b"<html>\n<title> - THE NEXT IT REVOLUTION? CLOUD COMPUTING OPPORTUNITIES AND CHALLENGES</title>\n<body><pre>[House Hearing, 112 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n\n                        THE NEXT IT REVOLUTION?:\n              CLOUD COMPUTING OPPORTUNITIES AND CHALLENGES\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n               SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED TWELFTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                     WEDNESDAY, SEPTEMBER 21, 2011\n\n                               __________\n\n                           Serial No. 112-36\n\n                               __________\n\n Printed for the use of the Committee on Science, Space, and Technology\n\n\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n\n       Available via the World Wide Web: http://science.house.gov\n\n\n                                _____\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n68-317PDF                 WASHINGTON : 2011\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n\n                    HON. RALPH M. HALL, Texas, Chair\nF. JAMES SENSENBRENNER, JR.,         EDDIE BERNICE JOHNSON, Texas\n    Wisconsin                        JERRY F. COSTELLO, Illinois\nLAMAR S. SMITH, Texas                LYNN C. 
WOOLSEY, California\nDANA ROHRABACHER, California         ZOE LOFGREN, California\nROSCOE G. BARTLETT, Maryland         BRAD MILLER, North Carolina\nFRANK D. LUCAS, Oklahoma             DANIEL LIPINSKI, Illinois\nJUDY BIGGERT, Illinois               GABRIELLE GIFFORDS, Arizona\nW. TODD AKIN, Missouri               DONNA F. EDWARDS, Maryland\nRANDY NEUGEBAUER, Texas              MARCIA L. FUDGE, Ohio\nMICHAEL T. McCAUL, Texas             BEN R. LUJAN, New Mexico\nPAUL C. BROUN, Georgia               PAUL D. TONKO, New York\nSANDY ADAMS, Florida                 JERRY McNERNEY, California\nBENJAMIN QUAYLE, Arizona             JOHN P. SARBANES, Maryland\nCHARLES J. ``CHUCK'' FLEISCHMANN,    TERRI A. SEWELL, Alabama\n    Tennessee                        FREDERICA S. WILSON, Florida\nE. SCOTT RIGELL, Virginia            HANSEN CLARKE, Michigan\nSTEVEN M. PALAZZO, Mississippi       VACANCY\nMO BROOKS, Alabama\nANDY HARRIS, Maryland\nRANDY HULTGREN, Illinois\nCHIP CRAVAACK, Minnesota\nLARRY BUCSHON, Indiana\nDAN BENISHEK, Michigan\nVACANCY\n                                 ------                                \n\n               Subcommittee on Technology and Innovation\n\n                  HON. BENJAMIN QUAYLE, Arizona, Chair\nLAMAR S. SMITH, Texas                VACANCY\nJUDY BIGGERT, Illinois               JOHN P. SARBANES, Maryland\nRANDY NEUGEBAUER, Texas              FREDERICA S. WILSON, Florida\nMICHAEL T. McCAUL, Texas             DANIEL LIPINSKI, Illinois\nCHARLES J. ``CHUCK'' FLEISCHMANN,    GABRIELLE GIFFORDS, Arizona\n    Tennessee                        BEN R. LUJAN, New Mexico\nE. SCOTT RIGELL, Virginia                \nRANDY HULTGREN, Illinois                 \nCHIP CRAVAACK, Minnesota             EDDIE BERNICE JOHNSON, Texas\nRALPH M. 
HALL, Texas\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                              Hearing Date\n\n                                                                   Page\nWitness List.....................................................     2\n\nHearing Charter..................................................     3\n\n                           Opening Statements\n\nStatement by Representative Benjamin Quayle, Chairman, \n  Subcommittee on Technology and Innovation, Committee on \n  Science, Space, and Technology, U.S. House of Representatives..     7\n    Written Statement............................................     8\n\nStatement by Representative Ben R. Lujan, Subcommittee on \n  Technology and Innovation, Committee on Science, Space, and \n  Technology, U.S. House of Representatives......................     9\n    Written Statement............................................    10\n\n                               Witnesses:\n\nMr. Michael Capellas, Chairman and CEO, Virtual Computing \n  Environment Company; Co-Chairman, Commission on the Leadership \n  Opportunity in U.S. Development of the Cloud ``CLOUD\\2\\,''\n    Oral Statement...............................................    11\n    Written Statement............................................    13\n\nDr. Dan Reed, Corporate Vice President, Technology Policy Group, \n  Microsoft Corporation; Vice Chairman, ``CLOUD\\2\\''\n    Oral Statement...............................................    19\n    Written Statement............................................    20\n\nMr. Nick Combs, Federal Chief Technology Officer, EMC Corporation\n    Oral Statement...............................................    27\n    Written Statement............................................    30\n\nDr. 
David McClure, Associate Administrator, Office of Citizen \n  Services and Innovative Technologies, General Services \n  Administration\n    Oral Statement...............................................    41\n    Written Statement............................................    42\n\n             Appendix I: Answers to Post-Hearing Questions\n\nMr. Michael Capellas, Chairman and CEO, Virtual Computing \n  Environment Company; Co-Chairman, Commission on the Leadership \n  Opportunity in U.S. Development of the Cloud ``CLOUD\\2\\,''.....    62\n\nDr. Dan Reed, Corporate Vice President, Technology Policy Group, \n  Microsoft Corporation; Vice Chairman, ``CLOUD\\2\\''.............    64\n\nMr. Nick Combs, Federal Chief Technology Officer, EMC Corporation    67\n\nDr. David McClure, Associate Administrator, Office of Citizen \n  Services and Innovative Technologies, General Services \n  Administration.................................................    69\n\n       Appendix II: Additional Materials Submitted for the Record\n\nRepresentative Ben R. Lujan, Subcommittee on Technology and \n  Innovation, Committee on Science, Space, and Technology, U.S. \n  House of Representatives.......................................    74\n\n\n \n                        THE NEXT IT REVOLUTION?\n              CLOUD COMPUTING OPPORTUNITIES AND CHALLENGES\n\n                              ----------                              \n\n\n                     WEDNESDAY, SEPTEMBER 21, 2011\n\n                  House of Representatives,\n         Subcommittee on Technology and Innovation,\n               Committee on Science, Space, and Technology,\n                                                    Washington, DC.\n\n    The Subcommittee met, pursuant to call, at 10:02 a.m., in \nRoom 2318 of the Rayburn House Office Building, Hon. 
Ben Quayle \n[Chairman of the Subcommittee] presiding.\n\n                            HEARING CHARTER\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n\n                     U.S. HOUSE OF REPRESENTATIVES\n\n               SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION\n\n                        The Next IT Revolution:\n\n              Cloud Computing Opportunities and Challenges\n\n                     Wednesday, September 21, 2011\n                        10:00 a.m. - 12:00 p.m.\n                   2318 Rayburn House Office Building\n\nI. Purpose\n\n    On Wednesday, September 21, 2011, the Subcommittee on Technology \nand Innovation will convene a hearing to examine the potential \nopportunities and challenges associated with cloud computing, and to \nassess the appropriate role of the Federal Government in the cloud \ncomputing enterprise. The hearing will focus on: innovation and \nefficiency opportunities associated with cloud computing; challenges \nrestraining the widespread adoption of cloud computing; and federal \ncloud computing adoption initiatives.\n\nII. Witnesses\n\n    <bullet>  Mr. Michael Capellas, Chairman and CEO, Virtual Computing \nEnvironment Company; Co-Chairman, Commission on the Leadership \nOpportunity in U.S. Development of the Cloud ``CLOUD\\2\\,'' a commission \nlaunched by TechAmerica Foundation to provide federal policy \nrecommendations for cloud computing.\n\n    <bullet>  Dr. Dan Reed, Corporate Vice President, Technology Policy \nGroup, Microsoft Corporation; Vice Chairman, ``CLOUD\\2\\''\n\n    <bullet>  Mr. Nick Combs, Federal Chief Technology Officer, EMC \nCorporation\n\n    <bullet>  Dr. David McClure, Associate Administrator, Office of \nCitizen Services and Innovative Technologies, General Services \nAdministration\n\nIII. 
Brief Overview\n\n    Cloud computing has significant implications for the way \nbusinesses, scientists, and governments access and use information \ntechnology (IT). It enables users to remotely access scalable, high-\npowered computing services via broadband networks from a range of \ndevices, all on-demand. Cloud computing has the potential to provide \nusers with increased computing capability, greater efficiency, and \nlower energy and infrastructure costs.\n    Cloud computing is not new. While many people may not be familiar \nwith the term ``cloud computing,'' anyone who uses a web-based email \naccount, such as Gmail or Hotmail, or who uses file-sharing social \nnetworking sites, such as Facebook, is already a user of cloud \ncomputing services. The data and applications on these sites are hosted \non remote servers owned and operated by the service provider, rather \nthan on an individual's hard drive.\n    Cloud computing promises to provide new ways of managing \ninformation for the public and private sector. Some of cloud \ncomputing's opportunities include cost savings on IT infrastructure and \nmaintenance, increased access to high-powered computing applications \nfor both business and academic researchers, and greater data and file \naccessibility for consumers.\n    However, there are also many challenges associated with cloud \ncomputing. Cloud consumers need assurances that their data will be \nsecure in the cloud. Without confidence that security and privacy \nconcerns are addressed, users may be hesitant to adopt cloud services. \nUsers also want assurances that they will have ubiquitous access to \ncloud services. Therefore, network resiliency and broadband \naccessibility are crucial factors in determining cloud adoption. Users \nwant the ability to move their data and applications from one service \nprovider to another, so portability and interoperable standards within \nthe cloud are key issues. 
Additional concerns of cloud users and \nservice providers include liability and regulations governing cloud \nusage.\n    Witnesses have been asked to provide their insights on the \nopportunities that cloud computing offers to users and service \nproviders, the primary challenges facing cloud computing users and \nservice providers including security concerns, federal government \ninitiatives to adopt cloud computing services, and the appropriate role \nof the federal government in the cloud computing enterprise, including \nin the development of standards.\n\nIV. NIST Definition of Cloud Computing\n\n    The National Institute of Standards and Technology (NIST) has \nworked with various cloud stakeholders to develop a definition for \ncloud computing: ``a model for enabling ubiquitous, convenient, on-\ndemand network access to a shared pool of configurable computing \nresources (e.g., networks, servers, storage, applications, and \nservices) that can be rapidly provisioned and released with minimal \nmanagement effort or service provider interaction.'' \\1\\\n---------------------------------------------------------------------------\n    \\1\\ National Institute of Standards and Technology, U.S. Department \nof Commerce, Special Publication 800-145: NIST Definition of Cloud \nComputing (DRAFT) 2 (2011).\n---------------------------------------------------------------------------\n    To encompass all aspects of cloud computing, NIST identifies five \nessential characteristics, three service models, and four deployment \nmodels of cloud computing.\n\nEssential characteristics: \\2\\\n---------------------------------------------------------------------------\n    \\2\\  Ibid; Computer and Communications Industry Association, Public \nPolicy for the Cloud: How Policymakers Can Enable Cloud Computing \n(2011), available online at http://www.ccianet.org\n---------------------------------------------------------------------------\n\n    <bullet>  On-demand self-service. 
Users can access cloud computing \nservices at any time.\n\n    <bullet>  Broad network access. Services are available over the \nInternet using any web-connected device.\n\n    <bullet>  Resource pooling. Providers can serve multiple users \nsimultaneously.\n\n    <bullet>  Rapid elasticity. Cloud computing services can be scaled \nto meet user need.\n\n    <bullet>  Measured service. Cloud users only pay for the services \nthey consume, and can adjust this usage based on need.\n\nService models: \\3\\\n---------------------------------------------------------------------------\n    \\3\\ Ibid\n---------------------------------------------------------------------------\n\n    <bullet>  Software as a Service (SaaS). Enables a user to access \nprovider applications from any device through a web browser. Users do \nnot manage or control any underlying infrastructure such as servers, \noperating systems, storage, or application settings. The infrastructure \nis managed by the cloud provider.\n\n    <bullet>  Platform as a Service (PaaS). Enables a user to deploy \nuser-created or acquired applications on the cloud using programming \ntools supported by the provider. The user does not manage the \ninfrastructure (servers, storage, etc.) but has control over the \ndeployed applications.\n\n    <bullet>  Infrastructure as a Service (IaaS). Enables a user to \nrent and manage cloud infrastructure from a provider, and to deploy its \nown applications and software, including operating systems.\n\nDeployment models: \\4\\\n---------------------------------------------------------------------------\n    \\4\\ Ibid\n---------------------------------------------------------------------------\n\n    <bullet>  Private cloud. 
The cloud infrastructure is operated \nsolely for an organization, and may be managed by the organization or \nby a third-party, and may exist on-site or off-site.\n\n    <bullet>  Community cloud. The cloud infrastructure is shared by \nseveral organizations and supports a specific community with shared \nconcerns. The infrastructure may be managed by the organizations or by \na third-party, and may exist on-site or off-site.\n\n    <bullet>  Public cloud. The cloud infrastructure is available to \nthe public at large and is owned and managed by the service provider.\n\n    <bullet>  Hybrid cloud. The cloud infrastructure is made up of two \nor more clouds (private, community, public) which remain separate, but \nshare certain technology to enable data portability between clouds.\n\nV. Cloud Computing Opportunities\n\nCloud computing promises benefits to businesses, individuals, \nresearchers, and governments.\n\nOpportunities for Business\n\n    Businesses can reduce their IT overhead by migrating computing \nfunctions to the cloud. This may lower cost barriers for startup \ncompanies by not requiring expensive IT hardware and infrastructure \npurchases in the early stages of growth. Cloud elasticity also enables \nbusinesses to pay for only the services and computing power that they \nactually use. This can prevent the problem of purchasing excess \ninfrastructure capacity that may go unused, or having too little \ninfrastructure to accomplish key work requirements. Cloud computing can \nalso enable more businesses in data-intensive fields to access high \npowered computing resources, helping to level the playing field between \nsmaller and larger companies.\n\nOpportunities for Individuals\n\n    Cloud computing can provide consumers with unlimited access to data \nfiles from remote locations using a range of Internet-connected \ndevices. 
Changes that users make to files and data stored on the cloud \nfrom one device or location will be updated when the user accesses \ntheir files and data from a different device or location.\n\nOpportunities for Researchers\n\n    Cloud computing can enable greater collaboration between scientists \nand researchers both domestically and internationally. It can also \nprovide scientists with more computing power allowing them to run high-\npowered simulations that were previously restricted only to those with \nsupercomputing access. Cloud computing may also reduce the amount of \ntime that researchers and scientists need to set up IT infrastructure \nand increase the time spent on performing research.\n\nOpportunities for the Federal Government\n\n    Cloud computing has the potential to reduce federal government IT \nexpenditures by a considerable margin. A major portion of federal IT \nbudgets is spent on infrastructure and maintenance. Migrating computing \nfunctions to the cloud may greatly reduce these costs helping to reduce \ntaxpayer funding for these activities.\n\nVI. Cloud Computing Challenges\n\n    There are a range of challenges that have prevented more widespread \nadoption of cloud computing. Some of these challenges include concerns \nabout security and privacy, access and network resiliency, data \nportability and standards, and liability protection. Each of these \nissues has potential policy implications for the Federal Government.\n\nSecurity and Privacy\n\n    Users of cloud services must have the confidence that their data \nand applications are secure. Different businesses and government \nagencies will require more robust security thresholds to protect more \nsensitive data. Cloud computing service providers must be able to offer \nthese tiered service levels. 
While cloud computing can make it easier \nfor providers to continuously update security applications, it may also \noffer a bigger ``target'' for malicious actors, requiring stronger \nsecurity standards and redundancy.\n\nNetwork Access, Availability and Resiliency\n\n    Users of cloud computing services will require access to services \nat any time from any device with an Internet connection. However, there \nare concerns that current broadband networks may not be able to provide \nconstant on-demand access if cloud adoption grows. Network outages \npreventing users from accessing applications or data on the cloud could \nhave severe effects on business and government operations. \nConsequently, lack of confidence in network reliability may inhibit \ncloud computing adoption. Lack of adequate broadband access in areas \nwhere businesses are located or in areas where users want to access \nservices remotely will likewise limit further widespread cloud \ncomputing adoption.\n\nData Portability and Standards\n\n    Users of cloud computing services require the assurance that they \ncan move their data and applications to different cloud service \nproviders if they feel a change would be beneficial to them, so \ncomputing standards to enable portability and interoperability are \ncritical to the agility of the cloud. While standards can provide for \ngreater mobility, they can also inhibit innovation if they are too \nprescriptive or have been adopted before markets determine certain \ntechnology preferences.\n\nLiability and Regulations\n\n    Lack of certainty associated with the laws and regulations \ngoverning migration of services to cloud computing has prevented more \nwidespread adoption. Different industries face different regulatory \nframeworks which exacerbate problems of uncertainty. Liability concerns \nassociated with data protection may prevent companies from migrating \ndata away from their direct control. 
Finally, because liability and \ndata storage regulations differ among countries, companies may be \nhesitant to expose themselves to potential lawsuits by migrating \nservices to the cloud.\n\nVII. Federal Initiatives on Cloud Computing\n\n    The Office of Management and Budget (OMB) has estimated that the \nFederal Government could move 25 percent of its IT spending to the \ncloud. In early 2011 the White House's Chief Information Officer \nreleased a Federal Cloud Computing Strategy \\5\\, known as ``Cloud \nFirst'', which requires agencies to evaluate whether using cloud \ncomputing is an option before making new IT purchases.\n---------------------------------------------------------------------------\n    \\5\\ http://www.cio.gov/documents/Federal-Cloud-Computing-\nStrategy.pdf\n---------------------------------------------------------------------------\n    In early 2010, the White House released the OMB 25 Point \nImplementation Plan to Reform Federal Information Technology Management \n\\6\\. This document described government-wide policies to maximize the \nefficiency and management of Federal IT resources.\n---------------------------------------------------------------------------\n    \\6\\ http://www.cio.gov/documents/25-Point-Implementation-Plan-to-\nReform-Federal%20IT.pdf\n---------------------------------------------------------------------------\n    As part of the OMB 25 Point Implementation Plan, the Obama \nAdministration launched a Federal Data Center Consolidation Initiative \n(FDCCI) \\7\\ to consolidate the Federal Government's data center \nenvironment by eliminating a minimum of 800 of the more than 2000 \nphysical data centers by 2015. Data center growth and affiliated costs \nare considered unsustainable and cloud computing offers a means of \nreducing the number of centers. 
Currently, as part of this initiative, \nmore than 350 physical data centers have been identified by agencies \nfor planned closings before the end of 2012 \\8\\.\n---------------------------------------------------------------------------\n    \\7\\  http://www.cio.gov/documents/Federal-Data-Center-\nConsolidation-Initiative-02-26-2010.pdf\n    \\8\\  http://explore.data.gov/Federal-Government-Finances-and-\nEmployment/Federal-Data-Center-Consolidation-Initiative-FDCCI/d5wm-\n4c37?\n---------------------------------------------------------------------------\n    As part of its responsibilities under the Federal Information \nSecurity Management Act (FISMA), the National Institute of Standards \nand Technology (NIST) must provide Federal Information Processing \nStandards (FIPS) and guidelines for agencies to use. As an agency \nconsiders migrations to cloud computing, NIST must develop the \nappropriate consensus standards and guidelines to ensure a secure and \ntrustworthy environment for federal information.\n    The General Services Administration (GSA) performs a coordinating \nrole in the Administration's IT Management Reform Agenda. GSA \nfacilitates access to cloud-based solutions from private sector \nproviders that meet federal requirements for federal entities, works \nwith NIST and other federal agencies to assess and authorize cloud \ncomputing services through the Federal Risk and Authorization \nManagement Program (FedRAMP), and identifies potential multi-agency or \ngovernment-wide uses of cloud computing solutions. \\9\\ GSA also manages \napps.gov as an e-commerce website for federal entities to purchase \ncloud computing products and services.\n---------------------------------------------------------------------------\n    \\9\\  Testimony of Dr. 
David McClure, General Services \nAdministration, before the Senate Committee on Homeland Security and \nGovernmental Affairs, Subcommittee on Federal Financial Management, \nGovernment Information, Federal Services, and International Security, \nApril 12, 2011.\n---------------------------------------------------------------------------\n    Internally, GSA has implemented an agency-wide cloud-based email \nsolution, has moved certain GSA-managed web sites (including usa.gov \nand data.gov) to cloud hosted environments, and expects to reduce its \ngovernment owned data centers from 15 to three by Fiscal Year 2015, \namong other cloud computing initiatives. \\10\\ Other federal agencies \nare making efforts towards implementing the Administration's Federal \nCloud Computing Strategy with varying degrees of progress. National \nsecurity agencies, including the Department of Defense and the \nDepartment of State, may be more hesitant about migrating sensitive \ninformation and data to a cloud environment.\n---------------------------------------------------------------------------\n    \\10\\ Ibid.\n---------------------------------------------------------------------------\n    The NIST Cloud Computing Program aims to shorten the adoption cycle \nfor cloud, which will enable near-term cost savings and increased \nability to quickly create and deploy enterprise applications. NIST aims \nto foster cloud computing systems and practices that support \ninteroperability, portability, and security requirements that are \nappropriate and achievable for important usage scenarios. 
\\11\\ NIST has \npublished a Cloud Computing Standards Roadmap \\12\\, Cloud Computing \nReference Architecture \\13\\, a Draft Cloud Computing Synopsis and \nRecommendations \\14\\, and has held three forums and workshops bringing \ntogether government, industry and private stakeholders in support of \nthese efforts.\n---------------------------------------------------------------------------\n    \\11\\ http://www.nist.gov/itl/cloud/index.cfm\n    \\12\\ NIST Special Publication 500-291\n    \\13\\ NIST Special Publication 500-292\n    \\14\\ NIST Special Publication 800-146\n\n\n    Chairman Quayle. Good morning. Welcome to today's hearing \nentitled ``The Next IT Revolution?: Cloud Computing \nOpportunities and Challenges.'' In front of you are packets \ncontaining the written testimony, biographies, and truth-in-\nstatement disclosures for today's witnesses. I will now \nrecognize myself for five minutes for an opening statement.\n    Good morning. I would like to welcome everyone to today's \nhearing, which is being held to examine the opportunities and \nchallenges presented by cloud computing and to analyze the \nappropriate role of federal policy in the growing cloud \ncomputing enterprise. Over the last few decades, developments \nin the IT sector have driven our country's economic growth. \nCloud computing has the potential to be the next wave. Its \nwidespread adoption offers significant opportunities for new \ninnovation and productivity gains for both the public and \nprivate sectors.\n    Users of cloud computing services will be able to access \nhigh-powered computing functions from a range of devices that \npreviously were only available to entities with large IT \ninfrastructure budgets. 
Cloud services will also allow \nindividuals to share information with colleagues in real time, \ndramatically increasing opportunities for collaboration.\n    The adoption of cloud computing has the potential to \nsignificantly reduce IT infrastructure and maintenance costs. \nBecause these services are elastic, individuals will only pay \nfor the computing services they consume and will no longer have \nto worry about over-investing or under-investing in IT. \nCompanies can potentially use these savings to help grow and \nexpand their businesses, while governments will be able to \nreduce their massive taxpayer-funded IT budgets.\n    Finally, cloud computing provides its users with unlimited \naccess to data and applications from any Internet-connected \ndevice.\n    While the benefits of cloud computing are vast, there are a \nwide range of challenges that will need to be addressed before \nits potential is fully realized.\n    Cybersecurity is a major concern for many users who are \nconsidering moving their computing functions to the cloud. \nUsers must have confidence that their data and applications \nwill be secure and that their privacy will be protected. \nFurther, cloud service providers will need to offer users \ndifferent tiers of security depending on the sensitivity of \ntheir data.\n    Widespread adoption of cloud computing requires broad \nnetwork access and resiliency. With increased reliance on the \ncloud for computing functions, broadband networks must be up to \nthe task of handling the massive amounts of data that will be \ntransmitted over the Internet. Users will also want assurances \nthat they will be able to transport their data and applications \nfrom one service provider to another. Therefore, the \ndevelopment of interoperable standards is a key issue. 
But, as \nwe have often discussed in this Subcommittee, it is important \nthat these are consensus-based standards that will not be so \nrigid that they inhibit the opportunities for innovation that \ncloud computing offers. Finally, liability will need to be \naddressed to reflect the new cloud-computing paradigm.\n    While these are only a few of the relevant issues, it \nprovides a sense of the challenges confronting industry, \nconsumers, and policymakers in determining the appropriate path \nforward for this technology.\n    We have an excellent panel of IT industry witnesses who \nwill share their insights on these topics with us. We have also \nasked each of our industry witnesses to comment on the \nappropriate role of the Federal Government in cloud computing. \nFurther, we will hear about the General Services \nAdministration's efforts to adopt cloud computing services and \nenable other federal agencies to do the same.\n    I would like to extend my appreciation to each of our \nwitnesses for taking the time and effort to appear before us \ntoday. We look forward to your testimony.\n    And I now recognize the gentleman from New Mexico, Mr. \nLujan, for his opening statement.\n    [The prepared statement of Mr. Quayle follows:]\n\n               Prepared Statement of Chairman Ben Quayle\n    Good Morning. I'd like to welcome everyone to today's hearing, \nwhich is being held to examine the opportunities and challenges \npresented by cloud computing, and to analyze the appropriate role of \nfederal policy in the growing cloud computing enterprise.\n    Over the last few decades, developments in the IT sector have \ndriven our country's economic growth. Cloud computing has the potential \nto be the next wave. 
Its widespread adoption offers significant \nopportunities for new innovation, and productivity gains for both the \npublic and private sectors.\n    Users of cloud computing services will be able to access high-\npowered computing functions from a range of devices that previously \nwere only available to entities with large IT infrastructure budgets. \nCloud services will also allow individuals to share information with \ncolleagues in real time, dramatically increasing opportunities for \ncollaboration.\n    The adoption of cloud computing has the potential to significantly \nreduce IT infrastructure and maintenance costs. Because these services \nare elastic, individuals will only pay for the computing services they \nconsume, and will no longer have to worry about over-investing or \nunder-investing in IT. Companies can potentially use these savings to \nhelp grow and expand their business, while governments will be able to \nreduce their massive taxpayer-funded IT budgets.\n    Finally, cloud computing provides its users with unlimited access \nto data and applications from any Internet-connected device.\n    While the benefits of cloud computing are vast, there are a range \nof challenges that will need to be addressed before its potential is \nfully realized.\n    Cybersecurity is a major concern for many users who are considering \nmoving their computing functions to the cloud. Users must have \nconfidence that their data and applications will be secure and that \ntheir privacy will be protected. Further, cloud service providers will \nneed to offer users different tiers of security depending on \nsensitivity of their data.\n    Widespread adoption of cloud computing requires broad network \naccess and resiliency. 
With increased reliance on the cloud for \ncomputing functions, broadband networks must be up to the task of \nhandling the massive amounts of data that will be transmitted over the \nInternet.\n    Users will also want assurances that they will be able to transport \ntheir data and applications from one service provider to another. \nTherefore, the development of interoperable standards is a key issue. But, \nas we have often discussed in this Subcommittee, it is important that \nthese are consensus-based standards that will not be so rigid that they \ninhibit the opportunities for innovation that cloud computing offers.\n    Finally, liability will need to be addressed to reflect the new \ncloud-computing paradigm.\n    While these are only a few of the relevant issues, it provides a \nsense of the challenges confronting industry, consumers, and \npolicymakers in determining the appropriate path forward for this \ntechnology.\n    We have an excellent panel of IT industry witnesses who will share \ntheir insights on these topics with us. We have also asked each of our \nindustry witnesses to comment on the appropriate role of the federal \ngovernment in cloud computing. Further, we will hear about the General \nServices Administration's efforts to adopt cloud computing services and \nenable other federal agencies to do the same.\n    I'd like to extend my appreciation to each of our witnesses for \ntaking the time and effort to appear before us today. We look forward \nto your testimony.\n\n    Mr. Lujan. Thank you, Chairman Quayle. And good morning to \nour witnesses as well. I want to thank you all for being with \nus for this important hearing to examine both the benefits and \nrisks of cloud computing.\n    As you all know, and as I expect you will hear from our \nwitnesses today, cloud computing has many potential benefits. 
\nBy sharing IT capabilities in the cloud, individuals, \nbusinesses, and government agencies are able to leverage their \nresources more effectively. They need only pay for what they \nuse and can easily scale up or ramp down the computing power or \namount of data storage they need.\n    In addition to lowering capital investment, cloud computing \nallows people to access their files and applications from \nanywhere at any time using everything from their home computer \nto their tablet or smartphone, as long as they have broadband \nconnectivity. In addition to being convenient, the mobility \nthat cloud computing offers has the potential to increase the \nproductivity of individuals. The cloud also has the potential \nto drive innovation, not only by changing the way businesses \noperate, but also how research is conducted. I look forward to \nhearing more about how cloud computing can advance basic \nresearch from Dr. Reed later this morning.\n    However, despite all of the promise cloud computing offers, \nthere are a number of security concerns associated with moving \ninformation to a remote data server that is operated by a third \nparty and may be located in a foreign country with less \nstringent data protection laws. In fact, according to a recent \nreport, 71 percent of federal Chief Information Officers stated \nthat security concerns were preventing them from adopting cloud \nsolutions. However, the same report found that the Federal \nGovernment could save over $14 billion within the first year if \nwe were to embrace cloud computing. It is essential that we \nfind a way to ensure the security and privacy of the cloud so \nthat the Federal Government can reap the full benefits of this \nemerging technology.\n    I am pleased that the Administration is focusing its \nefforts on achieving this goal. 
As I understand it, this effort \nby GSA and NIST will provide federal agencies with tools to \nassess and select cloud computing services and products that \nsatisfy federal security requirements. In addition, I am \npleased that NIST has taken an active role in the development \nof cloud computing standards for the Federal Government and is \nworking closely with industry on the development of standards \nto support cloud computing infrastructure, metrics, \ninteroperability, and assurance as mandated in the America \nCOMPETES Reauthorization Act.\n    Standards are a critical component to our ability to \nrealize the true potential of cloud computing, and I am pleased \nthat NIST has hit the ground running with these efforts and is \nwell on its way to delivering the required standards.\n    I look forward to hearing from our witnesses about the \nAdministration's efforts and what we here in Congress can and \nshould do to ensure progress continues and that the federal \nagencies have the tools and resources they need to adopt secure \ncloud computing solutions which will save money.\n    I would like to again thank the witnesses for being here \ntoday. I look forward to your testimony. Thank you, Chairman \nQuayle, and I yield back the balance of my time.\n    [The prepared statement of Mr. Lujan follows:]\n\n           Prepared Statement of Representative Ben R. Lujan\n    Thank you, Chairman Quayle, and good morning to our witnesses. I \nwant to thank you all for being with us today for this important \nhearing to examine both the benefits and risks of cloud computing.\n    As you all know, and as I expect we will hear from our witnesses \ntoday, cloud computing has many potential benefits. By sharing IT \ncapabilities in the cloud, individuals, businesses, and government \nagencies are able to leverage their resources more effectively. 
They \nonly need to pay for what they use and can easily scale up or ramp down \nthe computing power or amount of data storage they need.\n    In addition to lowering capital investment, cloud computing allows \npeople to access their files and applications from anywhere at any \ntime, using everything from their home computer to their iPad or smart \nphone. In addition to being convenient, the mobility that cloud \ncomputing offers has the potential to increase the productivity of \nindividuals.\n    The cloud also has the potential to drive innovation not only by \nchanging the way businesses operate, but also how research is \nconducted. I look forward to hearing more about how cloud computing can \nadvance basic research from Dr. Reed later this morning.\n    However, despite all of the promise cloud computing offers, there \nare a number of security concerns associated with moving information to \na remote data server that is operated by a third party and may be \nlocated in a foreign country with less stringent data protection laws.\n    In fact, according to a recent report, 71 percent of federal chief \ninformation officers stated that security concerns were preventing them \nfrom adopting cloud solutions.\n    However, that same report found that the federal government could \nsave over $14 billion within the first year if it were to embrace cloud \ncomputing.\n    It's essential that we find a way to ensure the security and \nprivacy of the cloud so that the federal government can reap the full \nbenefits of this emerging technology. I am pleased that the \nAdministration is focusing its efforts on achieving this goal. 
As I \nunderstand it, this effort by GSA and NIST will provide federal \nagencies with tools to assess and select cloud computing services and \nproducts that satisfy federal security requirements.\n    In addition, I am pleased that NIST has taken an active role in the \ndevelopment of cloud computing standards for the federal government and \nis working closely with industry on the development of standards to \nsupport cloud computing infrastructure, metrics, interoperability, and \nassurance, as mandated in the America COMPETES Reauthorization Act. \nStandards are a critical component of our ability to realize the true \npotential of cloud computing and I am pleased that NIST has hit the \nground running with these efforts and is well on its way to delivering \nthe required standards.\n    I look forward to hearing from our witnesses about the \nAdministration's efforts and what we here in Congress can or should do \nto ensure that progress continues and that the federal agencies have \nthe tools and resources they need to adopt secure cloud computing \nsolutions.\n    I'd like to again thank the witnesses for being here today and I \nlook forward to your testimony. Thank you, Chairman Quayle. I yield \nback the balance of my time.\n\n    Chairman Quayle. Thank you, Mr. Lujan. I would like to \nrequest unanimous consent that the CLOUD\\2\\ Commission's report \nbe added to the record at this point. Without objection, so \nordered.\n    [The information appears in Appendix II]\n    Chairman Quayle. If there are Members who wish to submit \nadditional opening statements, your statements will be added to \nthe record at this point.\n    At this time, I would like to introduce our witnesses and \nthen we will proceed to hear from each of them in order.\n    Our first witness is Mr. Michael Capellas, Chairman and CEO \nof the Virtual Computing Environment Company. Mr. 
Capellas also \nserves as co-chair of the TechAmerica Foundation's Commission \non the Leadership Opportunity in U.S. Deployment of the Cloud, \nor CLOUD\\2\\.\n    Next, we will hear from Dr. Dan Reed, Corporate Vice \nPresident of the Technology Policy Group at Microsoft \nCorporation.\n    Our third witness is Mr. Nick Combs, Federal Chief \nTechnology Officer for EMC Corporation.\n    Our final witness is Dr. David McClure, the Associate \nAdministrator for the Office of Citizen Services and Innovative \nTechnologies at the GSA.\n    Thanks again to our witnesses for being here this morning, \nand as our witnesses should know, spoken testimony is limited \nto five minutes each. After all witnesses have spoken, Members \nof the Committee will have five minutes each to ask questions.\n    I now recognize our first witness, Mr. Michael Capellas, \nfor five minutes. Mr.--can you turn your mic on? Thank you.\n\n              STATEMENTS OF MR. MICHAEL CAPELLAS,\n\n              CHAIRMAN AND CEO, VIRTUAL COMPUTING\n\n        ENVIRONMENT COMPANY; CO-CHAIRMAN, COMMISSION ON\n\n  THE LEADERSHIP OPPORTUNITY IN U.S. DEVELOPMENT OF THE CLOUD \n                          ``CLOUD\\2\\''\n\n    Mr. Capellas. That would be helpful. Always takes a tech \nguy to learn how to turn the mic on.\n    So again, good morning, Chairman Quayle and Members of the \nSubcommittee. My name is Michael Capellas, and I am Co-Chair of \nTechAmerica Foundation's Commission on the Leadership \nOpportunity in U.S. Deployment of the Cloud, and I am honored \nto be invited to testify on a subject of critical national \nimportance.\n    Cloud computing has far-ranging economic implications of \nutmost relevance to U.S. job creation, productivity, and \ntechnology leadership. 
As many on the Subcommittee have no \ndoubt observed, cloud computing has taken on many meanings and \nthere is widespread confusion in the market about what cloud \nmeans, how to get it, what it is good for and what possible \ndrawbacks might exist. But the cloud business opportunity is \nsignificant, with analysts projecting cloud revenues to top $50 \nbillion within three years.\n    Those that follow the technology industry know that cloud \ncomputing has been around for many years. It is only recently \nthat revenue projections have sharply increased, so it is \nimportant to understand why many experts think cloud computing \nis poised to grow rapidly over the next decade and why all the \ncloud hype exists in the marketplace.\n    The application of IT in general has been the single-most \nimportant driver of U.S. productivity for over two decades. My \nobjective is to convey the Commission's finding around why \ncloud is so important in terms of U.S. competitiveness, \nincluding job creation and productivity. But first I want to \nsuggest that most of the predictions about cloud's strong \nmarket growth are wrong. I think they are wrong because they \nunderstate cloud growth and they understate the impact cloud is \ngoing to have in reshaping the IT landscape. Cloud is like \nnothing we have seen before in prior waves, and why it is \nimportant to the U.S. Government.\n    Information Technology has been synonymous with economic \nprosperity since the middle of the last century. IT has \nexperienced numerous waves of changes since that time. Previous \nIT waves include the World Wide Web, the proliferation of \nhandheld mobile and tablet Internet devices, virtualization \ntechnologies that together provide anytime, anywhere, any-\nmanner connection to data, applications, and people. 
Cloud \ncomputing represents the culmination of those waves, and as \nsuch, it promises to spur the most significant transformation \nwe have seen so far.\n    The Cloud will bring unprecedented opportunity to both \nusers and those engaged in the business of IT infrastructure, \nsolutions, and services. But what is at stake is significantly \nlarger than the tens of billions of dollars of revenue that \nanalysts are describing. I believe that cloud computing has the \npotential to reshape the landscape and shift wealth between \nnations. Trillions of dollars of economic wealth will be \nbalanced upon competitiveness in our 24-by-7 world. Cloud \ncomputing as a foundational element of IT can make companies, \nagencies, and organizations more nimble and competitive by \nboosting productivity and increasing the speed of business. \nMoving to the cloud faster will thus become a key consideration \nas organizations seek to become more competitive.\n    As requested, let me take a minute to address the essence \nof cloud computing. Cloud computing is defined as a model for \nenabling convenient, on-demand network access to a shared pool \nof configurable computing resource--for example, networks, \nservers, storage, applications, and services--that can be \nrapidly provisioned and released with minimal management \nefforts or service provider interaction.\n    Central to cloud computing are the concepts of on-demand, \nself-service to an elastic pool of flexible resources, and \nmeasured service. 
In contrast to a traditional IT environment \nwhere different teams of specialists independently manage \nservers, networks, or storage, in cloud computing these \ncomponents are preassembled into highly standardized and \nautomated converged infrastructure, and the users do not have \nto know or care about where any of the components of technology \nare.\n    As an analogy, computers used to connect together over \nproprietary local networks, and it was difficult and expensive \nfor different networks to talk to each other. Information was \ngenerally compartmentalized and generally only available to a \nfew users. IP, or the Internet Protocol, was created as a \nnetwork that could span great distances, and after a few years \nof solid but not remarkable growth, the entire market rapidly \nshifted and adopted IP because it evolved to solve both the \nproblem of distance and the problem of communicating with other \nnetworks. IP thus became the de facto standard and users no \nlonger needed to care or know about where the underlying \nnetwork was.\n    As a participant in the IP technology wave, I will note \nthat IP technology development was largely led by U.S. \ncompanies and has contributed to U.S. technological leadership, \njob growth, and productivity. Standardizing on IP simplified IT \noperations, reduced costs, and spurred advances.\n    Cloud computing also promises to add other forms. Most \nsocial networks today run on clouds with thousands of e-\ncommerce sites, but the misconceptions with the cloud start \nback with agencies, and I believe that continued leadership of \nthe United States will depend on cloud computing.\n    The Commission, comprised of 71 commissioners from leading \nU.S. companies and academia, delivered detailed recommendations \nto federal officials on how to best use the cloud and how the \nU.S. 
Government can capitalize on the advantages of cloud while \nspurring growth and enhancing productivity.\n    The Commission identified a set of barriers as well. I \nencourage you to look at the entire set, which is 14 \nrecommendations, which have been detailed. Each of the \nrecommendations shows how the Federal Government can look and \ncan help ranging from policy to the different ways that we are \ngoing to deploy economic modeling. And with that, I thank you.\n    [The prepared statement of Mr. Capellas follows:]\n\n   Prepared Statement of Mr. Michael D. Capellas, Chairman and CEO, \n                 Virtual Computing Environment Company\n    Good morning, Chairman Quayle, and Members of the Subcommittee. My \nname is Michael Capellas and I am Co-Chair of the TechAmerica \nFoundation's Commission on the Leadership Opportunity in U.S. \nDeployment of the Cloud. I am honored to be invited to testify on a \nsubject of critical national importance. Cloud computing has far \nranging economic implications of utmost relevance to U.S. jobs \ncreation, productivity and technology leadership.\n    As many on the Subcommittee have no doubt observed, cloud computing \nhas taken on many meanings and there is widespread confusion in the \nmarket about what cloud means, how to get it, what it's good for and \nwhat potential drawbacks to cloud might exist. But the cloud business \nopportunity is significant, with analysts projecting cloud revenues to \ntop $50B within three years.\n    Those that follow the technology industry know that cloud computing \nhas been around for many years. It is only recently that revenue \nprojections have sharply increased, so it is important to understand \nwhy many experts think cloud computing is poised to grow rapidly over \nthe next decade and why all the cloud hype exists in the marketplace.\n    The application of IT has been the single most important driver of \nU.S. productivity over the past two decades. 
My objective today is to \nconvey the Commission's findings around why the cloud is so important \nin terms of U.S. competitiveness, including jobs creation and \nproductivity.\n    But first I want to suggest that most of these predictions about \nstrong cloud market growth are wrong. I think they are wrong because \nthey understate cloud growth and they understate the impact cloud will \nhave in reshaping the IT landscape. Cloud will be like nothing we've \nseen before. Why is this important to the U.S. government? Information \nTechnology has been synonymous with economic prosperity since the \nmiddle of the last century. IT has experienced numerous waves of \nchanges since that time. Previous IT waves include the world wide web, \nthe proliferation of handheld mobile and tablet Internet devices, and \nvirtualization technologies that together can provide anytime, \nanywhere, any-manner connection to data, applications and people. Cloud \ncomputing represents the culmination of many waves, and as such it \npromises to spur the most significant transformation we've seen to \ndate.\n    Cloud computing will bring unprecedented opportunity to both users \nand those engaged in the business of IT infrastructure, solutions and \nservices. But what is at stake is significantly larger than the tens of \nbillions of dollars that analysts are describing. I believe cloud \ncomputing has the potential to both reshape the IT landscape and shift \nwealth between nations. Trillions of dollars of global economic wealth \nwill be based upon competitiveness in our 24x7 world. Cloud computing as \na foundational element to IT can make companies, agencies and \norganizations more nimble and competitive by boosting productivity and \nincreasing the speed of business. Moving to cloud faster will thus \nbecome a key consideration as organizations seek to become more \ncompetitive.\n    As requested, let me take a moment to address the essence of cloud \ncomputing. 
Cloud computing is defined as a model for enabling \nconvenient, on-demand network access to a shared pool of configurable \ncomputing resources (for example, networks, servers, storage, \napplications, and services) that can be rapidly provisioned and \nreleased with minimal management effort or service provider \ninteraction. Central to cloud computing are concepts of on-demand, \nself-service to an elastic pool of flexibly provisioned resources with \nmeasured service. In contrast to a traditional IT environment where \ndifferent teams of specialists independently manage servers, networking \nand storage, in cloud computing these components are pre-assembled in a \nhighly standardized and automated converged infrastructure, and the \nusers do not have to know or care about how the components are put \ntogether. As an analogy, computers used to connect together over \nproprietary local networks, and it was difficult and expensive for \ndifferent networks to talk to each other. Information was \ncompartmentalized and generally only available to a few users. IP--the \nInternet Protocol--was created as a network that could span great \ndistances, and after a few years of solid but not remarkable growth, \nthe entire market rapidly shifted to IP because it had evolved to solve \nboth the problem of distance and the problem of communicating with \nother networks. IP thus became the de facto standard and users no \nlonger needed to know or care about the underlying network. As a \nparticipant in the IP technology wave, I'll note that IP technology \ndevelopment was largely led by U.S. companies and has contributed to \nU.S. technology leadership, job growth and productivity. 
Standardizing \non IP simplified IT operations, reduced cost, and spurred advances like \nunified communications and high definition video over IP that we enjoy \nin our homes today.\n    Cloud computing also promises to simplify IT operations, reduce \ncosts, and increase the speed and effectiveness with which \norganizations can do business and accomplish missions. Most Americans \nalready use cloud computing in one form or another. Most social \nnetworking sites and thousands of e-commerce sites are ``running in the \ncloud.''\n    But misconceptions and concerns with cloud may impact success for \ncompanies and agencies, and I believe continued U.S. leadership in IT \nis dependent upon U.S. leadership in cloud computing. The CLOUD\\2\\ \ncommission, comprised of 71 commissioners from leading U.S. companies \nand academia, delivered detailed recommendations to federal officials \non how to best allow the U.S. government to capitalize on the \nadvantages of cloud, while spurring U.S. job growth and enhancing \noverall U.S. competitiveness in the world market. I was privileged to \nco-chair the Commission, working with industry leading experts from \nmany U.S. companies, meeting with key customers and government \nagencies, and leading meetings between the Commission and numerous U.S. \ngovernment officials. The Commission included some of the technology \nindustry's brightest minds, who put our nation's best interests above \nindividual company interests for the duration of our work effort, \ndisplaying focused and intense collaboration over a multi-month period \nresulting in a highly successful and influential outcome.\n    The Commission identified a set of common barriers spanning \ninstitutional inertia, restrictive policies, and technology concerns \nsuch as security and privacy that are currently inhibiting cloud \nawareness and adoption. 
Through comprehensive analysis and \ncollaboration, a set of fourteen actionable recommendations along with \na prescriptive Cloud Buyer's Guide was delivered to government IT \nofficials and the commercial market as a whole. The Commission \nrecognized the need to enable many paths to cloud computing, and \ndetermined that interim steps could be instrumental in accelerating \nmany customers' journey to cloud.\n    The first step in accelerating the adoption of the cloud and \ndriving U.S. leadership in cloud innovation is earning the trust of \ncurrent and potential cloud users. Trust in the cloud is a result of a \ncombination of factors that enable individuals and organizations \nconsuming cloud services to be confident that the services are meeting \ntheir computing needs. These needs include security, privacy, \nperformance and availability; the factors that contribute include \ntransparency of practices, accountability, resiliency and redundancy, \naccess and connectivity, supply chain provenance, life cycle integrity, \nand governance.\n    In response to industry concerns about cloud trust, the Commission \ncreated recommendations to develop and provide a standard approach to \nassessing and authorizing cloud computing services and products for use \nby Federal agencies. Specific recommendations are associated with \nrobust identity management, federal data breach laws, the promotion of \nprivacy frameworks, cloud service level transparency, transnational \ndata flows, and re-examining mechanisms for lawful access by law \nenforcement or government to data stored in the cloud via reform of the \nElectronic Communications Privacy Act. The Commission encouraged the \ngovernment to lead by example by increasing adoption of cloud computing \nand pursuing interim paths to cloud such as converged infrastructure \ndeployments and virtualized data centers. 
Finally, the Commission made \nrecommendations on policies mandating public disclosure of information \nabout relevant operational aspects of public cloud services, including \nportability, interoperability, security, certifications, performance \nand reliability.\n    Members of Congress are encouraged to absorb the entire set of \nrecommendations and act on them where possible. Excerpts from the \nCommission recommendations follow below, and the benefits of acting \nswiftly are clear. Cloud computing will enable companies (and \ngovernments) to move faster and be more responsive and flexible. \nCompanies will be able to try several prototypes at once, test their \nlimits, and then build and deploy new, better prototypes--all within a \nfew weeks. This may be the most important benefit of the cloud--it \nenables companies of all sizes and in all sectors, as well as \ngovernments, non-profits, and individuals, to more quickly build new \napplications and services by reducing the cost and complexity of \ndeploying and managing IT resources. Most companies and organizations \nspend the vast majority of their IT budget just maintaining their \ncurrent infrastructures and the applications that run on them. The \ncloud will enable them to devote more resources and talent to creating \nnew products and services and improving productivity. This \ndemocratization of innovation is a huge opportunity for people, \norganizations, and countries around the world. To maintain its \ncompetitive position, the United States must focus on quickly and \neffectively harnessing the full power of cloud computing, leading in \nboth the deployment of cloud and the development of new cloud services. \nThis will help American companies generate high-paying jobs and compete \nin the global marketplace.\n    Recommendation 1 (Trust in the Cloud): In recent months, senior \nU.S. 
officials have described threats such as cyber crime and state-\nsponsored industrial espionage as outpacing many enterprise defenses. \nIn this evolving cyber threat environment, the commission believes that \ncloud security services and solutions, if done correctly, may provide \nimproved security relative to non-cloud environments.\n    In order to implement applicable best practices and standards \naround security and information assurance, the Commission supports the \nefforts underway on programs such as the Federal Risk and Authorization \nManagement Program (FedRAMP) and NIST Security Content Automation \nProtocol (SCAP). FedRAMP is a voluntary, General Services \nAdministration (GSA) led initiative to develop and provide a standard \napproach to assessing and authorizing cloud computing services and \nproducts for use by Federal agencies. The Commission believes that a \nwell-defined FedRAMP framework will help accelerate the adoption of \ncloud in the Federal government. The NIST SCAP is a standard that \nenables the automation of reporting and verifying IT security control \nparameters. SCAP provides a ready method to capture, test and \ncontinuously monitor the controls and integrity settings required to \nachieve the respective standard and/or compliance requirements. \nSecurity metrics efforts should build upon industry and academia \ninitiatives already chartered to address standard cloud performance \nmeasurement frameworks. As the cloud is deployed by federal agencies \nand businesses in multiple sectors, cloud-related security issues will \nbecome an important element of the overall security discussion for \nthose communities. 
The Commission therefore recommends that cloud \nexpertise be integrated into existing information-sharing structures, \nsuch as the Information Sharing and Analysis Centers (ISACs) and the \nSector Coordinating Councils.\n    Recommendation 2 (Identity Management): Industry and government \nshould accelerate the development of a private sector-led identity \nmanagement ecosystem as envisioned by the National Strategy for Trusted \nIdentities in Cyberspace (NSTIC) to facilitate the adoption of strong \nauthentication technologies and enable users to gain secure access to \ncloud services and websites. Mechanisms to provide identity, \nauthentication, and attribution in cyberspace are essential to \naccelerating adoption of cloud computing services and improving trust \nin the cloud. (For example, identity management facilitates access \nverification, billing, law enforcement access, and other features and \ncapabilities.) Two characteristics of a robust identity management \necosystem are (1) enabling higher level transactions to occur \nelectronically and (2) enabling credentials to be utilized across \nmultiple services and websites. In addition to supporting the \ndevelopment of a private sector-led identity management ecosystem, the \ncommission also suggests specific steps that the federal government \ncould take as a user of cloud services that would contribute to \nadvancing robust identity management: Deploy, as appropriate, multi-\nfactor authentication for federal cloud applications as used by federal \npersonnel and government contractors doing government contract work. \nAnd accelerate the adoption of strong authentication, including multi-\nfactor authentication and one time passwords, to enable mobile access \nto secure federal cloud services and websites.\n    Recommendation 3: The Commission recommends a national data breach \nlaw to streamline notifications and make it simple for customers to \nunderstand their rights with regard to notification. 
Such a law should \ninclude preemption of state laws to provide for harmonization. In \naddition, the law should take into account the various types of \nentities that are involved in processing the covered data (cloud service \nproviders, industry, government, nonprofit organizations, academic \norganizations, etc.), and specifically provide that notice should be \ngiven by the entity that has a direct relationship with the parties \nwhose information was subject to the breach. Finally, the law should \nhave notification requirements based on risk of harm. Note that the \nmotivation for such legislation is not limited to cloud computing, but \nadoption of cloud computing would benefit from this action. \nSpecifically, by clarifying responsibilities and commitments around \nnotification, the law will enable cloud providers to prepare to take \nexpected steps in case of a breach and enable customers to trust the \nproviders to do so. As a complement to the above recommendations, the \nU.S. government should update and strengthen criminal laws against \nthose who attack our cyber infrastructure, including cloud computing \nservices. In addition to clarifying cyber criminal offenses and \ndefining penalties, the Federal government must commit adequate \nresources and personnel to investigating and tracking down cyber \ncriminals. As much of cyber crime is transnational, the federal \ngovernment should promote further international cooperation around \ncross-border prosecutions and identifying countries affording safe \nhavens to such criminals.\n    Recommendation 4 (Research): Government, industry, and academia \nshould develop and execute a joint cloud computing research agenda. The \nCommission recommends that government, industry, and academia take \nresponsibility for developing and carrying out a research agenda that \nwill promote U.S. leadership in the cloud by enabling innovation that \nbenefits customers and service providers. 
Relevant cloud-oriented \nresearch areas include, but are not limited to, usability, privacy, \navailability, integrity, confidentiality, security, cryptography, \nidentity management, energy efficiency, resource allocation, \nportability, and dependability. Government research agencies, like the \nNational Science Foundation (NSF) and the Defense Advanced Research \nProjects Agency (DARPA), should fund universities and other \norganizations to conduct long range research activities, including \nthose that build educational and research capacity and high risk, high-\nreward projects. Cooperative cloud test beds will also be a critical \nelement in advancing the overall evolution of cloud technologies.\n    Recommendation 5 (Privacy): The U.S. government and industry should \npromote a comprehensive, technology-neutral privacy framework, \nconsistent with commonly accepted privacy and data protection \nprinciples-based frameworks such as the OECD principles and/or APEC \nprivacy frameworks. The Commission recommends that the U.S. build upon \nthe work of existing, accepted privacy and data protection principles-\nbased frameworks such as the Organization for Economic Cooperation and \nDevelopment (OECD) and/or Asia-Pacific Economic Cooperation (APEC) to \ndevelop and promote a comprehensive, technology-neutral privacy \nframework. The existing U.S. laws are sector specific and state \nspecific, and this approach is different than those in other regions \n(e.g., Europe). In some quarters, there is a concern that this may \nimpede the transnational flow of data with other countries, especially \nthose in Europe. These actions would help provide the certainty and \nflexibility required for continued cloud innovation and would be a step \ntoward fostering a global market for cloud services. Industry should \nembrace such frameworks and utilize them to the fullest extent \npracticable.\n    Recommendation 6 (Government/Law Enforcement Access to Data): The \nU.S. 
government should demonstrate leadership in identifying and \nimplementing mechanisms for lawful access by law enforcement or \ngovernment to data stored in the cloud. The Commission recommends that \nthe U.S. modernize legislation governing law enforcement access to \ndigital information in light of advances in IT in general and the cloud \nin particular. Reform of the Electronic Communications Privacy Act \n(ECPA) is critical to clarifying the legal conditions under which U.S. \ncloud providers and their customers will operate, as technology changes \nhave overtaken many aspects of ECPA as originally written. Various \ngroups such as the Digital Due Process Coalition have proposed making \ngovernment access to data stored in the cloud consistent with \ngovernment access to data stored in in-house IT systems. The U.S. \nDepartment of Commerce should conduct a study to assess the impact of \nthe USA PATRIOT Act and similar national security laws in other \ncountries on a company's ability to deploy cloud in a global \nmarketplace. This action may provide insights into how best to address \nthe uncertainty and confusion caused by national security statutes \n(e.g., PATRIOT Act) and similar laws of other nations that are \nperceived as impediments to a global market place for cloud services.\n    Recommendation 7: Critical to improving trust in the cloud and \naccelerating adoption is the need for best practices in collecting \nforensic data and information in ways that do not result in \nsignificant, adverse impacts on individuals and/or organizations using \nthe cloud-based information. To address this, the Commission recommends \nthat the Federal CIO work with applicable agencies such as the U.S. \nDepartment of Justice and other relevant organizations to establish \nbest practices specifically addressing acceptable methods for \ncollecting forensic evidence from organizations using cloud-based \ninformation systems. 
In addition, cloud providers should assist their \ncustomers (e.g., individuals, commercial entities, government) with \ntechnologies to facilitate ediscovery and information retrieval \nrequirements, whether in support of regulatory compliance or litigation \nactivities.\n    Recommendation 8 (Lead by Example): The U.S. government should \ndemonstrate its willingness to trust cloud computing environments in \nother countries for appropriate government workloads. This \nrecommendation highlights the role of the U.S. government both as a \ncustomer of cloud services and as a leader in enabling trustworthy use \nof the cloud. Government agencies, in evaluating potential models for \nusing the cloud, should not assume or default to the notion that no \ngovernment workload and/or task is suitable for cloud computing \nenvironments in other countries. Instead, they should carefully \nconsider the types of data and tasks within their information and \ncommunications technology portfolios to match suitable workloads to the \ncloud computing models that achieve the required level of \nconfidentiality, integrity, and availability at the appropriate levels \nof efficiency, cost, and redundancy.\n    Recommendation 9 (Transparency): Industry should publicly disclose \ninformation about relevant operational aspects of their cloud services, \nincluding portability, interoperability, security, certifications, \nperformance and reliability. Industry and government should support \ndevelopment of metrics designed to meet the needs of different user \ngroups. These metrics should be developed in an open and transparent \nenvironment, taking into account the global nature of cloud use. The \nCommission recognizes the need for information and tools that provide \nusers with meaningful ways to evaluate the characteristics and \nperformance of various cloud implementations, whether they are \ncontemplating deployment or evaluating performance of their current \nservices. 
Development of metrics around key cloud attributes should be \ndriven by user needs and provider capabilities. The government and \ncommercial sector should collaborate on lessons learned, and each \nshould be careful to avoid dominating the development of these metrics. \nDifferent government and business sectors will likely demand different \nmeasures and tools.\n    Recommendation 10 (Data Portability): Cloud providers should enable \nportability of user data through documents, tools, and support for \nagreed-upon industry standards and best practices. One benefit of the \ncloud is its ability to store and process large quantities of data. For \ncustomers making the transition to cloud, this often raises questions \nabout how they access or move that data, especially in cases where they \nare switching between cloud providers. Data portability can be achieved \nin a variety of ways, and cloud providers should be transparent about \ntheir conformance with industry standards and best practices as well as \nthe documents, tools, and relevant third-party solutions they make \navailable to their customers. Customers should recognize that early \nconsideration of data portability in selecting and implementing cloud \nservices can reduce the risk of vendor lock-in. A collection of data \nportability standards, formats, and practices is vital to encouraging \nwidespread cloud adoption. Government and industry should collaborate \non facilitating the rapid development and dissemination of these \nstandards and other relevant tools. The collaboration between NIST and \nthe private sector in preparing the NIST standards roadmap under the \nFederal Cloud Computing Strategy is an excellent example of these types \nof efforts.\n    Recommendation 11 (Federal Acquisition and Budgeting): Agencies \nshould demonstrate flexibility in adapting procurement models to \nacquire cloud services and solutions. 
Congress and OMB should \ndemonstrate flexibility in changing budget models to help agencies \nacquire cloud services and solutions. In interviews with senior \ngovernment officials, the Commission found that the current Federal \nAcquisition Regulation (FAR) does not need alteration for agencies to \nacquire cloud services. The FAR is already flexible enough to allow \nagencies to acquire IT as a service. However, agencies should \ndemonstrate flexibility in adapting current procurement models and \nexisting contracts to take advantage of new cloud offerings. One of the \nbiggest challenges agencies may face in budgeting is predicting the \ncosts of cloud computing over the course of a fiscal year. Cloud \ncomputing is designed to scale quickly to a customer's needs, providing \nmaximum flexibility to the user. If the cloud service is based on a \npredictable subscription model (such as a standard monthly fee per \nuser), these budget projections can be easily accommodated. If the \ncloud service is based on pay-as-you-go usage, however, it can be \ndifficult to predict costs unless the user can precisely forecast \nfuture computing needs. To address this challenge, the Commission \nrecommends that the current efforts to update and streamline the OMB \n300 exhibit form and associated budget scoring include tools that \nfacilitate and encourage the new business models associated with cloud. \nOMB and Congress should communicate to agencies that it recognizes \nbudgeting for cloud is not like budgeting for traditional IT services \nand should assure agencies it will provide support and flexibility \nduring and after the transition to the cloud. To help agencies acquire \ncloud services, the Commission also recommends Congress and OMB \ndemonstrate flexibility in changing budget models. 
Government must find \nways to provide more flexibility for agencies to reduce and transition \nfunds in the capital expenditure accounts to the operations and \nmaintenance expenditure accounts as part of implementing innovative \ncloud solutions and achieving savings. In making decisions about \nbudgeting and acquisition, federal agencies, through the CIO Council, \nwould benefit from sharing best practices, tools for objective analysis \nof cloud performance, and ways to predict and document different \ncontributors to the budgetary impact of switching to the cloud.\n    Recommendation 12 (Incentives): Government should establish \npolicies and processes for providing fiscal incentives, rewards and \nsupport for agencies as they take steps towards implementing cloud \ndeployments. Adopting a new technology can be difficult, and the \ntransition of agencies to the cloud will require investment of time, \nresources, and political will by the federal government. In recognition \nof this, the Commission recommends that OMB establish incentives and \nprovide support for agencies beginning cloud adoption.\n    One possible incentive is to allow agencies to retain and redirect \na portion of the overall budget savings realized from cloud adoption. \nAnother approach is to provide seed money to agencies that help with \nthe initial investments required in moving to the cloud.\n    Recommendation 13 (Improve Infrastructure): Government and industry \nshould embrace the modernization of broadband infrastructure and the \ncurrent move to IPv6 to improve the bandwidth and reliable connectivity \nnecessary for the growth of cloud services. The Commission recommends \nthat the federal government and industry continue to expand deployment \nof high bandwidth networking, enhance network resilience, and advance \nIPv6 adoption to ensure ample broadband connections. 
Efforts such as \nthose advocated in the Federal Communications Commission's National \nBroadband Plan, including making additional spectrum available and \nexpanding opportunities for opportunistic and unlicensed spectrum use, \nare necessary to allow cloud computing to function effectively and for \nbusinesses and citizens to realize the benefits of innovative new cloud \ntechnologies. With rapidly rising demands for connectivity, the last \nbatch of IPv4 addresses, assigned earlier this year, is unlikely to \nmeet demand beyond the end of 2011. Since cloud computing depends on \nthe connection of many individuals, devices, and locations, a quick \ntransition to IPv6 is vital to ensuring the successful adoption and \noperation of cloud computing in the future.\n    Recommendation 14 (Education/Training): Government, industry, and \nacademia should develop and disseminate resources for major stakeholder \ncommunities to be educated on the technical, business, and policy \nissues around acquisition, deployment and operation of cloud services. \nThe Commission commends GSA's outreach efforts to federal agencies to \nprovide materials, expertise, and support around investigating, \nprocuring, and deploying cloud solutions. GSA could build on this work \nby creating a cloud educational portal to help agency buyers, \narchitects, administrators, and end users in understanding all aspects \nof cloud computing. Government, using existing programs in technology \neducation and workforce training,\\4\\ can facilitate and encourage \nacademic institutions and educational organizations to develop and \noffer courses relevant to cloud, in partnership with industry.\n    In a time when the government is seeking to do more with less and \nthe commercial sector is being called upon to create jobs and grow the \neconomy, now is the time to act on the cloud. Cloud computing has \nushered in vast improvements in the cost, agility and efficiency of \ncomputing. 
These benefits alone drive a strong business case; however, \nthe more compelling return is the opportunity to leap forward; to \ndiscover new markets and improve how we interact with, serve, and \nsupport U.S. citizens, users and other nations. The cloud holds the \npotential to unlock widespread entrepreneurism of all shapes and sizes, \nand expand the scope to do entirely new things--innovations such as \nsocial networking, which we could not fully imagine just a decade ago, \nwould not exist without IT's continued evolution to the cloud.\n    It is the hope of the Commission that the federal government, \nindustry and academia will implement these recommendations and be \nleaders in shaping how the future unfolds through the adoption of the \ncloud across the United States and around the world. Furthermore, these \nrecommendations should demonstrate that cloud computing is not a new \ntechnology that needs further validation or analysis before it can be \nsafely adopted; it is a natural evolution in computing. Those who \nrecognize this and take early advantage of the benefits it offers will, \nin the coming decades, be the leaders not only in IT but in driving the \ncloud's evolution, and therefore, in driving business and mission \nresults.\n\n    Chairman Quayle. Thank you, Mr. Capellas.\n    I now recognize Dr. Dan Reed to present his testimony.\n\n      STATEMENT OF DR. DAN REED, CORPORATE VICE PRESIDENT,\n\n        TECHNOLOGY POLICY GROUP, MICROSOFT CORPORATION;\n\n                  VICE CHAIRMAN, ``CLOUD\\2\\''\n\n    Dr. Reed. Thank you, Mr. Chairman, Ranking Member Lujan, \nand Members of the Committee. My name is Dan Reed and I am the \nCorporate Vice President of Microsoft's Technology Policy \nGroup. And thank you for the opportunity to testify regarding \nthe cloud today.\n    Today's smartphone was yesterday's supercomputer and \nyesterday's national archive is today's child's digital music \ncollection. 
By combining the cloud with rich devices and \nsensors, the possibilities ahead are even more exciting--\nanticipatory personalized computing, remote healthcare \nmonitoring and early response, smart grids and more energy \nefficient homes, intelligent transportation systems and reduced \ncommuting times, and a new era of scientific discovery and \ninnovation.\n    As a technologist for almost 30 years working in academia \nand industry, my testimony concerns how the cloud can help \nrealize this future--accelerating scientific discovery for \nresearch, creating operational efficiencies, and enabling \ninnovation by businesses and governments. I will touch on four \nareas in my remarks emphasizing how the Federal Government can \nfacilitate these benefits.\n    I will begin with the cloud and science. Two major shifts \nare underway. First, researchers are deluged by observational \nscientific data of unprecedented richness and scale. Second, \nand related, many of our most pressing technical and societal \nquestions increasingly lie at the intersection of traditional \ndisciplines. Both shifts challenge our historical approaches to \ninvestment and discovery via computing. The cloud and \nassociated tools can let scientists be scientists rather than \nbeing distracted by IT, as they often are now.\n    I believe the Federal Government can accelerate this \ntransition by encouraging the purchase of cloud services as a \ncomplement to and rather than just supporting the acquisition \nof local IT infrastructure, and equally importantly, by \nsupporting new tools that facilitate distributed collaboration \nand simplify access to multidisciplinary scientific and \nengineering data. Microsoft is acting on this belief working in \npartnership with the National Science Foundation.\n    My second point concerns the cloud's impact on business and \ngovernment. 
Cloud computing, as it was just noted, allows \nelastic scaling to meet varying demand both in capability and \nin management. Via the cloud, companies can be nimble and they \ncan make forward bets quickly and without large capital or IT \ncosts. This enables smaller companies to compete globally and \nit enables larger companies to explore new products and markets \nrapidly. Government, too, can benefit from cloud efficiencies \nto lower costs and deliver services in new ways. Clouds can \nalso allow data from local, state, and federal agencies, as \nwell as the private sector, to be combined and used in ways \npreviously difficult if not impossible.\n    Thus, the Federal Government should move expeditiously to \nadopt cloud capabilities beginning with those services and data \nthat directly match industry experiences and best practices, \nand it should revise policies and regulations accordingly to \naccelerate cloud deployment.\n    Third, let us consider the infrastructure needed for \nclouds. Cloud services depend on broadband communication. It is \nthe oxygen via which they breathe. In turn, digital access to \ninformation and services is an enabler of economic \ncompetitiveness--of education, of government efficiency, and of \nservice delivery. We must continue to design and deploy new \nbackbone networks that support higher data rates, develop new \nprotocols for the next generation of wireless networks, and \ndefine the standards that will shape the future of the globe-\nencircling cloud with access for all of us.\n    Fourth and finally, let me come back to research and \neducation. As this Committee well appreciates and it has helped \nenable, today's cloud technology is derived from basic \ncomputing research conducted over the past four decades. To \nensure that the United States remains at the forefront in cloud \ncomputing--and make no mistake, it is--ongoing investment and \nbasic research remains crucial. 
There are deep and open abiding \nquestions in the endless frontier of research in areas as \ndiverse as privacy and security, chip design, energy \nefficiency, data management, networks and reliability, user \ninterfaces, and accessibility. Equally importantly, this \ninvestment must be complemented by improvements in computing \neducation at all levels.\n    In summary, the cloud is a foundation of the 21st Century \ndigital economy. It can provide access to the world's knowledge \nbase to individuals and empower entrepreneurs and companies \nlarge and small to sell their products globally, enable \nscientists and engineers to discover and innovate, and deliver \ngovernment services quickly and efficiently.\n    Thank you.\n    [The prepared statement of Mr. Reed follows:]\n\n     Prepared Statement of Dr. Dan Reed, Corporate Vice President, \n    Technology Policy Group, Microsoft Corporation; Vice Chairman, \n                              ``CLOUD\\2\\''\n    Chairman, Ranking Member, and Members of the Subcommittee, my name \nis Dan Reed, and I am the Corporate Vice President of Microsoft's \nTechnology Policy Group. Thank you for the opportunity to share \nperspectives on the opportunities and challenges surrounding cloud \ncomputing. I appreciate the time and attention that the Committee is \nspending on this topic, and I commend you for advancing the dialogue on \ninformation technology and cloud computing to drive innovation.\n    My testimony begins by describing the advent of the cloud and its \nimportance, as a major technology inflection point with far-reaching \neffects and significant economic and competitive benefits for the U.S. \nIt summarizes some of the key technologies behind clouds, notably \nmassive data centers and infrastructure, wired and wireless networking, \nand the never-before-seen scale and access to information facilitated \nby these technologies. 
It then outlines the major opportunities clouds \ncan enable to (1) accelerate scientific discovery for research; (2) \ncreate efficiencies and innovation for businesses and governments; and \n(3) enrich and empower the experiences of individual citizens. Finally, \nit concludes by providing a set of recommendations and next steps for \nthe Federal government and others to allow the U.S. to benefit fully \nfrom the potential of clouds and to maintain its global leadership.\n\nI. The Advent of the Cloud and its Importance\n\n    There has been extensive coverage of clouds in the popular media, \nand, as with all new technologies, considerable excitement about the \nbenefits, as well as potential confusion. As a technologist and \ncomputing researcher for nearly 30 years, working in both academia and \nindustry, I would like to separate the technical realities from the \npublicity.\n    Reviewing the history of modern digital computing reveals a \nprevailing theme--the fundamental questions do not change, but the \ntechnological answers change repeatedly, for the costs, capacities and \nspeeds of the component technologies shift by many orders of magnitude. \nToday's smartphone was yesterday's supercomputer, and yesterday's \nnational archive is now a child's digital music collection.\n    Since the late 1940s, we have experienced a series of computing \nrevolutions, from the mainframe to the minicomputer, from the \nminicomputer to the workstation and then the PC and a variety of mobile \nand embedded devices. Each of these technological revolutions further \ndemocratized access to computing and extended its benefits. Today, I \nbelieve we are in the midst of another such revolution, enabled by \ninexpensive client devices and powerful cloud computing services.\n    Cloud services are not a sudden, new development. 
Each time we \nshare digital photos, shop online, use an email service, download and \nuse applications, or query a search engine, we are using the cloud. \nEvery day, the combination of wired and wireless broadband networks, \nPCs and smartphones, and online services hosted in remote data centers \nconnect individuals, deliver valuable data and insights, and drive \nbusiness efficiency and innovation.\n    Although the cloud has already reshaped our lives, a converging set \nof technology trends in infrastructure, devices and communications will \ndrive a new generation of experiences that will benefit society in ways \nwe cannot yet imagine.\n    First, there is the increasingly expansive and efficient \ninfrastructure that supports clouds. Today's cloud data centers are the \nlargest computing capabilities ever built, a consolidation of computing \nat a truly massive scale--ten or more times the size of a football \nfield for a single cloud data center. To put that fact in perspective, \none cloud data center today contains more computers than the entire \nInternet did just a small number of years ago, and it contains as much \ndigital data as would equal a substantial fraction of the text holdings \nof the Library of Congress.\n    Each of the major cloud operators, Microsoft and its competitors, \nis building a worldwide network of those data centers to support a new \ngeneration of cloud services. In doing so, they are changing the way \nthe computing industry designs and builds systems, and they are drawing \non the best practices and insights of operating infrastructure at large \nscale to make those clouds reliable 24/7, to make them secure, and to \nmake them energy efficient.\n    The second trend is the explosive growth and availability of \npowerful consumer devices. 
While many think that the power of the cloud \nis predominantly about the massive computing and storage capabilities \nin data centers, the truly transformative effect comes from the \nintersection and interaction of the cloud with increasingly powerful \ndevices.\n    With powerful sensors, wireless communications, and new natural \nuser interfaces, coupled with the power of the cloud, new kinds of \nexperiences emerge--for governments, for businesses and for consumers. \nRemote health care monitoring and early response, smart grids and more \nenergy efficient homes, intelligent transportation systems and reduced \ncommuting times, and a host of other possibilities are now realizable.\n    Finally, our continued investments in more powerful networking are \ncoming to fruition. Cloud services rest on the foundational investment \nthe U.S. has made in broadband networking, both wired and wireless, \nbecause communication networks are the oxygen that lets cloud services \nbreathe. Reliable, high bandwidth, inexpensive and ubiquitous \ncommunications connect us in a true global village, albeit one on which \ndemands and expectations continue to rise.\n\nII. The Opportunities Presented by Clouds\n\n    Cloud services and data management bring several exciting \nopportunities for greater efficiency, innovation and discovery in \ndomains as diverse as scientific research, business and U.S. \ncompetitiveness, and citizen empowerment.\n    Accelerating Scientific Discovery for Research. Throughout the \nhistory of science, data has been scarce and precious. Indeed, the \nmodern scientific method is defined by a careful cycle of hypothesis \nand experiment, which gathers experimental data to test the hypothesis. 
\nToday, the same technological economics that have given us inexpensive \ncomputing, digital cameras and ubiquitous data-generating sensors, \nallow scientists to capture data at rates and volumes heretofore \nunimaginable.\n    In almost all domains, scientists and engineers are now drowning in \na sea of data. In a few short years, they have gone from scarcity to an \nincredible richness, necessitating a significant change in how they \nmanage and extract insight from all this data. In astronomy, the Sloan \nDigital Sky Survey in January 2011 released ``the largest digital color \nimage of the sky ever made. . . . This terapixel image is so big and \ndetailed that one would need 500,000 high-definition TVs to view it at \nits full resolution.'' \\1\\ In neuroscience, the researchers working on \nmapping the connections among the neurons in the brain are finding that \nthe images necessary to make that map for a cube of mouse brain a \nmillimeter on a side require roughly one petabyte of storage; this \nimplies that similar maps of the human brain would require millions of \npetabytes. \\2\\\n---------------------------------------------------------------------------\n    \\1\\ See Sloan Digital Sky Survey Press Release of January 11, 2011 \nat http://www.sdss3.org/press/20110111.largestimage.php.\n    \\2\\ See New York Times article of Dec. 27, 2010 on the Human \nConnectome Project at http://www.nytimes.com/2010/12/28/science/\n28brain.html.\n---------------------------------------------------------------------------\n    In a parallel shift, many of our scientific, engineering and \nsocietal questions increasingly lie at the intersections of traditional \ndisciplines. Consider, for example, the recent oil spill in the Gulf of \nMexico. Understanding the complexities of oil distribution in water is \na problem related to computational fluid dynamics, but understanding \nthe impact of that oil on the marine ecosystem is a biological problem. 
\nIn both cases, observational data are essential. To fully understand \nthe issue, researchers from multiple disciplines--from different \ncultures, using different research tools-must unite to build models and \nanalyze data from diverse sources.\n    Increasing data volumes and the complexity of collaboration on \ninterdisciplinary problems are challenging our historical approaches to \ndiscovery and innovation via computing. Researchers and research \ninstitutions are ill-prepared for the large-scale computing \ninfrastructure management challenges posed by large data sets and \ncomplex models. The cloud and associated applications and tools offer a \npossible solution to this challenge by letting scientists be \nscientists.\n\nComputing Infrastructure.\n\n    Today researchers, graduate students, and research support staff \noften spend inordinate amounts of time maintaining the computing \nsystems needed to conduct research rather than devoting their time and \ntalents to the research itself. The cost to maintain and refresh this \ncomputing infrastructure is becoming a larger and larger burden, and \nthe economics are unsustainable, particularly at a time when our \nresearch universities are under financial stress. As a result, much of \nour research funding has focused (because of the power of computing for \nscientific discovery) on equipment replacement and repeated \ninfrastructure deployments on research campuses and in laboratories. \nYet at even the best funded research organizations, the majority of \nresearchers do not have access to the computing resources they need.\n    Cloud computing can provide software applications, computing and \ndata analytics, with remote access via familiar tools on PCs and \nsmartphones. Because the cloud is professionally managed and regularly \nupgraded, delivering computational resources on demand, one can ``pay \nas you go,'' using large-scale computational capacity and data \nanalytics only when needed. 
The cost to use 10,000 processors for an \nhour is the same as using ten processors for 1,000 hours, but will \ndeliver results much faster to the researcher. Organizations can buy \njust-in-time services to process and exploit data, rather spending \nscare resources on infrastructure.\n\nEnabling Computing Tools and Applications for Research.\n\n    Much of our historical investment in high-performance computing \n(HPC) has brought the benefits of advanced computing to only a subset \nof the research community. Although powerful, and offering breakthrough \ncapabilities for scientific and engineering discovery, these systems \nare often difficult to use, with steep learning curves and software \ntools that are unfamiliar to many. The key lesson of the consumer \ncomputing world is the importance of the ``killer app'' that opens \ncomputing to a new community by solving an important problem or \ncreating a new capability. Thus, for scientists to realize fully the \nacceleration enabled by the power of the cloud, they also need a full \ncomplement of powerful, yet easy to use tools that are accessible via \nfamiliar PC and smartphone interfaces.\n    To accelerate access to cloud computing for research discovery, \ndata analysis and multidisciplinary collaboration, Microsoft has formed \na deep partnership with the National Science Foundation (NSF) to \nprovide researchers with scalable cloud tools and services, accessible \nvia client PCs. Thirteen research teams from across the country, whose \nproposals were selected via the NSF peer review process, have been \nawarded funding through the program and are being given access to \nWindows Azure \\3\\ for a two-year period. 
In addition, a Microsoft \nsupport group, composed of software developers and researchers, is \nworking directly with the teams to help them quickly integrate cloud \ntechnology and equip them with a set of common tools, applications and \ndata collections that can be shared with the broad academic community.\n---------------------------------------------------------------------------\n    \\3\\ Windows Azure is Microsoft's cloud computing platform that \nprovides on-demand computing and storage to host, scale and manage \napplications and data through Microsoft data centers.\n---------------------------------------------------------------------------\n    The NSF awardees cover a diverse set of topics, but two examples, \nas described in the NSF announcement of the awards, illustrate the \nopportunities made possible via the NSF-Microsoft partnership \\4\\:\n---------------------------------------------------------------------------\n    \\4\\ See NSF Press Release of April 20, 2011 at http://www.nsf.gov/\nnews/news--summ.jsp?cntn--id=119248.\n---------------------------------------------------------------------------\n\n<bullet>  University of South Carolina (Jonathan Goodall) and the \nUniversity of Virginia (Marty A. Humphrey)- Managing Large Watershed \nSystems. Understanding hydrologic systems at the scale of large \nwatersheds is critically important to society when faced with extreme \nevents, such as floods and droughts, or with concern about water \nquality. Climate change and increasing population are further \ncomplicating watershed-scale prediction by placing additional stress \nand uncertainty on future hydrologic system conditions. This project \nadvances hydrologic science and water resource management by creating \nand using a cloud-enabled hydrologic model and data processing \nworkflows to examine the Savannah River Basin in the Southeastern \nUnited States. 
This will provide the detail and scale necessary to \naddress fundamental research questions related to quantifying impacts \nof climate change on water resources.\n\n<bullet>  Virginia Tech (Wuchun Feng)- Conducting Intensive \nBiocomputing. With DNA sequencers in the life sciences able to generate \na terabyte--or one trillion bytes--of data a minute, the size of DNA \nsequence databases will increase 10-fold every 18 months . . . This \nresearch team aims to create a new generation of efficient data \nmanagement and analysis software for large-scale, data-intensive \nscientific applications in the cloud. They will leverage recent \nexperience in delivering reliable computing over volatile cloud \nresources to further enhance the robustness of data management and \nanalysis software. They will strive to eliminate the need to assume \n``no hardware failures'' or ``very infrequent failures'' as is the case \nwith traditional HPC data-management techniques.\n\n    Working in collaboration with the NSF teams, Microsoft has \ncontinued to develop client tools to leverage the power of the cloud \nand empower the research community. One example is an addition to \nMicrosoft's Excel spreadsheet software, called Excel Datascope. \nDirectly from Excel, a user can share data with collaborators around \nthe world, discover and download related data sets, or sample from \nextremely large data sets in the cloud. It also provides new data \nanalytics and machine learning algorithms, the execution of which \ntransparently takes place on Windows Azure.\n\nDriving Efficiencies, Innovation and Agility for Businesses and \nGovernments.\n\n    The business questions are the same for any young entrepreneur or \nseasoned CEO. \\5\\ How do I differentiate myself from my competition? \nHow do I best deploy my resources and maximize the return on my \ninvestment? How can I be nimble? 
How can I survive and flourish? To \nanswer these questions, a leader must understand and use the disruptive \neconomic and technological forces of his or her time.\n---------------------------------------------------------------------------\n    \\5\\ The business-related topics in this section were also discussed \nin a supplemental advertorial by Dr. Daniel A. Reed in the June 2011 \nissue of Harvard Business Review.\n---------------------------------------------------------------------------\n    The cloud offers small and large companies alike new opportunities \nto focus on core capabilities, compete in new ways in new markets, \nreduce capital costs, and increase efficiencies.\n    Before the cloud, a small company could only create an Internet \npresence or harness IT capabilities by buying and building IT \ninfrastructure and hiring IT support staff, a daunting and financially \nchallenging prospect for many. Large companies who used IT to support \ntheir businesses in new or increased ways faced the same challenges. \nThe best and worst experience that could happen to a company was that \nits latest ``widget'' would be suddenly popularized in the media, and a \ndeluge of queries or orders would appear in a short time frame, \noverwhelming its IT infrastructure.\n    Cloud computing allows elastic scaling to meet varying demand, not \nonly in the capability but also in the management of that \ninfrastructure. With cloud computing, companies of all sizes can be \nnimble and make forward bets--quickly and without large capital costs. 
\nThis enables those smaller companies to compete globally with companies \nof all sizes, fostering an environment of innovation and growth, and \nenables larger companies to scale and handle burst demand, as well as \nexperiment with new products, approaches, or business models.\n    Moreover, by reducing infrastructure cost and IT staff \nrequirements, the cloud also lets companies focus on their core \ncompetencies, delivering their unique products and services to their \ncustomers. The lesson of business over time has been that success \naccrues to those companies who focus on their differentiated \ncompetencies, and partner with the other companies who specialize in \nancillary or support services. The core competency of healthcare \nproviders, manufacturers, retailers and others is not the management of \nIT infrastructure.\n    Further, the cloud offers unique opportunities to support global, \nmulti-party and neutral collaborations--allowing a diverse set of \nscattered experts to bring their expertise to bear on a joint activity. \nNo matter how large a business is, there is both a collaborative as \nwell as a competitive environment with other companies or entities. The \nability to share and extract insights from information by virtue of \npartnerships with multiple parties is a powerful concept. This is \nparticularly important in this time of converging industry sectors--\nsmart vehicles are bringing auto manufacturers, energy utilities, and \nentertainment companies together. Collaboration among these diverse \nparties raises a host of issues--extracting the relevant data, \ncorrelating concepts, bridging cultural and technological divides, and \nalleviating competitive concerns. 
The cloud allows all these parties to \naccess the data in neutral ways, using shared or separate tools, and to \ncollaborate using many different models for responsibility, data \nownership, and service delivery.\n    Just as it does for businesses, the cloud can enable local \ngovernments and federal agencies to focus on their core competencies \nrather than IT and to act nimbly. Rarely is IT a government service \nitself; it is an enabler that allows government to conduct essential \noperations and deliver services. Government can take advantage of the \nefficiencies of the cloud to lower operating costs for government \nservices, to deliver new services in more nimble and adaptive ways, and \nto partner with other organizations.\n    The city of Miami, for instance, is using Microsoft's Windows Azure \ncloud platform for Miami311, an online service that allows citizens to \nmap some 4,500 non-emergency issues in progress. The 311 package \ncombines multiple IT capabilities, including mapping, communications, \nweb-based interfaces, and databases and systems for tracking calls and \nresponses. These combined capabilities have enabled the city to \ntransform what had been a difficult-to-use list of outstanding service \nrequests into a visual map that shows citizens each and every \n``ticket'' in progress in their own neighborhood and in other parts of \nthe city.\n    Clouds, together with data-generating sensors, provide the \nmechanisms to combine and analyze large data sets in new ways and \nextract insights. Consider all the data that has been collected by the \nU.S. government, much of which has been used sparingly or by single \nprograms or agencies. Clouds could allow data from different agencies, \ndifferent levels of government, state or federal, and even the private \nsector to be combined and used in powerful ways. 
One could think about \nconnecting historical earthquake data with local information about \nbuilding codes and private information about insurance policies, or \nusing health data to analyze populations and respond to flu outbreaks \nor emergencies in real time.\n    One example of combining input from multiple government \norganizations is the Pew Voting Information Project. This project is \nbuilding on Microsoft's cloud to provide official, customized data for \nvoters on relevant information, such as polling place locations, \nincluding maps and directions, along with a list of candidates and \nissues on the ballot. The cloud implementation allows Pew to scale up \nthe process of merging data from multiple sources and to facilitate \ninterfaces and tools that allow others to create and disseminate \napplications that build on this information.\n\nEnriching Experiences to Empower Individual Citizens.\n\n    Today, most of us own hundreds of computers, from PCs and \nsmartphones to embedded devices in our cars, home appliances, and \nentertainment systems, and we interact with thousands of others \nembedded in society's everyday supporting infrastructure, from health \nmonitors to traffic sensors. The number of such devices is soon \nprojected to exceed 50 billion, most connected to the Internet, \ncommunicating device-to-device, device-to-cloud, and cloud-to-device. \nThe future is a seamlessly connected world of devices and services.\n    Today, we can already see glimpses of this. While in transit, I can \nuse my smartphone to connect to Microsoft's Bing search engine and ask \na question. With the location from the smartphone's GPS, speech-to-text \ntranslation and location-specific data, Bing can return an answer--the \nnearest movie theater is four blocks away; click here for directions \nand to purchase a ticket. 
Such tailored, contextually appropriate \nexperiences are only possible through the combination of devices, \nsensors and diverse cloud services.\n    In the future, my smartphone and the cloud might well cooperate \nwith my plug-in hybrid car. The appointments in my smartphone's \ncalendar, together with traffic data and my car's continuously \nmonitored energy usage will allow the cloud to plan my driving route \nand charging plan, even alerting the utility as to the expected energy \nload from all cars being charged. While this might sound like science \nfiction, scenarios like this are being explored today, enabled by the \ncombination of devices, networks and clouds.\n\nIII. The Next Steps: Recommendations for Moving Forward\n\n    To realize the opportunities that the cloud creates for research, \nbusiness, government, and individuals, there are specific steps the \nU.S. government should consider in four areas.\n    1. Deploy the Cloud for Government and Research Use. The U.S. \ngovernment, including research agencies, should be at the forefront of \ndeploying the cloud in innovative and effective ways.\n    The federal government is actively exploring and implementing cloud \nsolutions across many agencies. In so doing, it is discovering, as has \nthe private sector, that clouds provide operational efficiencies and \nnew sources of value. The federal government should move expeditiously \nto adopt cloud capabilities, beginning with those services and data \nthat directly match industry experiences and best practices. NIST can \nand is playing a valuable role in disseminating cloud best practices \nacross the U.S. government, in defining standards for cloud security \nand in working with other groups to foster understanding of \nopportunities afforded by clouds. 
In addition, the government should \nexplore how clouds could allow data from different agencies, different \nlevels of government, and even the private sector, to be combined and \nused in powerful new ways.\n    Second, and specifically, federal research agencies should embrace \nthe cloud to host large-scale data sets, accelerate scientific \ndiscovery and create new opportunities for data intensive exploration \nand multidisciplinary collaboration. In addition, the federal rules for \nallowable research expenses should encourage and enable the use of IT \nservices, such as the cloud, where appropriate, rather than duplicative \npurchase and maintenance of IT infrastructure.\n    Finally, federal research agencies should also support the \ndevelopment and implementation of new algorithms and tools that \nsimplify access to the burgeoning scientific data archive, facilitating \ncollaboration and ease of use. These tools would reduce the time \nresearchers, staff and students spend on IT management, allow more \nscientists to tap the power of the cloud and more easily build and \nshare analyses and insights. The tools and techniques developed by and \nfor researchers analyzing and interpreting large quantities of \nheterogeneous data have potentially broad applicability in domains as \ndiverse as health, security, energy, and business analytics.\n    2. Ensure Adequate Wired and Wireless Connectivity. The web and \ncloud services depend on broadband communications. Without them, \nservice and information sharing are impossible. Concomitantly, ensuring \nreliable wired and wireless connectivity, with adequate bandwidth and \nlatency, is critical to ensuring successful adoption of the cloud and \nrealization of its benefits. 
The phenomenal growth of digital data, the \nrise of streaming media services, and the explosive growth of Internet-\nconnected devices are all straining our nation's broadband \ninfrastructure.\n    It is critical that we continue to design and deploy new backbone \nnetworks that support higher data rates, develop and deploy new \nprotocols and infrastructure for the next generation of wireless \nnetworks and define the global standards that will shape the future of \nthe globe-encircling cloud. We must also remember that digital access \nto information and services is increasingly the enabler of economic \ncompetitiveness, of lifelong education in a rapidly changing world, and \nof government efficiency and service delivery.\n    These are technology challenges, requiring new semiconductor \napproaches and device designs, optical networks and switches, and \nsoftware and adaptive spectrum management. They are also policy \nchallenges, where the growth of demand and shifting expectations \nchallenge our existing approaches to network regulation, construction, \ndeployment and operation. We need to adopt a new model that fosters \ninnovation and rapid, large-scale deployment, recognizing that the pace \nof change is quickening.\n    3. Foster Continued Support for Computing Research and Education. \nToday's cloud technology--software and services, servers and storage, \nPCs and smart phones, wired and wireless networks--is derived from basic \ncomputing research conducted by universities, government laboratories, \nand companies over the past four decades. Yet each new computing era \nbrings new questions and new research opportunities and needs. Clouds \nare no exception.\n    To ensure that the U.S. continues to remain at the forefront of \ncloud technology, continued investment in basic research is critical. 
\nThere are deep and open questions in areas as diverse as the future of \nsilicon scaling and system-on-a-chip design, energy-efficient system \ndesign, primary and secondary storage, data mining and analytics, wired \nand wireless networks, system resilience and reliability, privacy and \nsecurity, and user interfaces and accessibility, to name just a few. \nInsights and innovations from this research will spawn new companies, \ncreate jobs and reshape our future.\n    In addition to continued research investment, it is critical to \nsupport the pipeline that produces researchers, and others who will be \nable to invent new uses of the cloud and information technology. The \nBureau of Labor Statistics estimates that the computing sector will \nhave 1.5 million job openings over the next ten years, yet the number \nof graduates receiving Bachelors, Masters or Ph.D. computer science \ndegrees in 2009 was approximately 45,000. While the number of degrees \nis trending upward, it falls far short of where it needs to be to meet \nthe demand. For example, in May, Microsoft had 4,551 unfilled job \nopenings, of which 2,629 were for computer science positions.\n    To meet this current and future demand, the U.S. must strengthen \nthe quality of and access to computing education at all levels, \nparticularly K-12. Such efforts, by federal, state, and local \ngovernments, as well as by companies and non-profit organizations, will \nnot only provide a more capable and larger workforce for IT research \nand operations, but also raise the overall computing-related \ncapabilities of the population. 
Strong analytical thinking and \nunderstanding of technological systems will be necessary for many \ncareers as IT continues to permeate more and more aspects of society.\n    Consistent with these concerns about the IT workforce and computing \neducation, Microsoft is a founding member of the Computing in the Core \ncoalition, which supports computer science education, particularly at \nthe K-12 level. To tackle these challenges, the coalition advocates for \ncoordinated efforts on a number of fronts: improving the training, \ncertification, and support for K-12 computer science teachers, as well \nas increasing their numbers; improving the available standards and \nassessments, and developing appropriate courses, for K-12 computer \nscience courses; ensuring that computing courses count toward a \nstudent's core graduation requirements; and expanding access to and \nparticipation in computing courses by under-represented populations.\n    4. Revise Policies in Light of Technology Change. Every new \ninformation technology shift brings change. In each case, the benefits \nof change accrue to the prepared and adaptable. Many of our current \npolicies and regulations have not kept pace with new technology \ndevelopments, and their revision is important to accelerating the \nimplementation and benefits of cloud.\n    Many such issues are discussed in the report of the Commission on \nthe Leadership Opportunity in U.S. Deployment of the Cloud (CLOUD\\2\\), \nwhich has been described by another witness at this hearing. 
For \nexample, policies around the Electronic Communications Privacy Act, \nprocesses for pursuing and prosecuting cybercriminals, privacy \nframeworks, and transnational data flows require reconsideration in \nlight of current technologies and in recognition that technology is \nrapidly evolving.\n    The best approach in a time of rapid technological change is to \nestablish policy goals and a flexible framework for achieving them, and \nto avoid focus on specific technological approaches that could chill \ninnovation or quickly become outmoded.\n                                  ***\n    The cloud is the foundation of the 21st century digital economy. \nThis is an exciting time, when the future becomes the present. Access \nto the power of the cloud can be a great equalizer, providing access to \nthe world's knowledge base to individuals, anywhere, anytime; \nempowering entrepreneurs and companies large and small to sell their \nproducts and ideas globally; and enabling scientists and engineers to \ndiscover and innovate in ways that will define the future.\n    Will we come together and take the steps necessary to prepare and \nenable this vision for the future? I believe we can and we will. \nWorking together, the private and public sectors can ensure U.S. \ncompetitiveness and cloud adoption in the short term, and realize the \nbenefits that result from the cloud's new capabilities and experiences \nin the long term.\n    In conclusion, let me thank you for this Committee's longstanding \nsupport for scientific discovery and innovation. I would be pleased to \nanswer any questions you might have.\n\n    Chairman Quayle. Thank you, Dr. Reed. I now recognize Mr. \nCombs for five minutes.\n\nSTATEMENT OF MR. NICK COMBS, FEDERAL CHIEF TECHNOLOGY OFFICER, \n                        EMC CORPORATION\n\n    Mr. Combs. 
Chairman Quayle, Ranking Member Lujan, and other \ndistinguished Members of the Subcommittee, thank you for the \ninvitation to address both the opportunities and challenges \nassociated with cloud computing.\n    My name is Nick Combs and I am the Chief Technology Officer \nfor EMC Corporation's Federal Division. Prior to joining EMC, I \nspent 25 years in the Federal Government, including senior \npositions in the Department of Defense and the intelligence \ncommunity. Over the course of my career, I experienced many of \nthe IT challenges facing organizations today, particularly as \nenterprises transition to cloud services.\n    For today's testimony, I was asked by the Subcommittee to \ndiscuss some of the major cybersecurity challenges facing cloud \nservice providers and adopters.\n    During the past couple years, the frequency, volume, and \nimpact of cyber attacks has reached pandemic levels. Those \nattacks are resulting in real economic harm, as well as posing \nvery significant national security challenges. Because the \nInternet is used by everyone everywhere, by large and small \ngovernment and commercial organizations, there are multiple \navenues of exploitation. The targets of more advanced cyber \nattacks now include organizations as diverse as pharmaceutical \nand automotive companies to the defense industrial base and \ngovernment agencies, and yes, even information security \ncompanies.\n    As you may know, RSA, the Security Division of EMC, \nannounced on March 17 of 2011 that it detected a sophisticated \ncyber attack on its systems. The attack on RSA was a stark \nreminder to us and for the entire information security \ncommunity that no one is immune from cyber attacks. 
The attack \nalso reflects the sophistication of advanced attackers in \nunderstanding the interconnections and the interdependencies \norganizations have in our network world and how to exploit \nthose relationships to achieve their goals.\n    And this brings us to cloud computing, which is \nfundamentally changing the way that organizations think about \nIT. There is a lot of confusion in the market today, especially \naround what type of clouds and what type of data is appropriate \nto go into those clouds, whether it is public, private, \ncommunity, or hybrid, CIOs must have the information available \nto make risk-based decisions on what information should be \nplaced into what types of clouds. Most security architectures \nof today are nothing more than a broken safety net of point \nsecurity solutions products.\n    During the next several years, cloud computing adoptions \ncould enable organizations to improve information security by \nreplacing the disparate and legacy IT systems that are so \ncommon today. Instead of having IT and information security \norganizations protecting stovepipe systems, organizations are \nable to implement centralized monitoring, management, and \nsecurity solutions. Security is also being built into the \ninformation infrastructure that makes the foundation of the \ncloud, including virtualization and data storage platforms.\n    Cloud computing holds special promise for smaller \norganizations which left to their own device cannot always \nafford the advanced expertise and technologies necessary to \nprotect against today's threats. Those organizations, by \nconsuming IT services from cloud providers, can gain the \nbenefits of advanced security in an affordable way.\n    Through the cloud, organizations can centrally manage their \nIT systems and provide uniform policy implementations. 
They \nwill reduce the operating and management cost, thus freeing up \nresources to address other needs.\n    EMC supports the Administration's ``cloud-first'' strategy, \nand along with the ongoing data center consolidation efforts, \nwe believe that the policies, if fully implemented, will save \nthe Federal Government billions of dollars in IT budgets \nannually. In this skyrocketing budget deficits and new budget \ncaps, now is the time for Federal Government agencies to \nadopt--to accelerate their adoption of cloud infrastructure and \nservices.\n    Many federal agencies have already begun to build the \ncloud--the bridge to the cloud by adopting some form of \nvirtualization. For example, right here in the House of \nRepresentatives, your IT organization has utilized \nvirtualization in its transition to the cloud. Technologies and \nbest practices exist today to deliver private cloud \nenvironments inside federal organizations to gain dramatic IT \nimprovements and IT efficiency while also providing the \nsecurity required to protect the sensitive information within \nthe government enterprise.\n    Security must be--must evolve to become much more centered \naround the users and on the information they are accessing. For \nthat reason, emerging technology practices such as adaptive \nauthentication and data loss preventions are both widely used \nin the commercial world and should be increasingly used in \nFederal Government agencies.\n    As I conclude my testimony, I would like to comment on the \nrole of NIST in advancing cloud computing and trust in the \ncloud. Through its cloud computing workshops, NIST has already \nplayed a vital role in bringing together the public and private \nsectors to zero in on security interoperability and portability \nchallenges related to the cloud. 
Congress should also allow \nfederal agencies to select the cloud deployment models that \nbest fit the business needs and security needs rather than \nfavoring one cloud model over the other.\n\n    I again thank the Committee for allowing me to contribute \nto this hearing today. Thank you and I look forward to your \nquestions.\n    [The prepared statement of Mr. Combs follows:]\nPrepared Statement of Mr. Nick Combs, Federal Chief Technology Officer, \n                            EMC Corporation\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    Chairman Quayle. Thank you, Mr. Combs. I now recognize Dr. \nMcClure to present his testimony.\n\n                STATEMENT OF DR. DAVID MCCLURE,\n\n      ASSOCIATE ADMINISTRATOR, OFFICE OF CITIZEN SERVICES\n\n  AND INNOVATIVE TECHNOLOGIES, GENERAL SERVICES ADMINISTRATION\n\n    Dr. McClure. Thank you, Chairman Quayle and Congressman \nLujan. It is a pleasure to be here, and I would like to applaud \nthe Subcommittee's leadership in expanding the dialogue and \nunderstanding of new cloud technologies, and the risks and the \nrewards they offer for modernizing the government's IT.\n    As you have heard from the other witnesses today, cloud \ncomputing really offers a compelling opportunity to \nsubstantially improve the efficiency, agility, and performance \nof federal IT. With cloud, agencies pay only for the resources \nthey use in response to fluctuating demand, they avoid the \nexpenses of building and maintaining costly IT infrastructure, \nand ensure the appropriate level of security for data and \napplications.\n    At GSA, we are developing new cloud computing procurement \nvehicles that leverage the government's buying power, we are \nensuring effective cloud security standards are in place to \nlower risk, we are identifying and leveraging government-wide \nadoption of cloud solutions such as email and collaboration. 
My \nwritten statement highlights our significant progress under the \n25-point IT Reform Plan in areas like data center consolidation \nanalysis and cost-modeling, more robust government-wide \nsecurity approaches under the soon-to-be-launched FedRAMP \nprogram, and efficient procurement vehicles.\n    Let me summarize my written statement provided to you with \nthree key points. First, agency executives should focus on the \ndesired government, business, or mission outcome driving cloud \nadoption rather than cloud technology itself. We know there are \nopportunities for improving the cost-effectiveness and \nefficiency of IT used in the Federal Government. CIOs need to \ndevelop and deploy effective cloud solution strategies that \naddress pressing agency needs taking into account cost savings \nand expected performance improvements. Agencies must analyze \nbusiness needs and identify cloud solutions that best fit their \nrequirements by making cloud adoption part of an overall IT \nportfolio management and sourcing strategy.\n    In short, cloud readiness assessments and prudent \ndecisional roadmaps are essential to move forward both \ndecisively and expeditiously in cloud computing.\n    Second, while early, we definitely are seeing concrete \nbenefits from the adoption of cloud computing solutions in the \nFederal Government, particularly for low- and moderate-risk \ndata areas. At GSA and USDA, for example, we expect to see \nemail costs cut by 50 percent, and many other agencies are \nprojecting similar results.\n    The benefits are not just around cost reduction. Cloud \ndeployments allow for much faster deployment of systems and \napplications. Provisioning can occur in hours or days as \nopposed to traditional months or years. It can increase \nproductivity, it gives agencies greater flexibility and \nscalability, it enhances our sustainability postures, and it \nimproves self-service capabilities. 
As agencies consolidate \ntheir virtual data centers, cloud provides an ideal path \nforward.\n    Third, while the path forward for cloud computing is \npositive, we still must pay attention to the inherent risk \nassociated with its use, as is the case in virtually all \ntechnology areas. The risks generally revolve around the \nevolution of some key standards designed to address technical, \noperational, and managerial risk associated with computing in \ngeneral. Let me mention three key standard areas.\n    Number one is establishing baseline security standards that \nmust be met by cloud service providers. We are taking steps to \nachieve this via our FedRAMP program, which we have designed \nwith extensive industry and government-wide participation and \nfeedback. We are establishing a common set of baseline security \nassessments and continuous monitoring requirements for cloud \ncomputing using NIST standards. We are providing a common, \nconsistent, security-risk and authorization process that can be \nleveraged across agencies, the use-once-and-often approach.\n    Certifying qualified, independent, third-party assessors is \nanother area where we are spending a great deal of attention so \nthat we can bring some consistency and uniformity in how cloud \nsecurity assessments are done. And we are shifting the risk \nfrom annual reporting under FISMA to more robust continuous \nmonitoring providing real-time detection and demonstration of \nsuccessful mitigation of vulnerabilities.\n    The other two standards areas involve interoperability and \ndata portability. NIST is taking the lead in these two areas. \nIt is aggressively pursuing use-case study approaches that can \nadequately demonstrate the utility of proposed standards in \ntest scenarios so that market solutions can proceed and be \nmoved into the Federal Government. 
These two things can help \nprotect against vendor lock-in and ensure data reconstitution \nshould an agency decide to move its services to another \nprovider.\n    Thank you, Mr. Chairman. That concludes my statement. I \nwould be glad to respond to any questions.\n    [The prepared statement of Mr. McClure follows:]\n\n   Prepared Statement of Dr. David McClure, Associate Administrator,\n        Office of Citizen Services and Innovative Technologies,\n                    General Services Administration\nChairman Quayle and Members of the Subcommittee:\n    Thank you for the opportunity to appear before you today to discuss \nthe General Service Administration's (GSA) leadership role in ongoing \nefforts to enable and accelerate adoption of cloud computing across the \nfederal government. Cloud adoption is a critical component of the \nAdministration's plan to improve management of the government's IT \nresources. The reforms underway are enabling agencies to use \ninformation more efficiently and effectively, delivering improved \nmission results at lower cost.\n    Cloud computing offers a compelling opportunity to substantially \nimprove the efficiency, agility and performance of the federal \ninformation technology portfolio. It allows agencies to pay only for \nthe resources they use in response to fluctuating demand, avoid the \nexpenses of building and maintaining costly IT infrastructure, and \ncontrol the appropriate level of security for data and applications. \nCloud computing is also a key technology for achieving cost effective \nIT. In fact, agencies have already started to realize numerous benefits \nas they begin to adopt cloud computing across their programs. These \ninclude cost reduction, faster deployment of systems and applications, \nincreased productivity, greater flexibility and scalability and \nimproved self-service capabilities. 
As agencies consolidate and \nvirtualize their data centers, cloud provides an ideal path forward to \nachieve needed results while substantially lowering costs--an essential \nfocus given federal budget constraints.\n    GSA is playing a leadership role in facilitating easy access to \ncloud-based solutions from commercial providers that meet federal \nrequirements, enhancing agencies' capacity to analyze viable cloud \ncomputing options that meet their business and technology modernization \nneeds, and reducing barriers to safe and secure cloud computing. We are \ndeveloping new cloud computing procurement options with proven \nsolutions that leverage the government's buying power, ensuring \neffective cloud security and standards are in place to lower risk, and \nidentifying and leveraging government-wide uses of cloud computing \nsolutions such as email. These are highlighted on our web page \nInfo.Apps.gov, which provides useful information about cloud computing \nand available solutions.\n    The Administration's efforts to apply rigor to information \ntechnology management and foster cloud adoption is framed by several \nkey guidance documents and policies, including the OMB 25 Point \nImplementation Plan to Reform Federal Information Technology Management \nand the Federal Cloud Computing Strategy issued by the federal CIO's \noffice. The initiatives being implemented in response to these \ndocuments are making significant progress tackling long standing \nchallenges in the way IT is acquired and managed. 
These reforms are \nalso meeting the Administration's goals to make government more \nresponsive, operationally effective, cost efficient, transparent, \nparticipatory, collaborative, and innovative for the citizens it \nserves.\n\nThe Subcommittee asked that I address the four questions outlined \nbelow.\n\n    (1)  Please provide an overview of how the General Services \nAdministration (GSA) is implementing the Office of Management and \nBudget's (OMB) 25 Point Implementation Plan to Reform Federal \nInformation Technology Management, the OMB Federal Data Center \nConsolidation Initiative, and the Federal Chief Information Officer's \nFederal Cloud Computing Strategy.\n\n    GSA plays a central role in realizing the goals set forth in the \nAdministration's initiatives and strategies to reform IT management, \nconsolidate data centers and implement cloud computing. Below are the \nprimary initiatives underway to achieve the policy goals of Data Center \nConsolidation, the Cloud Computing Strategy and the specific objectives \nof the 25 Point Plan.\n    Below is an overview of the work we are conducting to support \nspecific objectives of the Federal IT Reform Strategy. Each objective \nof the 25 Point IT Reform Plan for which GSA is directly responsible is \nidentified in bold; the specific section is in parenthesis.\n\nComplete detailed implementation plans to consolidate at least 800 data \ncenters by 2015 (#1)\n\nCreate a government-wide marketplace for data center availability (#2)\n\n    The Federal Data Center Consolidation Initiative (FDCCI), managed \njointly by GSA and OMB, is charged with reversing the federal \ngovernment's explosive data center growth to optimize and improve \nefficiency of federal IT infrastructure. 
The FDCCI is chartered to \nengage with agencies, support and facilitate agency data center \nconsolidation planning, and to provide tools to federal partners.\n\nUnder the FDCCI, GSA is accomplishing the following:\n\n    <bullet>  Working with a government-wide task force co-chaired by \nDHS and DOI that meets monthly and includes representatives from all 24 \nCFO Act agencies.\n\n    <bullet>  Assisting agencies to maximize the return on investments \nfor data centers to remain in their inventory after consolidation\n\n    <bullet>  Ensuring consistent data collection of the federal data \ncenter inventory by developing and disseminating standard templates to \ncollect, manage, and analyze agency data center inventory data.\n\n    <bullet>  Collaborating with industry on best practices and \nsolutions for key data center consolidation issues.\n\n    <bullet>  Developing a comprehensive data center Total Cost Model \nfor agencies to use to analyze alternative consolidation scenarios, \nenable data-driven decision-making for infrastructure cost and \nperformance optimization.\n\n    <bullet>  Pursuing development of a data center marketplace that \nwould help optimize infrastructure utilization across government by \nmatching agencies with excess computing capacity with those that have \nimmediate requirements. A working group is addressing consensus-\nbuilding, requirements gathering, and other key facets necessary to \nensure the marketplace's success.\n\nStand up contract vehicles for secure IaaS solutions (#4)\n\n    IT infrastructure represents a multi-billion dollar investment that \nrequires constant maintenance, expensive technology upgrades, and \ndedication of valuable personnel. Agencies are faced with outdated \ninfrastructure requiring ongoing, major investments to keep pace with \ngrowing demand and rapidly changing technology. Servers across both \ngovernment and industry are highly underutilized. 
To address these \nissues, GSA's Federal Acquisition Service (FAS) established a Blanket \nPurchase Agreement (BPA) with 12 companies (many with multiple \npartners) that offer cloud storage, computing power, and cloud-based \nwebsite hosting as commodity services that enable agencies to optimize \ntheir infrastructure and achieve substantial, long-term cost savings. \nUnder these Infrastructure as a Service (IaaS) contracts, agencies pay \nonly for what they need, define performance requirements, have the \nflexibility to respond to changing demands, benefit from commodity \npricing, and are assured of secure solutions. At present, four \ncontractors are offering services under the BPA, with the remaining \ncompleting the security authorization process. DHS has recently awarded \na task order under this BPA for the consolidation and migration of its \npublic facing websites to a cloud hosting service.\n\nStand up contract vehicles for commodity services (#5)\n\n    Working closely with email and collaboration experts from across \ngovernment, GSA developed a government-wide contract vehicle to help \nagencies move email and collaboration solutions to the cloud. The Email \nas a Service (EaaS) BPA is an active procurement managed by FAS; \nresponses are currently being evaluated. It will offer federal \ncustomers a streamlined procurement vehicle to commercially available \ncloud email solutions that best fits their agency's needs. Based on \ninformation from Forrester Research, average cost savings for agencies \nmigrating to cloud-based email are expected to be $11/mailbox/month, $1 \nmillion in annual savings for every 7,500 users, or approximately 44% \nover existing on-premise email solutions. 
The BPA will offer a range of \nemail services in public, private, and highly secured clouds, making \navailable robust, feature-rich, secure email and collaboration service \noptions similar to those currently being implemented at GSA, USDA, \nUSAID, DOE, and other agencies. It can meet the needs of the 15 \nagencies that have identified 950,000 e-mail boxes they plan to move to \nthe cloud under the Administration's IT Reform effort.\n\nLaunch an interactive platform for pre-RFP agency-industry \ncollaboration (#25)\n\n    To streamline the procurement process and enhance communication \nwith industry, GSA is establishing ``cross-trained'' program teams and \nimproving the way requirements are defined. GSA is working to establish \nan interactive platform for pre-RFP agency-industry collaboration. \nBased on input from government and industry, alternatives for design \nand delivery of an online collaboration tool have been examined and \nrated. Candidates for the tool included existing government systems and \ncommercial collaboration tools.\n    GSA not only is fostering adoption of cloud computing government-\nwide, but as required under the Cloud First policy, has recently \ncompleted a major cloud migration of our internal email and \ncollaboration solution that demonstrates the significant potential of \ncloud solutions to achieve substantial cost savings. In approximately \nseven months, we moved 17,000 users to Google Apps for Government. \nSavings over the next five years are projected to be over $15M. Not \nonly have we reduced costs, but we have also made significant gains in \nenvironmental sustainability--we shut down 45 servers, which is \nequivalent to taking 60 cars off the road. The lessons learned from our \ncloud implementation have been captured and are being shared with \nagencies across the government as they seek to achieve similar success.\n\n2. 
Please provide an overview of the costs associated with implementing \nthese plans at GSA, and provide a description of both the short-term \nand long-term budgetary impacts of these changes.\n\n    To date, GSA's Federal Cloud Computing Initiative has been funded \nunder the e-Government program administered by the Federal Chief \nInformation Officer. In FY10 and FY11 GSA's Federal Cloud Computing \nInitiative (FCCI) Program Management Office (PMO) budget of $4.8 \nmillion was allocated to five primary tasks:\n\n    <bullet>  Establish procurement vehicles that allow agencies to \npurchase IT resources as commodities--resulting in the award of the \nInfrastructure as a Service (IaaS) Blanket Purchase Agreement under GSA \nSchedule 70\n\n    <bullet>  Address security risks in deploying government \ninformation in a cloud environment--resulting in the development of the \nFederal Risk Authorization Management Program (FedRAMP)\n\n    <bullet>  Establish a procurement vehicle that allows agencies to \npurchase cloud-based e-mail services--resulting in the issuance of the \nEmail as a Service (EaaS) procurement that is currently underway\n\n    <bullet>  Work with agencies to consolidate their data center asset--resulting in the \nFederal Data Center Consolidation Initiative that works with agencies \nto inventory their data center assets and to identify targets for \nconsolidation and optimization\n\n    <bullet>  Create apps.gov, an on-line storefront \nthat provides access to over 3,000 cloud-based products and services \nwhere agencies can research solutions, compare prices and place on-line \norders using GSA's eBuy system.\n\n    This initial funding provided by the e-Gov Fund allowed GSA to \naccomplish significant results. However, there are key activities that \nstill need to be accomplished to realize the significant, additional \npotential cost savings and productivity improvements that GSA can help \nagencies achieve. 
The continuation of these cost-saving initiatives is \ndependent on FY12 eGov Fund budget levels and decisions.\n\n3. What cybersecurity steps is the GSA taking to protect federal data \nand communications in the cloud? To what extent does GSA work with NIST \non the development of cybersecurity standards for federal cloud \ncomputing use?\n\n    The primary goal of the Administration's Cloud First policy is to \nachieve widespread practical use of secure cloud computing to improve \noperational efficiency and effectiveness of government. Currently, each \nagency typically conducts its own security Certification and \nAccreditation (C&A) process for every system it acquires, leading to \nunnecessary expense, duplication and inconsistency. According to the \n2009 FISMA report to Congress, agencies reported spending $300M on C&A \nactivities alone.\n    Working in close collaboration with DHS, NIST, DoD and OMB and the \nFederal CIO Council, GSA is leading establishment of the Federal \nAuthorization Risk Management Program (FedRAMP) to accelerate adoption \nof secure cloud solutions by agencies across government.\n\nKey benefits include:\n\n    <bullet>  Provides a single, consistent security risk assessment \nand authorization that can be leveraged across agencies--an ``approve \nonce, and use often'' approach\n\n    <bullet>  Establishes a common set of baseline security assessment \nand continuous monitoring requirements using NIST standards\n\n    <bullet>  Approves and makes available qualified, independent third \nparty assessors, ensuring consistent assessment and accreditation of \ncloud solutions and based on NIST's proven conformity assessment \napproach\n\n    <bullet>  Shifts risk management from annual reporting under FISMA \nto more robust continuous monitoring, providing real-time detection and \nmitigation of persistent vulnerabilities and security incidents.\n\n    There is strong support and demand for FedRAMP from agencies \nseeking to adopt cloud 
services, as required by the Administration's \nCloud First policy, and from industry. FedRAMP's processes, policy, \ngovernance, and technical security standards have all been arrived at \nvia a consensus-based approach that includes agencies' Chief \nInformation Security Officers, the Federal CIO Council, National \nInstitute of Standards and Technology (NIST), Department of Homeland \nSecurity (DHS), Department of Defense (DoD), National Security Agency \n(NSA), and numerous industry organizations. This new program is \nexpected to be initially launched this Fall.\n\n4. What other challenges face federal agencies in adopting cloud \ncomputing services, and what steps is the GSA taking to overcome these \nchallenges?\n\n    Considerable progress has been made in adopting successful cloud \nsolutions. Cloud computing is now an accepted part of the federal IT \nlexicon. However, there continues to be a need for more thorough \nunderstanding of the cloud's deployment models, unique security \nimplications, and data management challenges. Agency executives should \nnot focus on cloud technology itself; rather, they should focus on the \ndesired outcome driving the need for cloud adoption. CIOs need to work \nwith their line of business executives and program managers to develop \nand deploy effective cloud roadmaps that address pressing agency \nmission needs, taking into account costs savings and expected \nperformance improvements. Agencies should analyze business needs and \nidentify cloud solutions that best fit their requirements by making \ncloud adoption part of an overall IT portfolio management and sourcing \nstrategy. NIST is currently working on a Cloud Computing Technology \nRoadmap that will be released in November. If linked to cloud provider \nproducts and services, it would greatly assist in this decision-making.\n    Cultural resistance is also a major challenge. Cloud adoption \nrequires moving away from managing physical assets to buying services. 
\nAs GSA's own experience has shown, these issues can be effectively \naddressed. Critical success factors include robust communication, \npractical training and emphasis on the benefits of cloud, and \nespecially on the control agencies gain by buying what they need and \ndefining performance metrics that are tied to desired performance \nresults. GSA found that having a group of early adopters fostered buy-\nin and enthusiasm, and provided a ready corps of skilled users.\nConclusion\n    Mr. Chairman, General Services Administration is leading the \nAdministration's charge to make government more open, transparent, and \neffective for the citizens it serves. In our increasingly data-centric \nand network-based world and workplace, effective and efficient \nprocurement and implementation of information technology will be \nparamount in making sure the federal government closes the IT \nperformance gap between it and the private sector. Cloud computing and \ndata center consolidation are key initiatives that should be pursued \naggressively to achieve needed costs savings and improve effectiveness \nof government operations.\n    Thank you for the opportunity to appear today. I look forward to \nanswering questions from you and Members of the Subcommittee.\n\n    Chairman Quayle. Thank you, Dr. McClure, and I want to \nthank all the witnesses for their testimony today.\n    Reminding Members that Committee rules limit questioning to \nfive minutes, the Chair will at this point open the round of \nquestioning, and I will recognize myself for five minutes.\n    Mr. Capellas, when looking at the data from the last 10, 20 \nyears like you pointed out, a lot of the job creation was \noccurring in the IT sector, but it was also occurring with \ncompanies that are five years or younger, the startup IT, the \nstartup companies. In Phoenix where I am from, we have a lot of \nthe larger players like Honeywell, Intel, and some of the \nbigger players. 
We also have some smaller ones as well, but \nwhere do you think the opportunities for new service and \napplication providers in the IT sector are going to come from? \nDoes cloud computing offer a unique area for more startup \ncompanies to really be created in advance in that realm?\n    Mr. Capellas. So what we are going to see--great question \nby the way. What we are going to see, I think, is something \ndifferent than we have seen in the past, and we are going to \nhave a bifurcation of the two sides of IT. The cloud basically \nsays I don't have to care or know where the physical or \nunderlying infrastructure is, and today, if you think about \nmost cases, most IT shops, 70 percent of all costs go on \nphysical hardware and only 30 percent on the real innovation, \nwhich is the application side. And when you think about what \nother business would you have where you spend 70 percent to \nkeep the lifeline and 30 percent to really drive innovation?\n    What is happening today in the industry is a level of \nindustry verticalization we haven't seen before, so I will be \nrespectful to all the players in the industry. If you are a \nHewlett Packard, you are starting--you are building an entire \nconversion infrastructure from servers to storage to capacity \nand you are going to buy that as a physical. If you are IBM, \nyou have got your stack; if you are Oracle, you have got your \nstack; if you are EMC and Cisco in partnership with VM where \nyou have got your stack; and it is much more tightly bundled. \nThe big players will capture a much larger share of the \nphysical side of the infrastructure because the end user will \nwant to buy it from one place. And that is the beauty of it. \nYou don't have to know or care.\n    The second big piece of this is of that physical piece, 30 \npercent of all IT resources are just screwing the pieces \ntogether to make a match. 
So what will happen is the job \ncreation will come from the large players going to the physical \nside with vertical consolidation. Now, what that--on the good \nside of that says is then there will be a lot more people who \nare able to write much quicker applications. The whole world of \napplication development will change.\n    And so one of the fun things I do is the average person has \nthree connected devices and over 100 applications that they do \non their smartphone and there are 500,000 smartphone \napplications because those applications can be generated very \nquickly because the physical infrastructure is there. So to \nanswer your question very specifically, I think the large \nplayers who are vertically integrated will create the job \ngrowth, and it is imperative that U.S. companies continue to \nsucceed as the foundation of the critical infrastructure and \nthere will probably be fewer levels of innovation at the \nphysical layer. But that will spawn a whole new generation of \napplication developers and smaller companies can write quicker, \nlighter applications and those frameworks will be available \nbecause you can then drop those applications onto the physical \ninfrastructure that is in place. And you will see in the world \nof business and other applications the same kind of just \nmassive rollouts you have seen with the--with everybody who has \ngot their, you know, iPhone. And how many of you could even \ncount how many applications you have on your own phone? You \nprobably paid a $1.99 on average for them.\n    So application development becomes a foundational piece. It \nopens up for lots of great innovation. That innovation allows \nIT spending to be placed where it belongs most, which is on \nbeing creative and the big guys take over running the physical \ninfrastructure.\n    Chairman Quayle. Okay. 
And then I wanted you to expand on--\nbecause I would want to get an understanding is that the \ncommissioner states that one of the things we should do is \nprovide incentive for people to migrate to the cloud.\n    Mr. Capellas. Yes.\n    Chairman Quayle. My question is if you are going to save--a \ncompany is going to save money and increase efficiency, isn't \nthat incentive enough to have people moving--migrating to the \ncloud rather than--why do we need additional incentives to push \npeople to the cloud?\n    Mr. Capellas. A bit of our recommendation relates \nstrictly--is focused on the manner of our procurement of the \nFederal Government and agencies.\n    Chairman Quayle. Okay.\n    Mr. Capellas. If you think today the way agencies work is \neach of the departments has to measure against a unit of \nmeasurement. So if I have a personal computer, I can say I want \nit from company A, B, or C. If I want a server company A, B, or \nC but I want to buy a unit of computing, which can be shared, \nthere is no benchmark, and so as a result, there tends to be a \nrollover of individual departments acting to simply get five or \nten percent better than they used to be and groups not wanting \nto share.\n    At a fascinating exercise, which was brought about by Vivek \nKundra, who brought us in to sort of say would you talk to the \nwhole group and to see how many data centers could be shared by \nagencies crossing buying in a different way. So one of the \nincentives is to be able to say how about we put an incentive \nin place that says you will get to reinvest in your budget \ncycle what you saved in order to get more collaboration across \ngroups but also to change the paradigm to simply buying \nsomething at five percent more.\n    Chairman Quayle. Okay. Thanks. And Dr. Reed, really \nquickly, one of the things that I have been talking with a lot \nof people within the research area is the lack of collaboration \nthat has occurred. 
Do you think that the more people going to \nthe cloud will actually increase collaboration, not just \nbetween the public and private sectors, but also within \nresearchers who are working on tandem projects from different \nuniversities? Because you have been in the universities for a \nwhile even though it was UNC--I am a Dukie so we still count \nthat as a university. But could you just explain that very \nbriefly?\n    Dr. Reed. Certainly. I think it is actually--it is the \nresearch version of part of the answer to the question that \nMike was mentioning as well, which is many of the value \npropositions that exist by virtue of the rise of scientific \ndata--and the reason why we have had explosive growth of \nscientific data is the same reason all of us have cheap digital \ncameras and lots of digital photos is because those kinds of \nsensors have made it very possible to capture large volumes of \ndata economically. I exaggerate a bit, but that is \nfundamentally the technology piece.\n    What has happened in the research world is an analog \nactually of many other phenomena. It is true in industry and I \nthink in government that much of the value lies actually in the \nintersection of data from multiple disciplines. And because \nthose data tend to be held in silos within individual \norganizations, research universities, or federal agencies, it \nis extraordinarily difficult to cross-fertilize them and look \nat their intersection.\n    One of the things that the cloud brings to the table is the \nability to host that data and make it broadly available so that \none can extract insight. I think that is true in an \nentrepreneurship level where the ability to mine insight from \ndata actually has economic value. It is certainly true in the \nresearch world as well. 
And so the ability to attack complex \nproblems--because the traditional model of success in academia \nis depth in their own area, and yet many of the problems we \ncare about cross not only technical domains but they cross \nsocial and other domains. The ability to bring people together \nto reason is one of the powers of the cloud.\n    Chairman Quayle. Okay. Thank you very much.\n    I now recognize Mr. Lujan for five minutes.\n    Mr. Lujan. Thank you, Mr. Chairman.\n    And Dr. Reed, I appreciate again the panel's attention to \nthe cost saving that is going to take place associated with IT \ntools, hardware and software. But I want to zero in on total \ncost, specifically energy. And can you briefly talk about what \ncloud computing means to smart grid application across the \ncountry as we talk about energy efficiency and lowering utility \ncosts, energy consumption costs for businesses small and large, \nfor people all around America and what this means to that?\n    Dr. Reed. Certainly. Let me start with the cloud itself. \nOne of the interesting things that has happened in the back-end \ninfrastructure is the growth of that infrastructure at scale \nhas driven an enormous focus in the industry on reducing the \nenergy consumption of data centers themselves--more efficient \npackaging and cooling and other things. That is one of the \nenabling pieces, and so it is important not to forget energy \nefficiency there.\n    But if one looks at the larger question you are posing \nabout how does analysis of data enable new possibilities? 
It is \nactually related to the Chairman's question in an interesting \nway, because if you think about the broad sort of issues about \nhow being able to capture data appropriately, anonymized, \nprivate, and secure from individual homes, the future of hybrid \nand smart vehicles that are electrically powered where you \ncould take that information and do intelligent route planning \nso that--reduce the energy consumption for the vehicles and the \ndemand on the electrical grid by planning routes accordingly to \ngive drivers advice about routes. Similar sorts of issues begin \nto accrue in the home about being able to plan when you turn on \nappliances, how you manage that energy, and then the same sort \nof things apply largely at the large-building scale whether \nthey be federal or private buildings where understanding the \nbehavior patterns make it possible to do some new things.\n    So what brings those two things together? One is this \nincredible world of sensors, and that is part of what the smart \ngrid is about. The other is the ability to analyze data at \nunprecedented scale and generate and extract trends and \nbehavior. It is true in healthcare; it is true in smart grids \nand energy; it is true in transportation; it is true in all \nkinds of other business, competitive worlds. It is the insight \nfrom the data that that makes possible.\n    Mr. Lujan. I appreciate that and especially with the \nconversation around the smart grid, recently there was a \nconversation in New Mexico that someone described the smart \ngrid as the Internet for electricity. As you talk about the \nconnectivity and really what it means to integrate, but it is \nreally lower cost.\n    Along those lines, I would be interested in hearing your \nthoughts or any of the panel on what can be done with NIST or \nwith the market as a whole as we talk about containing costs. 
\nSo the cloud will allow us to lower utility consumption right \nnow so on the desktop, the hardware that we are using as \nindividuals, what can be done to lower the utility consumption, \nlowering cost for the data centers where we are having to spend \nso much money right now on the cooling? Because those \ntemperatures when you walk into a server, we all--or data \ncenter, you all know that it is cooled. What is preventing us \nfrom getting to the point where those things can run at 72 to \n76 degrees, lowering consumption costs without using outside \nair on the cooling as opposed to doing it inside? That way we \nare lowering costs for the government, the taxpayer, for you \nall and for businesses everywhere.\n    Mr. Capellas. Well, that--please, go ahead.\n    Dr. Reed. Well, I was going to say that is exactly what is \nhappening. Please.\n    Mr. Capellas. It is a couple of real simple things. The \nfirst one, you know, I always love, you know--one of my \nfavorite things is unfortunately sense isn't common. Common \nsense tells you whenever you consolidate a huge number of \nservers which are very inefficient--so when you have all these \nsmall boxes running out there, the best you can hope for is 30 \nto 35 percent utilization. That is the best and--whether that \nis servers or storage. When you run these big virtualized \nmachines because the way a cloud works is it says I am going to \ngo grab a piece of capacity, I am always running at a higher \nlevel, you are going to 80 or 90 percent capacity utilization. \nSo the first question is you have a whole lot more efficiency \nand a whole lot less boxes.\n    The second one is just the natural evolution of technology. \nWe have designed into these next-generation boxes. They are \nmuch more environmentally friendly simply because we have taken \npower consumption as a fundamental design to lower it. So part \nof it is just the natural curve. 
The second place is just the \nmuch higher utilization that you get off the consumption.\n    Mr. Lujan. I appreciate that, Mr. Capellas. Anyone else? \nMr. McClure?\n    Dr. McClure. No, please, go ahead.\n    Mr. Combs. I would just like to add, you know, an example \nof EMC's first phase in virtualization doing exactly what \nMichael was talking about, we had $74 million in data center \nequipment savings the first year. 12 million of that was in \npower and space cooling alone. And that was just in the very \ninitial stage, which only represents about 20 percent of the \nsavings that we have gained over our corporation's transition \nto the cloud. The best practices are out there. Industry is \nalready doing this. The Federal Government can just look to \nindustry and the successes that we have had in industry and \napply those within the government.\n    Dr. McClure. And I would agree. I think, you know, exactly \nthe case at GSA and around the government, the average server--\nif you put it in real terms, the average server utilizes about \n4 tons of carbon dioxide waste annually. Every server is the \nequivalent of--if you retire a server, on average, you are \ntaking one and a half cars off the streets. So we point to over \nhalf a million dollars in savings by just doing virtualization \ntechnologies in our data centers. Up to 60, 70 cars taken off \nthe road, you know, these are real terms that is showing that \nyou are having an impact on sustainability in a real way. And \nthe adoption of new technologies I think is absolutely \nessential as we go forward because the technology improvements \nwill continue to occur.\n    Mr. Lujan. Thank you, Dr. McClure. I notice that time has \nrun out. I think we will get another chance to ask a few \nquestions here, but I really appreciate the attention to the \ncost savings that we will yield from energy consumption as well \nfor businesses all over the country as well as residential. 
\nThank you.\n    Thank you, Mr. Chairman.\n    Chairman Quayle. Thank you, Mr. Lujan.\n    The Chair now recognizes the Chairman of the Full \nCommittee, the gentleman from Texas, Mr. Hall.\n    Chairman Hall. Mr. Chairman, thank you.\n    Dr. Reed, in your testimony, you state that the need to \nadopt a new network policy model that fosters innovation and \nlarge-scale deployment indicates that you think that they don't \nalready have that. I guess my question is what way do you see \nthe current model as inadequate and what changes would be \nrequired to foster innovation and large-scale deployment?\n    Dr. Reed. So it is really a comment on the fact that if one \nlooks at any set of computing technologies that it is the \nratios of speeds and capacities that determine the efficacy. So \nif we look at the rise of consumer devices, the speed and power \nconsumption of the devices, their performance, their form \nfactor, and mobility really made some things possible.\n    One of the challenges we face in networks, there are two \nfundamentally in my judgment, and they are related in the \nspirit that I said networking is the oxygen that lets cloud \nservices breathe because it is the conduit of the information \nand services from the data center to the consumer, whether that \nconsumer be a government agency, a company, or an individual. \nThe rate of growth and scale of the data that is being produced \nis challenging the speed of the broadband networks that we have \ndeployed in this country. It is the electronic analog of saying \nwe have too many cars on the road; we need to address the \nissue. 
So the ability to deliver that data reliably and at high \nvolume across the country and indeed the connections of the \nrest of the world is a big piece of that.\n    The other is the pressure that we are all experiencing in \nwireless communications and the explosive growth of the number \nof devices and the expectations that we all have for not only \naccess to data but the ability to deliver multimedia, audio and \nvideo to those devices is stressing many of the historical \napproaches that we have had, the spectrum allocation and \nmanagement.\n    So what I am really saying is we have to face both of those \nissues and work together to address the need not only to \ncontinue to expand the speed and coverage that we have for our \noptical and wired networks but continue to work together to \naddress the access issues that will deliver those just-in-time \nservices. Because that smart grid vision of the world depends \non wired and wireless access to that information to be able to \nmake those intelligent decisions.\n    Chairman Hall. Well, you say that we have to address--I \nguess if you told me I didn't get your answer as to how, what \nkind of changes would be required? What special changes would \nyou make?\n    Dr. Reed. So it is a good question. I will try to be a bit \nless circular in my answer. I apologize.\n    We have to build out more networks and we have to find \nmechanisms to make that happen more rapidly. On our wired \nnetworks, if you think about the speeds that we normally \ndenominate units in, we talk in units of the Broadband \nTranscontinental Network in units of 10 or 40 gigabytes per \nsecond. When you consider the fact that a large cloud data \ncenter contains a nontrivial fraction of the text holdings of \nthe Library of Congress, you see the problem. There is a \nmismatch there in the ability to deliver versus the volume of \ndata. 
So we need to accelerate construction.\n    What I was also advocating is we continue to need to \nadvance the state of the art of the technology. How do we move \nbeyond the current rates? How do we address in the spectrum \nareas some more nimble ways that would allow high bandwidth \ndata sharing? We are going to have to change some of the \nstandardization process, we need to invest in research, and we \nneed to find the economic incentives that will drive the \nprivate sector to continue to build out those networks.\n    Chairman Hall. Thank you. I yield back my time, Mr. \nChairman.\n    Chairman Quayle. I thank Chairman Hall for his questions.\n    The Chair now recognizes the gentleman from Illinois, Mr. \nLipinski, for five minutes.\n    Mr. Lipinski. Thank you, Chairman Quayle. Thank you for \nholding this hearing today on this important issue. It is \nsomething I have been interested in for a while, even before \nthe Administration announced their ``cloud-first'' policy, \nbecause I really think, as you talked about here today, that \nthe cloud will have positive impacts on how the Federal \nGovernment researchers and the world will operate in the \nfuture. But I want to make sure that our implementation is done \nintelligently and we capitalize on the benefits while \naccurately assessing and mitigating the risks.\n    So the first question I have is probably best for Mr. \nCapellas, Mr. Combs, and Dr. Reed. What are the challenges to \nensuring, first of all, the physical security of the servers \nand the security of the data stored in the cloud and how would \nyou recommend we address these challenges? We need to gain the \npublic's trust, but we also need to make sure that we do have \nadequate security in the cloud. I had a couple amendments on \nappropriations bills. I was just trying to address this issue. 
\nI have concerns, especially if we are talking about the, you \nknow, obviously the Federal Government with our appropriations \nbills if we are going to go to cloud computing is where these \nservers are placed in other countries, perhaps, if there are \nany risks to that? But just more generally, what are the risks? \nHow do we do all that we can to maintain both the--like I said, \nthe physical security of the servers and also, then, the data \nsecurity?\n    Mr. Capellas. Okay. We are going to tag team this right \ndown the row.\n    Mr. Lipinski. All right. Very good.\n    Mr. Capellas. Very highly logical, we are simply going to \ngo from right to left as we sit.\n    I will start off at kind of 100,000 feet. So the first one \nis the question of cybersecurity and I know there has been, you \nknow, multiple testimonies which I diligently read last night. \nThe problem is enormous. The threats are now extremely \nsophisticated. We are no longer thinking about, you know, the \nguy in the garage but, you know, some of the most advanced \nminds in computer science and engineering in terms of very \nsystemic threats. So one, it is real.\n    The second is to realize that because we never built the \noriginal systems as they sit, don't think that by moving to \nanother system or the cloud that it inherently says that what \nwe have is fail proof because it is not. Every single security \nbreaks at one point. The science of security says that you have \ndata moving in three pieces in a system: one, data at rest \nwhere is it physically stored and is being used or the data \nis--think of it the data on your PC has records into it. The \nsecond one is called data in motion when the data is moving on \na network, which is actually quite secure because we can \nanalyze that network, we can see its patterns, we can see \ntrends, we can analyze it.\n    The third one when it is in use by an application or \nserver, in which case that server is under control. 
The real \nrisk to security is data that is at rest when it is sitting \nthere. The second big risk--and this will happen and a \nprediction will be is that we will have a major disruption to \nthe Internet over the next 18 months is not particularly bold.\n    So the question is, when you think about a cloud, is it \nmore or less secure? So the security answer says that you have \nto have an end-to-end view of how you think of all pieces with \nreally the emphasis on how the data is sitting when it is at \nrest. And the second one is how do you mitigate interruption? A \ncloud by its definition says I am using resources. And as those \nresources are consumed, if I have a node or a computer that \ngoes down, I can shift it to another one, isolate that node, \nand shut it down. You cannot do that in the convention.\n    So theory number one is the cloud itself, by being able to \nutilize different resources really mitigates the risk that you \ntake your whole network down. Pretty simple answer. If I have \ngot four people sharing the workload, I lose one, the other \nthree pick it up. If I got one person doing the work and he \ngets hurt, I am dead. All right? So the theory of the cloud \nsays allocation of resources. So properly designed, denial of \nservice is less risk.\n    The second point, then, is data at rest. I can tell you \nright now having data centrally stored in a physical location \nunder control of all of the analytical tools is much less risky \nthan having data spread over many machines or PCs or small \nservers which are open to a network because it will always \nbreak. And you understand how attacks happen. You know, you \nprobe the network to find the weakest link. Once you find the \nweakest link, you enter there.\n    So the basic premise I would have is we have an enormous \nproblem, networks break at their weakest link and attack data \nat rest. 
The cloud, when properly designed, allows you to \noffset the denial of service by being able to distribute the \nworkload and secondarily the central storage of data is in its \nessence far more reliable again when properly--and so I think \nthe answer is how do we use the cloud to make it more secure, \nnot less secure?\n    Dr. Reed. So I think one of the things that is important to \nremember is that nothing in this world is absolute and it is \nall about assessing risks and benefits. And I think the cloud \nis no exception.\n    I think one corollary of that is we tend to equate through \nmost of our lives location with security and that is a piece of \nthe story, for sure, but it is by no means the only piece of \nthe story. What it really means with any important asset--and \nclouds are no exception--is that one really thinks about a \nmultifactor protection mechanism. There are certainly physical \nsecurity issues that have analogs in our traditional approach \nto protecting things to physical security around a data center, \nthe vetting of the people who manage and operate the data \ncenter for their reliability and trust. Then there is a whole \nset of best practices and operational mechanisms that one uses \nto manage that. And of course there are legal recourse that \nultimately comes into play when there are data breaches.\n    There is a perpetual cat-and-mouse game in the computing \nbusiness between the attackers and the protectors. And what \nthat means is we have to continually advance the state of the \nart. And that means Microsoft--and I know I speak for my \ncolleagues here--we are continuing to invest in advancing the \nstate of that technology. 
But it is a nuanced and complicated \nissue.\n    I would suggest one concrete thing to consider which is an \nissue that the Cloud Commission Report mentioned explicitly and \nthat is a need to revise some of our data breach laws because \nright now it is somewhat difficult to distinguish between the \nbreach of an individual account and the possibility of breaches \nof many more of those. And they are fundamentally treated in \nvery similar ways, and that means that it is very difficult to \ntake sometimes the kind of concerted legal action between the \nprivate sector and government to deal with malicious behavior \nwhen it does occur.\n    But it is a multifactor problem. Like all things, there is \nno silver bullet. It is a vigilance and continuing to advance \nand multifactor approach.\n    Mr. Combs. Thank you for your question.\n    I started my career 28 years ago at NSA working on \nencryption systems, so security is something I have always been \ncritically interested in my entire career. Today--as I stated \nin my testimony, today's security architectures are--most of \nthem are based around point security products. We have to move \nto a secure ecosystem. In any secure environment, you have the \nidentities, those people and processes that you either want to \ngive access to or deny access to your resources.\n    At the other end of the spectrum you have the data. That \ndata must either be available or restricted, however an \norganization's security policies exist. In between those two \nenvironments, you still have the brick-and-mortar. You have the \napplications, the networks, the storage, the servers. We have \nto have a way of applying consistent security policy across the \ntechnology stack. That is what we have to do to implement \nsecurity in the cloud.\n    And it is the secure ecosystem. It is moving the things in \nidentities, right, the physical protection of the environment \nto a risk-based authentication. 
Why is an engineer going to the \nfinancial resources of a company? They shouldn't be going \nthere. Look at the patterns of the users of the information and \nthen you need to flag it or restrict access to it. Technology \nexists to do that today.\n    Data loss prevention capabilities, right, they can be \nrapidly--they are widely adapted in the commercial world. If \nyou have ever had to put your--back to identification, if you \never had to put your ZIP code in the gas station, you are using \nadaptive authentication. It is widely deployed. You can use \nthat within the government on your own policies to provide \naccess.\n    And then restrict the information going out. The \nintelligence analyst, Bradley Manning in Iraq, right, had \naccess, had the appropriate access to the environments and had \nappropriate right to go look at a cable, but there is no reason \nhe should have downloaded 250,000 cables, right, to his CD-ROM. \nYou can set policies around the data to prevent that. And in \nthe absence of a policy, set a standard policy.\n    These capabilities exist and we look forward to working \nwith the government to implement them.\n    Mr. Lipinski. Thank you.\n    Chairman Quayle. Thank you, Mr. Lipinski.\n    The Chair now recognizes the gentleman from Illinois, Mr. \nHultgren, for five minutes.\n    Mr. Hultgren. Thank you, Mr. Chairman. Thank you all for \nbeing here, too. I apologize. I have a couple of committees \nmeeting at the same time so I am a little bit late here.\n    So I do know you have addressed some of my questions, but I \nwould like to ask and get your thoughts on this. I know on \nMonday morning's Politico this week, the President of \nInformation Technology Industry Council, Dean Garfield, was \nquoted, ``There are certain things Congress can do to help \ncloud computing and there are certain things they should not do \nat all.'' I would just ask if you could talk a little bit more \nof what are the things we should be doing? 
And I think you have \ntouched on that a little bit with Chairman Hall's question and \nalso Congressman Lipinski's question but maybe even more \nfocused. What shouldn't we be doing? I mean where could we \nactually do more harm than good, which I think can happen here \nsometimes. So I would just appreciate thoughts you might have \non that.\n    Mr. Capellas. So I think what Congress--I am not sure what \nI am--to tell you what you shouldn't do but I will try to be \nproactive on it. The first one foremost is I think that there \nis a policy around the acquisition and how dollars are spent \nrelative to it. And those tend to come up with each agency \nmeasuring a single point of unit like I was talking about \nbefore, you know, one computer, one PC. So somehow relaxing \nwhere there could be more cost collaboration relative to how \nmoney is spent. For example, you take four agencies together \nand create one cloud that is secure and private is better than \neach one doing differently and recognizing that perhaps that \ninvestment will be done in a way that is different from the \nnormal. And I can't tell you how many times we get involved \nwith very meaningful projects that have ROI only to get caught \nup in the actual procurement.\n    I do want to acknowledge the work of the GSA, which has \nbeen extraordinary in terms of moving in a fast way, and I \ndon't do that just because he is my colleague because it is \nvery real.\n    The second one that I would say is--and there has not been \nvery many references to NIST--standardization is the key. All \nright. Now, obviously this group is probably not going to sit \naround and determine, you know, what the technical standards of \nfeeds and speeds are, but to continue the promotion of \nstandards, there was one that we addressed on, you know, the \ncloud is so much about trust and that trust is the end user. 
\nAnd we make several recommendations about what policies can be \ndone relative to trust won by other governments trusting so \nthat we can have global clouds, and the second one was already \nreferred to as--when we know we have a breach and it is done, \nboth companies should be required to have transparency in what \nthey report, but there has to be some teeth in the law that \nallows them to go after the people who are really the bad guys.\n    And so if I had to sort of summarize standards, acquisition \npolicy, cross-border, and finally put some teeth into the laws \nthat are required to enable that we have trust.\n    Mr. Hultgren. Any others have thoughts of what we should be \ndoing or, again, what we shouldn't be doing? And we need to \nhear from you what we shouldn't be doing and, you know, so I \ndon't ever want you to feel like you can't tell us what we \nshould stay away from because I think we need to hear that as \nwell if there are places where we can meddle that I think we \ncan cause more trouble.\n    Mr. Capellas. Can I add one more?\n    Mr. Hultgren. Absolutely.\n    Mr. Capellas. I would also encourage you to read the \nreport. Seventy-one companies, hours and hours of testimony, I \nhave been doing this a long time like my colleagues. I have \nrarely seen people put their personal companies' interest aside \nand sort of come up with a report that is meaningful. Of \ncourse, I was the Co-Chair, so what am I going to say. But I do \nencourage you. It is an enormous amount of work by some of the \nbrightest minds, and I do encourage you to read it.\n    Mr. Hultgren. We will.\n    Dr. McClure. If I can add as the government witness here, I \nthink what you could really do to help tremendously is to tie \nthis cloud agenda to improving the performance of government, \nsaving money, improving service delivery. Those are the things \nthat I think the American public really cares about. 
It is not \nabout how many virtualized servers do we have sitting in data \ncenters? I would agree with Michael the other push--the other \ntwo pushes are in the standards area, not the long-term \ndecades-long standards approach but the more aggressive fast-\npaced approach that NIST is adopting in this area.\n    And the third thing is in a time when we are--we know we \nare under fiscal constraint and budgets are certainly going to \nbe reduced, we must recognize that innovation still has to take \nplace. And in many agencies, it is about allowing investment to \nactually get these capabilities in place. While it requires \nspending long-term, we are going to gain from it. So we can't \nlose sight of that either.\n    Dr. Reed. I might add one last thing which is something I \nbriefly mentioned in my opening remarks. In cloud computing, \nthere is no doubt that the United States is the world leader \nright now. It is ours to lose in the future. And there is a \nmajor transformation taking place in the computing industry. It \nseems like they happen every other week, but this is a major, \nmajor one that will change lots of the ways that we think about \nnot only the consumer side but the production side of \ncomputing. And so the first do-no-harm rule I absolutely \nbelieve because in these competitive times, it is important \nthat we maintain that preeminence.\n    Mr. Hultgren. Great. Thank you very much. My time has \nexpired. I yield back. Thank you, Chairman.\n    Chairman Quayle. Thank you, Mr. Hultgren.\n    We will now move into the last round of questioning, and I \nwill recognize myself.\n    And Mr. Combs, this is actually a good segue from the last \nquestion, but how does the fundamental architecture of cloud \ncomputing influence the type of standards that are necessary? \nAnd then also when do you think that the standards should \nactually be put into place so that it wouldn't actually thwart \nany sort of innovation within the cloud? 
Because that would be \nthe--really the last thing that we need. And then maybe touch \nbriefly on some of the standards within the cloud that could be \nharmful in terms of actually being barriers to entry for \ntrade. And so how would we deal with all of those to make sure \nthat we are not affecting trade, affecting innovation, but \nstill coming up with the proper standards so that the cloud can \nbe what it can be?\n    Mr. Combs. Well, one of the biggest problems, right, is \ninteroperability and data portability around clouds. One of the \nconcerns about the government is being able--is getting vendor \nlock-in, right? So one of the reasons that EMC is a full \nsupporter of open-based standards, we think that any technology \nthat is implemented into a cloud environment should be based on \nopen architectures. How do you connect to storage in the cloud? \nSimple SOAP and REST protocols exist to be able to access data \nanywhere in the cloud. If you enforce those, you create \ninnovation. Industry is going to bring this innovation. The \ngovernment is not going to develop it. So--but enforcing the \nopen standards and not getting into proprietary stacks is \nprobably the best way to continue evolution.\n    I think Dr. McClure might be able to add a little bit there \nas well.\n    Dr. McClure. You know, I agree, I think open architectures \nare absolutely key and I do believe that there are actually \nstandard protocols that exist, SOAP, otherwise, that are easily \nworkable into cloud environments. We have an enormous amount of \nwork being done by NIST and industry partners to aggressively \ntake a lot of existing standards and begin to move them into \nthis environment rather than recreating whole new sets of \nstandards, which is what we don't want to do to slow this down. \nSo again, the aggressive approach that NIST is taking I think \nis the right way. 
Use case demonstrates standards viability and \nallow market solutions to adapt to them as fast as we can.\n    Chairman Quayle. Great, thank you. I now recognize Mr. \nLujan for five minutes.\n    Mr. Lujan. Thank you, Mr. Chairman.\n    Mr. Combs, even though it is your position that government \nwon't develop the innovation, what happens if you don't have \ngovernment as a client?\n    Mr. Combs. What happens if we don't have government as a \nclient? Well, I think----\n    Mr. Lujan. Will cloud computing advance and make the \nadvances that we are seeing now, will we reap the full benefits \nof what this could potentially be sooner rather than later?\n    Mr. Combs. Well, as I testified last year before the \nGovernment and Oversight Committee, if you put something out in \nthe public cloud today, in my opinion, the risk is too high for \nsensitive government data to go there. I think we have proven \nit doesn't take a security or a cloud expert to pick up the \nWashington Post and see the number of companies that have been \nbreached, right? So I think there is always going to be a \nmarket for the Federal Government to maintain the sensitive \ndata within private clouds in their organizations. So I think \nthere will always be a marketplace.\n    I think Microsoft has been very successful in standing up a \nprivate cloud to support the Federal Government, right? I think \nyou will continue to see organizations stand up these \ncapabilities to protect the sensitive nature of the data in the \nfederal marketplace.\n    Mr. Lujan. So a federal client is critical to the \ndevelopment of cloud or the future of cloud or it is an \nimportant customer?\n    Mr. Combs. I think it is an important customer to continue \nto evolve the security required to meet what is called multi-\ntenancy in cloud. I think it is very easy to have community \nclouds--we will say--give the Department of Defense----\n    Mr. Lujan. Um-hum.\n    Mr. Combs. 
--and the intelligence community or civil \nagencies, the FBI, law enforcement community. It is very easy \nto set multi-tenant security boundaries around similar types of \ndata. But what I want to put--do you think Coca-Cola and Pepsi \nis going to have their intellectual property on the same cloud? \nIt is probably not going to happen. So there is just this \nsensitive data in the commercial world that exists as there is \nin the Federal Government.\n    Mr. Lujan. Absolutely.\n    Mr. Combs. But the Federal Government will help drive the \nsecurity around protecting information in the cloud.\n    Mr. Lujan. I appreciate that.\n    Dr. McClure, in your testimony you note that the \ncontinuation of GSA's cloud computing cost savings is dependent \non fiscal year 2012 E-Gov Fund budget levels. Can you tell us \nwhat the fiscal year 2012 budget level request included for the \nE-Gov Fund and how that compares to funding levels currently \nproposed in the House and the Senate?\n    Dr. McClure. Absolutely. And I am glad you are bringing it \nup. The E-Gov Fund has been the instrument by which the Federal \nGovernment over the last 3 fiscal years has fueled innovation \nlike cloud computing. GSA has been the steward of a lot of \nmonies and actually uses E-Gov funds to run the Cloud Computing \nProgram Management Office, to produce the FedRAMP program and \nactually help and assist OMB in the data center consolidation \nanalysis and produce things like the total cost model that the \nagencies are using now.\n    The requested funding in '12 was for $34 million. The House \nmark came in at 15.8 million, which is a little bit less than a \nhalf, 50 percent reduction in that fund, and the Senate mark \ncame in at 7.4, which is only a fifth of the money. When anyone \ngets less money than being requested, something has got to \ngive. 
So that is our challenge I think is we are trying to use \nthis fund to fuel innovation, to do cross-agency government-\nwide work, not single-agency work. This is not GSA money. And \nif we reduce the funding levels down to those levels, you will \nhave essentially what I could equate to as O&M work going on on \nexisting projects rather than fueling new creative ways to save \nmoney for the government.\n    Mr. Lujan. I appreciate that, Dr. McClure.\n    And Mr. Chairman, I hope that is an area that we might be \nable to work together with colleagues on both sides of the \naisle is if we talk about the importance of this, what it means \nto business, cost savings all around, and also the taxpayers \nthat this is a place important for investment.\n    The last line of questioning that I have, and I may only \nget to hear one answer and I will submit it to all of you for a \nresponse--and maybe I will just start with you, Mr. Capellas, \nis you stated that the physical underlying infrastructure is \nnot important necessarily to the consumer, and I can appreciate \nthat from the end consumer, but from a security perspective, I \nhave a question around that that I would suggest that we should \ncare where the components are. And what I am getting to is, \none, would there be anyone that disagrees that we have enough \ndomestic real estate associated with data server facilities to \nhouse our data centers? And two, shouldn't we be looking to \nincrease our capacity with domestic data centers on U.S. soil, \nespecially as we talk about the security of U.S. information?\n    Mr. Capellas. So the first one is the--I think what is \nimportant is that the user shouldn't have to know or care where \nit is----\n    Mr. Lujan. Um-hum.\n    Mr. Capellas. --right? So that is--in terms of use----\n    Mr. Lujan. I appreciate that.\n    Mr. Capellas. From a security point of view, do we have \nenough real estate? We certainly have plenty of real estate. 
\nThe question that we have as we start to develop these clouds \nis we have to understand that there are going to be some \nworkloads--and that is how the cloud starts to think about what \ntasks are you trying to do on a workload--where it is not going \nto be relevant to where the data resides. I simply--I want a \nbrowser that I want to look at some price catalog. And I think \nwe have to be sensitive and take a leadership point of view \naround the globe and so it says some workloads are going to \nreside in different places and we need to be savvy enough to \nsay that those different workloads are going to be in different \nplaces. Other workloads are going to be critical to our \nnational security, and those workloads need to take place in \nsecure ways and secure places we know. And I think it is to \nhaving the wisdom to know which goes in which place that where \nwe can share it globally, where we must lead and have it \nlocally, and to know the difference between the two, because if \nwe get too rigid on either side, then I think that is when we \nstart to break down and we create mistrust.\n    One of the things that the report does call out is we need \nto be cautious that if we get overly sensitive to not being \nable to want to have some global distribution that countries \naround the world will cease to have confidence in us, \nparticularly relevant to some of the nature of some of the laws \nwe have on the books today relevant to how data is viewed by \nlaw enforcement.\n    So I will summarize. It is--we have plenty of real estate. \nA little of what my colleague Dr. Reed said is it is ours to \nlose. We need to think about the workloads and be sensitive to \nwhere global workloads are fine but to make sure that for those \nworkloads that we really care about, that we do take the \nleadership in the United States and drive it here.\n    Mr. Lujan. I appreciate it.\n    Thank you, Mr. Chairman.\n    Chairman Quayle. Thank you, Mr. 
Lujan.\n    I would like to thank the witnesses for their valuable \ntestimony and the Members for their questions. The Members of \nthe Subcommittee may have additional questions for the \nwitnesses, and we will ask you to respond to those in writing. \nThe record will remain open for two weeks for additional \ncomments and statements from Members. The witnesses are \nexcused. Thank you all for coming. This hearing is now \nadjourned.\n    [Whereupon, at 11:15 a.m., the Subcommittee was adjourned.]\n                               Appendix I\n\n                              ----------                              \n\n\n                   Answers to Post-Hearing Questions\n\n\nResponses by Mr. Michael D. Capellas, Chairman and CEO,\nVirtual Computing Environment Company\n\nQuestions submitted by Chairman Ben Quayle\n\nQ1.  What steps can the U.S. government take to make sure other \ngovernments don't implement cloud computing standards that advantage \ntheir own domestic industries and serve as barriers to free trade.\n\nA1. The U.S. should examine its own policies to ensure that U.S. \ncompanies or companies with U.S. influence and/or jurisdiction are not \nsubject to U.S. based policies that serve as a barrier to their own \nsuccess. In general, the U.S. government should encourage free trade \nand adopt international security and privacy frameworks rather than \ncreating a standalone U.S. framework that can be positioned against \nU.S. owned or partially owned industries. As an example, the Patriot is \nalready being publicly targeted by EU entities to promote EU cloud \ncomputing offerings. At least one EU company has publicly discussed a \ncloud offering where they will guarantee that data will not reside in \nthe US, enter into infrastructure owned by U.S. entities or be subject \nto U.S. government confiscation. The U.S. 
should seek to influence and \nadopt existing international frameworks rather than creating a distinct \nframework for the U.S.\n\nQuestions submitted by Representative Ben Lujan\n\nQ1.  What does the federal government need to do to ensure the security \nand privacy of a person or organization's information is protected?\n\nA1. The industry should develop a service catalog (or service catalogs) \nfor various categories of information, using industry standard language \nand metrics. Where the information is permitted to reside is based upon \nthe categorization of data, the level of secureness of the data, and \nthe policies associated with the service providers in the host nations. \nPolicies should not overly restrict data based upon location. It is \nmore important to ensure appropriate data security measures (advanced \nencryption, etc.) are applied to sensitive data.\n\nQ2.  Why is strong identity management so important to accelerating the \nadoption of Cloud computing?\n\nA2. In order for cloud computing to be successful and deliver the full \nbenefits envisioned, it needs to be trusted and it needs to be secure. \nOne of the most significant threats to infrastructure today is \nrepresented by identity theft, where hackers and evildoers gain access \nto information by pretending to be something they are not. In order to \nminimize the threat of identity theft, whether it be person or machine \ncredentials, strong authentication and access controls are required. \nMeasures like dual factor authentication can ensure that a user or \nentity is who they say they are, and that they have access rights to \nthe information they are trying to access.\n\nQuestions submitted by Representative Randy Neugebauer\n\nQ1.  What is the industry doing to establish best practices to protect \nand secure users' data and privacy rights? If standards are adopted how \ncan we give them enough flexibility to allow the industry to evolve?\n\nA1. 
The industry recognizes the potential for cloud computing to \nprovide a more secure and easily protected model for computing than \nwhat exists today. Security threats are constantly evolving and as a \nresult, the state of the art in security also evolves rapidly. The \ngovernment should allow the market to evolve and advance security \nmeasures with minimal involvement. Government should refrain from \nimposing any security requirements on industry, recognizing that not \nall data has strict security requirements. The government should focus \nefforts on being aggressive in requiring industry to both report on \ntheir security provisions and, more importantly, to quickly disclose \nany security breaches. Having to disclose security breaches is the best \nway to protect other users, encourage providers to adopt the best \nsecurity they can, and compete in the market based upon track record.\n\nQ2.  How quickly have industries and businesses converted to cloud \nservices? What factors might be inhibiting large scale moves away from \ntraditional IT services to cloud services?\n\nA2. Industry is moving very quickly to cloud, and the march is \ninevitable. Barriers are largely centered around organizational inertia \nand internal turf resistance. Cloud computing requires transformation \nof technology, people and processes. While transformation presents \nimmense opportunity, it can also be perceived as a threat by those who \nresist change of any kind. In many cases, running a vastly more \nefficient and responsive IT organization means having less headcount \nand less budget and is therefore seen as a step backward in authority \nor standing. As cloud gains more traction, organizations that are slow \nto move to cloud will be at a competitive disadvantage, and this will \nserve to dissolve existing barriers.\nResponses by Dr. Daniel A. 
Reed, Corporate Vice President,\nMicrosoft Corporation's Technology Policy Group\n\nQuestions submitted by Chairman Ben Quayle\n\nQ1.  What steps can the U.S. Government take internationally to ensure \nthat other countries do not implement cloud computing standards that \nadvantage their own domestic industries and serve as barriers to free \ntrade?\n\nA1. There are two important things that the U.S. government can \ncontinue to do internationally to ensure that other countries do not \nimplement cloud computing standards that advantage their own domestic \nindustries and serve as barriers to free trade. First, the U.S. \ngovernment can monitor other nations' promulgation of national \nstandards and other technical measures and, via the U.S. Trade \nRepresentative, can express concerns if such standards appear to \nviolate World Trade Organization rules or to be designed to benefit \nunfairly a nation's indigenous industries. The second, related, step \nthe U.S. government can take is to lead by example. The government can, \nwhen considering its use of cloud services and associated standards, \nengage in the sort of behavior that it hopes to see in other nations. \nThis includes recognizing the diversity of data and services that could \nmove to the cloud and deploying standards and requirements in ways that \nallow federal agencies to access a variety of options to meet the \nperformance, security, and other needs of specific deployments. This \ncan be complemented by U.S. companies' participation in international \nactivities related to standards and best practices, with the support of \ngovernment expertise such as from the National Institute of Standards \nand Technology.\n\nQ2.  It is important to let new business models like cloud computing \nflourish, yet at the same time we cannot allow unscrupulous actors to use \nnew technologies for infringement. 
Do you believe that Congress should \nact in this area to address criminal and infringing behavior as applied \nto cloud computing? If so, what steps or actions would you \nrecommend?\n\nA2. Cloud computing is a major technology inflection point with far-\nreaching effects on the capabilities and empowerment of businesses, \ngovernments, scientists, and individuals, and significant economic and \ncompetitive benefits for the U.S. In addition, some individuals with \nthe intent to defraud or infringe will seek to exploit the cloud. As \nnew concerns with new forms of infringement arise, Microsoft believes \nthat Congress should respond not by focusing on any specific technology \n(such as cloud computing) but rather by examining whether existing laws \nare adequate to address evolving forms of infringing behavior. \nSimilarly, for criminal behavior related to cloud computing, the focus \nshould be on examining evolving forms of attacks on computer systems \nand networks, including cloud computing services, and updating and \nstrengthening criminal laws against those responsible, as noted in the \nCLOUD\\2\\ Commission report, Recommendation 3.\n\nQ3.  In your response to Mr. Hultgren's question about which actions \nthe government should not be taking in the cloud computing enterprise, \nyou stated that you believe in the ``first do-no-harm rule.'' Can you \nprovide examples of government cloud computing actions that could \npotentially be harmful? Are there any specific principles government \nshould follow when determining whether action is appropriate?\n\nA3. Some of the policy challenges created by the cloud relate to the \nexponential rate of change we are seeing in our technological \ncapabilities. This pace can conflict with the pace at which government \nand society can evaluate the implications of the deployment of these \nnew technologies. 
The best approach in such times is to establish \npolicy goals and a flexible framework for achieving them, and to avoid \nfocus on specific technological approaches that could chill innovation \nor quickly become outmoded.\n    A specific example of flexibility that the U.S. government should \nembrace related to cloud computing can be seen in the above answer to \nRep. Quayle's first question. Imposing overly constraining requirements \nor standards around all possible U.S. government uses of cloud could \nhave a chilling effect on other nations' openness to cloud deployment, \nwhile nuanced approaches by the U.S. that recognize the different needs \nof various types of cloud applications would set a positive example for \nothers.\n\nQuestions submitted by Representative Ben Lujan\n\nQ1.  Security and privacy are often cited as concerns for cloud \ncomputing. Specifically, there is concern about the transnational flow \nof data and the possibility that confidential or proprietary \ninformation might be hosted in a data center located in a foreign \ncountry. What does the federal government need to do to ensure that the \nsecurity and privacy of an individual or organization's information is \nprotected?\n\nA1. Security is a multifactor challenge. The physical location of a \ndata center (and the steps taken to provide security for its physical \nplant) is only one component of many that help control access to data. \nIndividuals and organizations need to understand the nature of the \nvarious types of data they handle and what their expectations are for \nits access and control before developing requirements for where it will \nbe stored and processed. Decisions about the geolocation of data will \nhave implications not only in terms of security, but also in terms of \nefficiency, redundancy, cost, and resiliency.\n    One potential role for the federal government in this space is to \nlead by example. 
Agencies can, when evaluating their potential use of \ncloud services, recognize the different types of data they hold and \ndeploy targeted security and privacy requirements for different classes \nof information and applications. The government can also, in assessing \nsecurity, recognize that it is critical to focus on how data is \nsecured--i.e., are there adequate processes in place to protect the \ndata against an evolving threat landscape. In the context of this \nevolving landscape, it can also continue to support basic research in \ncybersecurity, as new defenses and approaches will be needed in the \nfuture.\n\nQuestions submitted by Representative Randy Neugebauer\n\nQ1.  What is the industry doing to collaborate or establish best \npractices that will ensure that users' data will be secure in the cloud \nand privacy rights will be protected? Are there any areas which require \nCongressional direction to ensure a high level of safety in this \nregard? If standards are adopted, how can we ensure that they give \nenough flexibility to allow the industry and the technology to evolve?\n\nA1. Microsoft and other companies are engaged in a variety of \nactivities related to best practices around security and privacy. One \nexample, in which Microsoft is a participant, is the Software Assurance \nForum for Excellence in Code (SAFECode), a global, industry-led effort \nto identify and promote best practices for delivering more secure and \nreliable software, hardware, and services. Another is the privacy, \nconfidentiality, and compliance framework for data governance that \nMicrosoft has developed and publicly released so it can be adopted and \nimplemented by organizations of all sizes.\n    In thinking about Congressional action, it is important to \nrecognize that consumer expectations regarding online privacy are \ncontinually evolving as the technology evolves. 
For this reason, and to \nallow companies the flexibility to innovate, Congress needs to be very \ncareful when considering legislation related to privacy and security. \nHowever, there are two areas with regard to online privacy where \nMicrosoft has supported the idea of federal legislation. One is a \ncomprehensive federal privacy law; and more information on Microsoft's \nview on the policy context for such a law is at http://\ngo.microsoft.com/?linkid=9768689. The second is the updating of the 25-\nyear-old Electronic Communications Privacy Act to maintain a balance \nbetween the privacy expectations of users and the needs of law \nenforcement in a way that reflects how people use information \ntechnology, including the cloud, today. In this area, Microsoft is a \nmember of the Digital Due Process Coalition (http://\ndigitaldueprocess.org/).\n\nQ2.  In a broad sense, how quickly have industries and businesses \nconverted to cloud computing services? What factors, if any, might be \ninhibiting large scale departure from traditionally internal IT \nservices to cloud computing services to save on overhead costs?\n\nA2. Many industries and businesses have embraced cloud services. A \nparticular niche that innately appreciates the value of cloud is start-\nup technology businesses, which value the inherent flexibility of \ncloud--the ability to scale up or down their information technology \nresources depending on demand or current business phase, and the \nability to shift expenses from up-front costs to purchase information \ntechnology hardware to pay-as-you-go-only-for-what-you-use models. In \ngeneral, many industries and government are moving forward with cloud \nservices. In some cases, they are replacing existing information \ntechnology systems with capabilities that are similar but are deployed \nusing the cloud (e.g. email). In other cases, they are exploring how \ncloud actually will provide new capabilities and opportunities, e.g. 
\nfor global, multi-party and neutral collaborations, or for flexible and \nrapid exploration of new products and services by existing businesses. \nWhile these latter applications may be emerging more slowly, they will \nhave a significant impact on many sectors and on our economy as a \nwhole.\nResponses by Mr. Nick Combs, Federal Chief Technology Officer, EMC \n        Corporation\n\nQuestions submitted by Chairman Ben Quayle\n\nQ1.  What steps can the U.S. Government take internationally to ensure \nthat other countries do not implement cloud computing standards that \nadvantage their own domestic industries and serve as barriers to free \ntrade?\n\nA1. It is important for the U.S. Government to advocate for alignment \nof cloud computing standards (in areas such as interoperability, \nmobility and security) that align with current and evolving global \nindustry standards. The U.S. Government should also push back on \ncountries that try to impose domestic or indigenous standards in bi-\nlateral and multi-lateral trade negotiations. For example, there are \nefforts by some countries to advance specific information security or \nencryption requirements that could deter the adoption of cloud \ncomputing infrastructure and services provided by multi-national \ncorporations in those markets. In addition, it is important for the \nU.S. government and other governments internationally to resist \nmandates or laws that would require a specific cloud deployment model. \nThe U.S. Trade Representatives and the U.S. Department of Commerce can \ncontinue to play important roles in advancing effective policies in \nthese areas internationally.\n\nQuestions submitted by Representative Ben Lujan\n\n\nQ1.  Security and privacy are often cited as concerns for cloud \ncomputing. Specifically, there is concern about the transnational flow \nof data and the possibility that confidential or proprietary \ninformation might be hosted in a data center located in a foreign \ncountry. 
What does the federal government need to do to ensure that the \nsecurity and privacy of an individual or organization's information is \nprotected?\n\nA1. When implemented correctly, cloud environments can be much more \nsecure than today's IT environments. The level of transparency cloud \nvendors provide is a critical aspect when choosing a cloud partner. Via \nthe regular procurement and contractual process, U.S. federal agencies \nshould take a trust-but-verify approach. Cloud vendors should be \nrequired to provide the tools and capabilities to allow customers \nvisibility into their cloud environments to ensure compliance with \nthose SLAs. SLAs should be clearly defined and monitored by government \ncustomers to ensure maximum service value is received for budget \ndollars spent. For instance, SLAs in areas of performance, \navailability, backup and recovery, archive, continuance of operation, \nand disaster recovery must be clearly stated, measured, and monitored \nby the government agencies. Additionally, government risk and \ncompliance capabilities need to be deployed and dashboards provided to \nthe customer to ensure that our information is protected and the \npolicies are being followed.\n\nQuestions submitted by Representative Randy Neugebauer\n\nQ1.  What is the industry doing to collaborate or establish best \npractices that will ensure that users' data will be secure in the cloud \nand privacy rights will be protected? Are there any areas which require \nCongressional direction to ensure a high level of safety in this \nregard? If standards are adopted, how can we ensure that they give \nenough flexibility to allow the industry and the technology to evolve?\n\nA1. Best practices such as risk-based authentication should also be \nimplemented in cloud environments and we think that that approach fits \nwell within the President's National Strategy for Trusted Identities in \nCyberspace (NSTIC) which was released earlier this year. 
This important \neffort, which is being coordinated by the NSTIC Office at NIST in \ncollaboration with the private sector, should be supported by the U.S. \nCongress.\n    NIST has played an instrumental role in the development of the \nAuthorization Management Program (FedRAMP) and NIST Security Content \nAutomation Protocol (SCAP). FedRAMP is a voluntary, General Services \nAdministration (GSA)-led initiative to develop and provide a standard \napproach to assessing and authorizing cloud computing services and \nproducts for use by Federal agencies. The NIST SCAP standard enables \nthe automation of reporting and verifying IT security controls. SCAP \nprovides an effective method to capture, test and continuously monitor \nthese controls.\n    Both of these initiatives are important steps in the transition of \nthe Federal Government from the old FISMA focus on compliance, to \nbetter operational risk management and continuous monitoring under the \nnew FISMA. This process is critical for improving cyber security today \nas well as positioning the federal government to fully utilize the \ntransition to the cloud to help improve cyber security. Congress should \nupdate FISMA.\n    Congress should reduce the regulatory complexity that businesses \nand critical infrastructure organizations have to deal with complying \nwith myriad state data breach disclosure laws in the U.S. In an \nadvanced threat environment, it does not make sense to have \norganizations devoting their resources and focus to complying with 46 \nseparate state laws on breach notification when they need to invest \nmore time and resources in managing operational cyber security risks. \nSimplifying the compliance requirements with a reasonable and uniform \nfederal standard (with preemption of the existing state laws) would \nallow security organizations to focus more on risk management.\n\nQ2.  In a broad sense, how quickly have industries and business \nconverted to cloud computing services? 
What factors, if any, might be \ninhibiting large scale departure from traditionally internal IT \nservices to cloud computing services to save on overhead costs?\n\nA2. A shift to cloud computing is a journey that occurs in phases. \nEMC's own journey to the cloud has provided significant savings and \nefficiency. In both industry and government, we are seeing data center \nconsolidation move forward--with the associated cost savings--in tandem \nwith organizations' transition to cloud infrastructure and services.\nResponses by Dr. David L. McClure, Ph.D., Associate Administrator, \n        Office of\nCitizen Services and Innovative Technologies, General Services \n        Administration\n\nQuestions submitted by Chairman Ben Quayle\n\nQ1.  What steps can the U.S. Government take internationally to ensure \nthat other countries do not implement cloud computing standards that \nadvantage their own domestic industries and serve as barriers to free \ntrade?\n\nA1. The National Institute of Standards and Technology (NIST) has the \nlead federal role in standards setting. NIST is actively encouraging \nthe establishment of international, consensus based standards, which is \none of the primary recommendations of the recently published NIST Cloud \nComputing Roadmap. In fact, the NIST definition of cloud computing was \nthe U.S. contribution to the International Committee for Information \nTechnology Standards (INCITS). International standards are critical to \navoid development of country specific standards that may create \nbarriers to trade. The broad adoption of international standards \nensures a level playing field and fair trading conditions for all \nproducts and services, both in the U.S. and overseas.\n\n    In addition, the Department of Commerce, Department of State, and \nother Federal agencies are working on policies that will ensure that \ndifferences between the U.S. 
approach to data privacy and security, and \nthose of our international partners, do not become barriers to the \nglobal free flow of information. This approach involves the development \nof domestic policy recommendations and engagement with industry and our \ntrading partners.\n\nQuestions submitted by Representative Ben Lujan\n\nQ1.  Security and privacy are often cited as concerns for cloud \ncomputing. Specifically, there is concern about the transnational flow \nof data and the possibility that confidential or proprietary \ninformation might be hosted in a data center located in a foreign \ncountry. What does the federal government need to do to ensure that the \nsecurity and privacy of an individual or organization's information is \nprotected?\n\nA1. The Federal Risk and Authorization Management Program (FedRAMP) has \nbeen established to provide a standard approach to Assessing and \nAuthorizing (A&A) cloud computing services and products. Leveraging a \ncommon security approach and baseline will not only allow for greater \nefficiency, but will ensure the entire Federal Government and Cloud \nService Providers are working together to ensure government and citizen \ninformation stored in the cloud is protected and privacy concerns are \naddressed. Government contracts for cloud computing services and \nsolutions require compliance with the Federal Information Security \nManagement Act of 2002 (FISMA). FISMA establishes a strict set of legal \nrequirements for information security that apply to all federal \ninformation systems, including those implemented through cloud \ncomputing. These requirements and guidelines apply regardless of where \ndata is stored. 
It is essential that federal acquisition professionals \nand contracting officers be knowledgeable in the latest requirements \nand take advantage of common contract language that is helpful to \naddress key issues specific to cloud computing solutions.\n    With respect to privacy, the Federal CIO recently released the \nFedRAMP Memorandum, which indicates that the CIO Council will ``publish \nthe standardized baseline of security controls, privacy controls, and \ncontrols selected for continuous monitoring'' from NIST SP 800-53. See \nMemorandum for Chief Information Officers, Security Authorization of \nInformation Systems in Cloud Computing Environments, Dec. 8, 2011, p 5. \nThe controls at issue are based on existing Federal privacy law. Under \nthis provision, Federal agencies should take steps to ensure that they \nconsider and implement the appropriate controls before releasing \nsensitive or personal information into a cloud solution. The Memorandum \nalso requires previously deployed solutions to meet these requirements \nwithin a fixed period of time, which should mitigate the risks you \nidentified.\n\nQuestions submitted by Representative Randy Neugebauer\n\nQ1.  What is the industry doing to collaborate or establish best \npractices that will ensure that users' data will be secure in the cloud \nand privacy rights will be protected? Are there any areas which require \nCongressional direction to ensure a high level of safety in this \nregard? If standards are adopted, how can we ensure that they give \nenough flexibility to allow the industry and the technology to evolve?\n\nA1. Cloud policies and standards are being developed in collaboration \nwith industry and other stakeholders to ensure acceptable balance of \nrisks and benefits of cloud computing. Congress should continue to \nencourage cloud adoption by ensuring sufficient resources are invested \nin programs such as FedRAMP and Cyberscope. 
The Cloud Security Alliance \nworks with industry and governments across the world regarding best \npractices for cloud security. Their mission statement is: To promote \nthe use of best practices for providing security assurance within Cloud \nComputing, and provide education on the uses of Cloud Computing to help \nsecure all other forms of computing.\n\nQ2.  In a broad sense, how quickly have industries and businesses \nconverted to cloud computing services? What factors, if any, might be \ninhibiting large scale departure from traditionally internal IT \nservices to cloud computing services to save on overhead costs?\n\nA8. Data collected on both industry and public sector movement to cloud \nsolution indicates steady, pervasive interest and broad adoption as an \ninevitable technology market direction. Key barriers and mitigations \nare shown in the table below.\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n                              Appendix II\n\n                              ----------                              \n\n\n             Additional Materials Submitted for the Record\n\n\n\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n\n\n                              <all>\n\n\n\n</pre></body></html>\n"