED] 58350.083
    
    [GRAPHIC] [TIFF OMITTED] 58350.084
    
    [GRAPHIC] [TIFF OMITTED] 58350.085
    
    [GRAPHIC] [TIFF OMITTED] 58350.086
    
    [GRAPHIC] [TIFF OMITTED] 58350.087
    
    [GRAPHIC] [TIFF OMITTED] 58350.088
    
    [GRAPHIC] [TIFF OMITTED] 58350.089
    
    Chairman Towns. Thank you very much for your testimony, Mr. 
Combs.
    Mr. Ganger.

                  STATEMENT OF GREGORY GANGER

    Mr. Ganger. Thank you for this opportunity to testify along 
with the others. I am a professor of electrical and computer 
engineering at Carnegie Mellon University, where I am also the 
director of a research center focused on issues like cloud 
computing, and have been for over a decade. I hope that my 
independent voice from an elite educational institution can 
help with clarifying the issues being explored today.
    You have heard from a number of folks already today, and 
obviously, from the questions, investigated the issues 
yourselves as well; and I will attempt to avoid being 
needlessly redundant. But I will underscore a few important 
points and raise a few new ones.
    As we have heard and as you have read, cloud computing is a 
buzz word for using others' computers together with yet others 
in order to achieve efficiency, instead of doing everything 
yourself. It is a natural evolution as a part of a service-
based economy. In fact, as Mr. Issa noted, it is a bit of a 
return to the past in some ways. I won't get into the details 
of it now, but there is actually a good reason why it has gone 
back and forth a little bit as engineering technology and 
economies of scale have changed.
    One aspect of the definition of cloud computing that I want 
to make sure doesn't get lost is the differentiation between a 
private cloud and a public cloud, which has to do with who 
shares the cloud. A private cloud is something that an 
organization does itself and might be shared amongst the sub-
organizations of that organization. So in the Federal 
Government imagine all the agencies sharing a cloud. As 
contrasted with a public cloud that might be offered to many 
organizations to share, as is usually thought of when one hears 
the term cloud computing because of the Internet analogy of 
everybody being able to access the Internet.
    But the private cloud is something that we don't want to 
lose sight of because it is going to play a part of the 
approach that gets taken with the breadth of Federal IT 
functions. In fact, this is another thing that was brought up 
earlier, this notion of moving to a centralized management 
site. That is one step toward a private cloud approach.
    And there are some private cloud initiatives that are going 
on in the Government right now. For example, the NBC of the 
Directorate of the Interior has some cloud computing functions 
and there is also an activity called Nebula that NASA is doing 
for scientific activities.
    The benefits of cloud computing, when done well, can be 
huge. We have heard a number of examples. I liked the example, 
in particular, of IBM going from 235 data centers to 12. In my 
written testimony I talk about several others, including HP 
going from 85 data centers to 6 over the course of the last 4 
years and reporting from that 60 percent reductions in their 
data center costs across the board, while at the same time 
increasing the amount of computing and storage that they are 
doing. So the savings are real and they are large.
    As with most things, your mileage may vary, and this was 
brought up multiple of you already, and just how much you save 
is going to depend, for example, on how efficient the function 
that you are moving was already. And the efficiency of existing 
implementations of functions varies widely, so naturally the 
savings you are going to get is going to vary as well.
    But one big benefit that I haven't heard talked about as 
much that you don't want to lose sight of as well is the speed 
of deploying a new application. In the traditional model, where 
you have to procure, buy, deploy, set up a set of computers 
before you can even start to develop the application that you 
are trying to deliver, and that process may take many months, 
18 months was the example that Mr. Kundra used, comparing that 
to the notion of renting some computing utility and getting 
started right away is a sea change in terms of how quickly you 
can move in a new direction.
    There are risks. It is natural to address them with 
questions, which is why I started with the benefits. Security 
is a very natural one. It is very important, in talking about 
security, to not start from the mentality that doing it 
yourself means that it will be done perfectly. There are too 
many examples where that is not the case, and, in fact, having 
a collection of security experts try to do the job for a larger 
collection of people, rather than having each of those people 
do it themselves, makes a lot of sense.
    You get more ability to move forward quickly when you have 
the experts doing it for people rather than everybody doing it 
themselves. It doesn't mean that everything is going to want to 
migrate to a central place, but it is going to mean that a lot 
of things are going to make sense to that kind of 
centralization.
    Lock-in fears mean that standardization is going to be 
critical. Resistance to change is going to mean that change 
management and new training is going to be critical, as well as 
centralized knowledge sharing portals and information sharing. 
And IT culture changes are going to mean that the IT staff are 
going to have to be retrained to new roles as well. They are 
not going to go away; you are still going to need expert IT 
staff to manage the interaction between any given agency, for 
example, and the cloud computing provider, but their roles are 
going to change, they are going to move closer to the 
applications folks.
    But the potential is great; it needs to be embraced. I am 
thrilled to see that is happening, and thank you for letting me 
be here and I am happy to answer any questions that you have.
    [The prepared statement of Mr. Ganger follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.090
    
    [GRAPHIC] [TIFF OMITTED] 58350.091
    
    [GRAPHIC] [TIFF OMITTED] 58350.092
    
    [GRAPHIC] [TIFF OMITTED] 58350.093
    
    [GRAPHIC] [TIFF OMITTED] 58350.094
    
    [GRAPHIC] [TIFF OMITTED] 58350.095
    
    [GRAPHIC] [TIFF OMITTED] 58350.096
    
    [GRAPHIC] [TIFF OMITTED] 58350.097
    
    [GRAPHIC] [TIFF OMITTED] 58350.098
    
    [GRAPHIC] [TIFF OMITTED] 58350.099
    
    Chairman Towns. Thank you very much.
    Let me thank all of you for your testimony.
    I guess I just want to ask all of you this question, and 
you can sort of answer it as briefly as you possibly can. What 
do you see as the greatest benefit and the greatest risk to the 
Federal Government in terms of cloud computing? If you just go 
right down the line and sort of be as brief as possible.
    Mr. Charney. I see a couple of huge benefits. One, of 
course, we have talked about, which is cost savings. But the 
other huge benefit, I think, is that the aggregation of data 
will allow, in appropriate circumstances, much deeper analysis 
of data. When you think about how we are going to do health 
care in the future, for example, the ability to analyze a lot 
of data and see trends and other things could be hugely 
valuable to the Government.
    In terms of risk, it really does come back to the things we 
have talked about: security, privacy, and reliability. We are 
going to be dependent on this cloud, and if you can't access 
this cloud, or if cyber criminals go after the cloud because 
the aggregation of data presents a rich target, or people don't 
have faith that the data in the cloud is both protected and not 
improvidently used by the cloud provider, we will lack trust.
    Mr. Burton. Yes, I think the benefits of cloud computing 
are enormous, and that is why it is really taking off in the 
private sector; and to look at those benefits: cost advantages, 
speed advantages, scale advantages, ease of use advantages, 
customization advantages, and, not to be overlooked, tremendous 
innovation advantages, because once people are on a cloud 
platform, you can easily develop new applications, you can 
deploy them instantly, you can share them with other agencies.
    If you look at risk, usually at the top of the risk list is 
what this committee has focused on, and that is concerns about 
security and privacy.
    Mr. Bradshaw. I think there are great advantages to cloud 
computing. Innovation, innovation of features and 
functionality, but, more important, innovations around 
security, our ability to react much more quickly now to 
security threats. There are great cost savings as well for the 
taxpayer.
    As far as risk, I do think we, right now, are in the risk 
of trying to label cloud computing a certain way so that we 
don't understand the security issues in it. We label it and 
dismiss it based on labels versus really what the security 
requirements are for the environment.
    Mr. Combs. Thank you, Mr. Chairman. I agree with all the 
comments that have previously been stated, but the greatest 
benefit, I think, is speed to delivery of capabilities, like 
Mr. Ganger brought up. Today, it takes far too long to 
implement new capabilities in organizations. With cloud 
computing we can rapidly implement capabilities and, therefore, 
keep up with the changing needs of the Government.
    As far as the greatest risk, I have to go back to my 
intelligence community days, that is the loss of the 
information. In the intelligence community, in the Department 
of Defense realms, that loss of information can mean the loss 
of lives. In the commercial world, that loss of information can 
be the loss of intellectual property and lots of money.
    So those are the greatest benefits and the greatest risks 
as I see them. Thank you.
    Mr. Ganger. I would say that the greatest benefit, as most 
have noted, is efficiency, efficiency both in terms of cost and 
in terms of the ability to roll out a new application, a new e-
Government approach in each of the individual applications that 
one wants to get started, both of those forms of efficiency.
    In terms of the greatest risk, I guess I am going to depart 
from a lot of people here and say that I would worry that the 
greatest risk is entrenchment and the difficulty that one has 
in making a transition from a comfort level that one has with 
the way they do things currently to something very different.
    And given how widespread the IT functions of the Federal 
Government are already, we heard about 1,100 data centers, 
getting all those people around the idea of looking at cloud 
computing and seriously considering not doing it all 
themselves, it is a tough sell to do that with people, to get 
them to really seriously consider doing that. The security 
aspect is one of the concerns that will get raised, and there 
are legitimate security concerns, but the technical security 
concerns, to me, seem smaller than the entrenchment concerns 
that will be rallied around, for example, the security word.
    Chairman Towns. Thank you very much.
    I now yield 5 minutes to the ranking member from 
California.
    Mr. Issa. Thank you, Mr. Chairman.
    Mr. Ganger, I am going to followup with you as the honest 
broker. Eleven hundred data centers. In your opinion, is there 
any reason that this committee shouldn't drive the bureaucracy 
toward, let's say, 200 data centers and force people who have 
8, like GSA, to have 8 that are co-located within those 200 
centers? And wouldn't that represent billions of dollars in 
savings and a consolidation toward a private cloud--which is 
the second question, since you are writing--which is aren't we 
big enough at $80 billion worth of total IT services, tens of 
billions of dollars worth of specific software support and $20 
billion worth of infrastructure support, aren't we big enough 
to own our own cloud?
    I don't want to quote, but I will, the Rolling Stones, 
1967, when they said ``Get off of my cloud,'' but why would we 
get onto somebody else's cloud to begin with? Why wouldn't we 
say we are big enough to go alone or to be co-located with 
other locations, but have complete segregation so that security 
is designed in from the door on?
    Mr. Ganger. OK, so I will try to take them in the order 
that you gave them.
    Mr. Issa. No, no, take them in the order best for you.
    Mr. Ganger. OK. So do you drive data center reductions? I 
don't have a lot of insight into what the 1,100 are doing. It 
would shock me to hear that an analysis of the 1,100 doesn't 
lead to being able to do 200, for example.
    Mr. Issa. Earlier testimony, it took a long time to find 
out how many they had and where they were in some cases.
    Mr. Ganger. Which means, by the way, that it is going to 
take longer to do the consolidation than one might hope, right, 
because there is going to have to be a lot of learning about 
what functions those different data centers are doing in order 
to make a consolidation actually work.
    Mr. Issa. But just shared bandwidth efficiency, facilities 
advantages, all of that would be in the hundreds of millions of 
dollars, enough to pay for the consolidation in a short period 
of time.
    Mr. Ganger. Yes, absolutely, I agree. Huge advantages to be 
had there. And I would be really surprised to learn that type 
of consolidation couldn't be done and that those advantages 
couldn't be realized. The corporate world has done it and we 
have seen two examples of very large corporations that have 
gone from two and three digit numbers of data centers to single 
and 12 was the second example numbers of data centers.
    In terms of is the Government big enough to do a private 
cloud, there is no question the Government is big enough to do 
a private cloud. The question that you would have to ask 
yourself isn't whether you are big enough to do it, it is 
whether you have the expertise to do it for all of the 
different types of cloud technologies that you might need to do 
it for.
    Mr. Issa. OK. I am going to move to the cloud folks for a 
moment.
    Mr. Burton, you offer a public cloud solution that is 
already purchased by agencies of the Government, and they buy a 
product as a COTS product, basically. So that can proliferate 
with vendors offering them, and the only problem, of course, is 
certifying that the data they put on to your cloud is in fact 
safe, secure, and so on, right? Would you say that there are 
things like Mr. Combs might mention, the NSA or the CIA, that 
never really should be customers of yours, at least not with 
the same computer and the same location that are dealing in the 
clandestine world?
    Mr. Burton. Yes, I think without a doubt not only in the 
Federal Government, in the private sector there are certain 
data sets that are so secret, so sensitive that they will never 
go on to a multi-tenant cloud structure.
    Mr. Issa. There is a company in Atlanta called Coca-Cola. I 
suspect that is at least one formula you will never host.
    Mr. Charney, in light of that, won't there always be some 
private computing facility-based, like some of our labs 
activities, where even the hard drives have to be removed 
between uses? So, in a sense, isn't this committee looking at 
the migration of public, private, and legacy, with an 
inevitability that one size doesn't fit all?
    Mr. Charney. I agree with that completely. I mean, there 
will be cases where organizations, Government agencies want to 
run an on-premises system and control it very tightly, like 
some of the intelligence communities. There will be places 
where the Government is a community of interest and can share a 
cloud, and there may be places for public information that a 
public cloud service is not a big concern because it is 
information you want to share anyway. The key is customer 
choice and mapping the cloud model to the risk model.
    Mr. Issa. Mr. Bradshaw, I understand that you are a super 
salesman, among other things. You would like to sell as much of 
your product as you can, I am sure. But wouldn't you also agree 
that there is a segment that could be moved sooner, rather than 
later, to public cloud, a segment that needs to have that 
transition, and then a segment that will never, in the 
foreseeable future, make that transition?
    Mr. Bradshaw. I absolutely agree with that. We have aimed 
our initial offering at the sensitive, but unclassified, level 
to meet that or exceed it. But we do agree there are some 
things that we would not recommend you move to the public 
cloud.
    Mr. Issa. And I will close with one thing on behalf of the 
chairman and myself, both. Isn't one of the challenges to a 
truly transparent cloud, when it is pointed toward the public, 
that portion of cloud computing, the fact that all of our 
various Government agencies have failed to have standards that 
are interoperable and easily searchable so that you can know 
that a name or a particular cell in a data base will in fact 
correspond not just, but including Web sites?
    Mr. Bradshaw. I do believe it is very difficult to put 
standards in place that meet the requirements of all the 
individual agencies and individual bureaus within the agencies, 
and take advantage of information technology at the same time. 
That is a big challenge. But I do think we can use the current 
regulations that are in place, get a great understanding of how 
things compare, and then all of us, we have security experts in 
our company, let's take advantage of those and work with you to 
continuously update these through continuous monitoring and 
things like that.
    Mr. Issa. Thank you.
    Anyone else before the chairman reclaims my time?
    [No response.]
    Mr. Issa. Thank you all.
    Chairman Towns. Thank you very much.
    I now yield 5 minutes to the gentlewoman from California.
    Ms. Watson. Thank you.
    As I mentioned in my opening statement, in light of the 
recently reported cyberattacks involving China and other nation 
states, I would like to hear some specifics from each one of 
our vendors about how we would protect our particular systems, 
and I would like specifics on how your companies plan to 
demonstrate compliance with the requirements on a regular 
basis. And I would just like you to go down the line.
    And then I am going to ask, since we are not going to have 
time within this session to hold additional hearings in our 
subcommittee, how you would provide this information and would 
you give us kind of a summary in writing to our committee? And 
then we will submit that to your committee.
    So just tell us in your own words about what you, as an 
individual vendor, would do to protect the security.
    Mr. Charney. I think there are really two parts to the 
question. First, in terms of how we protect security, the real 
key is having a documented information security program that 
looks at the assets you want to protect, what the threats to 
those assets are, and then you build and test a set of controls 
to protect those assets.
    But the China question is a little bit difficult in the 
sense that one of the changes we have seen over the last 20 
years is a major change in the threat model. When I was at the 
Justice Department prosecuting cyber crimes in 1991 and 1992, 
at the beginning of my career there, a lot of the hackers were 
young students exploring networks.
    Now we have what we call the advanced persistent threat; we 
see more and more nation state activity on the Internet, we see 
more organized crime activity on the Internet, we see a black 
market for vulnerabilities. A regular documented information 
security program that might be adequate for most commercial 
purposes may not be completely adequate for an advanced 
persistent threat.
    This is why, for example, as I said earlier, I don't think 
the intelligence community should be parking its information on 
even public or shared tenant clouds. The advanced persistent 
threat is going to require a much more careful analysis and 
different cybersecurity strategies. I have, in fact, written a 
paper on this very point and would be happy to share it with 
the committee.
    Mr. Burton. Thank you for that question, Chairwoman Watson. 
Security is something that our smallest customers take very, 
very seriously; whether you are a corner pizza store 
maintaining your customer data or a multinational bank or 
health care company or an agency of the Federal Government.
    Ms. Watson. Let me be more specific. How do we have 
assurance that our Federal information within our systems can 
be protected? And I know this is not the place where you can 
give direct answers.
    Mr. Burton. I will respond to that.
    Ms. Watson. Good.
    Mr. Burton. Each of our customers can come in and do 
security reviews with Salesforce, and they do not go on to our 
platform until they are satisfied with our security. We comply 
with major international security standards, ISO27001, SAT Type 
2 Systrust. All of those are available. We feel that without 
trust no one is going to use Salesforce.
    So we have site. Anyone can look at it, this committee can 
look at it, Trust.Salesforce.com, and if you look at that site 
you can see what the performances of our system every single 
day. I looked at it this morning. We processed 315 million 
transactions yesterday, each one in about 300 milliseconds on 
that site. You can see the types of security attacks we are 
facing; you can see all of our credentials.
    If you want to lock down your security, it provides you who 
to talk to, how to get at that. So we feel that not only 
security standards, but transparency is critical to the whole 
cloud model, and that is why we have this trust site that is 
available for anyone to look at.
    And I think just the one question, to come back really, I 
think, to a comment Mr. Issa raised, is, yes, there, are some 
data sets that are so sensitive, so secret that they should be 
kept outside of a cloud environment.
    But I think if you look at the vast majority of the data 
that the U.S. Federal Government processes and stores, it falls 
into a lower level of security, and I think that is perfectly 
adequate for a strong vendor with good security to manage on a 
multi-tenant platform in a cloud.
    Mr. Bradshaw. Thank you. Google has made a commitment at 
the executive level of the corporation to meet Federal security 
requirements. We have completed and submitted to the Government 
our FISMA certification package and we are waiting to hear. We 
do meet the security and privacy requirements that are laid out 
in the Federal statute under FISMA and we make those findings 
available upon request.
    I think what we also do, we are so focused on security. We 
all know this is a growing threat for everybody. We look at two 
areas, one is reducing the threat environment. So we are very 
focused on bringing down things that had been exploited in the 
past, trying to limit that, limit the doors that have made 
these threats possible; and then looking at moving some 
appropriate data to an environment where we can take our 
security professionals and we can take just multiple layers of 
security and protect that data for you.
    Ms. Watson. You are so out there, that is why I mentioned 
Google, because I say to myself would you Google that, please, 
quickly. We know the problems that all of you are facing, so I 
just want to get some ideas how you are addressing them.
    Mr. Combs.
    Mr. Combs. Thank you, ma'am. Today's security architectures 
are nothing more than a broken safety net of point security 
solution products. We have to move from point security products 
to an information-centric approach to managing our data. It is 
all about two things: it is about identities.
    Those systems and processes that either need to have access 
or be restricted access to our resources, and the information. 
That information must be either available or restricted however 
an organization's policies defines. That gets into your second 
part, which is Government risk and compliance.
    What we are doing at EMC is we have acquired technologies 
and we are further developing them to allow portlets for 
organizations to look inside our cloud offerings and to ensure 
that we are providing the Government the risk and compliance 
capabilities that matches their requirements.
    Ms. Watson. What I am going to advise my staff to do is 
send letters to all of you, and you can respond to the 
questions that we have in your letters. So you will get 
something and we will try to do it as soon as possible.
    Thank you so very much, and thank you, Mr. Chairman, for 
the time.
    Chairman Towns. Thank you very much.
    I now yield to the gentleman from Utah, Mr. Chaffetz.
    Mr. Chaffetz. I like the enthusiasm, Mr. Chairman. I 
appreciate that.
    Thank you all for being here, I appreciate it. Full 
disclosure: I think I have been a consumer of all of your 
products and services, with the exception of the parallel data 
lab. I can't think of something, although you probably have 
something I have consumed along the way, all with great 
success. You are obviously market leaders and we appreciate 
your perspective here, and we won't do it justice in the 5-
minutes, so if there is additional information you want to 
share with us, please know that we would love to have you 
followup on that.
    Mr. Bradshaw, starting with you if I could, in your written 
testimony you say, ``The most important component of feeling 
comfortable with one's data in the cloud is trusting a cloud 
services provider and the practices and policies they have in 
place.'' Ronald Reagan famously said once, trust but verify.
    How does that work in a government-type model? Because the 
second part of my questions is how does Google, which is so 
unique in all the world, how does your business model fit with 
government types of services, where you have relied a lot on 
getting a lot of eyeballs and then converting those into 
advertising dollars? How does that work in a business model 
with the Federal Government or State government?
    But going back to this, OK, it is great to say, hey, trust 
us, that is the most important thing, but how do we gain a 
comfort level that information is secure?
    Mr. Bradshaw. I agree with you on that. First of all, I am 
in a group called Enterprise, which is a separate group from 
the consumer group you are very familiar with. We actually look 
at the consumer products and determine how we can change them 
so they fit into a government or into a commercial environment. 
So the products are slightly different and they are modified 
for that reason.
    As far as trust, we understand this is the biggest thing 
for you on security and privacy, so we try to be as transparent 
as possible. I think sometimes we make sure we put something 
out in a blog as soon as we find it so that you will understand 
what kind of problem we have. I think the benefit of that to 
you, and to me as well, is that the technology allows us to 
very quickly react to some of these attacks that we have seen, 
look at the situation, and then correct it, and immediately 
make that fix available to a lot of people. So, again, this is 
where the innovation just really plays to this increasing 
threat model we are all seeing.
    Mr. Chaffetz. And that is where I think one of the 
interesting questions going forward, is how do those cloud-
oriented companies, and in their business model, how do they 
make that work. We will have to explore that further.
    The GAO, in their report, reported that 23 out of 24 
agencies identified multi-tenancy as a potential information 
security risk. Do you find that? Is that baseless or is that 
something you would concur with?
    Mr. Bradshaw. I don't concur with this. I think we have 
many examples where we have multi-tenant application solutions 
that we use and we are very comfortable with, such as an ATM, 
you know, a banking system where multiple people are in the 
same system. We are very comfortable with that. I think the 
Government has several examples where they have solutions they 
have been using for years where they are multi-tenant.
    So I think you can gain so many benefits from this 
environment, again, because we are putting the data in one 
location and we are putting multiple layers around it.
    Mr. Chaffetz. Mr. Charney, how would you address that, the 
GAO concern?
    Mr. Charney. I think multi-tenancy can be fine, but I think 
it also raises different threat models, and the ATM analogy is 
not quite right; and the reason for that is I can go up to an 
ATM machine and put in my card and take out money, and it may 
be true that my account is stored with other accounts, but the 
ATM is not a platform on which I can load software. There has 
been some research done where academics have basically hosted 
in the cloud applications designed to attack the rest of the 
cloud, and with multi-tenancy in that environment, 
virtualization becomes key to separating the data.
    So it doesn't mean multi-tenancy is dangerous; what it 
means is it presents a different threat model and you need to 
make sure you are mitigating those threats.
    Mr. Chaffetz. So what are those technologies that ought to 
be highlighted in terms of differentiating?
    Mr. Charney. I think there are a few things. The key thing, 
of course, is that you have secured development of the 
virtualization technology; that the people who are developing 
that technology are trained in security and that they use good 
development practices and security to make sure that the 
containers that are built through virtualization are in fact 
robust.
    Mr. Chaffetz. Do we possibly have enough personnel in order 
to achieve that? I mean, it is hard enough to hire as it is in 
some of these specialized fields.
    Mr. Charney. Many years ago, when Microsoft adopted the 
Security Development Lifecycle, we took the view that, 
basically, keeping it to ourselves for competitive advantage 
was the wrong approach. We decided that what we needed to do 
was share our best practices.
    And what we did was we published books on threat modeling, 
unsecured code development, and on the Security Development 
Lifecycle itself; and we published some of the tools we use in 
Visual Studio, which is our product for developers, and we have 
also made tools publicly available, like our threat modeling 
tool. We believe that there are not enough well-trained 
security experts on the planet today, and it is something the 
Government can help address as well.
    Mr. Chaffetz. Mr. Chairman, thank you.
    I can spend hours with each of you, but thank you for your 
time, and appreciate any followup. Thank you.
    Ms. Watson [presiding]. I would like now to yield 5 minutes 
to our distinguished member, Mr. Bilbray.
    Mr. Bilbray. Thank you, Madam Chair.
    I want to followup on my colleague's comments about this 
exposure, I guess it was 23 out of 24. That really kind of 
makes us focus on the task at hand when we have that kind of 
exposure, and I again would like to followup by asking why you 
think we have these risks but, more importantly, what can we do 
to address these risks and try to avoid impact by them? 
Basically, how do we armor the system and protect the system?
    Mr. Charney. I think in part there is a lot of concern 
because the technology is new and evolving. Therefore, we are 
not familiar with the risks and, undoubtedly, what will 
sometimes occur is we will learn new things along the way. I 
think there is a natural and healthy tendency to say I need to 
protect my data, and I may put it in this new environment that 
has these new threat models that I don't fully understand.
    The way to address that is through transparency; that is, 
that the cloud providers need to be transparent about how they 
run their operations and manage their information security 
program, and governments need to be clear about what their 
requirements are so that both parties to the transaction get 
greater comfort level with both what they are trying to 
protect, what they think is needed to protect it, and whether 
those controls are in place.
    Mr. Bilbray. Before we go on, let me just say, Madam Chair, 
it is kind of just reminding me of when I got here in 1995 and 
the leadership was changing after 40 years, that there were a 
lot of members of the previous majority that actually were 
terrified at the concept of having Internet between offices and 
among offices because they were worried about security. 
Literally, that was the fear at that time.
    Of course, at the same time we were still delivering 
buckets of ice, 95 years after the invention of refrigeration, 
but that fear was there even among Members of Congress as late 
as 1995, and I am sure it has been much more recent than that.
    Mr. Burton, you had a comment.
    Mr. Burton. Yes. I would very much like to comment on that 
question. Multi-tenant cloud computing is a mature technology. 
Salesforce has been doing this since its founding 10 years ago, 
and you have major banks, major health care companies running 
mission-critical applications on this platform today. Gardner 
says 25 percent of all new software sales are going to be 
softwares of service cloud computing next year.
    So I think while there are issues to consider, it is a 
mistake to say this is new, this is unproven, this is untested, 
don't go there. This has been tried and proven successfully in 
the marketplace.
    I think the key question about multi-tenancy, the key 
question about security is know your vendor. Does the cloud 
provider let you do deep security reviews? Does it have 
international security standards? Does it have transparency and 
trust so that you can go in and see what is going on? And I 
think as government agencies start exploring this, they will 
find that, in fact, there are some cloud providers that provide 
that today. There are lots of others who don't. There are lots 
of issues.
    We are going to be discussing this for some time, but I 
don't want this committee to leave with the impression that 
somehow multi-tenant cloud computing is not tested, it is new, 
it is not to be trusted, because I think the marketplace has 
already ruled on that and the marketplace is moving in a major 
way toward this new platform.
    Mr. Bradshaw. I also would like to point out I think 
something like FISMA provides a great way of evaluating the 
current systems we have against this new technology right now, 
so we can take a look at what we are facing with the current 
environment and put it right next to what we get, what benefits 
we get from it. FISMA has independent audits in there, we have 
that third-party audit, so it gives you a great way of looking 
and comparing this system to what is available to you right 
now.
    Mr. Combs. Why do we have these risks? There is no doubt 
that our adversaries can penetrate our networks and gain access 
to the resources that we have.
    Chairwoman Watson, you brought the Chinese up in your 
opening statement. It is absolutely proven time and time again 
that we cannot stop our adversaries from getting into systems 
that are available on the open Internet.
    This is why I say that moving information into the public 
cloud should be limited to the information that is public-
facing information. The internal information, the engineering, 
the intellectual property, the sensitive information that 
exists in our Government needs to be protected behind 
appropriate security measures to prevent us from getting into 
big trouble.
    Ms. Watson. Thank you.
    Mr. Issa, you will have the last comment and question, and 
then after that we will be adjourning; we have two votes or 
three votes, as I understand, at 2.
    Mr. Issa. And I will be brief.
    Mr. Combs, in a compartmented world, the term compartmented 
exists for a reason. Would you briefly, in light of a multi-
tenant environment, if, hypothetically, all of Government was 
all in the cloud and, because of government-to-government 
requirements, interlaced, what would happen to the historic 
compartmenting that we rely on in the intelligence world today?
    Mr. Combs. Mr. Issa, there are ways to bring cloud 
computing into those environments. The consolidated data 
centers that are going on within the Directorate of National 
Intelligence today, these are similar security requirements 
across the intelligence community.
    We can develop and deploy private cloud environments in a 
multi-tenant environment that will allow the security controls 
to be protected in that environment. Across NASA, NASA is going 
through a 110 data center consolidation right now. Much of 
their engineering processes today are similar, yet they have 
110 separate data centers.
    Mr. Issa. I think you have answered the question. I want to 
be brief for the Chairlady.
    Mr. Bradshaw, responsible disclosure, when companies 
discover flaws in each other's software, does your company have 
a stated policy for how that is to be done?
    Mr. Bradshaw. We do make security and privacy statements. 
We definitely try to be as transparent as we possibly can.
    Mr. Issa. No, that wasn't the question, sir. All of the 
software companies that interact get access to various portions 
of each other's source code and interface with it for purposes 
of porting software, going back and forth through data bases 
and so forth.
    Does Google have a responsible disclosure policy as to 
discoveries of opportunistic or whatever security failures? How 
do you inform Sun or somebody else that you found something 
that would be a vulnerability to the outside world if it were 
discovered? You have teams of software producers, as does 
Microsoft, as does Salesforce. What is your stated policy or do 
you have a stated policy if a software engineer discovers a 
vulnerability in somebody else's software?
    Mr. Bradshaw. I can't personally state the policy, but I 
will be glad to get that back to you.
    Mr. Issa. If you would respond to that for the record. 
Actually, if all of your companies would. It is an area of deep 
concern to me, mostly because I understand the Chinese are out 
there trying to penetrate us. I find it interesting that 
sometimes the penetrations end up in blogs and they really come 
from software engineers employed by competitors.
    And as long as we are buying from all of the companies, the 
one thing we don't want is a vulnerability created at our 
expense in a competitive environment. So if each of you would 
respond to the extent it is appropriate to your company.
    Ms. Watson. Let me ask that each of you will respond in 
writing. We have all framed the question, if that is all right 
with you.
    Mr. Issa. That would be great.
    Ms. Watson. Because that is a vote.
    Mr. Issa. OK, and I have one closing one only for the 
record, and it is for Google. The Presidential Records Act 
requires that we capture all emails of the President and their 
entire Office of the President. Could you respond for the 
record of how you are capturing Gemails that are being used in 
and around the White House by White House personnel?
    Mr. Bradshaw. I am in a group, again, that sells a product 
to the Federal Government, but it is not the Gmail system, the 
personal Gmail system. In our group, in our organization, we 
have a tool that allows you to do e-discovery as well as 
archiving for our mail product.
    Mr. Issa. And I was talking about specific examples of what 
is going on relative to use of the public Gmail. So if you 
could respond for the record. Thank you.
    Ms. Watson. All right, thank you so much for your 
questions, Mr. Issa.
    I want to thank the witnesses for your testimony, the time 
that you have spent here. We are sorry for the interruptions, 
but this is the Congress and we do have to go to vote.
    Thank you, audience, for hanging in here with us. The 
meeting is now adjourned and we will put our comments and 
questions in writing to you. Thank you.
    [Whereupon, at 2:07 p.m., the committee and subcommittee 
was adjourned.]
    [The prepared statement of Hon. Gerald E. Connolly and 
additional information submitted for the hearing record 
follow:]
[GRAPHIC] [TIFF OMITTED] 58350.100

[GRAPHIC] [TIFF OMITTED] 58350.101

[GRAPHIC] [TIFF OMITTED] 58350.102

[GRAPHIC] [TIFF OMITTED] 58350.103

[GRAPHIC] [TIFF OMITTED] 58350.104

[GRAPHIC] [TIFF OMITTED] 58350.105

[GRAPHIC] [TIFF OMITTED] 58350.106

[GRAPHIC] [TIFF OMITTED] 58350.107

[GRAPHIC] [TIFF OMITTED] 58350.108

[GRAPHIC] [TIFF OMITTED] 58350.109

[GRAPHIC] [TIFF OMITTED] 58350.110

[GRAPHIC] [TIFF OMITTED] 58350.111

[GRAPHIC] [TIFF OMITTED] 58350.112

[GRAPHIC] [TIFF OMITTED] 58350.113

[GRAPHIC] [TIFF OMITTED] 58350.114

[GRAPHIC] [TIFF OMITTED] 58350.115

[GRAPHIC] [TIFF OMITTED] 58350.116

[GRAPHIC] [TIFF OMITTED] 58350.117

[GRAPHIC] [TIFF OMITTED] 58350.118

                                 
