[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]




                               before the

                       INFRASTRUCTURE PROTECTION,
                       AND SECURITY TECHNOLOGIES

                                 of the

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION


                            OCTOBER 6, 2011


                           Serial No. 112-50


       Printed for the use of the Committee on Homeland Security


      Available via the World Wide Web: http://www.gpo.gov/fdsys/



73-737 PDF                WASHINGTON : 2012
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 


                   Peter T. King, New York, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Daniel E. Lungren, California        Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Michael T. McCaul, Texas             Henry Cuellar, Texas
Gus M. Bilirakis, Florida            Yvette D. Clarke, New York
Paul C. Broun, Georgia               Laura Richardson, California
Candice S. Miller, Michigan          Danny K. Davis, Illinois
Tim Walberg, Michigan                Brian Higgins, New York
Chip Cravaack, Minnesota             Jackie Speier, California
Joe Walsh, Illinois                  Cedric L. Richmond, Louisiana
Patrick Meehan, Pennsylvania         Hansen Clarke, Michigan
Ben Quayle, Arizona                  William R. Keating, Massachusetts
Scott Rigell, Virginia               Kathleen C. Hochul, New York
Billy Long, Missouri                 Janice Hahn, California
Jeff Duncan, South Carolina
Tom Marino, Pennsylvania
Blake Farenthold, Texas
Robert L. Turner, New York
            Michael J. Russell, Staff Director/Chief Counsel
               Kerry Ann Watkins, Senior Policy Director
                    Michael S. Twinchek, Chief Clerk
                I. Lanier Avant, Minority Staff Director



                Daniel E. Lungren, California, Chairman
Michael T. McCaul, Texas             Yvette D. Clarke, New York
Tim Walberg, Michigan, Vice Chair    Laura Richardson, California
Patrick Meehan, Pennsylvania         Cedric L. Richmond, Louisiana
Billy Long, Missouri                 William R. Keating, Massachusetts
Tom Marino, Pennsylvania             Bennie G. Thompson, Mississippi 
Peter T. King, New York (Ex              (Ex Officio)
                    Coley C. O'Brien, Staff Director
                    Alan Carroll, Subcommittee Clerk
        Chris Schepis, Minority Senior Professional Staff Member

                            C O N T E N T S



The Honorable Daniel E. Lungren, a Representative in Congress 
  From the State of California, and Chairman, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Security 
  Technologies...................................................     1
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security..............................................     3

                                Panel I

Mr. Richard Spires, Chief Information Officer, U.S. Department of 
  Homeland Security:
  Oral Statement.................................................     5
  Prepared Statement.............................................     6
Mr. David McClure, Ph.D., Associate Administrator, Office of 
  Citizen Services and Innovative Technologies, U.S. General 
  Services Administration:
  Oral Statement.................................................    12
  Prepared Statement.............................................    14
Mr. Gregory C. Wilshusen, Director of Information Security 
  Issues, Government Accountability Office:
  Oral Statement.................................................    18
  Prepared Statement.............................................    19

                                Panel II

Mr. James W. Sheaffer, President, North American Public Sector, 
  Computer Sciences Corporation:
  Oral Statement.................................................    38
  Prepared Statement.............................................    40
Mr. Timothy Brown, Senior Vice President and Chief Architect for 
  Security, CA Technologies:
  Oral Statement.................................................    43
  Prepared Statement.............................................    45
Mr. James R. Bottum, Vice Provost for Computing and Information 
  Technology and Chief Information Officer, Clemson University:
  Oral Statement.................................................    52
  Prepared Statement.............................................    54
Mr. John Curran, Chief Executive Officer, American Registry of 
  Internet Numbers:
  Oral Statement.................................................    62
  Prepared Statement.............................................    64


Questions From Honorable William Keating For Richard Spires......    73



                       Thursday, October 6, 2011

             U.S. House of Representatives,
                    Committee on Homeland Security,
 Subcommittee on Cybersecurity, Infrastructure Protection, 
                                 and Security Technologies,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:02 a.m., in 
Room 311, Cannon House Office Building, Hon. Daniel E. Lungren 
[Chairman of the subcommittee] presiding.
    Present: Representatives Lungren, Walberg, Marino, Clarke, 
Richardson, Keating, and Thompson.
    Also present: Representative Duncan.
    Mr. Lungren. We have been informed that we are probably 
going to have votes at 8--I mean, at 10:20, or something, and 
then have about four or five votes, and so we will have a delay 
for our hearing for about 45 minutes. So we are going to try 
and get started very quickly, get our opening statements in and 
begin your testimony, and then we will have to break and beg 
your indulgence on that.
    The Committee on Homeland Security Subcommittee on 
Cybersecurity, Infrastructure Protection, and Security 
Technologies will come to order. The subcommittee is meeting 
today to examine the security implications of cloud computing. 
I would recognize myself for an opening statement.
    We welcome our witnesses today and look forward to their 
testimonies regarding cloud computing phenomena. According to 
NIST, cloud computing delivers I.T. services and applications 
to users by enabling ubiquitous, convenient, on-demand network 
access to a shared pool of configurable computing resources.
    Cloud computing enables organizations and individuals to 
access website data and on-line programs without concern about 
the server's physical location, thereby promising cheaper, 
faster, more flexible, more effective information technology. 
Most organizations already utilize some form of cloud 
computing. On-line shopping and banking are prime examples of 
how cloud computing has transformed the way in which companies 
interact with and provide on-line services to customers.
    Improved technologies over the years have increased our 
computing capabilities and reduced costs. This new cloud 
technology also promises greater I.T. capability at reduced 
    The administration has issued a Cloud First policy to 
accelerate the pace at which Government evaluates safe and 
secure cloud computing options before making any new I.T. 
investment. Republican Members of Congress, and I hope our 
Democratic colleagues, are always looking for ways to reduce 
Government spending, so any savings from cloud computing would, 
indeed, be welcome.
    However, in spite of this projected I.T. savings, we cannot 
ignore our responsibility as Members of this Cybersecurity 
Subcommittee to assure that Government information will be 
secure in the cloud. GAO reported last spring that security 
incidents at Government agencies rose 650 percent over the last 
5 years.
    Our concern is the cloud offers--that the cloud offers a 
rich target for hackers, criminals, terrorists, and rogue 
nations. With cyber-espionage affecting every sector of our 
economy, aggregating important information in one location is a 
legitimate security concern. You might say it is a target-rich 
    Security implications cannot be an afterthought. Obviously, 
they need to be considered as cloud technology is being 
developed and deployed.
    Yesterday we Republicans released our House task force 
recommendation for cybersecurity legislation. We intend to work 
with our colleagues on the other side of the aisle because this 
is not a partisan issue; it is one that we need more work on, 
and I do believe there is a bipartisan commitment to provide 
that work. Speaker Boehner has made cybersecurity a top 
priority, and our committee will be a key player in drafting 
House legislation.
    So as we address our numerous cyber vulnerabilities we must 
scrutinize new technologies and their attendant risks to ensure 
that further vulnerabilities will not be created. Cloud 
advocates argue that even sensitive data can be secure in the 
cloud. They argue that the cloud providers have the resources 
to invest at sophisticated security--in sophisticated security 
systems if necessary.
    Different security levels can be designed for the various 
cloud configurations. The private cloud is appropriate for 
classifying the most sensitive of personnel data, we are told. 
Sensitive data can be--can use the hybrid model; nonsensitive 
data can use the public cloud.
    While I.T. savings are important, we cannot ignore the 
information security risk created by cloud technology. 
Assessing those risks responsibly will be critical if cloud 
computing is ever going to be widely accepted.
    The Federal cloud computing strategy is designed to ensure 
the security of Government information and establish a 
transparent security environment between cloud service 
providers and the Federal Government. NIST and the General 
Services Administration have developed the Federal Risk and 
Authorization Management Program, FedRAMP, to facilitate and 
lead the development of standards for security, 
interoperability, and portability.
    The strategy states that the transition to a cloud 
computing environment is an exercise in risk management that 
entails identifying and assessing risk and taking steps to 
reduce it to an acceptable level. We look forward to the 
testimony of Dr. McClure, from GSA, will outline this important 
FedRAMP program.
    Today we intend to examine the benefits and risks of cloud 
computing, and hopefully identify its security implications. I 
look forward to the testimony of all of our witnesses this 
morning regarding this new cloud technology.
    I would now recognize the Ranking Member of the full 
committee, Mr. Thompson, for any statement that he might make.
    Mr. Thompson. Thank you very much, Mr. Chairman. Before I 
begin my statement, let me take off on your comments about the 
Republican caucus' release of its cyber task force 
recommendations yesterday.
    As you know, cyber is an emerging homeland security threat 
that warrants timely bipartisan action from Congress. The 
stakes are high and Federal networks alone have seen a 650-fold 
increase in cyber attacks over the past 5 years.
    As you know, the President has submitted to Congress a 
comprehensive plan, including a legislative proposal. Taking 
your comments that you look forward to a bipartisan effort on 
this issue, I can assure you from our side of this committee, 
we will do just that.
    With respect to this morning's hearing on security 
implications of cloud computing, cloud computing can and does 
mean different things to different people. The National 
Institute of Standards and Technology, NIST, has published a 
definition that provides a starting place for discussing and 
defining security needs, but not everyone agrees with or 
conforms to NIST's definition. So as of today, the Federal 
Government and industry have not reached agreement about how 
uniform rules and standards that should be adopted to secure 
the information in the cloud.
    This is not something that can be left up in the air. While 
I embrace technological progress, I also know that every new 
technology presents great possibilities as well as great 
challenges. In our eagerness to jump on the bandwagon we often 
forget to ask about the destination of the wagon, the cost of 
the journey, and the roads which we will take along the way.
    As we embark on this new journey of migrating information 
to the cloud we must not repeat mistakes of the past. We must 
be about some of the claims that are made.
    For instance, I am told that the cloud will produce cost 
savings and create efficiencies. I am told that these benefits 
will be achieved by eliminating the need for data centers, 
computer hardware, and other public and private sector 
operations that employ thousands of people. I have to ask about 
these displaced people.
    While every new technology creates displacement, it also 
provides opportunities. So we must ask what new opportunities 
will be provided and who will benefit?
    Finally, as cloud computing increases the Federal 
Government's ability to communicate effectively, we must ask 
how to increase the ability to communicate will affect the 
security of Government operations.
    Mr. Chairman, without clear standards and uniform rules we 
cannot begin to evaluate how the security of Government data 
will be affected by cloud computing. Additionally, we must 
remember that cloud computing must be aligned with the Federal 
Information Security Management Act, FISMA.
    Given that the Federal Government currently uses the 
services of external vendors to manage its cloud operations, we 
must ask how these businesses will comply with FISMA 
regulations governing auditing and security requirements. 
Industries cannot effectively compete without understanding the 
potential regulatory environment that will be caused by 
widespread use of cloud computing in the Federal Government.
    Mr. Chairman, there are many questions that must be 
resolved. However, I am certain that our witnesses today will 
be able to shine some light on the cloud.
    I yield back.
    Mr. Lungren. Thank you very much, Ranking Member, for that 
poetic opening statement.
    When the Ranking Member of the subcommittee appears we will 
give her an opportunity to make her opening statement. Other 
Members of the committee are reminded that opening statements 
may be submitted for the record.
    We are pleased to have a very distinguished panel of 
witnesses before us today on this important topic.
    Richard Spires was appointed as the chief information 
officer of the Department of Homeland Security 2009. He has 
extensive knowledge in senior level operations and information 
technology issues through working both the public and the 
private sectors. Previously oversaw I.T. responsibilities for 
the Internal Revenue Service as deputy commissioner for 
operations support, chief information officer and associate 
information officer for business systems modernization 
    Before joining the IRS he served as the president, chief 
operation officer, and director of Mantas, Inc., a software 
product vendor. He also spent more than 16 years at SRA 
International, a systems integration company.
    Dr. David McClure was appointed associate administrator of 
the U.S. General Services Administration's Office of Citizen 
Services and Innovative Technologies in 2009. Dr. McClure most 
recently served as the managing vice president for Gartner, 
Inc.'s government research team.
    Before working at Gartner, Dr. McClure served as vice 
president for e-government and technology at the Council for 
Excellence in Government. He has also had an 18-year career 
with the Government Accountability Office.
    Greg Wilshusen--is that the proper----
    Mr. Wilshusen. Perfect.
    Mr. Lungren. Thank you--is director of information security 
services at the Government Accountability Office. He has spent 
over 28 years of auditing, financial management, and 
information systems prior to this date.
    Prior to joining GAO in 1997, he was the senior systems 
analyst at the Department of Education and served as the 
comptroller for the North Carolina Department of Environment, 
Health, and Natural Resources; and held senior auditing 
positions at Irving Burton Associates, Inc. and the U.S. Army 
Audit Agency.
    Thank you, gentleman, for all being here. We have the rule 
of a 5-minute testimony. We have your written statements; they 
will be included in their totality in the record. We would ask 
you to go in the order in which I introduced you.
    So, Mr. Spires, the Chairman would now recognize you.


    Mr. Spires. Chairman Lungren, Mr. Thompson, and Members of 
the subcommittee, thank you and good morning. Today I will 
discuss the changes cloud computing is having within the 
Government and at the Department of Homeland Security. Also, I 
will discuss how DHS is addressing the security challenges 
associated with cloud computing.
    Simply, cloud computing enables Federal agencies to 
purchase on-demand I.T. services using a consumption-based 
business model. Liken cloud computing to the electric power or 
telecommunications markets: we, as customers, pay for the usage 
of the service itself, whether it be so much per kilowatt-hour 
for electric power or minutes of usage for the use of our cell 
phone. As I.T. matures, many services are becoming commoditized 
and lend themselves to such a usage-based model.
    Cloud computing is truly transforming the I.T. business 
because it does provide significant benefits to customers. The 
cloud provides scalability and rapid deployment, full 
transparency for managing operational costs, and controlling 
and reducing capital expenses.
    Further, cloud computing simplifies the overall 
administration and cost of I.T. infrastructure. Early 
projections for DHS look to yield cost avoidance savings of 8 
to 10 percent once we transition to cloud infrastructure 
    DHS is taking an aggressive approach to the use of cloud 
computing, with 12 DHS offerings either in production, awarded, 
or in the acquisition phase. DHS is currently focused on two 
deployment models: Our private cloud and the use of the public 
    For the DHS private cloud, we manage sensitive information 
within our two enterprise data centers and use our internal 
wide-area network. A few examples of DHS private cloud 
offerings include our Email as a Service, which we expect to 
have more than 100,000 users live by the end of fiscal year 
    SharePoint as a Service will support more than 90,000 users 
by the end of this calendar year. Development and Test as a 
Service provides a development and test environment linked to 
the production environment we enable--to enable successful 
deployment of new applications. We expect to provision new 
servers within 1 business day with this new capability, while 
the legacy model averaged up to 6 months.
    WorkPlace as a Service will provide secure, virtual desktop 
access that seamlessly support mobile devices, to include cell 
phones and tablets. This service will better enable a mobile 
DHS workforce to support telework and continuity of operations.
    We are embracing the use of public cloud services to manage 
nonsensitive information. DHS has successfully deployed Self 
Check in the public cloud, and over the next 2 years will 
consolidate its public-facing websites, like dhs.gov, to the 
public cloud.
    To effectively manage security risks of cloud computing DHS 
is leveraging our private cloud environment to enable services 
to manage sensitive information. The model bolsters information 
security through our defense-in-depth strategy.
    By hosting in the enterprise data centers the DHS private 
cloud can leverage the existing enterprise security controls as 
well as leverage the use of our continuous monitoring 
capabilities and trusted internet connections. By embedding 
enhanced enterprise security controls in our private cloud, DHS 
will provide security assurance exceeding that of our existing 
legacy systems.
    For public clouds there is a visibility gap between the 
provider and customer in which they cannot see into each 
other's management, operational procedures, and technical 
infrastructure. To address security concerns of public cloud 
offerings, this visibility gap must be reduced through a series 
of requirements for contractual reporting and technical 
auditing and continuous monitoring data feeds to verify that 
the provider and customer are meeting their responsibilities.
    The FedRAMP program will help Federal agencies address 
these challenges as they leverage public cloud providers or 
establish their own private cloud. Continued work on the 
information security challenges will increase the defensive 
capabilities of cloud offerings, increasing the assurance level 
and the ability for Federal agencies to use public cloud 
computing for more sensitive information.
    Looking ahead 5 years, the cloud service commodity market 
appears poised to grow exponentially. Federal CIOs must focus 
on preparing departments and agencies to welcome innovation and 
changes in the way we do business. Already, at DHS we are 
seeing reduced time to market for new capabilities, reducing 
our capital expenditures, and gaining transparency into our 
operational expenses, all while providing improved service.
    The benefits of cloud computing far outweigh the 
    Thank you.
    [The prepared statement of Mr. Spires follows:]
                  Prepared Statement of Richard Spires
                            October 6, 2011
    Chairmen Lungren, Ranking Member Clarke, and Members of the 
subcommittee, thank you and good morning. Today, I will discuss the 
changes Cloud Computing is having within the Government and industry 
and how the Department of Homeland Security (DHS) is pursuing this 
capability to enhance mission performance and gain efficiencies in 
Information Technology (IT). This testimony also will provide an 
overview of the current state of cloud computing at the Department of 
Homeland Security, outlining the Department's initiatives to move data 
to the cloud in order to implement the White House's ``Cloud First'' 
policy as specified in the ``Federal Cloud Computing Strategy'' issued 
February 8, 2011, and the ``25 Point Implementation Plan to Reform 
Federal Information Technology Management'' issued December 9, 2010. 
Finally, I will address the IT security challenges associated with 
cloud computing and how DHS is addressing such challenges.
                          moving to the cloud
    First, allow me to explain what cloud computing is and why it is so 
vital. The legacy IT model of separate IT infrastructures for each 
system--both within the Federal Government and industry--must evolve to 
meet the growing customer demands within a budget-constrained 
environment. The traditional model is not well-positioned to reduce 
time to market for new services or provide transparency for operational 
expenses. It also introduces higher risk due to up-front capital 
expenditures. Additionally, customized applications hosted in 
traditional data center environments cannot scale fast enough to 
support urgent demand in real-time. These challenges, in addition to 
potential security vulnerabilities, present a call to action for the 
Federal Government and industry.
    Fortunately, we are experiencing an exciting change within the IT 
industry--the rise of cloud computing. This evolutionary transformation 
is fast replacing the legacy IT model not only within private industry 
but also within the Federal Government.
    The National Institute of Standards and Technology (NIST), an 
agency of the U.S. Department of Commerce, provides the following 
definition of cloud computing in NIST Special Publication 800-145 (NIST 
SP 800-145):

``Cloud computing is as a model for enabling convenient, on-demand 
network access to a shared pool of configurable computing resources 
(e.g., networks, servers, storage, applications, and services) that can 
be rapidly provisioned and released with minimal management effort or 
service provider interaction. This cloud model promotes availability 
and is composed of five essential characteristics, three service 
models, and four deployment models.''

    Cloud computing provides the rapid delivery of computing resources 
inexpensively to multiple users from a centralized source of related 
and unique service offerings that is shared by many customers. To 
provide further context, this model is similar to business models 
deployed in the electric power, cable, or telecommunications markets. 
That is, within this model, customers do not fund up-front costs to 
fully stand up environments, or fund on-going operations and 
maintenance costs. Instead these capital costs are borne by industry, 
while the customer only pays for services received in the consumption-
based model.
    NIST prescribes the following five primary characteristics of cloud 
    1. On-demand self-service.--A consumer can unilaterally provision 
        computing capabilities, such as server time and network 
        storage, as needed automatically without requiring human 
        interaction with each service's provider.
    2. Broad network access.--Capabilities are available over the 
        network and accessed through standard mechanisms.
    3. Resource pooling.--The provider's computing resources are pooled 
        to serve multiple consumers using a multi-tenant model, with 
        different physical and virtual resources dynamically assigned 
        and reassigned according to consumer demand.
    4. Rapid elasticity.--Capabilities can be rapidly and elastically 
        provisioned, in some cases automatically, to quickly scale out, 
        and rapidly released to quickly scale in. To the consumer, the 
        capabilities available for provisioning often appear to be 
        unlimited and can be purchased in any quantity at any time.
    5. Measured Service.--Cloud systems automatically control and 
        optimize resource use by leveraging a metering capability at 
        some level of abstraction appropriate to the type of service. 
        Resource usage can be monitored, controlled, and reported, 
        providing transparency for both the provider and consumer of 
        the utilized service.
    NIST also identifies three discrete service offerings, each of a 
unique value to the customer. As customers move up this offering chain, 
they gain greater efficiencies, yet more standardization is required:
    1. Cloud Infrastructure as a Service (IaaS).--The capability 
        provided to the consumer is to provision processing, storage, 
        networks, and other fundamental computing resources where the 
        consumer is able to deploy and run arbitrary software, which 
        can include operating systems and applications. The consumer 
        does not manage or control the underlying cloud infrastructure 
        but has control over operating systems, storage, deployed 
        applications, and possibly limited control of select networking 
        components (e.g., host firewalls). This model provides the most 
        flexibility for the customer, however will not provide all the 
        potential efficiencies gained at the Software as a Service 
    2. Cloud Platform as a Service (PaaS).--The capability provided to 
        the consumer is to deploy onto the cloud infrastructure 
        consumer-created or acquired applications created using 
        programming languages and tools supported by the provider. The 
        consumer does not manage or control the underlying cloud 
        infrastructure including network, servers, operating systems, 
        or storage, but has control over the deployed applications and 
        possibly application hosting environment configurations.
    3. Cloud Software as a Service (SaaS).--The capability provided to 
        the consumer is to use the provider's applications running on a 
        cloud infrastructure. The consumer does not manage or control 
        the underlying cloud infrastructure including network, servers, 
        operating systems, storage, or even individual application 
        capabilities, with the possible exception of limited user-
        specific application configuration settings.
    Finally, NIST identifies four primary deployment models, which are 
generally accepted across Government. These deployment models range 
from models that are more secure to those that are more available. 
Federal agencies will employ models based on risk-based decisions that 
address their financial, operational, and security needs. The four 
models include:
    1. Private cloud.--The cloud infrastructure is operated solely for 
        an organization. It may be managed by the organization or a 
        third party and may exist on-premise or off-premise.
    2. Community cloud.--The cloud infrastructure is shared by several 
        organizations and supports a specific community that has shared 
        concerns (e.g., mission, security requirements, policy, and 
        compliance considerations). It may be managed by the 
        organizations or a third party and may exist on-premise or off-
    3. Public cloud.--The cloud infrastructure is made available to the 
        general public or a large industry group and is owned by an 
        organization selling cloud services.
    Hybrid cloud.--The cloud infrastructure is a composition of two or 
        more clouds (private, community, or public) that remain unique 
        entities but are bound together by standardized or proprietary 
        technology that enables data and application portability (e.g., 
        cloud bursting for load-balancing between clouds).
    DHS is currently focused on two of the four deployment models, 
private cloud and public cloud. DHS will house our private cloud 
computing capabilities within our two enterprise data centers, while 
our public cloud will be hosted by organizations selling cloud 
services. I will provide more detail on these momentarily, but first 
allow me to briefly address the differences between the cloud and the 
traditional IT business model.
               the benefits and risks of cloud computing
    Cloud computing is truly transforming the IT business. It is 
difficult to say which is more compelling--the cloud's significant 
scalability and rapid deployment, or full transparency for managing 
operational costs. For many, controlling and reducing capital expense 
(the expenditures used to acquire physical assets, including both 
equipment and office space) is uppermost, while others argue meeting 
demand is the foremost concern. The cloud addresses both and is clearly 
becoming vital to how we align IT to support mission and business 
    For example, the deployment of private cloud services at DHS 
enables the Department's many components to outsource hosting and other 
services capabilities to DHS's two Enterprise Data Centers (EDCs). This 
model enables components to pay on a per-use basis, rather than 
standing up isolated capabilities throughout the organization that 
duplicate efforts and costs. In fact, early projections for these 
services look to yield cost avoidance savings of 8 to 10 percent once 
we fully transition to private cloud infrastructure services.
    As DHS moves more of its operations to cloud computing models, it 
will simplify the overall administration and oversight of its IT 
infrastructure. DHS will move from having to manage operations of its 
infrastructure at the server level, to one in which DHS ensures that 
cloud-based service level agreements (SLAs) are being met by the 
service provider. Such simplification will enable discretionary 
resources to be moved to better understanding and fulfilling customer 
needs, so that IT organizations can focus more of their efforts on 
addressing core business and mission needs.
    Migration to the cloud, however, is not without information 
security risks. The Federal Cloud Computing Strategy specifies:

 . . . it is not sufficient to consider only the potential value of 
moving to cloud services. Agencies should make risk-based decisions 
which carefully consider the readiness of commercial or government 
providers to fulfill their Federal needs.

    It is important to recognize that many Federal departments and 
agencies are targeted by Advanced Persistent Threat (APT) campaigns by 
adversaries that attempt to compromise Government information systems 
to further their own objectives. These APT campaigns are aggressive, 
well-financed, and difficult to detect and prevent. APTs target the 
systems necessary to achieve their goals, regardless of the cloud or 
traditional computing environments in use by the Federal department or 
agency. Some cloud environments have capabilities necessary to defend 
against and provide recovery from these threats, such as advanced 
monitoring capabilities and cleared information security professionals, 
while other cloud environments may not, because the increased costs to 
provide these security capabilities may price their cloud offering 
outside of the competitive marketplace for their customers. Thus, the 
security capabilities of the cloud offering must be considered to 
determine cloud readiness before use by a Federal department or agency, 
and why DHS considers use of both public and private cloud computing 
important, as I will discuss later.
                       building the cloud at dhs
    At DHS, we are pursuing private and public cloud offerings. 
Specifically, we are establishing private cloud services to manage 
sensitive but unclassified information, while using the public cloud 
for non-sensitive information. We have already made significant strides 
through nine DHS cloud service offerings that are either in the 
planning, acquisition, or sustainment phase.
    DHS has committed to nine current and planned private cloud 
   Email as a Service (EaaS).--DHS is in the process of rolling 
        out our messaging capability across Headquarters and Federal 
        Emergency Management Agency (FEMA). We expect to have more than 
        100,000 users DHS-wide on this service offering by the end of 
        fiscal year 2012.
   SharePoint as a Service (SHPTaaS).--We are currently 
        migrating Headquarters and United States Citizenship and 
        Immigration Services (USCIS) users to our secure collaboration 
        program. We expect to have nearly 90,000 users DHS-wide on this 
        service by the end of the 2011 calendar year. This migration 
        will significantly improve information-sharing capabilities 
        across DHS.
   Development and Test as a Service (DTaaS).--Establishing 
        development and test offerings in the cloud will have 
        tremendous positive impact on DHS. Currently, DHS has multiple 
        development environments spread across the Department and 
        industry locations. Because all environments are different, 
        moving new releases to production or changes to existing 
        environments presents high-risk and multiple challenges and new 
        releases or changes may not always work in production, leading 
        to significant inefficiencies. Moving and hosting development 
        and test services to our enterprise data centers provides not 
        only a simple path to transition from project creation to 
        implementation, but also accelerated delivery. In fact, we 
        expect to provision new servers within 1 business day with this 
        new capability, while the legacy model averaged up to 6 months 
        to provision one server. Additionally, this service will 
        provide on-demand testing and application management tools, 
        which will significantly improve the quality of our new 
        offerings. DHS plans to roll out DTaaS over the next 60 days.
   Infrastructure as a Service (IaaS).--Complementary to the 
        Development and Test as a Service (DTaaS) offering is our 
        Infrastructure as a Service (IaaS) offering to provide 
        virtualized production services, including operating systems, 
        network, and storage, that is consistent with new industry 
        standards. These services will provide a logical destination 
        for code developed in the development and test environment. We 
        aim to stand up new services in the cloud in less than 1 week, 
        while the legacy model typically averaged up to 12 to 18 
        months. DHS expects to have initial IaaS capabilities by the 
        end of the 2011 calendar year.
   WorkPlace as a Service (WPaaS).--Enabling a mobile workforce 
        is a priority within the Department. We are working closely 
        with the Department's other line-of-business chiefs to 
        modernize how DHS employees work. This offering will provide 
        robust virtual desktop, remote access, and other mobile 
        services over the next 24 months. This capability enables 
        telework and Continuity of Operations (COOP), not only in the 
        National Capital Region (NCR), but for DHS personnel Nation-
        wide. Additionally, we expect to reduce our out-year 
        expenditures on traditional desktop and laptops as we consume 
        more mobile enabling technologies.
   Project Server as a Service (PSaaS).--This offering will 
        provide a robust project management platform to publish project 
        schedules that can more easily be shared across offices, 
        divisions, and components. We expect this service to better 
        enable standardization of project management disciplines and 
        directly support our efforts to improve the management of both 
        IT and non-IT programs. DHS plans to make available PSaaS 
        service within the next 30 days.
   Authentication as a Service (AuthaaS).--We have already 
        established a core fundamental offering that provides robust 
        authentication services across 250,000 Federal and contractor 
        employees. This service eliminated the need for duplicative 
        authentication services, while significantly enhancing the 
        Department's information-sharing needs. Nearly 70 DHS 
        applications are using this service today.
   Case and Relationship Management as a Service (CRMaaS).--
        Over the next 6 months, we will rollout our Case and 
        Relationship Management offering. This offering, leveraging 
        Enterprise License Agreements (ELAs), will better enable CRM 
        and case workflows across DHS. Utilizing these services, the 
        Department will be piloting a litigation case management 
        capability for ICE, partnering with TSA on modernizing the 
        redress service, improving customer relationship capabilities 
        within USCIS, and deploying a regulations tracking service for 
   Business Intelligence as a Service (BIaaS).--The Department 
        is already piloting an early version of a Business Intelligence 
        capability which started in March 2011 and will run through 
        fiscal year 2012. The Department will leverage this current 
        offering to enhance transparency into departmental programming 
        and expenditures. By the end of fiscal year 2012, we expect the 
        Department will have visibility to information sources across 
        the investment life-cycle, including IT, financial, human 
        resources, asset management, and other information sources. 
        Based on the successful pilot and maturing offerings in 
        service, the Department will look to move to a full Business 
        Intelligence as a Service offering in fiscal year 2013.
    Establishing these private cloud services is critical to our 
success. Our private cloud offerings will provide real value to the 
organization. As mentioned previously, private cloud services will 
enable components to outsource secure, commodity IT services to DHS's 
two enterprise data centers to eliminate redundancy and reduce costs, 
while ensuring information security. Each service will be rolled out 
with a minimum ``Federal Information Security Management Act of 2002'' 
(FISMA) rating of Moderate or High. Clearly, our private cloud services 
will streamline our time to market and enhance our security posture, 
better enabling DHS to accomplish its mission.
    But DHS is not wedded to only establishing private cloud services 
at its two enterprise data centers. We are embarking on a public cloud 
strategy as well. The Department will leverage public cloud 
capabilities to enhance Government-to-citizen-services and gain 
operational and financial efficiencies. In addition, the FedRAMP 
initiative will address critical security concerns of agency Chief 
Information Officers (CIOs) over the next few years by having cloud 
services receive provisional security authorities to operate.
    The Department has three public cloud initiatives underway. Two are 
already deployed, and the third will be piloting in Quarter 1 of fiscal 
year 2012.
   Identity Proofing as a Service (IDPaaS).--We successfully 
        deployed an innovative identity proofing service in the cloud 
        in March 2011. This offering met USCIS's EVerify Self Check 
        requirement to allow individuals in the United States to check 
        their employment eligibility status before formally seeking 
        employment and is the first on-line E-Verify program offered 
        directly to workers and job seekers. This service is now 
        available in more than 20 States, including the District of 
        Columbia. This voluntary, free, fast, and secure service was 
        developed through a partnership between the DHS and the Social 
        Security Administration (SSA).
   Enterprise Content Delivery as a Service ECDaaS.--For the 
        past several years, DHS has used cloud service for Enterprise 
        Content Delivery (ECD) to ensure our public-facing websites are 
        always available. The private sector uses this capability 
        extensively, and DHS adopted EDC for protection against denial 
        of service attacks, to help manage surge requirements, and to 
        significantly reduce hosting costs. This service proved 
        invaluable during the July 4, 2009, denial of service attack on 
        multiple Federal websites. DHS.gov experienced a nearly 100-
        fold increase in traffic, and no services were lost to the 
        public. The Department has 70% of its externally-facing 
        websites using this service today.
   Web Content Management as a Service (WCMaaS).--Finally, 
        building off our success with our ``RestoretheGulf.gov'' 
        implementation in the public cloud in late fiscal year 2010, 
        the Department awarded a public cloud hosting contract off the 
        General Services Administration's (GSA) Infrastructure as a 
        Service (IaaS) Blanket Purchase Agreement (BPA). Within this 
        offering, the Department will leverage open source software 
        hosted in the public cloud and consolidate all public-facing 
        DHS websites. We expect to complete this consolidation over the 
        next 2 years. During the next 6 months, the Department will 
        pilot multiple websites in the cloud, including websites from 
        U.S. Immigration and Customs Enforcement (ICE), United States 
        Citizenship and Immigration Services (USCIS), and Federal the 
        Emergency Management Agency (FEMA).
    DHS has taken an aggressive stance regarding the use of both 
private and public cloud computing services. The Department continues 
to evaluate its enterprise needs, and we certainly expect to deploy 
additional cloud services. Further, as the FedRamp model is deployed 
across the Federal Government, we anticipate that there will be a 
number of public cloud offerings that have been provisionally certified 
at the FISMA Low and Moderate levels within the next 2 years. Given 
DHS's mission, we believe a robust private cloud solution will always 
be needed for DHS's most sensitive applications and data. Further 
leverage of public cloud services will enable the Government to ensure 
there is robust competition for such services, driving down costs and 
improving overall service levels.
                       securing the cloud at dhs
    As stated earlier, at DHS, we are pursuing private and public cloud 
offerings, and the DHS cloud security strategy employs both public and 
private cloud services as a risk mitigation tool. The move to DHS's 
private cloud model bolsters information security through the DHS IT 
security Defense-in-Depth (DiD) strategy. DiD is built upon a robust 
security architecture and enterprise architecture, and adopts the NIST 
definition of private cloud computing. Hosting in the enterprise data 
centers is a primary feature of the DHS private cloud and provides 
multiple subordinated services, allowing components and systems to 
inherit the inherent enterprise security controls for system security. 
The DHS private cloud includes the full DHS enterprise security 
capabilities outlined in the DiD, including security operations, 
OneNet, Trusted Internet Connections (TICs), and Policy Enforcement 
Points (PEPs). The technologies are from the various programs within 
the layers of the DiD and aids in combating advanced threats, providing 
enterprise security controls to all users in DHS, regardless of their 
component and mission function.
    For the DHS private cloud, we are leveraging continuous monitoring 
and migration to common controls at the DHS data centers. Embracing 
information security controls through an inherited approach allows 
large, complex organizations like DHS to build on economies of scale in 
a private cloud infrastructure to reduce the workload for individual 
system owners. As common controls are defined and vetted by the DHS 
enterprise and provided as a service to system owners, only the system-
specific controls need to be defined and implemented by system owners. 
By centrally managing the development, implementation, and assessment 
of enterprise common security controls at the DHS enterprise data 
centers and through the DHS private cloud, security responsibility can 
be shared across multiple information systems.
    While private clouds incorporate new technologies that may be 
challenging to secure, public clouds introduce additional risks that 
must be addressed through controls and contract provisions that ensure 
appropriate accountability and visibility. Though many distinctions can 
be drawn between public and private cloud computing, a fundamental 
measure of readiness is their ability to meet security requirements. By 
design, FedRAMP provides a common security risk model that supplies a 
consistent baseline for cloud-based services, including security 
accreditation designed to vet providers and services for reuse across 
Government. Reducing risk and bolstering the security of clouds, while 
ensuring the delivery of the promised benefits, FedRAMP not only 
applies to public cloud services, but private, too. Ultimately the 
consumption of cloud services requires acknowledgement of a shared 
responsibility and governance. From the fact that accountability can 
never be outsourced from the Authorizing Official (AO) to the need to 
continue to meet Government requirements, all require acknowledgement 
of a shared responsibility between the cloud service provider and 
customer. For public clouds, there is a ``visibility gap'' between the 
provider and customer, in which they cannot see into each other's 
management, operational, and technical infrastructure, and procedures. 
As such, the visibility gap must be reduced through a series of 
requirements for contractual reporting and technical auditing and 
continuous monitoring data feeds. The key to secure use of cloud 
computing is the shared understanding of the division of security 
responsibilities between provider and client, and the ability to verify 
that both are meeting their responsibilities. As DHS advances in the 
use of public cloud computing, we will be ensuring we have the proper 
visibility based on a determination of risk given the cloud service and 
underlying data in order to ensure the security of our information.
                        new challenges for cios
    While cloud computing is fundamentally changing Federal Government 
IT, it is not without its challenges. The decision to embrace cloud 
computing is a risk-based management decision, supported by inputs from 
stakeholders, including the CIO, Chief Information Security Officer 
(CISO), Office of General Counsel (OGC), privacy official, and the 
program owners. From a security perspective, agency CIOs face a number 
of issues in delivering both private and public cloud capabilities. 
These issues range from determining different levels of security 
visibility and responsibilities, ensuring strong authentication, 
adopting and implementing standards for cloud portability and 
interoperability, to establishing contingency planning that recognizes 
cloud computing is a shared capability and identifying new 
opportunities for real-time continuous monitoring capabilities but 
require new audit technologies implemented within the cloud 
    Cloud computing also leads to significant management and governance 
shifts for a department or agency. CIOs must work closely with 
acquisition, procurement, and finance communities to address the new 
business paradigm represented by cloud computing. While cloud computing 
requires some technological change, the most significant changes will 
be to the business and contracting models. Such models will need to 
ensure that agencies can move forward effectively with cloud solutions 
while maintaining necessary Federal control and oversight, complying 
with Federal procurement and competition laws and requirements, and 
managing funding limitations. CIOs must also address changes to the 
workforce based on this changing paradigm. As the cloud transforms the 
way CIOs deliver IT service, the traditional roles of IT specialists 
change, too. CIOs must provide leadership to update skills for existing 
personnel and recruit new staff in an environment under significant 
    These challenges are already inherent in the CIO's role. And, they 
have one thing in common--change. Perhaps above all, the cloud 
challenges CIOs to lead cultural change within their organization.
                        the future of the cloud
    Looking forward, as FedRAMP and Federal acquisition models mature, 
the options for Federal agencies to leverage public and community 
clouds clearly provide real value to citizens. Continued work on 
information security challenges will increase the defensive 
capabilities of cloud offerings, increasing the assurance level and the 
ability for Federal agencies to use cloud computing for more sensitive 
    For example, community clouds could provide agencies with a suite 
of specialized cloud hosting services that include the standard IaaS, 
PaaS, and SaaS offerings with a more robust security, business, and 
mission portfolio offerings such as financials, law enforcement, 
intelligence, medical/health, and the increased security and privacy 
controls necessary to process more sensitive information. The value of 
a community of cloud offerings across a broad suite of verticals for 
customers may be realized as the true evolution of the cloud in the 
years to come.
    Looking 5 years into the future, the cloud service commodity market 
appears poised to grow exponentially, creating significant innovation 
as a result of intense competition. Federal CIOs must focus on 
preparing departments and agencies to help foster and welcome 
innovation that changes the way we do business. By embracing the 
opportunities of cloud computing, we will redefine the role and 
capabilities of IT in the Federal Government.
    While we in the Federal Government face challenges to successfully 
implementing cloud capabilities to enhance mission performance and 
realize cost efficiencies, the benefits far outweigh the challenges. 
Already at DHS we are seeing reduced time to market for new 
capabilities, and soon, we will begin to reduce our capital 
expenditures while gaining transparency into our operational 
expenditures in ways we have never been able to before. In conclusion, 
we should not think of the cloud as simply a technology opportunity. It 
is a far more interesting discourse--and a significant change to the 
fundamental business model for how IT is delivered in the Federal 
    Thank you.

    Mr. Lungren. Thank you very much.
    Dr. McClure.


    Mr. McClure. Thanks, Mr. Chairman.
    Good morning, Mr. Thompson and Mr. Keating.
    Thanks for having me here on behalf of GSA to talk about 
cloud computing and cloud security.
    I just wanted to start by making two critical points about 
cloud computing itself. It really offers a compelling 
opportunity to substantially improve the efficiency of the 
Federal Government. When it is implemented with sound security 
risk management approaches, cloud computing can ensure more 
consistent protection of the Government's I.T. infrastructure, 
our data, and our applications.
    Second, the practical use of cloud computing really offers 
substantial performance benefits for Government. For example, 
tangible cost reductions resulting from more efficient data 
storage, web hosting, and even analytics performed on our vast 
data repositories.
    It can enhance productivity by shifting some of our 
workforce to high-value process improvement activity, problem 
solving, and customer service excellence. It allows us greater 
flexibility and scalability, as Richard just talked about--the 
ability of CIOs to actually stand-up services in hours, days, 
rather than months, and in some cases, years. It allows or 
creates an improved self-service environment: On-line, 
streamlined, commodity-like purchasing for I.T. resources 
rather than a very long and arduous I.T. acquisition.
    We are playing a leadership role in facilitating easy 
access to cloud-based solutions from commercial providers that 
meet Federal requirements, such as virtualization technologies 
for our data centers in the Government, cloud e-mail, disaster 
recovery and backup, and infrastructure storage. Our 
Government-wide procurement vehicles enable agencies to 
evaluate viable cloud computing options that meet their 
business needs.
    Now let me turn to cloud security. Cloud computing, like 
any technology, presents both known and new risks alongside the 
benefits that it offers. Different types of cloud services--
public, private, community, hybrid--create their own set of 
security challenges in the Government setting.
    To address these risks in a more uniform and comprehensive 
manner we will soon launch a new Government-wide cloud security 
    Mr. Chairman, you referred to it, the FedRAMP program.
    We have worked in close collaboration with cybersecurity 
and cloud experts in NIST, DOD, DHS, NSA, OMB, the Federal CIO 
Council, and with private industry. Let me be real clear: The 
intent of FedRAMP is to strengthen existing security practices 
associated with cloud computing solutions, which, in turn, will 
build greater trust between providers and consumers and 
accelerate appropriate adoption of security cloud solutions 
across the Government.
    FedRAMP ensures consistency and quality of system security 
certification and accreditation; it creates a transparent and 
trusted security environment in Government that will incentive 
more reusability of security testing and authorizations; and it 
fosters the push toward near real-time security assistance 
monitoring. It does this by standing up six critical 
    It standardizes a minimal baseline for Government-wide 
security controls for low and moderate risk cloud systems based 
upon existing NIST standards and additional controls vetted 
with all interested parties. It manages a process for 
accrediting independent third-party assessors to ensure greater 
competency, consistency, and compliance with required 
Government security controls.
    It creates a joint authorization board, comprised of CIOs 
and technical representatives from DOD, DHS, and GSA, to grant 
provisional authorizations for cloud systems that can be 
leveraged by multiple agencies. It also allows agencies to 
focus on their own specific security requirements and address 
legitimate deltas with the baseline controls rather than 
repeating work already competently done by another Federal 
    Consistent with FISMA changes, it requires cloud service 
providers to perform continuous monitoring, especially for 
persistent threats, and will eventually automate the exchange 
of status information on specific controls on a near-time--near 
real-time basis. In concert with DHS, it controls and manages 
the incident response, mitigation, and proof of resolution for 
FedRAMP-authorized cloud systems.
    Last, it will create a secure data repository to facilitate 
Government access to security authorization packages, sample 
contract language and templates, examples of cloud service-
level agreements, best practices, and continuous monitoring 
    So, Mr. Chairman, we think these kinds of steps can really 
advance more secure cloud computing in the Government. I am 
happy to answer questions for the subcommittee.
    [The prepared statement of Mr. McClure follows:]
                  Prepared Statement of David McClure
                            October 6, 2011
    Chairman King, Ranking Member Thompson, and Members of the 
subcommittee: Thank you for the opportunity to appear before you today 
to discuss the General Service Administration's (GSA) leadership role 
in on-going efforts to enable and accelerate adoption of secure cloud 
computing across the Federal Government. Cloud adoption is a critical 
component of the administration's plan to improve management of the 
Government's IT resources. The IT reforms we have underway are enabling 
agencies to use information more efficiently and effectively, 
delivering improved mission results at lower cost.
           cloud computing adoption in the federal government
    Before I discuss the security of cloud computing, and the Federal 
Risk Authorization and Management Program (FedRAMP) in particular, I 
would like to make a two important points. First, cloud computing 
offers a compelling opportunity to substantially improve the efficiency 
of the Federal Government. It moves us from buying and managing 
physical assets to purchasing IT as a commoditized service. Agencies 
pay for only IT resources they use in response to fluctuating program 
demands, avoiding the expenses of building and maintaining costly IT 
infrastructure. When implemented with sound security risk management 
approaches, cloud computing also ensures more consistent protection of 
the Government's IT infrastructure, data, and applications.
    Second, practical use of cloud computing offers substantial 
performance benefits for the Government. Federal agencies are moving to 
consolidate and virtualize the more than 2,000 Federal data centers. 
Cloud technologies provide an ideal path forward to maximize value in 
IT investment dollars while substantially lowering costs--an essential 
focus given Federal budget constraints. Case studies we have collected 
from agencies point to benefits that include:

``tangible cost reductions (data storage, web hosting and analytics 
performed on the Government's vast data repositories);
``enhanced productivity (shifting workforce to more high-value process 
improvements, problem solving, and customer service excellence);
``greater flexibility and scalability (enabling CIOs to be much more 
responsive to pressing service delivery expectations); and
``improved self-service capabilities (on-line streamlined commodity-
like purchasing for IT resources rather than long, arduous IT 

    GSA is playing a leadership role in facilitating easy access to 
cloud-based solutions from commercial providers that meet Federal 
requirements. This will enable agencies to analyze viable cloud 
computing options that meet their business and technology modernization 
needs, while reducing barriers to safe and secure cloud computing. We 
are developing new cloud computing procurement options with proven 
solutions that leverage the Government's buying power. These cloud 
procurement vehicles ensure effective cloud security and standards are 
in place to lower risk and foster Government-wide use of cloud 
computing solutions such as virtualization technologies for Government 
data centers, cloud e-mail, disaster recovery/backup, and 
infrastructure storage. Useful information about cloud computing and 
available solutions is accessible from our web page, Info.Apps.gov.
    GSA's Federal Cloud Computing Initiative was started and is managed 
under GSA's e-Government program. In fiscal year 2010 and fiscal year 
2011 GSA's Federal Cloud Computing Initiative (FCCI) Program Management 
Office (PMO) focused on five primary tasks:
   Establishing procurement vehicles that allow agencies to 
        purchase IT resources as commodities, culminating in the award 
        of the Infrastructure as a Service (IaaS) Blanket Purchase 
        Agreement under GSA Schedule 70 to 12 diverse cloud service 
   Addressing security risks in deploying Government 
        information in a cloud environment--resulting in the 
        development of the Federal Risk Authorization Management 
        Program (FedRAMP);
   Establishing a procurement vehicle that will allow agencies 
        to purchase cloud-based e-mail services, which created GSA's 
        Email as a Service (EaaS) Blanket Purchase Agreement;
   Supporting the Government-wide collection and assessment of 
        data center inventories, and assisting agencies in the 
        preparation and execution of plans to close and consolidate 
        data centers. Current work includes developing a comprehensive 
        data center Total Cost Model for agencies to use to analyze 
        alternative consolidation scenarios, enables data-driven 
        decision-making for infrastructure cost and performance 
        optimization. Operationalizing a data center marketplace that 
        would help optimize infrastructure utilization across 
        Government by matching agencies with excess computing capacity 
        with those that have immediate requirements is also being 
   Creating apps.gov, an on-line storefront that provides 
        access to over 3,000 cloud-based products and services where 
        agencies can research solutions, compare prices and place on-
        line orders using GSA's eBuy system.
    Initial funding provided by the e-Gov Fund has allowed GSA to be an 
effective catalyst for secure cloud technology adoption Government-
wide. However, there are critical activities that still need to be 
accomplished to fully realize the significant cost savings and 
productivity improvements that GSA can help agencies achieve. The 
continuation of these cost-saving initiatives is dependent on fiscal 
year 2012 eGov Fund budget levels and decisions.
            fedramp: ensuring secure cloud systems adoption
    Cloud computing--like any technology--presents both known and new 
risks alongside the many benefits outlined above. To address these 
risks in a more uniform and comprehensive manner, we will soon launch a 
new Government-wide cloud security program--the Federal Risk and 
Authorization Management Program (FedRAMP). The primary goal of the 
administration's Cloud First policy is to achieve widespread practical 
use of secure cloud computing to improve operational efficiency and 
effectiveness of Government. Today, each agency typically conducts its 
own security Certification and Accreditation (C&A) process for every IT 
system it acquires, leading to unnecessary expense, duplication, and 
inconsistencies in the application of NIST-derived security controls 
testing, evaluation, and certification procedures. According to the 
2009 FISMA report to Congress, agencies reported spending $300 million 
annually on C&A activities alone.
    At GSA, we have worked in close collaboration with cybersecurity 
and cloud experts in NIST, DHS, DoD, NSA, OMB, and the Federal CIO 
Council and its Information Security and Identity Management 
Subcommittee (ISIMC) to develop FedRAMP. An OMB policy memo officially 
establishing the FedRAMP program is expected shortly. The intent is to 
strengthen existing security practices associated with cloud computing 
solutions which, in turn, will build greater trust between providers 
and consumers and accelerate appropriate adoption of secure cloud 
solutions across Government. Accordingly, FedRAMP establishes a common 
set of baseline security assessment and continuous monitoring 
requirements for FISMA low- and moderate-impact risk levels using NIST 
standards that must be adhered to by all cloud systems. Figure 1 
illustrates how FedRAMP will address three fundamental challenges with 
how the Federal Government approaches ensuring cloud security. 

Ensuring Consistency and Quality in Cloud Security Certification and 
    FedRAMP approves qualified, independent, third-party security 
assessment organizations, ensuring consistent assessment and 
accreditation of cloud solutions based on NIST's long-standing 
conformity assessment approach. As noted above, security C&As are 
currently performed with varying quality and consistency. This is true 
for situations where a third-party service provider is contracted to do 
a security assessment of a CSP-provided system, product, or service and 
where Government security organizations perform the work themselves. As 
a result, trust levels are low for reusing this work across agencies.
    To address this challenge, FedRAMP will require that cloud services 
providers be assessed using these approved, independent, third-party 
assessment organizations (3PAOs). The 3PAOs will initially apply for 
accreditation through the FedRAMP PMO and be assessed using established 
conformity assessment criteria developed by NIST. This will ensure 
higher-quality assessments, done much more consistently, using agreed-
upon FedRAMP security assessment controls. This can save millions of 
dollars in expenses borne both by Government and industry in running 
duplicative assessments of similar solutions by each agency.
Building Trust and Re-Use of Existing C&A Work
    All IT systems, including cloud solutions, must receive an 
Authority to Operate (ATO) from the buying agency before they can be 
made available for purchase and implemented. The ATO is based on a 
thorough review by agency security professionals of the security 
packages submitted following the C&A process described above. To 
accelerate cloud adoption and enable C&A re-use, FedRAMP will provide a 
single, provisional authorization that can be used by all agencies as 
the basis for issuing an ATO. If additional security assessment 
evaluation and testing is needed for specific agency cloud 
implementations, the C&A should only address any additional controls 
needed above the existing FedRAMP-approved baseline.
    FedRAMP establishes a Joint Authorization Board (JAB) that reviews 
all cloud systems that have been assessed by approved 3PAOs using 
FedRAMP controls and processes. The JAB membership consists of CIOs and 
Technical Representatives from DOD, DHS, and GSA. The JAB reviews the 
C&A work and decides whether to grant the ``provisional 
authorization''--a seal of approval on the C&A work. The security 
packages, assessments and documented decisions will be accessible 
within Government from a secure central repository. While each agency 
must grant its own ATO for systems under its control, FedRAMP will 
facilitate greater use of an ``approve once, and use often'' approach, 
leveraging more ATOs across Government.
Moving Towards More Real-Time Security Assurance
    FedRAMP shifts risk management from annual reporting under FISMA to 
more robust continuous monitoring, providing real-time detection and 
mitigation of persistent vulnerabilities and security incidents. Using 
the expertise of industry, NIST, NSA, DHS, and ISIMC, nine initial 
continuous monitoring controls have been identified that are among the 
most common persistent threat vulnerabilities in cloud and non-cloud 
systems environments. Cloud Service Providers (CSPs) must agree to 
near-real time reporting of continuous monitoring data feeds to DHS 
and/or agency Security Operations Centers (SOCs). We are finalizing 
data reporting details, with the expectation that the process will 
eventually use automated data feeds to maximize efficiencies and 
timeliness. When done in addition to the C&A evaluations, this will 
result in valuable situational cyber awareness--a relevant and timely 
picture of a CSP's security posture. In addition, this approach 
provides visibility of prompt mitigation and tangible evidence of 
resolution; ensuring quick steps are taken to minimize threats to 
Government data and operations.
    In short, FedRAMP offers the following improvements for cloud 
security assessments conducted in the Federal Government: 

    There is strong support and demand for stronger cloud security from 
agencies seeking to adopt cloud services, as required by the 
administration's Cloud First policy. Industry cloud services providers 
need to know the specific cloud security capabilities for which they 
are accountable. They also desire more efficiency in how C&As and ATOs 
are leveraged Government-wide to avoid unnecessary, duplicative, costly 
security evaluations. Ensuring IT security is an on-going challenge. We 
fully expect to make improvements to the process based on collaboration 
with all key stakeholders, including industry, lessons learned, and the 
continuous evolution of security standards and controls based upon the 
careful, deliberative work of NIST.
    FedRAMP will be launched in phases that incrementally build toward 
sustainable operations and allows for risk management by capturing on-
going lessons learned and process improvement. Initial rollout will 
occur this Fall. Initial Operational Capabilities will have limited 
scope and cover a relatively small number of cloud service providers. 
Full operations are expected to begin next Spring with more robust 
operational capabilities and larger intake of cloud service providers 
for FedRAMP review and approval. Late in 2012, we expect sustaining 
operations to scale by demand using a privatized board for 3PAO 
accreditation. We will discuss the rollout in more depth with the 
Congress, Government executive branch agencies, industry, and the 
public prior to the initial launch date.
    Considerable progress has been made in adopting successful cloud 
solutions. ``Cloud computing'' is now an accepted part of the Federal 
IT lexicon. However, there continues to be a need for more thorough 
understanding of cloud deployment models, unique security implications, 
and data management challenges. Agency executives should not focus on 
cloud technology itself; rather, they should focus on the desired 
outcome driving the need for cloud adoption delivered in a secure 
    FedRAMP will provide a sound, cost-effective framework for secure 
cloud computing. CIOs need to work with their line of business 
executives and program managers to develop and deploy effective cloud 
roadmaps that address pressing agency mission needs, taking into 
account appropriate security and risk management. Agencies should 
analyze business needs and identify cloud solutions that best fit their 
requirements by making secure cloud adoption part of an overall IT 
portfolio management and sourcing strategy. Consistent with the Federal 
Cloud Computing Strategy, NIST is currently working on the first draft 
of a USG Cloud Computing Technology Roadmap, to be released for public 
comment in November, 2011. If linked to cloud provider products and 
services, it would greatly assist in this decision-making.
    Mr. Chairman, thank you for the opportunity to appear today. I look 
forward to answering questions from you and Members of the 

    Mr. Lungren. Thank you very much, Dr. McClure.
    Now, Mr. Wilshusen.


    Mr. Wilshusen. Chairman Lungren, Mr. Thompson, Mr. Keating, 
thank you for the opportunity to participate in today's hearing 
on cloud computing security. I believe this is a vitally 
important topic.
    Earlier this week GAO issued a report on Federal 
information security in which we note that the number of 
security incidents reported by Federal agencies increased by 
over 650 percent during the past 5 years. This fact helps to 
underscore the need for effective security in cloud computing 
    Today I will describe the information security implications 
of Federal use of cloud computing services. I will also discuss 
GAO's previous reporting on Federal efforts and guidance on 
cloud computing and agencies' actions to implement our 
recommendations to improve cloud security.
    But if I may, Mr. Chairman, I have first like to recognize 
Assistant Director Vijay D'Souza and Shaunyce Wallace, from my 
staff, who are here, and also Nancy Glover, who is not here, 
for their diligent efforts in reviewing cloud security as well 
as preparing my statement.
    Mr. Chairman, cloud computing can have both positive and 
negative information security implications. Potential security 
benefits include those related to broad network access, 
possible economies of scale, and the use of self-service 
technologies. For example, Federal agencies frequently cited 
the prospect of on-demand security controls, the consistent 
application of those controls, and low-cost disaster recovery 
and data storage as potential benefits.
    However, the use of cloud computing can also create 
numerous information security risks. Twenty-two of the 24 major 
Federal agencies reported that they were either concerned or 
very concerned about the potential security risks with cloud 
    These risks include the ineffective or noncompliant 
security practices of the service provider, an inability to 
examine controls of the provider, the prospect of data leakage 
to unauthorized users, and the loss of data if the cloud 
service is terminated. These risks generally relate to 
dependence on the security practices and assurances of the 
service provider and the sharing of computing resources.
    In a report GAO issued last year, we noted that Federal 
agencies had begun efforts to address information security for 
cloud computing, but specific guidance was lacking and efforts 
remained incomplete. We also reported that OMB and GAO--I am 
sorry, GSA--had launched Government-wide initiatives but had 
not completed key actions pertaining to cloud computing 
    For example, OMB had not finished its cloud computing 
strategy or defined how information security issues would be 
addressed in that strategy. Accordingly, in that report GAO 
made recommendations to OMB, GSA, and NIST to take several 
actions to address these issues.
    Since that report was issued in May 2010 these agencies 
have made progress in implementing our recommendations, but 
additional actions are still needed to assist agencies in 
securely implementing cloud computing. For example, in February 
OMB issued its cloud computing strategy, which does reference 
the establishment of FedRAMP and other security issues; 
however, it does not address the need for agency-specific 
guidance, the use of standards for control assessments of cloud 
service providers, or the division of security responsibilities 
between customer and provider.
    Consistent with our recommendation, GSA, in collaboration 
with the CIO Council, further developed FedRAMP, as Mr. McClure 
has indicated in his opening remarks, and intends to issue 
additional guidance on FedRAMP later this quarter. In addition, 
NIST has issued three of four guidance documents related to 
cloud computing and expect to finalize guidelines on security 
and privacy in the public cloud computing later this quarter. 
These actions and the issuance of appropriate guidance will 
help, yet the true test will be their effective implementation 
over time.
    To summarize, Mr. Chairman, the use of cloud computing 
offers the promise of efficient service, but it also carries 
risk. OMB, GSA, and NIST have taken steps to develop a 
strategy, processes, and guidance on cloud computing security. 
Nevertheless, continued efforts will be needed to ensure that 
cloud computing is implemented securely in the Federal 
    Mr. Chairman, this concludes my statement. Be happy to 
answer any questions.
    [The prepared statement of Mr. Wilshusen follows:]
               Prepared Statement of Gregory C. Wilshusen
                            October 6, 2011
   information security: additional guidance needed to address cloud 
                           computing concerns
    Chairman Lungren, Ranking Member Clarke, and Members of the 
subcommittee: Thank you for the opportunity to participate in today's 
hearing on the security implications of cloud computing. My statement 
today summarizes our report issued last year, titled Information 
Security: Federal Guidance Needed to Address Control Issues with 
Implementing Cloud Computing \1\ and describes actions taken by Federal 
agencies to implement our report's recommendations.
    \1\ GAO, Information Security: Federal Guidance Needed to Address 
Control Issues with Implementing Cloud Computing, GAO-10-513 
(Washington, DC: May 27, 2010).
    Cloud computing, an emerging form of delivering computing services, 
can, at a high level, be described as a form of computing where users 
have access to scalable, on-demand information technology (IT) 
capabilities that are provided through internet-based technologies. 
Examples of cloud computing include web-based e-mail applications and 
common business applications that are accessed on-line through a 
browser, instead of through a local computer. Cloud computing can 
potentially deliver several benefits over current systems, including 
faster deployment of computing resources, a decreased need to buy 
hardware or to build data centers, and more robust collaboration 
capabilities. However, along with these benefits are the potential 
risks that any new form of computing services can bring, including 
information security breaches, infrastructure failure, and loss of 
data. Media reports have described security breaches of cloud 
infrastructure and reports by others have identified security as the 
major concern hindering Federal agencies from adopting cloud computing 
    My statement today will provide a description of: (1) The 
information security implications of using cloud computing services in 
the Federal Government, (2) our previous reporting on Federal efforts 
and guidance to address cloud computing information security, and (3) 
our recommendations and subsequent actions taken by Federal agencies to 
address Federal cloud computing security issues. In preparing this 
statement, we summarized the content of our May 2010 report on cloud 
computing security. In conducting the work for that report, we 
collected and analyzed information from industry groups, private sector 
organizations, the National Institute of Standards and Technology 
(NIST), and 24 major Federal agencies.\2\ In addition, we followed up 
with agencies to determine the extent to which the recommendations made 
in that report have been implemented. The work for the report on which 
this statement is based was performed in accordance with generally 
accepted Government auditing standards.
    \2\ The 24 major Federal agencies are the Agency for International 
Development; the Departments of Agriculture, Commerce, Defense, 
Education, Energy, Health and Human Services, Homeland Security, 
Housing and Urban Development, the Interior, Justice, Labor, State, 
Transportation, the Treasury, and Veterans Affairs; the Environmental 
Protection Agency; the General Services Administration; the National 
Aeronautics and Space Administration; the National Science Foundation; 
the Nuclear Regulatory Commission; the Office of Personnel Management; 
the Small Business Administration; and the Social Security 
    We have previously reported that cyber threats to Federal 
information systems and cyber-based critical infrastructures are 
evolving and growing.\3\ Without proper safeguards, computer systems 
are vulnerable to individuals and groups with malicious intentions who 
can intrude and use their access to obtain and manipulate sensitive 
information, commit fraud, disrupt operations, or launch attacks 
against other computer systems and networks.
    \3\ GAO, Cybersecurity: Continued Attention Needed to Protect Our 
Nation's Critical Infrastructure and Federal Information Systems, GAO-
11-463T (Washington, DC: Mar. 16, 2011) and Cybersecurity: Continued 
Attention Needed to Protect Our Nation's Critical Infrastructure, GAO-
11-865T (Washington, DC: July 26, 2011).
    In addition, the increasing interconnectivity among information 
systems, the internet, and other infrastructure presents increasing 
opportunities for attacks. For example, since 2010, several media 
reports described incidents that affected cloud service providers such 
as Amazon, Google, and Microsoft. Additional media reports have 
described hackers exploiting cloud services for malicious purposes. The 
adoption of cloud computing will require Federal agencies to implement 
new protocols and technologies and interconnect diverse networks and 
systems while mitigating and responding to threats.
    Our previous reports and those by agency inspectors general 
describe serious and widespread information security control 
deficiencies that continue to place Federal assets at risk of 
inadvertent or deliberate misuse, mission-critical information at risk 
of unauthorized modification or destruction, sensitive information at 
risk of inappropriate disclosure, and critical operations at risk of 
disruption. We have also reported that weaknesses in information 
security policies and practices at major Federal agencies continue to 
place confidentiality, integrity, and availability of sensitive 
information and information systems at risk. Accordingly, we have 
designated information security as a Government-wide high-risk area 
since 1997,\4\ a designation that remains in force today.\5\ To assist 
agencies, GAO and agency inspectors general have made hundreds of 
recommendations to agencies for actions necessary to resolve control 
deficiencies and information security program shortfalls.
    \4\ GAO, High-Risk Series: Information Management and Technology, 
GAO/HR-97-9 (Washington, DC: February 1997).
    \5\ GAO, High-Risk Series: An Update, GAO-11-278 (Washington, DC: 
February 2011).
Cloud Computing Is a Form of Shared Computing with Several Service and 
        Deployment Models
    Cloud computing delivers IT services by taking advantage of several 
broad evolutionary trends in IT, including the use of 
virtualization.\6\ According to NIST, cloud computing is a means ``for 
enabling convenient, on-demand network access to a shared pool of 
configurable computing resources that can be rapidly provisioned and 
released with minimal management effort or service provider 
interaction.'' NIST also states that an application should possess five 
essential characteristics to be considered cloud computing: On-demand 
self-service, broad network access, resource pooling, rapid elasticity, 
and measured service.
    \6\ Virtualization is a technology that allows multiple software-
based virtual machines with different operating systems to run in 
isolation, side-by-side on the same physical machine. Virtual machines 
can be stored as files, making it possible to save a virtual machine 
and move it from one physical server to another.
    Cloud computing offers three service models: Infrastructure as a 
service, where a vendor offers various infrastructure components; 
platform as a service, where a vendor offers a ready-to-use platform on 
which customers can build applications; and software as a service, 
which provides a self-contained operating environment used to deliver a 
complete application such as web-based e-mail. Figure 1 illustrates 
each service model. 

    In addition, four deployment models for providing cloud services 
have been developed: Private, community, public, and hybrid cloud. In a 
private cloud, the service is set up specifically for one organization, 
although there may be multiple customers within that organization and 
the cloud may exist on or off the premises. In a community cloud, the 
service is set up for related organizations that have similar 
requirements. A public cloud is available to any paying customer and is 
owned and operated by the service provider. A hybrid cloud is a 
composite of the deployment models. Figure 2 further illustrates each 

  cloud computing has both positive and negative information security 
    Cloud computing can both increase and decrease the security of 
information systems. Potential information security benefits include 
the use of virtualization and automation to expedite the implementation 
of secure configurations for virtual machine images. Other advantages 
relate to cloud computing's broad network access and use of internet-
based technologies. For example, several agencies stated that cloud 
computing provides a reduced need to carry data in removable media 
because of the ability to access the data through the internet, 
regardless of location. In response to the survey we conducted for our 
2010 report, 22 of the 24 major agencies also identified low-cost 
disaster recovery and data storage as a potential benefit.
    The use of cloud computing can also create numerous information 
security risks for Federal agencies. In response to our survey, 22 of 
24 major agencies reported that they are either concerned or very 
concerned about the potential information security risks associated 
with cloud computing. Several of these risks relate to being dependent 
on a vendor's security assurances and practices. Specifically, several 
agencies stated concerns about:
   the possibility that ineffective or non-compliant service 
        provider security controls could lead to vulnerabilities 
        affecting the confidentiality, integrity, and availability of 
        agency information;
   the potential loss of governance and physical control over 
        agency data and information when an agency cedes control to the 
        provider for the performance of certain security controls and 
        practices; and:
   potentially inadequate background security investigations 
        for service provider employees that could lead to an increased 
        risk of wrongful activities by malicious insiders.
    Of particular concern was dependency on a vendor. All 24 agencies 
specifically noted concern about the possibility of loss of data if a 
cloud computing provider stopped offering its services to the agency. 
For example, the provider and the customer may not have agreed on terms 
to transfer or duplicate the data.
    Multitenancy, or the sharing of computing resources by different 
organizations, can also increase risk. Twenty-three of 24 major 
agencies identified multitenancy as a potential information security 
risk because, under this type of arrangement, one customer could 
intentionally or unintentionally gain access to another customer's 
data, causing a release of sensitive information. Agencies also stated 
concerns related to exchanging authentication information on users and 
responding to security incidents. Identity management and user 
authentication are a concern for some Government officials because 
customers and a provider may need to establish a means to securely 
exchange and rely on authentication and authorization information for 
system users. In addition, responding to security incidents may be more 
difficult in a shared environment because there could be confusion over 
who performs the specific tasks--the customer or the provider.
    Although there are numerous potential information security risks 
related to cloud computing, these risks may vary based on the 
particular deployment model. For example, NIST stated that private 
clouds may have a lower threat exposure than community clouds, which 
may have a lower threat exposure than public clouds. Several industry 
representatives stated that an agency would need to examine the 
specific security controls of the provider the agency was evaluating 
when considering the use of cloud computing.
 federal agencies and government-wide initiatives had begun to address 
     information security issues for cloud computing, but remained 
    In our report, we noted that Federal agencies had begun to address 
information security for cloud computing; however, they had not 
developed corresponding guidance. About half of the 24 major agencies 
reported using some form of public or private cloud computing for 
obtaining infrastructure, platform, or software services. These 
agencies identified measures they were taking or planned to take when 
using cloud computing. These actions, however, had not always been 
accompanied by development of related policies or procedures.
    Most agencies had concerns about ensuring vendor compliance and 
implementation of Government information security requirements. In 
addition, agencies expressed concerns about limitations on their 
ability to conduct independent audits and assessments of security 
controls of cloud computing service providers. Several industry 
representatives were in agreement that compliance and oversight issues 
were a concern and raised the idea of having a single Government entity 
or other independent entity conduct security oversight and audits of 
cloud computing service providers on behalf of Federal agencies. 
Agencies also stated that having a cloud service provider that had been 
precertified as being in compliance with Government information 
security requirements through some type of Government-wide approval 
process would make it easier for them to consider adopting cloud 
computing. Other agency concerns related to the division of information 
security responsibilities between customer and provider. As a result, 
we reported that the adoption of cloud computing by Federal agencies 
may be limited until these concerns were addressed.
Several Government-wide Cloud Computing Information Security 
        Initiatives Had Been Started, but Key Guidance and Efforts Had 
        Not Been Completed
    In our May 2010 report, we also noted that several Government-wide 
cloud computing security activities had been undertaken by 
organizations such as the Office of Management and Budget (OMB), 
General Services Administration (GSA), the Federal Chief Information 
Officers (CIO) Council, and NIST; however, significant work remained to 
be completed. Specifically, OMB had stated that it had begun a Federal 
cloud computing initiative in February 2009; however, it did not have 
an overarching strategy or an implementation plan. In addition, OMB had 
not yet defined how information security issues, such as a shared 
assessment and authorization process, would be addressed.
    GSA had established the Cloud Computing Program Management Office, 
which manages several cloud computing activities within GSA and 
provides administrative support for cloud computing efforts by the CIO 
Council. The program office manages a storefront, www.apps.gov, 
established by GSA to provide a central location where Federal 
customers can purchase software as a service cloud computing 
applications. GSA had also initiated a procurement to expand the 
storefront by adding infrastructure as a service cloud computing 
offerings such as storage, virtual machines, and web hosting. However, 
GSA officials reported challenges in addressing information security 
issues as part of the procurement. As a result, in early March 2010, 
GSA canceled the request and announced plans to begin a new request 
process. GSA officials stated that they needed to work with vendors 
after a new procurement was completed to develop a shared assessment 
and authorization process for customers of cloud services purchased as 
part of the procurement, but had not yet developed specific plans to do 
    In addition to GSA's efforts, the CIO Council had established a 
cloud computing Executive Steering Committee to promote the use of 
cloud computing in the Federal Government, with technical and 
administrative support provided by GSA's Cloud Computing Program 
Management Office, but had not finalized key processes or guidance. A 
subgroup of this committee had developed the Federal Risk and 
Authorization Management Program (FedRAMP), a Government-wide program 
to provide joint authorizations and continuous security monitoring 
services for all Federal agencies, with an initial focus on cloud 
computing. The subgroup had worked with its members to define 
interagency security requirements for cloud systems and services and 
related information security controls. However, a deadline for 
completing development and implementation of a shared assessment and 
authorization process had not been established.
    NIST is responsible for establishing information security guidance 
for Federal agencies to support the Federal Information Security 
Management Act of 2002 (FISMA); however, at the time of our report, it 
had not yet established guidance specific to cloud computing or to 
information security issues specific to cloud computing, such as 
portability, interoperability, and virtualization. The NIST official 
leading the institute's cloud computing activities stated that existing 
NIST guidance in Special Publication (SP) 800-53 and other publications 
applied to cloud computing and could be tailored to the information 
security issues specific to cloud computing. However, both Federal and 
private sector officials had made clear that existing guidance was not 
 agencies have made progress in implementing gao recommendations, but 
     additional actions are needed to assist agencies in securely 
                      implementing cloud computing
    In our May 2010 report, we made several recommendations to OMB, 
GSA, and NIST to assist Federal agencies in identifying uses for cloud 
computing and information security measures to use in implementing 
cloud computing. These agencies generally agreed with our 
recommendations. Specifically, we recommended that the Director of OMB 
establish milestones for completing a strategy for implementing the 
Federal cloud computing initiative; ensure the strategy addressed the 
information security challenges associated with cloud computing, such 
as needed agency-specific guidance, the appropriate use of attestation 
standards for control assessments of cloud computing service providers, 
division of information security responsibilities between customer and 
provider, the shared assessment and authorization process, and the 
possibility for precertification of cloud computing service providers; 
and direct the CIO Council Cloud Computing Executive Steering Committee 
to develop a plan, including milestones, for completing a Government-
wide security assessment and authorization process for cloud services.
    In response, in February 2011, OMB issued its Federal Cloud 
Computing Strategy,\7\ which references the establishment of a shared 
assessment and authorization process for cloud computing. In addition, 
the strategy discusses other steps to promote cloud computing in the 
Federal Government, including ensuring security when using cloud 
computing, streamlining procurement processes, establishing standards, 
recognizing the international dimensions of cloud computing, and 
establishing a governance structure. However, the strategy does not 
address other security challenges such as needed agency-specific 
guidance, the appropriate use of attestation standards for control 
assessments of cloud computing service providers, and the division of 
information security-related responsibilities between customer and 
provider. Until these challenges are addressed, agencies may have 
difficulty readily adopting cloud computing technologies.
    \7\ OMB, Federal Cloud Computing Strategy (Washington, DC: February 
    We also recommended that the Administrator of GSA, as part of the 
procurement for infrastructure as a service cloud computing 
technologies, ensure that full consideration be given to the 
information security challenges of cloud computing, including a need 
for a shared assessment and authorization process.
    In response, GSA issued a request for quote relating to its 
procurement for cloud services that included the need to use FedRAMP 
once it is operational. FedRAMP was further developed by GSA, in 
collaboration with the Cloud Computing Executive Committee, as a shared 
assessment and authorization process to provide security authorizations 
and continuous monitoring for systems shared among Federal agencies. 
The CIO Council, in collaboration with GSA, issued a draft version of 
the shared assessment and authorization process in November 2010;\8\ 
however, the process has not yet been finalized. GSA officials stated 
that they intend to release additional information on FedRAMP once OMB 
issues a policy memorandum related to cloud computing, expected in the 
first quarter of fiscal year 2012.
    \8\ CIO Council, Proposed Security Assessment and Authorization for 
U.S. Government Cloud Computing, Draft version 0.96 (Washington, DC: 
November 2010).
    Last, to assist Federal agencies in implementing appropriate 
information security controls when using cloud computing, we 
recommended that the Secretary of Commerce direct the Administrator of 
NIST to issue cloud computing information security guidance to Federal 
agencies to more fully address key cloud computing domain areas that 
are lacking in SP 800-53, such as virtualization, data center 
operations, and portability and interoperability, and include a process 
for defining roles and responsibilities of cloud computing service 
providers and customers.
    NIST has also taken steps to address our recommendations. In 
January 2011, it issued SP 800-125, Guide to Security for Full 
Virtualization Technologies.\9\ Virtualization is a key technological 
component of cloud computing. SP 800-125 discusses the security 
characteristics of virtualization technologies, provides security 
recommendations for virtualization components, and highlights security 
considerations throughout the system life cycle of virtualization 
solutions. In July 2011, NIST issued SP 500-291, NIST Cloud Computing 
Standards Roadmap,\10\ and in September 2011, SP 500-292, NIST Cloud 
Computing Reference Architecture.\11\ Collectively these documents 
provide guidance to help agencies understand cloud computing standards 
and categories of cloud services that can be used Government-wide. 
Among other things, these publications address cloud computing 
standards for interoperability and portability.
    \9\ NIST, Guide to Security for Full Virtualization Technologies, 
SP 800-125 (Gaithersburg, MD: January 2011).
    \10\ NIST, NIST Cloud Computing Standards Roadmap, SP 500-291 
(Gaithersburg, MD: July 2011).
    \11\ NIST, NIST Cloud Computing Reference Architecture, SP 500-292 
(Gaithersburg, MD: September 2011).
    NIST also issued a draft publication on cloud computing, SP 800-
144, Guidelines on Security and Privacy in Public Cloud Computing,\12\ 
which addresses the security concerns associated with data center 
operations and the division of responsibilities among providers and 
customers. In addition, the guide discusses the benefits and drawbacks 
of public cloud computing, precautions that can be taken to mitigate 
risks, and provides guidance on addressing security and privacy issues 
when outsourcing support for data and applications to a cloud provider. 
According to NIST officials, SP 800-144 will be finalized in the first 
quarter of fiscal year 2012.
    \12\ NIST, Guidelines on Security and Privacy in Public Cloud 
Computing, Draft SP 800-144 (Gaithersburg, MD: January 2011).
    In summary, the adoption of cloud computing has the potential to 
provide benefits to Federal agencies; however, it can also create 
numerous information security risks. Since our report, Federal agencies 
have taken several steps to address our recommendations on cloud 
computing security, but more remains to be done. For example, OMB has 
issued a cloud computing strategy; however the strategy does not fully 
address key information security challenges for agencies to adopt cloud 
computing. The CIO Council and GSA have also developed a shared 
assessment and authorization process, but this process has not yet been 
finalized. In addition, NIST has issued several publications addressing 
cloud computing security guidance. Although much has been done since 
our report, continued efforts will be needed to ensure that cloud 
computing is implemented securely in the Federal Government.
    Chairman Lungren, Ranking Member Clarke, and Members of the 
subcommittee, this concludes my prepared statement. I am pleased to 
respond to any questions.

    Mr. Lungren. Thank you very much.
    Thank all three of you for that. I understand we are going 
to have votes in about 10 minutes so we will see if we can get 
through a couple of 5-minute question periods. I will start.
    If I were to summarize what I heard, it is that Mr. Spires 
and Mr. McClure have the glass-half-full approach, and Mr. 
Wilshusen, you have the glass-half-empty approach.
    Mr. Spires and Mr. McClure, can you tell me which glass I 
should take up?
    Mr. Spires. Well, sir, I do have the glass-half-full 
approach. I believe that cloud computing is going to transform 
I.T. as things become more commoditized. The world is moving 
that way; we need to move with it because the advantages are so 
    Mr. Lungren. So it is inevitable that we are going to move 
    Mr. Spires. I think it is inevitable.
    Mr. Lungren. So the question we have here is: How secure 
can we make it?
    Dr. McClure, you--if I were to just listen to what you had 
to say I would be very, very pleased that it is very secure 
right now or on the process of getting even more secure. But 
the gentleman to your left is paid to poke holes in arguments 
that people like you make, and he has poked some holes.
    Sometimes things sound too good to be true, and most of the 
time I have found that is true. What assurance do we have as we 
move toward this cloud computing--well, let me put it this way: 
In the report that we issued yesterday, and this is consistent 
with what we have heard before this committee, there has been 
the suggestion that 85 percent of computer intrusions, 
unwarranted interference, et cetera, could be stopped by good 
computer hygiene, which suggests that we have a lot to do in 
terms of public and private awareness.
    One of the key aspects to security on cloud computing would 
be awareness. How am I to be able to tell my colleagues and my 
constituents that the awareness that evidently isn't there now 
with the way we are doing things is going to be there as we 
move to computing? Because isn't that the essential question?
    You can set up the best sort of secure systems possible, 
but if there is not the awareness of what you have to do, both 
in terms of what we are talking about here, the ultimate user, 
that is, the Government employee, but also the vendor, and the 
vendor's employees--it is not going to happen. So is that 
computed into what you said today, that we have the awareness, 
we are going to have the awareness, it is built in, or it is 
easier in a cloud computing atmosphere than what we have had 
thus far?
    Mr. McClure. Well, thank you, Mr. Chairman. As Greg knows, 
I used to be a hole-poker, as well, because I sat in GAO, so 
there is no--this is a really challenging area, so I don't 
think it is a half-full, half-empty glass. We are never done in 
this area. I think all of us here at the table would agree with 
    We can put the best controls in place, the best policies, 
the best people, but you are going to always be advancing in 
your knowledge and in your ability to deter threats and 
vulnerabilities to your system. So it is a given.
    So I think that is one thing we need to do is to dispel the 
myth that there is some magical control or formula that we are 
not using and if we just put in place we would--we will be 
absolutely secure. Security is an on-going exercise.
    Mr. Lungren. True. But how do we answer the question to 
those who would be skeptics of what we think we need to do, 
that if you move in the direction of cloud computing you are 
necessarily creating greater target-rich environments? That is, 
if I can invade a cloud that has multiple--more data points 
than a small network I would target my energies on that, and if 
I am successful, boy, I really have a tremendous amount of 
information, and connected information, where I may not have it 
if it is divided over 2,700 different networks. That is the 
concern I have expressed to me.
    On the other hand, I hear the argument, ``Well, wait a 
second. We can put more capital investment into cloud 
technology. They can be more up-to-date, more timely. They can 
find things more quickly because they have a greater 
observation point.'' I understand that.
    But I think you understand the point about a greater 
target-rich environment with the concern people then have that 
you have got to have a promise that the security of the cloud 
is going to be measurably better than the security we have in 
the current system.
    Mr. McClure. Yes, and I would absolutely agree, that is the 
way forward. Our problems in security are not unique cloud 
computing systems, by the way. So if you look at what we are 
putting in place in FedRAMP, we need, first of all, agreement 
on what the baseline controls actually are, and I think we have 
achieved that by working across a huge community in the 
Government to have that dialogue.
    Second, we have to agree on what are the additional 
controls that are warranted in a cloud environment, much as you 
described, where there are extended vulnerabilities that are 
not necessarily applicable to traditional systems. So we have 
done that. We have tried to introduce new controls.
    Third, we have to move to continuous monitoring. We have to 
make sure that agencies are applying managerial, technical, and 
operational controls to their systems for clouds, but we also 
have to report on a real-time basis the posture of the cloud 
security provider's environment, and that we have to see and we 
have to be able to take action, and we have to demand a 
solution be put in place. Then we can really bump up, I think, 
our security posture to more tolerable levels.
    Mr. Lungren. Thank you very much.
    Now, I either recognize the gentlelady or Mr. Thompson.
    No, whoever you want to----
    Mr. Thompson. Well, thank you very much.
    Mr. Lungren. Because we have, I think, 5 minutes, probably, 
before we have to go vote. Votes have already been called. So--
    Mr. Thompson. Right. Well, thank you, Mr. Chairman. I 
appreciate the Ranking Member's indulgence.
    Clearly, the cloud is kind of cloudy right now to a lot of 
us, and we are trying to get better. But as we go forward, I am 
a little concerned about how our Government moves forward 
without the necessary safeguards in place.
    Mr. Spires, let us talk about one of my concerns. I 
understand that DHS has contracted with a company called CGI 
Federal, Inc., to move its public website to the cloud. Now, I 
understand that this is not a U.S. company. Am I correct or 
    Mr. Spires. Actually, sir, CGI Federal--well, you are 
correct, we are--we have contracted, through the GSA 
infrastructure as a service vehicle for CGI Federal to provide 
cloud services so we can move our public-facing websites to the 
cloud. That is correct.
    CGI Federal is a U.S.-based company. The parent company is 
a Canadian-based company.
    Mr. Thompson. So it is a U.S.-based company----
    Mr. Spires. Yes, sir.
    Mr. Thompson [continuing]. Owned by a Canadian company?
    Mr. Spires. That is correct, sir.
    Mr. Thompson. Okay. Does that cause you any concern?
    Mr. Spires. In awarding the contract, sir, and going 
through the evaluation, we followed all the proper regulations 
from the FARR. I worked with our procurement organization, 
worked with GSA's procurement organizations.
    I should also point out, sir, that we put a clause into 
that contract or that task order that States that everyone that 
works on that particular contract needs to be a U.S. citizen 
unless we grant a waiver, and I don't expect we would be 
granting a waiver to that, and that all the data that is--that 
we would use in running those public websites needs to be 
resident within the United States.
    Mr. Thompson. Can you provide the committee with a copy of 
that task order?
    Mr. Spires. We certainly can, sir.
    Mr. Thompson. So none of the work--none of the hosting or 
anything will be done out of the----
    Mr. Spires. No. The hosting will be done in two geographic 
diverse data centers that are both located within the United 
States, sir.
    Mr. Thompson. Thank you very much.
    Dr. McClure, when you testified before the House Oversight 
and Government Reform Committee last year you called security 
one of the most significant obstacles to the adoption of cloud 
computing. Is that still your position or have you modified it?
    Mr. McClure. No, and I think it is a--the top challenge. 
There are others that we have alluded to.
    Security, because of these issues we have been bringing up 
this morning--the lack of consistent standards, the lack of the 
quality of the work being done to assess cloud systems, the 
lack of real continuous monitoring, real-time capabilities--it 
presents real challenges, particularly in cloud environments. 
But we are addressing those; that is what we are trying to do.
    The other two, though--and I think Greg may have mentioned 
this--are portability--I park my data onto a cloud provider's 
system; I, either by choice or because they are going out of 
business, I want to get that data off of their cloud system and 
into a new one. Can they aggregate and reconstitute that data 
and give it back to me? It is a huge question that Federal 
officials have to ask of their cloud service provider.
    Mr. Thompson. So that is still a concern?
    Mr. McClure. Absolutely.
    Mr. Thompson. Well, I understand that we have 12 companies 
that have been approved for some services under these 
contracts, while only four have been--of those 12--have been 
fully vetted. Is there some issues around security, or what?
    Mr. McClure. Absolutely. Once the 12 entities were found to 
be qualified and awarded business under that BPA, the second 
step is to go through a security authorization process, which 
is controls and testing to make sure they meet all Federal 
requirements. To date, four have, and they are subcontractors, 
and the remaining are going through the completion of that 
security authorization.
    Mr. Thompson. So another Federal agency couldn't pick from 
the eight at this point?
    Mr. McClure. Correct.
    Mr. Thompson. They can only take the four?
    Mr. McClure. They can take the four. They can actually, if 
they wanted to, enter into business with one of the other eight 
if they themselves performed the security assessments. We are 
doing it at GSA in order for all agencies to be leveraging off 
of that rather than repeating it.
    Mr. Thompson. Well, and I guess for the GAO person in my 
last second, I am a little concerned that some of the vetting 
is not complete with some of the companies. Have you looked at 
that and whether or not you have some concerns around that, 
    Mr. Wilshusen. Well, we haven't specifically looked at 
GSA's authorization and assessment process yet, but certainly 
if we haven't--or the GSA or Federal agencies have not yet 
assessed the security controls over the cloud environment, they 
are doing--if they use that environment they are doing so at 
risk, and at an increased risk.
    Mr. Thompson. Yes. Thank you.
    Mr. Lungren. All right. We are expected at a series of five 
votes on the House floor that has already started. We have, I 
think, 5 minutes to get over there to vote.
    The subcommittee will stand in recess until the conclusion 
of these votes, reconvene immediately following the last vote, 
which will probably be between 45 minutes to an hour.
    Mr. Lungren. With the acceptance of the Minority I am going 
to ask a few questions, and then, when Ms. Clarke gets here she 
will have the chance, or Mr. Keating returns from the floor, so 
we can allow the first panel to go as quickly as possible.
    Let me ask you, Mr. Spires, how is the Department 
evaluating the different needs for different data sets? That 
is, if we have an agreement that there are different categories 
of clouds that are appropriate for different levels of security 
based on the nature of the data, what is the criteria you are 
using in evaluating those different needs?
    Mr. Spires. My apologies. Yes, sir. We are using different 
evaluation--or, using evaluation criteria based on the 
sensitivity of the data itself. So in our case, we are starting 
off fairly simple right now.
    All of what we would consider sensitive data, including 
data that would be for official use only and higher sensitivity 
data--law enforcement sensitive, for instance, in the 
unclassified realm--right now we are keeping that within what 
we call our private cloud, and that private cloud is hosted out 
of our two enterprise data centers. It runs within our own 
wide-area network, and hence, we are able to control that 
environment and really have the insights through continuous 
monitoring into the security stature of that environment.
    We are aggressively looking at public cloud for what we 
would say is nonsensitive data. So the example I used in my 
testimony of us moving our public-facing websites, like 
dhs.gov, fema.gov, to public cloud, and we are trying to get 
experience using the public cloud.
    As the FedRAMP process matures we would anticipate over 
time looking at how that evaluation criteria could change, 
because I am a real believer, having been in the private sector 
for a good part of my career, that we always want to foster 
competition; we always want to have choice. So as we have more 
and more comfort over time that public cloud services can 
provide the security levels, okay, and the continuous 
monitoring capabilities that we need we would look, then, over 
time to start to relax that criteria or shift it so that more 
sensitive data would be able to be moved into the public cloud.
    Mr. Lungren. Now, what is the interplay between Department 
of Homeland Security and GSA in terms of assurance of 
cybersecurity as we move to the cloud? DHS appears to be the 
point agency for--I don't want to say looking over the 
shoulder, but looking at other Government agencies and 
departments to assure that they are taking cybersecurity 
seriously. I know we have the office in the White House, which 
is an office that I would suggest is sort of a--my definition, 
sort of a focal point for policy, but DHS is the operational 
    How do you interface with GSA on something like this, with 
respect to their responsibilities in the areas that they have 
    Mr. Spires. Let me provide an answer, and I am sure Dr. 
McClure will then want to weigh in.
    First, I should state that I am the CIO for the Department 
of Homeland Security; there is another part of DHS within what 
we call our NPPD organization that really has this mission, if 
you will, to provide--really look at cybersecurity, of course, 
for the Nation, but in particular, for the civilian government 
    Mr. Lungren. Hopefully you folks talk to one another.
    Mr. Spires. We talk to one another all the time. As I like 
to say, we are the biggest guinea pig for what they want to do 
next. I think we should be, right? So we work very, very 
closely with them.
    So they have, for instance the US-CERT operation, which 
    Mr. Lungren. Right.
    Mr. Spires [continuing]. Incident response information from 
throughout the Government to be able to share, analyze that 
information. That organization is working very closely with our 
organization and with GSA as we look at how we are going to 
roll out this FedRAMP initiative.
    For instance, as FedRAMP rolls out and we look at 
continuous monitoring for public cloud service providers, those 
feeds would be provided to the Department of Homeland Security, 
to US-CERT, for continual analysis, as well as to the agency, 
so that we can continue to monitor, if you will, public cloud 
capabilities, if you will, real-time throughout the Government 
for the use of the public cloud.
    Mr. Lungren. Dr. McClure.
    Mr. McClure. Yes, it is a--excuse me, Mr. Chairman--it is a 
very complementary relationship. FedRAMP has actually been 
devised with heavy DHS participation, both from Richard's 
office, representing the CIO angle, and from Greg Schaffer's 
office, the NPPD directorate that Richard referred to, which 
does the operational monitoring and runs a lot of the--a lot of 
the US-CERT capabilities.
    So what we are doing in FedRAMP is designed to actually 
incorporate the role of DHS into that process. We are not 
replicating, we are not eliminating anything that is really 
clearly in DHS space.
    In fact, if you look at the recent change made to FISMA 
that requires agencies to do monthly reporting of continuous 
monitoring, FedRAMP is simply building on top of that. It is 
utilizing that process as we designed our process for FedRAMP.
    Mr. Lungren. In either your opening statement or an answer 
to a question you indicated that continuous monitoring was one 
of the essentials as we move to cloud computing. Is the 
suggestion that this needs to be increased in intensity? Is it 
a relatively new concept? Is it one that has been implemented 
across the board in Government agencies and departments, or is 
it sporadic?
    Given what you said about this being an essential, one 
would think it would be essential now, and one would also ask 
whether it is treated as something essential now.
    Mr. McClure. Absolutely. The issue with the continuous 
monitoring controls is the agreement upon the standard for the 
control and on the data elements that actually would be passed 
to show compliance.
    What we want to do is to make sure that that has been 
agreed to with industry as well as inside of Government. So 
that is the process that is underway now, establishing those 
standards for the controls and the continuous monitoring are 
and coming up with agreement on the actual data elements that 
would be shared between entities to show compliance.
    Once that is worked out, I think we can begin moving to a 
near real-time view of what is happening in the provider space, 
whether it is an internal or external provider that is doing--
    Mr. Lungren. Mr. Wilshusen, do you have any comments, 
    Mr. Wilshusen. Yes, I do. Thank you very much.
    As you know, we issued a report just this week on Federal 
information security. One of the issues we discuss had to do 
with continuous monitoring.
    It is a relatively new phenomenon and requirement within 
the Federal Government. NIST recently issued some guidance that 
included it in its risk framework. I believe that came out back 
in February, perhaps, of 2011, or--I think it was February 
2011, if I remember correct.
    Right now the experience with Federal agencies in 
continuous monitoring is still immature, if you will. There is 
still a great deal that needs to be done. In some respects it 
is required that agencies have the capability to have automated 
tools in place in which they can gather this information and 
feed it on a regular near-real-time basis, and many of the 
agencies so far don't have those capabilities over all of their 
    It is also important to know that with continuous 
monitoring there is that automated aspect of it, but there is 
still a need for testing and evaluation of the effectiveness of 
the controls to assure that the information that is being 
provided through these automated tools is accurate and 
    Mr. Lungren. One of the key risks the GAO report identifies 
relating to cloud computing is the dependency on vendor. There 
was mention by Mr.--by Dr. McClure when we were doing the first 
round of questions about the scenario in which you terminate a 
contract or a vendor ceases operations.
    Any thoughts on how you protect against the vulnerability 
there? What do you have to build in to protect the Government's 
essential needs at that point?
    Mr. Wilshusen. Well, that certainly is a key risk to 
Federal agencies. When we did our report last May all 24 of the 
24 agencies cited loss of information as a key risk should 
their cloud service be terminated.
    So in terms of being able to help mitigate those risks, it 
is imperative for agencies to establish comprehensive service-
level agreements that specify clearly up front what the roles 
and responsibilities of the cloud service provider is as well 
as what the customer is with regard to providing information 
should they go out of business. It is also--or service is 
    It is also imperative that interoperability and portability 
standards be developed and implemented so that agencies have 
the capability to take their information that is being 
processed by a cloud service provider and use it either 
internally or to another provider should the need arise.
    Mr. Lungren. Mr. Spires, is there anything technologically 
unique about cloud computers that causes more difficulty with 
this particular concern--that is, termination of services?
    Mr. Spires. Not on the technical side, sir, but I would 
echo what Greg said, that one of our big concerns about moving 
to the public cloud is exactly that, that we want to be able to 
assure continuity of service to our customers, right, in all 
events. So we have to work those scenarios as to what happens 
in the hopefully unlikely event that that cloud service 
provider can no longer offer that service--so data archiving 
capabilities, having the standards set--and I know this is 
something NIST is working on--for cloud interoperability so 
that we can quickly shift to another cloud service provider if 
    Mr. Lungren. So cloud interoperability would presume that 
you have equal security measures available.
    Mr. Spires. Well, I think that comes back to the FedRAMP 
initiative and the idea of having these provisional 
authorizations in place for, hopefully over time, many cloud 
service providers so that that makes it much easier for us, as 
CIOs, to have choice and to be able to much more easily move 
our services. Goes back to my competition point earlier. It 
also gives us a more competitive playing field, which will 
drive down costs over time and, of course, provide better 
    Mr. Lungren. Before I yield to the gentlelady, the Ranking 
Member, the Ranking Member of the full committee brought up the 
question about the contract with the first that is a U.S.-based 
firm but a wholly-owned subsidiary of a Canadian firm. We are 
close to Canada, but it is another country, as I recall.
    I think Congressman Thompson was bringing up the question 
of the--I don't know the visuals of that or how we tell the 
American people, ``Yes, we are going to have--the Government is 
going to use vendors that have cloud computing with all of the 
assets but also the vulnerabilities we talked about, and it is 
going to be a company that answers to people who aren't in this 
    You answered it specifically. Do you understand the--at 
least the question some people might have there?
    Mr. Spires. Sure. The more general point--certainly at the 
Department of Homeland Security within my office, we would be--
want to always make sure, sir, that our data is protected, that 
for any sensitive data as we move forward that we would want 
U.S. citizens to only have access to that data, that it be 
housed--for sensitive information, that we would only have that 
data housed in data centers that were on American soil. That 
would go without--I mean, it is the given, okay?
    All I can say, sir, is we followed the regulations. We did 
an open competition within the providers that were available to 
us through the GSA vehicle, and based on the evaluation 
criteria, this firm won that particular task order.
    Mr. Lungren. Okay. Thank you very much.
    The gentlelady, the Ranking Member of the subcommittee, is 
recognized for 5 minutes.
    Ms. Clarke. Thank you very much, Mr. Chairman.
    Let me thank our panelists and thank you for your patience. 
We need clones around here, that is all I can say.
    But let me say that in the brief moments I have had in the 
hearing I am not as concerned about our capability to secure 
the cloud, and I say that simply because we were innovative 
enough to invent it. I believe that our knowledge, our 
capability, our skills will enable us to protect. So I am going 
to be affirmative.
    Then when I think about young people today and their level 
of curiosity, their innovativeness, I know that somewhere 
seated in some classroom today is the person that is going to 
come forth who will enable us to do what we need to do to move 
forward with the innovations that we have as a civil society. 
So I am coming at this not as a scary person but as someone who 
is ready for the adventure.
    Having said that, I would like to ask this question of both 
Mr. Spires and Mr. Wilshusen: Did you look at the experiences 
of other Federal agencies in using public clouds before 
undertaking this effort? If so, what lessons did you learn and 
how did you apply them? What about State and private sector 
experiences? Were those also taken into account?
    Mr. Spires. Ma'am, we certainly have, within our strategy, 
had numerous discussions, both with other Federal Government 
agencies--NASA, the Veterans Administration come to mind, both 
of which have been very aggressive at looking at cloud 
capabilities. We have also talked to a number of--I have 
personally talked to a number of CIOs within private sector 
firms as well as my staff, who have been very involved in 
reaching out, as well as to advisory services that work in the 
I.T. industry and serve that industry.
    A few of the lessons learned--and I think we are still 
learning a lot of these lessons, right? I mean, one of our 
biggest issues, beyond security, because that is probably the 
biggest issue; we have been talking about that. But the next 
one is really, this is fundamentally a different business 
model, and it changes--I mean, we are buying a service-level 
agreement; we are not, you know, out there purchasing hardware 
and licensing software and integrating together.
    Fundamentally, how we procure this is very, very different. 
So we have been working across the Federal Government--and as a 
matter of fact, in a couple weeks the Federal CIO Council and 
the Federal Chief Acquisition Officer Council are going to be 
meeting together to talk about this very issue: How do we work 
out the procurement issues, the business model issues, so that 
we put ourselves in the best position to leverage this 
capability from a business perspective?
    I would say that is where a lot of the lessons learned are. 
I think many of us are still feeling our way, to be honest, as 
to what is the right business model moving forward.
    Mr. Wilshusen. Ms. Clarke, when we conducted our review 
last year over cloud computing security we went to a couple of 
different agencies and looked at some of the pilot cases that 
were underway. We went to DOD and looked at the DISA RACE, 
which is the Rapid Access Computing Environment, and also 
looked at NASA's Nebula cloud environment.
    A couple of lessons learned that they experienced had to do 
with just the assuring that they are having to reengineer some 
of their business processes in order to accommodate the use of 
the cloud computing. They also found that one of the challenges 
that they had was also clearly specifying and delineating the 
responsibilities for security of the client personnel, you 
know, at NASA, as well as the cloud provider.
    Now, in both cases each of their implementations were 
private cloud implementations. They decided in each case to 
take a kind of a slow, cautious approach before jumping in and 
maybe going to a public cloud. But in both cases they went to 
the private cloud implementation, which generally will have a 
lower threat exposure than public cloud.
    Ms. Clarke. Then I want to ask, are there any agency 
applications or services that should never move to the cloud, 
or is everything an agency does open to the move? In either 
case, why would it be the case?
    Mr. Wilshusen. Well, I will take an initial stab at that. 
There is probably implementations and information that is so 
sensitive, perhaps, you know, classified information that needs 
to be particularly protected that it should not be placed out 
into a cloud environment, particularly a public cloud 
environment, given the current security capabilities present. 
So certainly classified information probably should not be 
placed in a public cloud environment.
    Ms. Clarke. So would you say never, or do you foresee in 
the future that that capability will exist? Because my question 
was never.
    Mr. Wilshusen. Right. Well, I was taught from a very early 
age never to say never, and I think I will keep to that now.
    Mr. Spires. I think I have essentially the same answer, Ms. 
Clarke. In the I.T. field I have learned to never say never 
because things change so much, since, certainly, in the years I 
have been in this field.
    That being said, I would agree wholehearted with Greg. It 
is going to be quite a while before we would have any comfort 
in putting any classified information into a public cloud 
environment, and it may never happen. I think it will quite a 
few years before we would look to do that.
    Mr. McClure. Yes. The only thing I would add, Ms. Clarke, 
is that it goes back to what the agency sets as its 
requirements for what it is trying to do with its data and its 
service delivery. If the data demands protection levels that 
are beyond the capabilities of either in-house or out-house 
providers then you have got to address that.
    So the term ``public cloud'' is used pretty loosely. 
Actually, there are instances, I think, where you will see 
Federal agencies claiming they do have things in public cloud 
but it is not the equivalent of what you might find a consumer 
such as ourselves doing from our own homes.
    We have security requirements, records management 
requirements, 508 requirements. They have all these other 
requirements that still these providers have to show that they 
are able to provide that even though they may be called a 
public cloud solution.
    Ms. Clarke. Thank you very much, Mr. Chairman.
    Mr. Lungren. Mr. Keating, you are recognized for 5 minutes.
    Mr. Keating. Thank you, Mr. Chairman.
    With the new technologies I think there is a possibility of 
increased risk on infringement of copyright holders' rights 
because of the nature of this, that it is faster, cheaper, and 
it is easier to engage with unauthorized reproduction and 
distribution of public performances of types of copyrighted 
works. To what extent can the increased reliance on the data 
storage through cloud computing services contribute to this 
kind of copyright infringement? Do you see an issue there?
    I will throw it open to the whole panel.
    Mr. McClure. Sure. I will take a stab at it first.
    I think it goes back to in any environment, private or 
public cloud regardless, you have still basic security and 
privacy standards that have to be met. Access controls come to 
mind in this particular case. Who has access to information in 
these cloud environments is still a huge issue. If you don't 
define that and put the controls in place then you are subject 
to losing information no matter what kind of cloud environment 
you have it in.
    Mr. Keating. Yes.
    Anyone else?
    Mr. Spires.
    Mr. Spires. I would just add, sir, that one of the things 
we are really working on within Homeland Security is 
strengthening our identity credential and access management 
capabilities, to pick up on what Dr. McClure said. We foresee 
in the future having a much stronger authentication model to 
protect against these very types of things, whether it be 
copyright infringement, or in our case we are very concerned 
about privacy and civil liberties, right, and access to the 
data that we store.
    That really transcends whether you are in a cloud 
environment or whether this is just a more traditional kind of 
I.T. system and database. But these are the things that we are 
working on right now that strengthen the safeguarding side yet 
still enable the right kind of information-sharing to protect 
the homeland.
    Mr. Keating. Okay.
    Mr. Wilshusen. I would just like to add that I agree that 
authorization and identification and verification is going to 
be key in this respect. The one additional wrinkle--not to poke 
a hole or anything--is that the responsibility for sharing that 
the authorization is correct and the identity of the user is 
actually verified and claimed may no longer reside with the 
Federal Government or the Government agency with the cloud 
service provider. So the effectiveness of the cloud service 
provider's controls and access controls come into play as well.
    Mr. Keating. Okay. That is interesting.
    Thank you very much. I had just one other--might be a bit 
tangential, but, you know, in terms of the Government security 
and securing Government data, there is the use of flash drive-
type products as well. Is there any advantage or 
differentiation that is being made when you have that kind of, 
you know, product, in using a hard drive kind of system versus 
a software authentication?
    Do you get anything more out of--from a secure basis--out 
of the hardware kind of authentication for that type of product 
than just the software itself? I mean, is it--where do you see 
it going? I mean, do you need both? Is it fine just with 
software, or do you think there is a need for that going 
forward for secure data?
    Mr. Wilshusen. Well, I will take the initial stab. Yes, I 
think, you know, the hardware's authentication and security is 
something that can definitely help protect information, and 
particularly with flash drives and thumb drives. It, as you 
know, is a key risk because those devices can contain----
    Mr. Keating. Right.
    Mr. Wilshusen [continuing]. Large volumes of information 
and they are extremely portable, as they are designed to do. 
Some agencies, like the Department of Defense, has banned their 
use on their systems because they also are carriers or can be 
used to carry malicious software and install that on devices on 
an agency's internal network.
    Mr. Keating. Okay.
    I will yield back my time, Mr. Chairman. Thank you.
    Mr. Lungren. Thank you very much.
    I want to thank this first panel for not only testifying 
but understanding we have votes that interrupt, I understand 
that this takes a portion of your day, and we appreciate you 
being here. We thank you for your testimony.
    The Members would request the Members of the committee may 
have some additional questions for you that we might submit in 
writing. We would ask that you would respond to those in 
    With that, I am happy to thank you and dismiss you, and we 
will move on to the second panel.
    I am going to ask unanimous consent that Mr. Duncan, who is 
a Member of the full committee but not a Member of the 
subcommittee, can sit for this second panel and have the 
privilege of introducing someone from his State when we get 
    So thank you, to the first panel.
    If the second panel would come up, Mr. Sheaffer, Mr. Brown, 
Mr. Bottum, and Mr. Curran?
    Today we have the opportunity to hear from a distinguished 
second panel on the question of ``Cloud Computing: What Are the 
Security Implications?''
    We have Mr. James Sheaffer, the president of Computer 
Science Corporation's North American Public Sector. Previously, 
Mr. Sheaffer served as vice president for CSC as well as a 
general manager of Prime Alliance--that is CSC's partnership 
with the IRS--to support the business systems modernization 
program. Prior to joining CSC Mr. Sheaffer spent 27 years in 
the American Management Systems, Inc. working on 
telecommunication in North America and Europe.
    Mr. Timothy Brown is vice president and the chief architect 
for security management at CA, Inc. With more than 20 years of 
information security experience, Mr. Brown has been involved in 
many areas of security, including threat research, 
vulnerability management, consumer and enterprise identity, 
access management, network security in the encryption 
compliance and managed security services.
    John Curran is the president and CEO of American Registry 
for Internet Numbers. He serves as the chief technology officer 
and chief operating officer for ServerVault as well as the 
chief technology officer at XO Communications and BBN/GTE 
Internetworking. Mr. Curran also has been an active participant 
in the Internet Engineering Task Force.
    It is my privilege to allow Mr. Duncan to introduce the 
next gentleman, who, as I understand, had something to do with 
Purdue University. Since I went to Notre Dame I would like you 
to introduce him.
    Mr. Duncan. Okay. Thank you.
    Mr. Duncan. Thank you, Mr. Chairman. Thanks for giving me 
the opportunity, and thanks to the committee for allowing me to 
sit on the dais with you this morning.
    It is my distinct pleasure to introduce one of my 
constituents, but he is also someone from my alma mater, 
Clemson University. Jim Bottum is a chief information officer 
and vice provost for computing and information technology for 
Clemson University.
    Clemson, Mr. Bottum leads efforts focusing on high-
performance computing and communication as well as 
collaborating with State and National government entities. 
Under his leadership, Clemson University's Palmetto Cluster has 
appeared at No. 60 in the world's top 500 computing sites 
alongside Clemson's Computational Center for Mobility Systems, 
ranked at No. 100.
    Mr. Bottum currently serves on the NSF Advisory Committee 
for Cyber-Infrastructure, NSF Advisory Committee for CRPA 
Assessment, and the I-2 or Internet 2 Board of Trustees. Prior 
to coming to Clemson, Mr. Bottum was the first CIP and VP for 
computing at Purdue, where he was responsible for planning and 
coordinating all computing and information systems across the 
    He has also served on other NSF committees as well as 
National laboratory boards and provided consulting services for 
major universities across the United States. He has worked 
extensively on issues of cloud computing and should provide an 
excellent perspective of this issue from his academic research 
and experience.
    I look forward to hearing his testimony and thank you for 
having him here today. I yield back.
    Mr. Lungren. I thank the gentleman.
    We thank you all for being here. We thank you for your 
indulgence, in that I know you had to wait as well, as we went 
over to vote.
    We have the procedure here that your written remarks will 
be made a part of the record in their entirety, and we would 
ask you to limit your verbal remarks to 5 minutes apiece, and I 
would ask Mr. Sheaffer to go first.


    Mr. Sheaffer. Thank you. Mr. Chairman, Ranking Member 
Clarke, Mr. Duncan, it is an honor for me to appear before you 
    My name is Jim Sheaffer. I am president of CSC's North 
American Public Sector, with 29,000 employees who proudly serve 
and support the missions of Federal agencies.
    I also recently served as vice chair for the Public Sector 
for TechAmerica Foundation's Commission on the Leadership 
Opportunity in U.S. Deployment of the Cloud. In July our 
commission issued a report called ``Cloud First, Cloud Fast'' 
that included 14 specific recommendations for the Federal 
Government to accelerate the adoption of the cloud, and I 
respectfully request that that document be entered into the 
    * The information has been retained in committee files.
    Let me offer a brief word about CSC. Last year we had 
revenues of just over $16 billion. We are acknowledged as a 
leading global provider of I.T. services. We deliver large-
scale projects for both public and private sector clients, and 
we provide cybersecurity to some of the world's largest 
companies and some of the most sensitive U.S. Government 
    By leveraging shared computing resources, higher 
utilization rates of hardware, and economies of scale, cloud 
computing is ushering in an I.T. revolution. Users pay only for 
what they consume. Cloud computing and the as-a-service 
delivery model enable organizations to cut costs of computing, 
build capacity for growing volumes of data, and burgeoning 
requirements for computation.
    Cloud is a hot topic, but it is only the latest 
evolutionary step in the field. I began first with custom-build 
computers, moved to mainframes, on to personal computers, then 
to client-servers, and then to the internet.
    What is different about the cloud is the rate of adoption. 
The economics are compelling and the take-up of this technology 
is much faster than some of the earlier technologies that were 
adopted. In fact, the global nature of the cloud makes this a 
different kind of phenomenon.
    Today's austere Federal budget climate offers an added 
incentive for agencies to adopt the cloud, but it also raises 
questions of trust. Trust is more than just security. U.S. 
citizens and users must believe in the integrity and 
reliability of cloud computing in addition to security.
    We acknowledge the challenges. One, the speed of cloud 
advancement requires new security policies and even new 
security technologies and procedures.
    The internet, which is the foundation for the cloud, was 
originally designed without a primary focus on security, and 
since then we have had to play catch-up to make it secure. In 
the future it will require the design of intrinsically secure 
architectures to ensure security.
    A second risk is that all required security standards for 
cloud are not yet in place, as we heard from the prior--the 
previous panel. The National Institute of Standards and 
Technology and the Cloud Security Alliance, a nonprofit 
coalition, are developing, with industry support, those 
standards, and we believe that they need to be global 
standards, not just standards here in the United States.
    Third, cyber threats are serious and dynamic, and becoming 
more pernicious. Threats are more severe than we experienced in 
the past, and the capabilities of bad actors are evolving 
    The risks and challenges to cloud computing are substantial 
but not insurmountable and should not be used as an excuse to 
shrink from the adoption of the cloud. Fundamentally, 
cybersecurity must be integral to the architectures and not 
bolted on after the fact. We at CSC are confident that prudent 
cloud computing adoption can meet the stringent security 
    How should those risks and challenges be addressed? The key 
is to align the risk profiles of various types of data and 
their uses with the levels of protection required.
    One-size-fits-all approaches provide neither effective 
security nor the lowest cost. Each application and data set 
must be evaluated to identify its specific security 
requirements, and then appropriate cloud solutions can be 
implemented, choosing from private, public, or hybrid clouds.
    As an evolving technology, it is important to gain feedback 
and lessons learned from the implementation of cloud computing. 
Lessons will need to be shared across agencies, as one of your 
previous questions indicated.
    The Department of Homeland Security is laudably reaching 
out to foster a more secure and resilient cyber environment. 
The Department is leaning forward to show leadership in cloud 
    In consolidating infrastructure from the 22 components of 
the primary data center at Stennis and its backup, DHS is 
increasing the productivity of its capital investment in 
computing and it has also implemented a private cloud behind 
its firewall and security systems. The Department is clearly an 
early and prudent adopter of cloud computing.
    One example of the success of this approach is our systems. 
With our assistants at DHS we are designing and implementing a 
private cloud for DHS that will reduce the time to provision 
new software development and test environments from months to 
just a couple of days.
    In conclusion, cloud computing offers enormous opportunity 
to improve performance and reduce costs. Security issues can be 
managed. The United States is a leader worldwide in cloud 
adoption, and we can and must maintain that position.
    I welcome your questions. Thank you.
    [The prepared statement of Mr. Sheaffer follows:]
                Prepared Statement of James W. Sheaffer
                            October 6, 2011
    Mr. Chairman, Ranking Member Clarke, and Members of the 
subcommittee, it is an honor to appear before you today to discuss 
security implications of cloud--or shared--computing. The subcommittee 
laid a good basis for today's discussion in its April 15 hearing on 
promoting Department of Homeland Security cybersecurity innovation and 
securing critical infrastructure, and its June 24 hearing on the 
homeland security impact of the administration's cybersecurity 
    I am Jim Sheaffer, President of CSC's North American Public Sector. 
Recently I served as Vice-Chair for the Public Sector of the 
TechAmerica Foundation's Commission on the Leadership Opportunity in 
U.S. Deployment of the Cloud (CLOUD\2\). The mandate of the Commission 
was to provide recommendations on how the Federal Government could 
deploy and accelerate the adoption of cloud technologies, and to 
address public policies that would enable U.S. innovation in the cloud. 
In July, the Commission issued a report--Cloud First, Cloud Fast--that 
addresses some of the issues we are discussing today.
    Let me begin by offering a brief word about CSC. Last year we had 
revenues of just over $16 billion. Three-fifths derived from IT 
services provided to the private sector, and two-fifths from a range of 
services for the public sector. Acknowledged as a leading global 
provider of IT services, CSC delivers large-scale IT projects for both 
public and private sector clients. We provide cybersecurity to some of 
the world's largest companies, including critical infrastructure 
providers, and some of the most sensitive U.S. Government agencies.
                            cloud computing
    By leveraging shared computing resources, higher utilization rates 
of computing hardware, and economies of scale, cloud computing is 
ushering in an IT revolution which promises far lower costs while 
greatly improving capacity and performance. Cloud computing combines 
self-service provisioning of software applications and IT 
infrastructure with on-demand scaling of computing and storage in which 
users pay only for what they consume. Cloud computing and ``as-a-
service'' delivery enable organizations to slash unit costs of 
computing, and build capacity for rapidly growing volumes of data and 
burgeoning requirements for computation.
    Cloud computing is a hot topic. In essence, it is just the latest 
evolutionary step that has taken us from custom-built computers to 
mainframes to personal computers to client-servers, and then to the 
internet. What is different about cloud computing is the accelerating 
pace of change, rapid adoption rates, and global nature of its use.
    Cloud innovation allows entrepreneurs and public sector innovators 
to create value at little to no capital expense in computing resources, 
unlike the previous waves. Cloud computing disrupts existing business 
models and enables wholly new ones. The explosion of mobile computing 
catalyzes even faster adoption of cloud computing.
    Cloud computing hardware can reside on-premise at an organization's 
facility, or off-premise, such as at an IT provider's facility. The 
National Institute of Standards and Technology (NIST) defines four 
types of environments for cloud computing: (1) Private cloud that is 
operated by an organization and may exist on-premise or off-premise; 
(2) Community cloud that is shared by multiple organizations related to 
a specific community and may exist on-premise or off-premise; (3) 
Public cloud that is available to the general public, owned by a 
commercial vendor and located off-premise; and (4) Hybrid cloud that is 
a combination of two or more clouds (private, community, or public).
    Today's tight Federal budget climate offers an added incentive to 
agencies to adopt the cloud. But while cloud computing offers 
substantial benefits, such as cost savings, speed, and responsiveness 
to mission needs, it also raises questions of trust. Trust encompasses 
such concepts as security, availability, reliability, transparency to 
the user, and ability to extract data.
    The pace and degree of adoption of cloud delivery services will 
depend on establishing a basis of trust. This begins with understanding 
the risks and challenges. Can important data be entrusted to the cloud? 
Are there new risks and challenges to trust, especially the security of 
    Let us look at the new risks and challenges to trust. One, the 
speed of cloud technology advancement requires new security policies, 
and even new technologies and procedures, to keep pace with cloud 
advancements. Most current knowledge about IT security is based on a 
world in which most computer resources are under the direct control of 
a person or organization and in which physical and technical means 
exist, including software firewalls, to control access. Moreover, the 
internet was originally designed without a primary focus on security; 
since then computer security specialists have played catch-up.
    Many of those security concepts must be reconsidered for a world in 
which cloud computing enables a much broader spectrum of solutions and 
much greater cost savings derived from the sharing of computing, 
storage, and network resources, bringing new economies of scale. For 
example, firewall technologies designed for operating inside the 
virtual fabric of cloud architectures--the design of cloud computing 
systems--are just now becoming available, and they remain largely 
    A second risk is that all of the required security standards for 
cloud computing are not yet in place. Clear, understandable, and 
verifiable standards are essential for building trust. The National 
Institute of Standards and Technology and the Cloud Security Alliance--
a non-profit coalition of practitioners, companies, and associations--
are conducting research and developing new cloud security standards.
    Third, while not specific to cloud computing but relevant to it, 
cyber threats are serious and dynamic--and becoming more pernicious. 
Business and Government alike face threats much more severe than in the 
past, and more likely to change and do so swiftly.
    Advanced Persistent Threats tend to be state-sponsored and target 
especially sensitive information, such as military and financial data 
and intellectual property. Such information lies at the heart of 
America's security and economic well-being.
    The risks and challenges to cloud computing are substantial but not 
insurmountable. Of fundamental importance, cybersecurity must be 
integral to cloud computing architectures and not be ``bolted-on'' 
after the fact. CSC participates in various forums that develop 
standards. CSC's rigorous validation and testing programs promote 
innovation for security solutions.
    On balance, we are confident that prudent cloud computing will 
satisfy stringent security requirements. USCYBERCOM Commander General 
Keith Alexander said it best to a House Armed Services Subcommittee 
last March:

``The idea is to reduce vulnerabilities inherent in the current 
architecture and to exploit the advantages of cloud computing and thin-
client networks, moving the programs and the data that users need away 
from the thousands of desktops we now use--up to a centralized 
configuration that will give us wider availability of applications and 
data combined with tighter control over accesses and vulnerabilities 
and more timely mitigation of the latter.''

                        ways to enhance security
    How should security risks and challenges be addressed? The key is 
to align risk profiles of varying types of data and uses with levels of 
protection required.
    Understanding the risk profiles of data being considered for the 
cloud is key to determining the required levels, and hence costs of 
security. One-size-fits-all approaches provide neither effective 
security nor the lowest-cost solution. Each software application and 
data set must be evaluated to identify its specific security 
requirements. For example, published scientific research may be 
suitable for less-stringent cloud computing environments than are 
needed for classified intelligence data on potential terrorists. CSC is 
assisting Federal agencies to develop roadmaps that outline risk 
profiles of data sets and identify appropriate cloud solutions.
    It will be important to gain feedback and learn lessons from 
implementations of cloud computing. They can help identify best 
practices and improve security for future uses.
                             federal policy
    Federal policy on cloud computing and its security has evolved 
rapidly. In 2002 the Federal Information Security Management Act, or 
FISMA, came into force. It establishes a ``comprehensive framework 
designed to protect government information, operations and assets 
against natural and man-made threats,'' and requires program officials, 
chief information officers, and inspectors general to conduct annual 
reviews of information security.
    The Federal Risk and Authorization Management Program, or FedRAMP, 
was initiated in 2010 to provide a standard approach across the Federal 
Government for assessing and authorizing cloud computing services and 
products. A common security risk model enables the Federal Government 
to ``approve once, and use often.''
    In the 25-Point Implementation Plan to Reform Federal Information 
Technology Management, issued on December 9, 2010, the Office of 
Management and Budget called for reducing the number of Federal data 
centers by at least 800 by 2015 and creating a Federal-wide marketplace 
for data center availability. Curiously, not one of OMB's 25 points 
focused on cybersecurity.
    On February 9, 2011, OMB issued a Federal Cloud Computing Strategy, 
which gives more attention to security. It cautions that cloud security 
is an exercise in risk management, ``identifying and assessing risk, 
and taking the steps to reduce it to an acceptable level.'' Risk 
management based on intelligent risk assessment enhances the protection 
of the most valuable information and is more cost-effective than 
compliance-based approaches.
    The Federal Strategy points to several potential security benefits 
of cloud computing. The first is the ability of the cloud provider to 
focus centralized resources on security services. Second, the greater 
uniformity and homogeneity of the cloud platform eases security 
management and improves response times. A third benefit is the improved 
resource availability of the cloud provider through scalability, 
redundancy, and disaster recovery capability. Fourth are the improved 
backup and recovery capabilities and procedures that a cloud provider 
can offer. A fifth potential benefit of cloud computing is the ability 
to leverage, as needed, services from other data centers.
    At the same time, the Federal Strategy highlights potential 
vulnerabilities of cloud computing. One is the inherent system 
complexity of a cloud computing environment. A second vulnerability is 
dependency on the service provider to maintain secure logical 
separation in a shared computing resource, or what is called a multi-
tenant environment. A third potential vulnerability is the cloud user's 
need to have sufficient knowledge of potential threats and 
vulnerabilities to know how to make decisions and set priorities on 
security and privacy.
    Increasing experience in the implementation of cloud computing, 
with careful attention to security, will help validate and refine our 
collective understanding of its benefits and risks.
    The Department of Homeland Security is laudably reaching out across 
the Federal Government and the private sector to foster a more secure 
and resilient cybersecurity environment. The DHS Chief information 
Officer is leaning forward to show leadership in cloud adoption.
    In moving data from 22 separate components into the primary DHS 
Stennis data center and a secondary backup center, DHS has increased 
the productivity of its capital investment in computing. While 
migrating into the two consolidated data centers, DHS has also 
implemented a private cloud behind a DHS-controlled firewall and 
security systems. As new security standards are developed and 
effectively verified, more data will be ready to move to the cloud. In 
addition to private cloud implementation, DHS is moving certain public-
facing websites, such as DHS.gov and FEMA.gov, into a public cloud in 
order to increase efficiency and productivity. DHS is an early and 
prudent adopter of cloud computing and its experience may be 
instructive for others.
                             cloud examples
    Let me outline three examples of how cloud computing can be 
implemented in a homeland security context.
    First, CSC helps a global chemical company that is part of 
America's critical infrastructure. Its research unit must allow access 
to scientists and others from inside and outside the company to foster 
collaboration for new discoveries. Researchers require high-performance 
computing and surge IT capacity, and they store highly sensitive 
intellectual property. The research unit must accommodate projects that 
start and stop abruptly and then restart.
    CSC has installed a private cloud that the chemical company manages 
to satisfy its own special security requirements. The company has 
deployed cloud access at each of its laboratories around the world, and 
CSC federates and orchestrates cloud services across the chemical 
company's global IT infrastructure.
    In a second example, DHS wanted more responsive computing. It opted 
for cloud computing for the development and testing of new computer 
application systems. This eliminates costly and time-consuming tasks of 
procuring, installing, and testing new computer hardware and software 
every time a software development team starts a new project.
    To support DHS, CSC designed and is implementing a private cloud 
that will reduce the time to provision new development and test 
environments from months to just a couple of days. We are also 
assisting with a strategy and plan for helping DHS encourage management 
and cultural changes required to take best advantage of the cloud.
    A third example is the potential for increased use of unmanned 
aerial vehicles to help DHS monitor U.S. borders. Evolving technology 
will allow aerial platforms to collect greatly increasing amounts of 
ground imagery. As this develops, cloud computing could assist DHS to 
expand data collection and processing while holding down computing 
    I wish to call special attention to four important recommendations 
from the TechAmerica Commission Report, and offer a fifth 
    First, the Federal Government and the private sector should support 
the creation of international standardized frameworks for securing, 
assessing, certifying, and accrediting cloud computing.
    Second, the public sector and the Federal Government should 
accelerate the development of an identify management ecosystem to 
facilitate the adoption of strong authentication technologies, enabling 
more secure access to cloud services and websites.
    Third, a law is needed to clarify responsibilities of companies to 
notify customers in the event of data breaches, and strengthened 
criminal laws are required against those who attack computer systems, 
including cloud services.
    Fourth, the Federal Government and the private sector should 
develop and execute a more robust joint research agenda for cloud 
    Fifth, verification and continuous monitoring of cloud security 
ought to be standardized. Independent, professional third-party audit 
of cloud providers should become standard practice, along with real-
time transparency in the security posture of cloud-based systems.
    In conclusion, as the use of cloud computing accelerates, better 
security must go hand-in-hand with saving money and improving 
performance. Cybersecurity must be integrated into cloud computing 
architectures at the outset, rather than be left to ``catch up.'' This 
will enhance trust in the information revolution that underlies so much 
of America's prosperity and homeland security.
    I welcome your questions and comments. Thank you.

    Mr. Lungren. Thank you very much, Mr. Sheaffer.
    Now, Mr. Brown.


    Mr. Brown. Chairman Lungren and Members of the 
subcommittee, I want to thank you for the opportunity to talk 
to you today. CA Technologies is one of the world-leading I.T. 
management software companies that provides software and 
services to enterprise, governments, and cloud providers.
    The hype and promise to the cloud continue to accelerate, 
but it is clear that significant confusion remains about 
exactly what cloud computing is and the risks and benefits 
associated with it. Security is the concern cited most.
    When you consider the loss of direct control involved with 
the cloud these concerns are expected, but they must be 
addressed for the cloud to be successful. From a security 
perspective, any service that is accessed outside of an 
enterprise's direct control should be considered a cloud 
    Services like ADP, for check processing, and a 401(k) 
portal are good examples of--that have been around for a long 
time. Cloud is not new, but the current momentum and explosion 
of new cloud services gives us opportunity to enhance 
    Mr. Lungren. I think we lost your mike there.
    Mr. Brown. Am I back?
    Mr. Lungren. There you are.
    Mr. Brown. All right. We will move up. Here we go.
    So CA Technologies believes the responsibility for cloud 
security lies with both the providers and the consumers. The 
cloud is neither inherently more secure nor less secure than 
other I.T. services.
    Security fears and arguments that those fears are overblown 
have muddied the waters about this vital issue. To provide some 
clarity I will focus on four critical areas affecting cloud 
    First, it is important to note that cloud won't replace all 
other technologies and service delivery options. As 
organizations move to the cloud it will be one of many 
platforms that must be operated and managed together to 
minimize risk and security vulnerabilities. We should be wary 
when people say that cloud will replace all technologies.
    Second, the responsibility for security rests with both the 
provider and the consumer of cloud technologies. Different 
cloud services have different risk profiles.
    What is important is transparency. Customers and providers 
need to agree upon those security expectations and know that 
the service being deployed meets those requirements.
    Customers must have trust in their cloud service providers 
but also must have the ability to verify their claims and 
performance. Cloud customers need to be vigilant in their 
investigation, auditing, and oversight of their providers. 
Cloud providers must approach securing their customers' data 
with the same degree of seriousness as the owner of the data.
    Third is that a strong trusted identity system that enables 
the right people to have the right access to the right 
information at the right time is vital to securing the cloud. 
Many of the data breaches we read about today find their root 
cause in weak identity and access management controls.
    To be certain the move to the cloud doesn't create new 
security risks cloud consumers should ask the following: Who 
has and needs access to what? What can they do with that 
access? What can they do with the information they obtain? 
Finally, what did they do with that information?
    On-line banking and bill pay services provide an example of 
how transactions between different cloud services can be 
accomplished using strong identity management. As most of us 
know, different on-line banking transactions have different 
risks, and banks have implemented tiered security requirements 
based on that risk. Simply accessing your account balances 
requires one level of authentication, while transferring funds 
may require a higher degree of security.
    If you want to authorize your bank to pay a bill, your bank 
may need to access a bill payment service in the cloud on your 
behalf. This type of transaction requires that the bank and the 
bill pay service have trusted and transparent security 
practices that are audited and enforced.
    Finally, the adoption of standards is critical to the 
security and operability in the cloud. CA Technologies 
contributes actively to the efforts of standards organizations, 
such as OASIS, and collaborates with NIST.
    There are two efforts I would like to highlight. The first 
is FedRAMP.
    FedRAMP offers the promise that solutions can be accredited 
once and used many times across Federal agencies. While we 
await the final draft of FedRAMP, several questions about its 
scope and its implementation remain. We recommend that Congress 
continue oversight to be sure these important questions are 
    The second is the National Strategy for Trusted Identities 
in Cyberspace, or NSTIC. NSTIC is aimed at enhancing trust by 
strengthening industry-based identity management practices and 
minimizing the proliferation of username and password 
combinations we use on-line.
    NSTIC has asked for its first budget in fiscal year 2012. 
We recommend that Congress fund this important effort.
    Finally, I would like to offer several additional 
recommendations for your consideration. First, because we are 
in the nascent stage of cloud adoption, Congress should look at 
cloud policy issues through the lens of outcomes, not specific 
technologies. Static rules and mandated checklists are not 
adequately flexible and will rapidly become outdated as new 
technologies emerge.
    Second, Congress should avoid adopting policies that create 
a country-specific--country-specific policy. For U.S. 
businesses in competing markets all over the world, global 
harmonization policy will enable industry to build solutions 
that can be delivered in multiple markets and will enhance our 
    Finally, the cloud is an opportunity for new business 
models, enhanced security, and for the United States to drive 
innovation and technical leadership. We recommend that Congress 
support the important policy recommendations from the 
TechAmerica Cloud\2\ commission.
    I appreciate your opportunity to be here for you today. I 
would be happy to answer any questions. Thank you.
    [The statement of Mr. Brown follows:]
                  Prepared Statement of Timothy Brown
                            October 6, 2011
    Good morning Chairman Lungren, Ranking Member Clarke, and Members 
of the subcommittee. My name is Tim Brown and I'm honored to be here 
today to testify on cloud computing security risks and opportunities. I 
am the senior vice president and chief architect for security at CA 
Technologies. CA Technologies (www.ca.com) is one of the world's 
largest information technology management software providers. The 
company has expertise across IT environments--from the mainframe and 
distributed computing to virtual and cloud technologies. CA 
Technologies manages and secures IT environments and enables customers 
to deliver more flexible IT services. The majority of the global 
Fortune 500 and most major Federal and State government agencies rely 
extensively on CA Technologies software to manage their constantly 
evolving technology environments. Founded in 1976, CA Technologies is a 
global company with headquarters in New York, 150 offices in more than 
47 countries, and thousands of developers and researchers worldwide.
    CA Technologies was honored to serve on the TechAmerica 
Foundation's Commission on the Leadership Opportunity in U.S. 
Deployment of the Cloud (CLOUD\2\), and was heavily involved in the 
development of the Commission's recommendations. Since another member 
of the Commission is participating in the hearing today, I will focus 
the bulk of my remarks on a number of specific cloud security issues CA 
Technologies believes are critical to ensure secure adoption of cloud 
computing. However, CA Technologies supports the recommendations of the 
CLOUD\2\ report and I address many of the issues covered in the 
Commission's report in my testimony today.
    CA Technologies believes that cloud computing is neither inherently 
more nor less secure than other IT platforms, and that securing the 
cloud is a shared responsibility of both providers and consumers of 
cloud services. There are a number of policy issues that must be 
resolved to realize the cloud's potential and we will focus on those 
issues on our testimony today.
    While both the hype and promise surrounding cloud computing 
continue to accelerate at a feverish rate, it is clear that significant 
confusion remains in global markets about what exactly cloud computing 
is and what the risks and benefits are associated with transitioning to 
this latest technology. Corporate and governmental organizations across 
the globe are anxious to reap the cost, performance, and agility 
benefits that the cloud can offer, but at the same time are wary of a 
range of risks that accompany a different way of buying and consuming 
technology solutions.
    Chief among concerns raised in survey after survey of both current 
and potential cloud customers is security. Security is often followed 
by related concerns about data privacy as well as interoperability, 
availability of cloud services, performance, and transparency of 
providers. When one considers the loss of direct control that 
accompanies cloud deployments, concerns about security risks associated 
with moving to the cloud are not only reasonable, but also expose 
critical operational risk management issues that must be discussed and 
addressed when determining if and when to move particular services to 
the cloud.
    It is important to keep in mind that from a security professional's 
perspective, any service that runs outside of the operationally-
controlled environment of an IT organization is considered a cloud 
service. This is true in the case of commonly-known cloud services like 
Salesforce.com, Google Docs, and cloud email, but also includes 
services like ADP, 401(k) programs, corporate travel sites, and health 
plans. No two applications or systems are alike, and pragmatic 
implementation of cloud technologies necessitates that risk-based 
processes be used to determine what services and applications may or 
may not be feasible to move to the cloud, their level of sensitivity, 
what platform is most suitable, whether a private or public cloud 
environment is appropriate, and the specific security and operational 
controls that are needed.
    The use of cloud computing represents an exciting new opportunity 
for IT organizations and for CIO's in both business and Government to 
remake the way in which they work together with their customers and the 
user communities that rely on IT-based services. Because cloud 
computing enables IT organizations to focus on business services rather 
than infrastructure, technology organizations will have increased 
agility to build new solutions to support their customers with minimal 
    In my testimony today, I would like to focus on the four key areas 
that CA Technologies feels must be considered in evaluating both the 
opportunities and risks associated with the transition to cloud:
   The reality of new complexities introduced with the adoption 
        of cloud computing;
   Security considerations for the cloud;
   The critical role that identity management and 
        authentication play in enabling cloud security; and
   The importance of standards development and adoption to 
        ensure interoperability and common implementation of cloud 
        solutions globally.
    I will also make some recommendations on the role Congress can play 
in fostering the secure uptake and adoption of cloud computing 
                 the ``new normal'' of cloud computing
    A theme that CA Technologies keeps hearing from our customers is 
that they want to use cloud computing as a real game-changer. The 
layers and layers of complexity in IT have made it increasingly more 
challenging to deliver new services to the business in a rapid manner. 
The global downturn in markets across the globe has resulted in flat 
and/or declining IT budgets in both the commercial and public sectors. 
But the demand for new technology-based services inside large 
organizations has not slowed, so IT organizations are constantly 
challenged to provide more business technologies faster with reduced 
    These factors have all contributed to the perfect storm that has 
emerged for cloud uptake across the globe.
    It is important to note that while many would have you believe that 
cloud technologies will replace all on-premise IT, in reality the 
transition to cloud technologies will be gradual and the need to 
develop and support on-premise solutions will remain for the 
foreseeable future. The introduction of cloud technologies will create 
greater complexities for IT organizations to manage and support. With 
cloud solutions, a single business service may include a combination of 
physical, virtual, and cloud components that all must work together to 
deliver the functionality that users expect.
    Consumers of cloud technologies will find themselves in a hybrid 
technology environment for a long time. Existing solutions and 
technologies will still need to be maintained, and cloud technologies 
will most often serve as a natural extension of existing IT 
environments. As such, the cloud introduce a new heterogeneity to IT 
environments, one that will require coordinated and orchestrated 
management, transition plans, and risk-based security evaluations.
    This can be a real boon to IT organizations that can harness the 
enthusiasm and momentum of the cloud to drive changes that have been 
needed in the management process for technology generally. One of the 
most promising aspects of cloud computing is its ability to fill the 
gap between technology supply and demand and help organizations focus 
less on commodity IT services and more on what is unique to their 
particular business or Government program. Off-loading standard 
services and functions to the cloud can save money and resources that 
can be better utilized to drive change and tackle problems that are 
more foundational and transformative to businesses and governments. At 
CA Technologies, we call this opportunity the innovation dividend.
    To gain this dividend, however, IT organizations must take a very 
focused and methodical approach to evaluating what should or should not 
be moved to the cloud. The means that organizations need to evaluate 
people, processes, technology, and perhaps most importantly, risk 
involved with each potential opportunity move to the cloud. 
Organizations may determine that certain services, applications and 
data are too critical or sensitive to be moved to the cloud, which can 
be an appropriate risk management decision. The cloud is not a panacea, 
and may not be appropriate for all workloads. Organizations must take a 
measured approach that is driven by substantive analysis of the risks 
and opportunities associated with each opportunity to migrate services 
to the cloud.
    Once decisions have been made to move a particular service or 
application to the cloud, organizations must evaluate what providers 
and what services will meet their needs. All of these analyses have 
impacts on and contribute to the security posture of the organization. 
Some of the considerations that CA Technologies advises our customers 
to use in evaluating providers include the following, which have been 
developed through the Cloud Service Measurement Initiative Consortium 
(CSMIC) that I provide additional details on later in my testimony:
   Accountability.--Can we count on the provider to deliver the 
        promised service?
   Agility.--Can the service be changed, and how quickly?
   Assurance.--How likely is it that the service will work as 
   Cost.--How much is it, including both start-up and on-going 
   Performance.--Does the service do what we need?
   Usability.--Is it easy to learn and use?
   Portability.--Can I move my data and application from one 
        provider to another?
   Security and Privacy.--Is the service safe and privacy-
                      security issues in the cloud
    Just like when you buy a car, an appliance, or any other service, 
the reputation of cloud providers and their ability to deliver on the 
service promised is a key consideration when making a purchase of cloud 
solutions. The Cloud Service Provider ecosystem is just as diverse as 
any other industry. Responsible providers want to do all they can to 
demonstrate trust and accountability to their customers and that 
security services are built in and not bolted onto their solutions. 
These providers will be in the cloud marketplace for the long run and 
will continue to drive innovation and excellence in the industry. But 
it is important to keep in mind that new and innovative cloud service 
providers are emerging daily. We are in the midst of a significant 
expansion period in the cloud market, and the ever-expanding number of 
providers who want to move into the cloud market may not have long-term 
interest or commitment to the technology, which in turn may create 
risks for customers who want to embrace the cloud. Customers must have 
assurance their provider of choice will be there when they need service 
modifications or need to move their data and applications elsewhere, 
and that they take the responsibility of securing their data as 
seriously as they do as the owner of that data.
    The Cloud Security Alliance (CSA), a major industry consortium 
focused on cloud security issues, has identified 14 critical focus 
areas for organizations deploying cloud computing resources.\1\ CA 
Technologies/Ponemon Institute survey of the cloud service provider 
community made use of these 14 areas in a report released earlier this 
year. The survey data uncovered a wide range of viewpoints on the role 
that cloud service providers have in providing security for their 
solutions. With lower costs and faster deployment being the main 
drivers for moving to cloud services, some providers feel that security 
is more the responsibility of cloud customers than it is of providers.
    \1\ The 14 focus areas identified by the Cloud Security Alliance 
are the following: Governance and enterprise risk management; legal and 
contracting issues; procedures for electronic discovery; compliance and 
audit; information life-cycle management; portability and 
interoperability; business continuity and disaster recovery; data 
center operations; incident response, notification, and remediation; 
application security; encryption and key management; identity and 
access management; storage operations; and virtualization operations.
    In reality, not all cloud services require the same level of 
security. It will be appropriate for certain workloads to be deployed 
in the cloud with different security levels than others. But the goal 
of cost savings that is so often identified as the main driver for 
cloud adoption sometimes masks the importance of security risk 
management. Security must remain at the forefront of all cloud strategy 
discussions to ensure the right sets of security controls are applied 
to the right services. What is important is that security, performance, 
cost, and accountability decisions are clear and transparent to the 
users of cloud services.
    CA Technologies believes that the responsibility for securing the 
cloud lies with both the providers and the consumers of cloud 
solutions. The cloud is neither inherently more nor less secure than 
other IT services and solutions. Generalized concerns over cloud 
security on the one hand, and arguments that the security risks in the 
cloud are overblown on the other hand, have muddied the waters to the 
point that policymakers and practitioners are experiencing security 
schizophrenia. Should I overlook legitimate security concerns and 
plunge head-first into the cloud, or should fear and uncertainty of 
these risks stop me from doing anything that even remotely resembles 
cloud computing? Like most responsible decisions, the answer lies 
somewhere in the middle of these two extremes.
    Cyber criminals, state and non-state actors, and other cyber 
adversaries move rapidly and adeptly to exploit weaknesses and 
vulnerabilities in systems, networks, applications, and practices. They 
are successful at taking control of machines and stealing data. But 
done right, the movement to the cloud is an opportunity for 
organizations to enhance operational security.
    As such, potential consumers of cloud solutions must be mindful of 
the wide range of providers and the security risk management controls 
they have implemented for the solutions they host or provide in the 
cloud. A key for cloud customers will be to evaluate both the 
sensitivities of the services and data they hope to deploy to the 
cloud, and a long-term viability, references, and the depth of their 
    Cloud customers must insist on built-in security and transparency 
from the providers they select. They need to create compliance plans 
and closely scrutinize their contracts, Service Level Agreements 
(SLAs), and the security and disaster recovery plans of their providers 
to ensure they are making sound choices on who to partner with in 
moving services to the cloud. A key consideration here is to trust, but 
verify. CA Technologies recommends that cloud customers meet their 
responsibility to audit and monitor their providers, including the use 
of inspection programs, testing and monitoring compliance with SLAs, 
and assessing the security of critical systems.
    identity and access management as a foundation of cloud security
    While there are certainly myriad operational issues to consider 
when architecting cloud solutions to deliver strong and robust 
security, CA Technologies believes that identity and access management 
(IAM) issues deserve particular attention. Our surveys of cloud 
providers and the views from leading industry analysts and 
organizations find that identity and access management is the most 
important issue that companies considering moving to the cloud face 
today. A strong trusted identity system that enables the right people 
to have the right access to the right information is critical to the 
protection and enablement of the cloud.
    Cloud service providers and customers generally feel comfortable 
that they have highly qualified IT personnel and tools which can 
prevent or curtail viruses from infecting their services, and that they 
can effectively secure data flowing in and out of cloud services. They 
are less comfortable with the process of identifying and authenticating 
the users, systems, and devices that need access to their services and 
managing access to specific information or data when using cloud 
    One of the greatest challenges facing the IT sector today is 
fostering on-line trust, including the important trust components of 
security and privacy. The fact is that most on-line threats and 
successful data breaches of late have been based on and exploit access 
control and identity management failures in systems. The Government 
Accountability Office has written to Congress about unauthorized access 
issues as recently as Monday of this week (October 3, 2011). Identity 
management and access management controls are central to the secure 
adoption of cloud services.
    Identity and access management practices within the cloud provide 
the foundation for effective security by ensuring that all users have 
only the appropriate level of access rights to protected resources, and 
that those rights are effectively enforced. IT organizations generally 
as well as cloud service providers, both public and private, struggle 
to keep up with the explosion in the number of users from multiple 
systems, applications, and user communities that are consuming their 
services and the complexity of managing access rights for these users.
    With the transition to cloud solutions, employees and applications 
will continue to move outside the walls of the customer enterprise. 
This introduces new risks for unauthorized access and the loss of 
information. Cloud applications are new services that users must have 
access to, and managing that access without creating new 
vulnerabilities or new silos of identity are incredibly daunting 
challenges. Managing the on-boarding and off-boarding of users to cloud 
services and integrating those access rights with the overall IAM 
strategy for on-premise solutions requires that cloud providers and 
customers answer the following questions:
   Who has and needs access to what?
   What can they do with that access?
   What can they do with the information they obtain?
   What did they do with that information?
    These questions reinforce that managing access and authorization is 
but one part of the challenge. To be successful, identity security 
strategies must also focus on the specific data being accessed and what 
individual users can do with it. CA Technologies refers to this process 
and approach as content-aware identity and access management.
    Cloud computing creates opportunities for Government agencies and 
commercial organizations alike to make certain that new silos of 
identity don't emerge that increase vulnerabilities and complexities 
for users. For Government programs and systems, we recommend that 
Federal agencies enhance their IAM capabilities to provide for risk-
based authentication, the use of multi-factor authentication solutions, 
and leverage the investments they have already made in Personal 
Identity Verification (PIV) cards.
    An example of how many of these integrated identity controls are 
used today can be found in the financial services sector. CA 
Technologies counts the majority of the world's major financial 
services organizations as customers, and we have worked closely with 
these organizations to implement strong and flexible IAM solutions that 
provide their customers with ease of use in the most secure fashion 
possible. Financial services firms have taken a security-first approach 
because of the economic risks of the transactions they conduct. 
Enhancing the security of those transactions helps meet regulatory 
requirements, but first and foremost focuses on providing Defense in 
Depth in ways that enhance security and provide ease of use for 
consumers that include IAM solutions as a core component. Financial 
institutions are doing a great job of analyzing not only the risk of 
individuals and their access rights, but also the unique risks of 
individual transactions. This is a trend that we believe the overall 
cloud security market must and will embrace.
    Most of us are already comfortable with the concept of signing onto 
the website of our bank to access our account information. This usually 
requires that users provide an account number, username, and password. 
If you want to move money around from one bank account to another at 
the same financial institution, the bank may require you to provide a 
secondary identifier, like a PIN, because that transaction involves 
more risk. If you want to use your bank's bill pay service and 
authorize the movement of money from your bank to your credit card 
company or your local utility, the transaction becomes more complicated 
and introduces additional risk to both parties involved.
    In many cases, when you initiate a transaction like this from your 
bank, the experience to the user will be seamless. But behind the 
scenes a complex transaction whereby the user is redirected to a bill 
pay website and has their identity credentials passed to the bill pay 
provider without needing to sign on or provide their credentials again 
has taken place securely and transparently. The identity authentication 
taking place in this scenario is being accomplished via a cloud 
service. This type of transaction is an illustration of how user 
experience and sound security can be implemented across the very 
diverse technology environments present today. We believe that this 
represents the direction future secure transactions across public, 
private, and hybrid cloud environments will progress.
      the role and need for standards in fostering cloud security
    I believe this example also highlights the importance of standards 
development and the valuable contributions of industry-led, recognized 
standards development organizations (SDOs) and consortia. The adoption 
of standards and their integration into the innovative security 
solutions offered by the vendor community make possible predictable, 
interoperable, secure implementations in enterprise and cloud-based 
services. Such standards are vital to the management of cloud security 
risks. As I noted earlier, existing security technologies implemented 
in the enterprise are the building blocks of cloud security. And to a 
huge extent those technologies, and the practices and controls which 
they support, are standards-based.
    Such building block standards are now foundational for cloud 
computing environments, and where gaps exist, new standards are under 
development. CA Technologies and other major IT companies contribute 
actively to these efforts. For example, the Organization for the 
Advancement of Structured Information Standards (OASIS) has developed 
important security standards such as Extensible Access Control Markup 
Language (XACML), Security Assertion Markup Language (SAML), and web 
services security standards such as WS-Trust. OASIS also has technical 
committees in place addressing new security challenges applicable to 
the cloud, such as cloud identity, identity trust elevation, privacy 
management, and reputation management. Its committees are also working 
to create profiles which are used to apply existing standards suchas 
XACML directly in support of cloud computing requirements.
    Other standards bodies, including the Internet Engineering Task 
Force (IETF) and the World Wide Web Consortium (W3C), de jure bodies 
such as the International Organization for Standardization/
International Electrotechnical Commission Joint Technical Committee 1 
(ISO/IEC JTC 1), key industry consortia such as the Open Identity 
Exchange and the Kantara Initiative and other standards organizations 
are all key contributors to enabling trust in the cloud. In combination 
with best practices organizations such as the Cloud Security Alliance, 
the resources contributed by industry, academia, governments, and 
independent technical experts together represents a huge and on-going 
investment to support security risk management in the cloud 
environment. I would like to note the important role that the National 
Institute for Standards and Technology (NIST) plays by its active 
participation in industry standards development and as a convener of 
industry efforts and focus. NIST recently issued a Special Publication 
500-291, the Cloud Computing Standards Roadmap, which examines the 
applicability of standards for the cloud and areas where gaps need to 
be filled.
    The NIST publication looks well beyond security alone, and SDOs and 
consortia have certainly recognized the importance of standards-based 
cloud interoperability at the data level, and through the development 
of relevant application, operational management, license management, 
audit, virtualization, and other standards that are needed to enable 
interoperability of applications and services across clouds. CA 
Technologies is a major participant and leader at many levels of the 
cloud standardization process. And we believe that all of these 
categories of standardization, and more, are relevant to the 
development of interoperable clouds and cloud computing trust.
    There are several specific efforts I want to highlight as examples 
of emerging standards in the cloud security arena. The first and 
perhaps most important in the Federal space is the Federal Risk and 
Authorization Management Program (FedRAMP). While still in its draft 
form, FedRAMP will provide Federal agencies with a baseline, common 
approach for assessing and authorizing cloud services for use in 
Federal agencies. This will provide Federal agencies with a common set 
of controls against which to evaluate cloud services, and will give 
cloud providers certainty of Federal specifications that must be built 
into their products. FedRAMP is built on the premise that solutions 
should be certified once and used many times across Federal agencies. 
Federal agencies, however, have shown a tendency historically to ignore 
previous certifications and re-certify technologies for use in their 
own departments based on special requirements. Reciprocity of 
authorizations will be a critical gauge of the success of FedRAMP.
    FedRAMP will also require the transmittal of more frequent 
operational security information by providers to the Government, a 
process that is most-often termed ``continuous monitoring.'' Continuous 
monitoring offers the potential to dramatically improve the situational 
security posture of Federal information systems that rely on the cloud 
if implemented correctly.
    While we await the final draft of the FedRAMP specifications, 
several questions about its scope and implementation remain, however. 
Will agencies be required to honor authorizations made by other 
agencies and avoid re-evaluating solutions that are implemented 
similarly at another agency? How often and how will the security data 
envisioned under continuous monitoring be transmitted? How will the 
Government evaluate this data once received? The answers to these and 
other questions will be critical to ensuring FedRAMP is both 
implemented correctly and receives the buy-in needed from Government 
and the private sector to ensure its success.
    A second area I feel is important is the need to develop common 
service measurement frameworks to help enable data-driven decisions on 
the relative effectiveness of cloud solutions based on variables like 
cost, availability, security, and scalability. Right now, there is no 
standard mechanism to evaluate common services from different providers 
against one other. The Cloud Service Measurement Initiative Consortium 
(CSMIC), under the direction of Carnegie Mellon University and with 
participation from government agencies like the State of Colorado 
Office of the CIO, and corporations like CA Technologies and Accenture, 
has begun developing a service measurement index (SMI), which can be 
used to measure and compare a business service using a common language 
and evaluation process. A high-level representation of the 
characteristics and questions the CSMIC seeks to address is included as 
an attachment to my testimony today. In conjunction with standard 
recognition of cloud services authorized under the FedRAMP program, the 
use of a framework like SMI in Government procurements will enhance the 
analysis of competing cloud services and lead to greater 
standardization of solutions. As such, CA Technologies encourages the 
U.S. Government to investigate using the SMI to encourage data-driven 
decision-making on cloud acquisitions.
    Third, in the area of identity and access management, the National 
Strategy for Trusted Identities in Cyberspace (NSTIC) is a critical 
initiative that will make it easier for citizens and consumers to 
securely and confidently navigate cyberspace and will enhance trust 
among different consumers of identity through the sharing and 
reciprocation of identity credentials. NSTIC is aimed at enhancing on-
line trust by strengthening industry-based identity management 
practices and minimizing the constant proliferation of username and 
password combinations that individuals must remember to conduct 
business on-line. The standards and governance rules that will be 
developed under NSTIC are a critical component of implementing robust 
IAM solutions that can enhance trust of and the use of cloud computing 
services. As the NSTIC program gets up and running at the Department of 
Commerce, CA Technologies recommends that Congress fully fund this 
important effort and that Federal agencies become active participants 
in both the development of the NSTIC standards, and ultimately, accept 
private sector-issued credentials as a means of authentication for 
citizens who wish to interact with Government agencies securely.
    Standards development, then, is an on-going and vital area of 
industry and Governmental focus. It is international in scope, and the 
standards are integral to key Government initiatives such as FedRAMP 
and NSTIC. It is important that the subcommittee recognize that it is 
only through support for industry-led, internationally supported 
standards will we have measurable, interoperable security risk 
management technologies, innovative technical solutions and practices 
that can ensure trust in cloud-based services, not only in the United 
States, but globally.
                      recommendations for congress
    I was asked to address some of the security risks and opportunities 
associated with the transition to cloud computing. I hope that my 
testimony has highlighted that while there certainly are risks, the 
opportunities are extremely positive if a number of actions are carried 
out to ensure that the adoption of cloud technologies does not create 
new silos in IT security and new, unintended risks. We are in the 
nascent stage of cloud adoption. To ensure the promises of cloud 
computing can be delivered in concert with effective security risk 
management, we recommend that Congress:
   Adopt policies that can accommodate future development and 
        flexibility in the cloud market, specifically, and in IT more 
        generally. Too often, Federal policy has imposed static 
        frameworks that must constantly be updated based on new 
        technology developments. We recommend that Congress focus on 
        outcomes and not on specific technologies;
   Avoid policies that create a fragmented, country-specific 
        market for cloud services in the United States. As the cloud 
        market continues to evolve, we see great risk for market 
        segmentation based on unique policies designed solely to 
        address U.S. or other countries' market demands. For U.S.-based 
        businesses seeking to compete in markets all over the world, 
        globally harmonized policies will enable industry to build 
        solutions that can be delivered in multiple markets, enhances 
        our competitiveness, and makes it easier to deliver innovative 
        solutions around the world. Policies that acknowledge the 
        global nature of cloud markets will enable the United States to 
        maintain its leadership position in cloud computing and 
        encourage innovation to support jobs and exports of U.S.-
        developed technologies;
   Support standards developed by recognized standards 
        development organizations in the areas of cloud security, 
        interoperability, and transparency. These standards are vital 
        to the management of cloud security risks and should be 
        embraced by Congressional and Executive Branch policy makers;
   Fund and support the continued development and rollout of 
        FedRAMP and the NSTIC. To enhance operational cybersecurity at 
        the Federal level, we recommend that Congress ensure that 
        critical funding to develop and implement these programs be 
        preserved, even in difficult Federal budget environments. We 
        further recommend that Congress keep a watchful eye on FedRAMP 
        implementation to ensure that the efficiencies hoped for are 
   Continue support for NIST and its unique role as both an 
        internationally-respected body of security experts developing 
        standards and practices for the Federal Government as well as 
        for its important function as a contributor to industry-led 
        standards development and as a convener for addressing emerging 
        security issues; and
   Encourage the Federal Government to leverage emerging 
        efforts to develop service measurement indexes in Government 
        cloud procurements. The CSMIC effort I described in my 
        testimony can provide Federal agencies facing budget, 
        performance, and transparency demands with tools that take 
        data-driven approaches to evaluating competing offers of cloud 
        technologies. I believe that frameworks like these can 
        facilitate more robust decision-making about which specific 
        cloud services and providers are right for Federal agencies.
    Mr. Chairman, Ranking Member Clarke, and Members of the 
subcommittee, this concludes my written statement. I appreciate the 
opportunity to appear before you to share some of our thoughts on cloud 
security. CA Technologies shares the subcommittee's goal of increasing 
awareness of the cloud and the particular goal of enhancing 
cybersecurity, and we would be happy to work with you towards this goal 
however we can.
    I would be happy to answer any questions you may have for me.
    Thank you.

    Mr. Lungren. Thank you very much.
    Now, Mr. Bottum, you are recognized for 5 minutes.


    Mr. Bottum. Mr. Chairman, I would like to thank you and the 
Members of the subcommittee for the opportunity to present this 
testimony. Located in Clemson, South Carolina, Clemson 
University is a Nationally-ranked public land grant research 
university with an enrollment of 19,500 students.
    Mr. Chairman, many definitions explain what the cloud 
represents. A good working definition should reflect the 
distinctive characteristic of cloud computing, namely on-demand 
delivery of shared services over the internet.
    By allowing users to share resources, cloud computing 
enables infrastructure to be right-sized, balancing user 
requirements with the information technology services actually 
rendered. Cloud computing is both efficient and economical. 
However, we must ensure that our security tools, practices, and 
policies grow in proportion to our use of this evolving 
    Clemson has, in some sense, been in the cloud business for 
over 30 years, provisioning Medicaid applications and services 
to the State and citizens of South Carolina. Three years ago, 
as the recession intensified, we created a South Carolina Cloud 
experiment to see if several institutions could do things we 
could not do by ourselves, and/or do them in a more economical 
    Today our cloud is operational and involves a collaboration 
of educational institutions and commercial organizations. 
Partner institutions include both public and private 
universities, technical colleges, and historically black 
colleges and universities. Many of these would not ordinarily 
have access to the resources as a stand-alone institution.
    Our team is working with a Fortune 500 company to build out 
a secure and comprehensive cloud computing environment. 
Considering our diverse set of users and the numerous 
organizations that connect into the environment, it is 
important to properly ensure identity and access management and 
address concerns over data theft or manipulation and 
    Our goal is to apply policies, procedures, and controls 
that are seamless, transparent, and non-impeding to the end-
user. It is my view that the benefits of cloud computing far 
outweigh the risks.
    A thoughtful strategy for prudently broadening adoption of 
cloud services can facilitate a smooth transition to this 
dynamic platform. The transition should be complemented with a 
thoughtful and comprehensive information security initiative to 
ensure the protection of our data and resources as our 
environments have evolved.
    To increase security within the cloud, R&D is needed in a 
number of areas. Six important areas are highlighted here.
    The first area involves the use of virtual machines. Cloud 
computing is enabled by virtualization. Further research is 
needed to better understand virtual machine operation and 
establish safeguards to effectively protect this evolving 
    Second is authentication, authorization, and accounting. 
Current security approaches leverage current best practices. 
Research is needed to counter the many threats, including 
eavesdropping and tampering, distributed denial of services, 
network infrastructure vulnerabilities, and insider threats.
    Third, R&D on security applications and tools should focus 
on the creation of applications that leverage the distributed 
nature of the cloud to provide a new level of security. This 
research would result in a more secure environment that is 
resistant to both infections of individual hosts and the 
current generation of network-based attacks.
    Another area is encryption for programs and data 
processing. Recent work has produced an encryption system 
allowing computers to execute encrypted programs.
    Research on distributed denial of service detection and 
control is also needed. A DDOS attack is an attempt to make a 
computer resource unavailable to its intended users. Currently 
there is not a good mechanism for DDOS detection and control.
    Finally, research on network technologies is also 
important. Current protocols and tools in place today make it 
difficult to make networks available dynamically to match the 
elasticity in clouds. Adaptive and intelligent networking 
research is an important area of study.
    It is also critical that we have a security-conscious 
workforce. There is a gap that exists between what universities 
teach and what industry needs. Universities teach theory and 
fundamentals, whereas industries desire practical experience.
    In addition, Mr. Chairman, I believe attention should be 
given to legal issues surrounding cloud computing--contractual 
and service-level agreement issues regarding physical data 
protection, incident response, confidentiality, privacy and 
security controls, and other matters, which are important 
aspects in developing a relationship with a provider.
    Mr. Chairman, on behalf of Clemson University, I would 
again like to thank you for your time.
    [The statement of Mr. Bottum follows:]
                 Prepared Statement of James R. Bottum
                            October 6, 2011
    Mr. Chairman, I would like to thank you and the Members of the 
subcommittee for this opportunity to present testimony before this 
committee. I would like to begin by taking a moment to briefly acquaint 
you with Clemson University.
    Located in Clemson, South Carolina, Clemson University \1\ is a 
Nationally-ranked, science and technology-oriented land grant public 
research university founded in 1889, known for its emphasis on 
collaboration, focus, and a culture that encourages faculty and 
students to embrace bold ideas. Clemson's teaching, research, and 
outreach are driving economic development and improving quality of life 
in South Carolina and beyond. With an enrollment of 19,500, Clemson is 
a high-energy, student-centered community dedicated to intellectual 
leadership, innovation, service, and a determination to excel.
    \1\ Clemson University. 
    Regarding my own background, I have been the vice provost and chief 
information officer at Clemson University since July 2006. During my 
tenure, Clemson has transformed its network, storage, and computational 
infrastructure, including the data center, into a state-of-the-art set 
of services benefitting research, education, and public service. We 
have been recognized for transformative work in publications such as 
Network World, Computer World, and Storage Magazine. Before coming to 
Clemson, I was the first chief information officer at Purdue University 
beginning in 2001 where I forged a new model for partnering with 
research (recognized in a publication by the EDUCAUSE Center for 
Applied Research, July 2005). Prior to that, I was the executive 
director at the National Science Foundation's National Center for 
Supercomputing Applications at the University of Illinois at Urbana-
Champaign. I currently or previously have served on a number of 
National committees including the National Science Foundation's 
Advisory Committee on Cyberinfrastructure and the Internet2 Board of 
                            cloud definition
    Mr. Chairman, many definitions exist to explain what ``the cloud'' 
actually represents. For purposes of my comments today, a good working 
definition should reflect what I believe to be the distinctive 
characteristic that defines cloud computing, namely the elastic, on-
demand virtual delivery over the internet of shared services, including 
infrastructure and software. By allowing users to share access to 
software applications, computational power, networks, and data storage, 
cloud computing enables computing infrastructure to be right-sized 
while balancing user requirements with the information technology 
services actually rendered. Recognizing this shared component is 
fundamental to understanding the dynamic effects that are derived from 
the cloud.
    Also inherent in the cloud model is its flexibility. Multiple 
implementation regimes--private, community, public, and hybrid--permit 
organizations to select deployment schemes that best meet their needs 
and missions. Clouds are not one-size-fits-all. As defined in the draft 
National Institute of Standards and Technology Definition of Cloud 
Computing.\2\ Private clouds are environments where ``the cloud 
infrastructure is operated solely for an organization.'' Private clouds 
host and on-demand deliver resources, under the control of the 
organization, generally within a firewall. Community clouds are where 
``the cloud infrastructure is shared by several organizations and 
supports a specific community that has shared concerns (e.g., mission, 
security, requirements, policy, and compliance considerations).'' This 
shared infrastructure enables the community to share in the cost, yet 
also offers a common set of security and privacy policies and 
procedures. In Public clouds ``the cloud infrastructure is made 
available to the general public or a large industry group and is owned 
by an organization selling cloud services.'' Public clouds may be free 
or pay-per-use and provide resources that are dynamically provisioned 
on a self-service basis. Hybrid clouds are environments where ``The 
cloud infrastructure is a composition of two or more clouds (private, 
community, or public) that remain unique entities but are bound 
together by standardized or proprietary technology that enables data 
and application portability.''
    \2\ Mell, Peter and Timothy Grance. National Institute of Standards 
and Technology. ``The NIST Definition of Cloud Computing (Draft).'' 
National Institute of Standards and Technology Special Publication 800-
145. January 2011. 
                            cloud evolution
    Cloud computing may be characterized as evolutionary over time. 
Cloud computing should not be viewed as revolutionary, since some of 
the earliest concepts regarding computer time-sharing and utility 
computing came out as early as the 1960s, but did not take hold in our 
society until decades later. Past models of computing focused on 
utilizing supercomputers, mainframes, and storage devices primarily 
owned and operated by a single organization. As the internet and 
broadband capabilities expanded, opportunities arose to connect, share, 
and leverage these resources by multiple organizations with a common 
purpose. Referred to as grids, or grid computing, this model provided 
multiple users and various sites access to a shared heterogeneous 
computational infrastructure utilized to solve computational problems. 
During the 2000s, the cloud concept further evolved as major companies 
such as IBM, Google, and Amazon as well as numerous universities and 
research organizations began to develop and grow environments.
                      south carolina cloud example
    At Clemson University, our own cloud initiative has coalesced 
around what we refer to as the South Carolina Cloud \3\ or ``SC 
Cloud.'' SC Cloud represents a collaboration of educational 
institutions, IT professionals, commercial entities, and others who 
drive cutting-edge research in the areas of computing and communication 
infrastructure, data storage and visualization, virtual collaboration, 
and education workforce training. In pursuing their research, 
participants access a cluster of 61,700 PCs as well as other High 
Performance Computing resources and networks to virtually explore new 
concepts in a host of critical computing research fields, including: 
Data modeling, the hyper-growth in connected devices, surge in real-
time data streams, on-line and mobile commerce, business use of 
service-oriented architecture, virtualization, and Web 2.0 
    \3\ South Carolina Cloud. 
    The SC Cloud initially began as a consolidation effort of Clemson's 
on-campus distributed computing resources to improve computing 
efficiencies and advance capabilities in research and education. One of 
the unanticipated results of this effort was the partnerships that 
developed with other South Carolina universities. SC Cloud partners 
share a common set of computing and IT services, including networking, 
high performance computing, server administration, data storage, 
instructional and classroom technology support, monitoring, and 
security and privacy. Likewise, higher education also share a common 
set of issues and challenges related to these services, including the 
economics of supporting and maintaining a growing set of services 
during economically challenging times, ensuring an adequate workforce, 
and continually modifying the service offerings to meet ever-changing 
demands and expectations. Across South Carolina the value of working 
together in a shared resource environment was quickly recognized as an 
evolving ``work-in-progress'' model that enables institutions to more 
efficiently and effectively address computing and information 
technology collectively.
                             cloud benefits
    Our SC Cloud experience resonates and echoes many of the benefits 
found in cloud computing across the Nation, regardless of the cloud 
deployment model. Costs are reduced by sharing the overhead capacity 
required for peak loads. Large numbers of standardized hardware enables 
next-day parts replacement contacts in lieu of expensive rapid response 
time, on-site maintenance contracts. Advantageous hardware and software 
pricing is negotiated. Economies of scale allow investment in redundant 
cooling, backup power, and other facility infrastructure. 
Virtualization and infrastructure management solutions make it possible 
to rapidly deploy or remove resources incrementally based on demand. 
Researchers focus on research instead of administering systems. 
Reliability is improved by locating away from high-risk areas. Energy 
use is reduced by eliminating the need for powering and cooling unused 
capacity, and energy costs are reduced by locating where power is 
    There are numerous examples of both public and private entities 
that have realized sizable benefits from the adoption of cloud 
computing initiatives. GlaxoSmithKline, a leading pharmaceuticals 
company, recently deployed a Microsoft cloud solution through a 
Deskless Worker Suite to 15,000 of its employees, reducing IT 
operational costs by 30 percent while enhancing productivity and 
expanding external collaboration.\4\ The U.S. Air Force saved an 
estimated $4 million annually on its Personnel Services Delivery 
Transformation (PSDT) system by implementing a cloud solution from 
RightNow and customers can now find answers from over 15,000 documents 
within 2 minutes, a drastic improvement from previous wait times of 20 
minutes.\5\ The Department of Energy estimates it will save $1.5 
million over the next 5 years in hardware, software, and other labor 
costs from implementing a cloud solution at the Lawrence Berkeley 
National Lab for its e-mail accounts and from utilizing Google Sites 
and Google Docs for its scientific research teams.*
    \4\ Microsoft Corporation--Case Studies. 2009. 
    \5\ Kundra, Vivek, Federal Chief Information Officer. State of 
Public Sector Cloud Computing. 2009. 
    * [sic]
    Another benefit of cloud computing adoption is a company's ability 
to better manage its power resources for its IT infrastructure. By 
deploying an IBM cloud-based endpoint management solution, Fiberlink--
an innovator in voice, data, and IP networking solutions--achieved a 
25% annual growth rate over the last 5 years and has saved an estimated 
$500,000 a year from improved power management alone.\6\ A study 
concluded this year by Verdantix and sponsored by AT&T estimates that 
cloud computing could enable companies to save $12.3 billion off their 
energy bills and results in a carbon emissions savings of 85.7 million 
metric tons by 2020.\7\ Another study from Microsoft and Accenture 
revealed that moving business applications to the cloud could cut per-
user carbon footprints by 30 percent for large, already efficient 
companies and as much as 90 percent for the smaller and less efficient 
businesses.\8\ Cloud computing is not only beneficial to the companies 
themselves that use the technology, but its benefits can extend to the 
environment at large because of its decreased dependency on independent 
hardware sites distributed across a company.
    \6\ IBM Corporation--Success Stories. 2011. 
    \7\ Verdantix Research. ``Verdantix Cloud Computing Report For 
Carbon Disclosure Project Forecasts $12.3 Billion Financial Savings For 
US Firms.'' 2011. 
    \8\ Accenture Corporation. ``Microsoft, Accenture and WSP 
Environment & Energy Study Shows Significant Energy and Carbon 
Emissions Reduction Potential from Cloud Computing.'' 2010 .
    Our experience with SC Cloud has been that it is a collaborative 
mechanism for research, as well as the high-quality, innovative R&D it 
is delivering to advance our understanding about virtual environments 
in ways that are beneficial to both the public and private sectors. It 
is this type of environment that is instructive for framing some of the 
key considerations in cloud migration. I would like to share some of 
that experience with the committee today, particularly in the areas of 
security, scalability, and identity management.
                  security--clemson university example
    Concerns over data theft or manipulation and vulnerabilities to 
critical applications are real when contemplating the network security 
architecture of the cloud platform. Clemson's Information Security and 
Privacy organization mission is to protect the confidentiality, 
integrity, and availability of information and informational resources. 
The goal is to apply policies, procedures, and controls that are 
seamless, transparent, and non-impeding to the organization. Controls 
match the risks that exist and ensure the protection of data, provide 
redundancy, and include the ability to monitor Clemson's environment. 
Security and privacy at Clemson are a shared responsibility, meaning 
efforts have been made to educate and raise awareness among faculty, 
staff, students, alumni, etc. so that security and privacy become a 
natural part of the culture.
    The security challenges that Clemson faces are typical of other 
higher education institutions and similar to those mentioned in Cloud 
Security Alliance's Top Threats to Cloud Computing''.\9\ CSA is a 
``member-driven organization chartered with promoting the use of best 
practices for providing security assurance within cloud computing.'' 
CSA's research shows that the top security threats include such areas 
as insecure interfaces, malicious insiders, shared technology issues, 
account or service hijacking, and unknown risk profiles. We have 
implemented a series of policies, best practices, and controls that 
provide for increased protection, but know that nothing is 100% 
``bullet-proof.'' Staying ahead of the curve of threats and 
vulnerabilities is a continual challenge, which Clemson addresses 
through a variety of best practices that should be part of any 
organization's security strategy.
    \9\ Cloud Security Alliance. ``Top Threats to Cloud Computing 
V1.0.'' March 2010. 
    First among these best practices are human resource procedures. A 
criminal background and E-verify check is conducted on all university 
personnel prior to their hire and employees are bound by 
confidentiality in their work. In addition, establishing a series of 
policies and procedures provides a foundation by which Clemson's 
security strategy has been developed and lays the framework under which 
security operations function. Included topics among the policies are 
Acceptable Use, Userid and Password, Network Security, Server 
Administration, and Data Center access. Regarding security clearances, 
employees needing access either physically or virtually, must be 
requested and authorized by supervising personnel based on the 
employee's job function requirement. Restricted or secure areas are 
protected by monitored and recorded video surveillance and key-card 
access. Additionally, the main data center facility has staff on-site 
24/7/365. Technical controls are put in place based on the evaluated 
risk, a variety and matrix of controls would be deployed that might 
include physical or logical network segmentation, Firewall and Access 
Control List use, increased and elevated levels of monitoring, 
separated Virtual Private Network use, limited availability of access, 
and more stringent levels of credential use.
   scalability--sc cloud and health sciences south carolina examples
    For most organizations, economics is the force multiplier driving 
them into cloud computing to realize enterprise efficiencies both in 
terms of IT spending and asset utilization. Clemson has been in the 
``cloud business'' for over 30 years provisioning Medicaid applications 
services to the State and citizens of South Carolina. As previously 
mentioned, the SC Cloud evolved into a State-wide consortium of 
institutions who either could not afford to address the infrastructure 
needs on their own or did not have the expertise to deploy in-house 
resources. What once started as a Clemson private cloud need, evolved 
into a community cloud where the volume of computing and cloud services 
increased, but yet did not result in any service degradation at 
Clemson. These institutions realized the economic benefit of fully 
participating in the SC Cloud, especially in the context of high-
performance computing, as it enables them access to a set of resources 
that are flexible, scalable, and reliable to meet current and future 
needs. Institutions participating in the SC Cloud include both public 
and private universities, including technical colleges and Historically 
Black Colleges and Universities,\10\ or HBCUs.
    \10\ United States Department of Education--Historically Black 
Colleges and Universities 
    Likewise, the SC Cloud further evolved and scaled to provide 
flexibility for the Health Sciences South Carolina referred to as 
HSSC.\11\ HSSC is composed of six of South Carolina's largest health 
systems and the State's largest research-intensive universities. This 
State-wide biomedical research collaborative has a vision of 
transforming the State's public health and economic well-being through 
research as well as education and training of the health-care 
workforce. Given Clemson's security strategies previously described as 
well as our experience being the primary provider of operational 
support to South Carolina's Department of Health and Human Services for 
Medicaid transactional processing and eligibility determination, HSSC 
determined that the SC Cloud would be a natural fit not only for 
infrastructure, platform, and software cloud services, but also for 
security as a service. Clemson essentially serves as the Information 
Security Office for HSSC by providing the same suite of services 
afforded to Clemson, but also applying the same confidentiality, 
integrity, and availability philosophies, strategies, controls, 
policies, and procedures within a HSSC context. This environment shares 
much of the infrastructure utilized by Clemson, yet is segmented in 
such a way so as to provide a hybrid cloud that addresses both 
Clemson's and HSSC's needs.
    \11\ Health Sciences South Carolina. 
    Building upon the previously-mentioned security best practices, 
Clemson's experiences with scalability has demonstrated four additional 
areas of consideration when forging a cloud computing security 
strategy. First among these is ensuring a trust relationship is 
established between client and provider. Current cloud models are 
widely used because they provide economies of scale. They also, 
however, outsource data and resource management to third parties. 
Clients must rely on the ability of the provider to assure privacy, 
accuracy, and availability of information. Developing a trust 
relationship, as in the case of HSSC with Clemson, is an important 
consideration in ensuring the safety of data. Clemson's experience with 
Medicaid data as well as the policies, procedures, and controls that 
are put in place enable an increased level of trust. Continual 
interaction and engagement has resulted in Clemson being at the table 
when HSSC is in the early stages of application development and the 
subsequent change management. This has resulted in security and privacy 
being an integrated, proactive part of HSSC's planning and operations.
    Clemson University's relationship with HSSC members has been 
strengthened with their deployment of previous investments in 
authentication research and development. Clemson University is a 
participating member of Internet2's InCommon federated identity 
management supporting Shibboleth authentication. HSSC systems has 
utilized Shibboleth authentication to allow for multiple trusted 
participating members to leverage their own identity management vetting 
process and procedures for access to HSSC systems. This is a great 
example of how R&D has produced a viable, productive application and 
methodology to achieve greater efficiencies and ease of use without 
compromising the security of the system.
    Second, the level of cloud integration should be considered. 
Depending upon an organization's mission and requirements, an 
organization may only take advantage of cloud infrastructure services. 
Some may pursue software as a service. Yet others may outsource the 
entire suite of cloud services, including security as a service. In the 
case of HSSC, the SC Cloud provides infrastructure, platform, and 
security. In other words, one size does not fit all and a cloud 
provider should be flexible.
    Third, natural disasters such as Hurricane Katrina, the recent 
earthquake in Japan, and the Midwest floods show the importance of 
disaster recovery and business continuity. Documenting a plan and 
implementing redundancy technologies are obvious components of this 
planning. Conducting test failovers and actual physical disaster drills 
on a periodic basis should also be included in any DR/BC strategy. Many 
lessons are learned when physically conducting a disaster exercise that 
enable an organization to be better prepared.
    Fourth, one of the reasons HSSC chose Clemson is because of its 
Medicaid provisioning experience with medical data, compliance, and 
audit response. Clemson has a proven track record of being able to 
address internal and external audit requests and quickly address any 
findings. A cloud service provider should be able to address their 
experience and capabilities in dealing with Federal compliance and 
audit needs.
                     identity and access management
    Considering the diverse set of users that the SC Cloud has and the 
numerous organizations that connect into the environment, it is 
important to properly ensure identity and access management (IaAM). 
Identity and access management concerns the need to permit access to 
enterprise resources only to authenticated users, with access to only 
the data they have permission to view or change. Without appropriate 
procedures in place to verify access, concerns over identity theft and 
the insider threat can arise.
    Authentication is performed when a computing session starts. In 
existing systems, a user is authenticated in one of three ways: 
Knowledge, which is something the user knows such as a password; 
possession, which is something the user has such as a smart card; or 
identity, which refers to biometrical aspects, such as a fingerprint.
    Clemson's experience has been that identity and access each can be 
problematic. Passwords can be forgotten, sent over the network in 
clear-text, so that they are readable in transit or revealed 
inadvertently. Simple passwords are easy to guess. Complex passwords 
are easily forgotten, or need to be written down. Taking IaAM issues a 
step further, smart cards, dongles, or other authentication tokens can 
be stolen. Voiceprints may have false negatives if the user has a cold. 
People are hesitant to use retina scans, since they seem invasive. 
Biometrics can also be spoofed. Clemson limits these challenges by 
requiring complex passwords, providing training to faculty, staff, and 
students, and using a single-sign-on service that forces password 
encryption in transit over the network.
    On a local machine, authentication is straightforward. If 
authentication uses knowledge, for example a password, the user is 
prompted directly for the information. If possession is used, the token 
(ex. smart card) can be interfaced directly to the computer. Some 
authentication systems give the user a device that displays a code 
value to enter into the system. For biometrics, a physical device has 
to interact with both the user and the computer system. Two-factor 
authentication uses more than one authentication technique. This helps 
minimize the damage caused by key-loggers and related tools.
    All these approaches assume the device used to access the internet 
is trustworthy. If the local hardware or software is not trustworthy 
(for example compromised by malicious software) this will compromise 
both knowledge and biometric authentication.
    Access control is at least as challenging as authentication. When 
all data and users were locally created and managed, it was relatively 
easy to provide controlled access. However, in the cloud, it is more 
difficult to provide controlled access. It is possible for there to be 
different levels of security for systems and different levels of 
assurances for users. The basic infrastructure security level within a 
public cloud should match the level of the highest security need, not 
be a mixed bag of approaches. Understanding the access control security 
practices as well as the results of the provider's risk assessment 
efforts are essential considerations. As discussed later in my 
testimony, further study is needed in the area of identity and access 
management technologies and policy.
    Mr. Chairman, the power of cloud computing offers tremendous 
advantages to both the commercial and public sectors. For our 
Government agencies in particular, cloud migration represents an 
achievable strategy for deriving the tangible cost savings that the 
current economic and fiscal environment demand. Furthermore, it enables 
both the smart, streamlined organizational construct that Government 
employees need to better perform their mission, and the more efficient 
services delivery model that taxpayers deserve. And, while I have 
enumerated some of the challenges that exist, it is my view that the 
benefits of cloud far outweigh the risks, and that a thoughtful 
strategy for prudently broadening adoption of cloud services can 
facilitate a smooth transition to this dynamic platform. Many of the 
security-oriented policies, procedures, controls, and best practices 
previously mentioned are key elements of any security strategy. 
Additional components that such a strategy might consider include 
current areas of research and development, education and workforce 
priorities, and economic implications.
                   areas of research and development
    Many areas of research and development exist in the cyber-security 
field. It is my opinion as well as the opinion of other researchers in 
the field that Cybersecurity R&D is best conducted in an operational 
environment as opposed to a simulated environment. The SC Cloud was set 
up in an operational environment with this principle in mind. IT staff 
provisioners work side-by-side with researchers from academia and 
industry across the spectrum. Cybersecurity is critical to all 
communities. An exemplary Federal program that includes this program is 
the NSF funded Global Environment for Network Innovation or GENI.\12\ 
Core premises of GENI are that the internet architecture is over 25 
years old and in need of strengthening and updating. A second premise 
is that network R&D should be conducted on the internet itself and the 
GENI approach is to use ``slices''. Analogous to the use of virtual 
machines to allow isolated computing on a shared computer, emerging 
technologies now allow virtual network slices to be created on shared 
network infrastructure to allowed isolated network operation. Network 
virtualization not only allows cyber R&D occur on production internet 
in protected ways, it also enables isolated and secure enterprise 
operations to take place on a shared network.
    \12\ Global Environment for Network Innovations (GENI). 
    My comments will highlight some research, which in my opinion are 
of importance and worthy of investment.
    The first area of R&D involves the use of virtual machines (VMs) in 
clouds. Cloud computing is enabled by virtualization. This has enabled 
servers to migrate from one host to another dynamically for load 
balancing as well as made easier dynamic recovery from hardware 
failures. Security can be enforced by executing programs on different 
virtual machines. Virtual machines, however, are subject to various 
vulnerabilities. Researchers at Clemson have shown how power and timing 
data can be used to extract information, including cryptographic keys, 
from running systems. Further research is needed to establish what 
hardware safeguards are required to effectively protect virtual machine 
    The second area of R&D is authentication, authorization, and 
accounting. Current security approaches leverage current best practices 
for authentication, authorization, and accounting relying on Public Key 
Infrastructure (PKI) and a certificate authority (CA) hierarchy to 
establish a chain of trust. Traditional approaches are designed to 
secure monolithic computing entities, but the distributed nature of the 
cloud could be leveraged to provide additional security.\13\ As cloud 
computing leverages distributed resources at different sites and 
potentially of different ownership--for example, an enterprise might 
dynamically purchase computing resources from multiple cloud providers 
for resilience, load balancing, and cost optimization, the cloud user 
needs ways to identify itself in consistent, unified, secure, and 
portable means to all resources.
    \13\ R.R. Brooks, ``Mobile code paradigms and security issues,'' 
IEEE Internet Computing, vol. 8, no. 3, pp. 54-59, May/June 2004. R.R. 
Brooks, Disruptive Security Technologies with Mobile Code and Peer-to-
Peer Networks, CRC Press, Boca Raton, FL, 2005.
    R&D on security applications and tools is another area of research 
that focuses on the creation of applications that leverage the 
distributed nature of the cloud to provide a new level of security that 
neutralizes security vulnerabilities and the various classes of 
attacks. This research would result in a cloud environment that is 
resistant to both infections of individual hosts and the current 
generation of network-based attacks.
    Another R&D area is encryption for programs and data for 
processing. Recent work \14\ has produced a true homomorphic encryption 
system that allows computers to execute encrypted programs. In theory 
this should be free of side-channels, but the newness of this approach 
means that vulnerabilities may still be found.
    \14\ C. Gentry, A Fully Homomorphic Encryption Scheme, Ph.D. 
Dissertation, Dept. of Computer Science, Stanford University, 2009. T. 
Rabin (ed.) Advances in Cryptology--Crypto 2010. LNCS vol. 6223, 
Springer Verlag, Berlin 2010.
    Research on Distributed Denial of Service (DDoS) detection and 
control is also needed. A Distributed Denial of Service attack is an 
attempt to make a computer resource unavailable to its intended users. 
A DDoS attack can shut down cloud service site or constantly affect 
cloud performance, thus increasing the costs. Currently there is not a 
good mechanism for DDoS detection and control. It is not possible to 
detect the source of the DDoS or control the traffic. DDoS is currently 
an intensive area of research. For example, the National Science 
Foundation's GENI project funds researchers at Clemson to leverage 
OpenFlow, a software-defined networking technique, to flexibly analyze 
network traffic for DDoS threats and control different categorized 
traffic to ameliorate detected threats.\15\ Some suggestions have been 
made for ways to create DDoS-resilient clouds.\16\
    \15\ Brooks, Richard and Kuang-Ching, Wang. EAGER-GENI Experiments 
on Network Security and Traffic Analysis. National Science Foundation 
Award No. 1049765. 
    \16\ Dingankar, C. (MS) ``Enterprise Security Analysis Including 
Denial of Service Countermeasures,'' ECE Dept. Clemson University 
(August 2007). C. Dingankar, S. Karandikar, C. Griffin, and R.R. 
Brooks, ``On Bandwidth Limited Sum of Games Problems,'' IEEE 
Transactions on Systems, Man and Cybernetics, Part A: Systems and 
Humans, 41(2) 341-349, March 2011.
    Finally, research on network technologies is also important. 
Current protocols and tools in place today make it difficult to make 
networks available dynamically to match the elasticity in clouds. 
Networks tend to be static and specialized with data passing through 
hundreds of thousands of separate network devices that operate 
individually instead of as a unified system. A paradigm shift is needed 
to instill more dynamic control plane flexibility to match the growth 
of diverse applications and devices utilizing cloud services, including 
mobile, across entire networks in a cloud environment.
    Such a paradigm shift can be seen today through the implementation 
and use of Software Defined Networking (SDN) technology such as 
OpenFlow,\17\ which has been developed as the network layer of the GENI 
model. SDN moves the control plane from the individual network device 
to external controllers that can view and manage a network as a system 
instead of a vast network of individually-configured devices. 
Additionally, SDN makes it easy for new network protocols to be rapidly 
prototyped into production networks.
    \17\ OpenFlow. 
    In addition, adaptive and intelligent networking that does not rely 
only on the end-host or individuals for correct protocol application is 
an important area of study. One cannot rely on all providers having 
firewalls, consistent security standards, intrusion detection, etc. 
Distributed tools are needed to enable automated security through 
improved network monitoring to analyze traffic patterns and detect/
isolate vulnerabilities as well as securing internet traffic in 
distributed and seamless ways.
                     education/workforce priorities
    Mr. Chairman, in addition to R&D, it is also critical that we have 
a security-conscious workforce. There is a gap that exists between what 
universities teach and industry needs. Universities teach theories and 
fundamentals whereas industries desire practical experience from 
university graduates. This is difficult to incorporate into the 
curriculum. Programs are needed to facilitate bridging this gap and 
partnerships between universities and 2-year technical and community 
colleges should be encouraged. In addition programs that encourage 
students to major in science, technology, engineering, and mathematics 
(STEM), including an emphasis on cyber-security, are needed.
    NSF GENI is an example of program that is filling this gap by 
creating an environment linking industry with university research thus 
providing experiences for students to receive training and education on 
core technologies that are applicable in the workforce. In addition, 
GENI also extends these opportunities to multiple disciplines ranging 
from computer software, computer system, networking, to hardware 
engineering thus giving a student a broader experience of conducting 
research and having regular interaction on a large scale with other 
fields of study. Federal facilitation of similar programs in cross-
cutting areas may begin to close this gap over time.
                         economic implications
    There is a growing body of research involving interactions between 
information security and economics.\18\ Current market incentives 
reward behaviors that do not safeguard the well-being of the public. 
This is in direct conflict with the Institute of Electrical and 
Electronics Engineers (IEEE) \19\ and Association for Computing 
Machinery (ACM) codes of ethics.\20\
    \18\ Anderson, R. and T. Moore, 2008: Information security 
economics--and beyond. Lecture Notes in Artificial Intelligence, 5076, 
    \19\ Institute of Electrical and Electronics Engineers Code of 
    \20\ Association for Computing Machinery Code of Ethics and 
Professional Conduct 
    Hardware and software markets have network externalities: The value 
of an investment depends in large part on whether or not other parties 
make the same purchase decision.\21\ These markets are ``tippy,'' i.e. 
miniscule differences in quality or perception result in major 
differences in profitability. In our industry, network externalities 
often result in markets where one product dominates the market. This 
explains the historically dominant market positions of the IBM PC, 
Microsoft Windows, and Intel processor architecture.\22\ The need to be 
the dominant player induces pressure to be ``first to market'' with new 
applications. Arriving early usually tips the market enough to dominate 
it. In this ``winner take all''\23\ context, actions that improve 
product quality and security, but delayed delivery can be fatal to an 
    \21\ Katz, M.L. and C. Shapiro, 1985: Network externalities, 
competition, and compatibility. The American Economic Review, 75, 424-
    \22\ Besen, S.M. and J. Farrell, 1994: Choosing how to compete: 
Strategies and tactics in standardization. Journal of Economic 
Perspectives, 8, 117-131.
    \23\ Dekel, E. and S. Scotchmer, 1999: On the evolution of 
attitudes towards risk in winner-take-all games. Journal of Economic 
Theory, 87, 125-143.
    This is exacerbated by software being a ``lemon market''\24\ with 
information asymmetry between buyer and seller. The buyer cannot 
reliably distinguish between quality goods and shoddy products. Under 
these conditions, buyers choose the lower-priced product. Shoddy 
products are produced more cheaply, driving quality products from the 
    \24\ Akerlof, G.A., 1970: The market for ``lemons'': quality 
uncertainty and the market mechanism. The Quarterly Journal of 
Economics, 84, 488-500.
    These factors encourage the industry to quickly produce large 
quantities of poorly analyzed programs. There is little financial 
incentive to do otherwise and much to gain. The consequences of poor 
software quality for consumers and the economy as a whole are immense. 
Dr. David Rice cites NIST studies showing the annual cost of insecure 
software to the United States as conservatively $180 billion.\25\ He 
also cites a market research survey, which finds 75 percent of 
computers connected to the internet have been infected and used to 
distribute spam. Computer and network security is likely to remain a 
difficult problem for the foreseeable future. Research and development 
of secure systems will be costly, but that cost is expected to be much 
less than current losses due to on-line system misuse.
    \25\ Rice, D., 2008: Geekonomics. Addison-Wesley, Upper Saddle 
River, NJ, 2nd ed.
                          other considerations
    In addition, Mr. Chairman, there is one other priority that I 
believe will receive attention as cloud services grow, namely the many 
legal issues surrounding cloud computing. Contractual and service-level 
agreement issues regarding physical data protection, incident response, 
confidentiality, access, availability, privacy, security controls, and 
other such critical matters are important aspects in developing a 
relationship with a provider. Likewise, intellectual property issues 
and export controls, meaning where is the data being stored, should 
also be discussed in a cloud computing strategy. It is conceivable that 
some cloud service providers could store data outside the United States 
for backup or archival purposes. Also, consideration should also be 
given to the portability of data and what happens to the data once a 
provider contract is terminated. Safeguards and assurances are 
important to ensure all data packaged for migration to a new provider 
and that all data is cleaned and removed from any provider asset. 
Finally, considering the level of hardware manufacturing that occurs 
overseas, assurances that personal computers, tablets, etc. do not 
contain viruses or other security compromising elements is needed.
    Mr. Chairman, on behalf of Clemson University I would again like to 
thank you for the opportunity to testify before the subcommittee and I 
look forward to your questions.

    Mr. Lungren. Thank you much, Mr. Bottum. I was just 
thinking that cloud computing is the only thing I have not 
heard being argued for the breakup of the Big East or ACC, and 
I suspect that maybe we will be hearing about that----
    Mr. Duncan. Will the gentleman yield?
    Mr. Lungren. Sure.
    Mr. Duncan. Go Tigers against Boston College----
    Mr. Lungren. Well, I have got a neighbor who is a freshman 
at Clemson, so I will say okay.
    Mr. Curran.


    Mr. Curran. Thank you, Chairman Lungren, Ranking Member 
Clarke, Members of the subcommittee, for having me here today. 
You have my written testimony so I will keep my verbal comment 
    I am going to focus on areas related to using the cloud 
over the public internet, because that is truly what is new in 
what we are discussing. Dr. McClure, earlier today, indicated 
that the use of public clouds poses new areas of risk, and I 
would like to highlight four of those that this committee 
should consider when looking at this issue.
    First is, the relationship of public clouds to other 
initiatives within the Federal Government for cybersecurity 
needs to be carefully considered, because public clouds are 
using vendors outside the Federal Government, yet the Federal 
Government has several Government-wide security initiatives. 
These include HSPD-12 for validation and authorization; this 
includes the Trusted Internet Connections program.
    When you make use of a public cloud and a public vendor 
they may not be familiar with how to actually use those 
initiatives, which are Government-wide cybersecurity 
initiatives. So the documentation and the approach to vendors 
so that they have everything they need when they design their 
public cloud to make use of Government-wide cybersecurity 
initiatives is essential. Otherwise, our public clouds won't be 
participating in our Government-wide initiatives. This is very 
    Second is the issue of the physical location of the actual 
data and systems. The FISMA framework and the FISMA security 
control profile always had an assumption within it of Federal 
control of the facilities or systems. It is true about 10 
percent of our Federal inventory is outsourced to contractors, 
but even then, it is outsourced in a way that puts it directly 
under agency control to the vast majority of cases.
    When we make use of public clouds we suddenly have the idea 
of using a FISMA profile that is 10 years old to secure public 
clouds that may actually be worldwide in nature. The problem, 
of course, is that the questions to be asked--where is the 
data, where is the systems--simply don't exist in the original 
FISMA profile.
    Now, the proposed FedRAMP security profile does have 
enhancements, and one of the enhancements it includes is 
talking about the personnel that are making use of managing 
this data. In the current public drafts it does not include, 
however, controls for where is the data and the systems 
themselves? So we know, in many cases, that the systems are 
managed by U.S. citizens, but we don't know necessarily that 
they are located within the United States.
    A given agency can implement SLAs to cover that if they 
know to do so. What might be a better approach is making that 
inherently part of the profile, so as GSA accredits 
organizations they say where there systems are, so a Federal 
agency CIO has the ability to say: Is that acceptable to me or 
    The third matter is on migration, and I guess this is more 
important. The FISMA profile is very good about talking about 
recovering of systems; it has a whole contingency planning 
section which handles the failure of a given server or data 
center. That was perfect for when we were talking about Federal 
    But the recovery now that is provided by the FISMA profile 
now works within the cloud. It is whether a cloud provider 
provides fail over one of their data centers to another one of 
their data centers.
    The problem is, we now need contingency planning at one 
level higher up. In fact, you need to worry about the case 
where the cloud provider themselves is no longer able to 
provide service securely and you need to move not to another 
one of their data centers but to an entirely different cloud 
provider. You might need to do that on very rapid notice to 
accommodate a cloud provider who is compromised in an 
irrecoverable manner.
    So the migration is not a question just of cost or being 
able--agencies being able to get their own data back. It is 
actually a security control. It is an inherent function that 
needs to be provided so that if a cloud provider is compromised 
the ability to migrate isn't a question that we are all asking; 
it is inherent and it is known to be able to quickly move up in 
a short number of days or hours and move to another provider.
    Finally, the internet itself: The internet itself is not 
static. It is changing rapidly, and there are several security 
protocols, such as DNSSEC, to secure the Domain Name System, 
and I.P. version 6, the new internet protocol that is coming 
out, that need to be considered. We need to make sure these are 
part of the profile for FedRAMP so we don't build on the 
internet while the internet is changing out from under us.
    I would like to thank the committee for having me. I look 
forward to your questions.
    [The statement of Mr. Curran follows:]
                   Prepared Statement of John Curran
                            October 6, 2011
                            i. introduction
    Good morning Chairman Lungren, Ranking Member Clarke, Ranking 
Member Thompson, and Members of the committee, and thank you for 
inviting me to testify before the Cybersecurity, Infrastructure 
Protection, and Security Technologies Subcommittee.
    I am the president and chief executive officer of the American 
Registry for Internet Numbers, Ltd. (``ARIN''), which issues Internet 
Protocol (IP) number resources for the United States, Canada, and 
Caribbean, but I am speaking here today in my personal capacity based 
on a long history of building and securing FISMA-compliant Federal 
Information Technology (IT) systems.
    I have first-hand knowledge of these matters from my experience in 
the internet industry since 1990, including serving as the chief 
technology officer for several Government contractors and Internet 
Service Providers (ISPs) including BBN, GTE Internetworking, and XO 
Communications, as well as internet standards work in the Internet 
Engineering Task Force (IETF). Most recently, I served for 5 years as 
executive vice president and chief technology officer for ServerVault, 
providing secure managed IT services for sensitive Federal Government 
applications. My duties included direct responsibility for securing and 
preparing the certification of FISMA Moderate impact level Federal 
information systems over shared internet-based infrastructure. I have 
prepared my remarks today out of a desire to see the advancement of 
responsible Cloud-based computing for the Federal Government.
    I would like to start by offering congratulations to the GSA for 
the development of its Federal Risk and Authorization Management 
Program (FedRAMP) program, as well as the recent Infrastructure as a 
Service (IaaS) Blanket Purchase Agreement (BPA) awards. By developing 
this program in cooperation with the Federal CIO council, the GSA has 
enabled agencies to leverage cloud-based storage, virtual machines, and 
web hosting services in a manner that should improve the cost and 
timeliness of Federal IT system deployments.
            ii. managing emerging risks from cloud computing
    As a result of my experiences deploying Federal IT systems over the 
public internet, I was asked to present at cloud interoperability 
workshop in 2009, and to identify the most critical challenges that 
Federal CIO's faced in making use of cloud computing under the existing 
FISMA security framework. Back then, the major difficulties that I 
identified were:
   Agency pressure for deployment of timely, cost-effective IT 
   Administration expectations for leveraging new IT 
   Compliance with IT policy mandates (Federal and agency-
   Lack of common IT infrastructure services between systems & 
        Potential vendor lock-in with any sizable deployment;
   Preparation of extensive FISMA control documentation for 
        each system.
    It is remarkable to see the progress that has occurred since that 
time. As a result of the FedRAMP program (with its common security 
control baseline), agencies now have a clear roadmap that should 
address many of these challenges in making use of cloud computing for 
Federal IT applications.
    I must note, however, that cloud computing does not eliminate all 
of the challenges, and in particular, cloud computing may actually 
heighten the difficulties that Federal CIO's face in some areas if not 
carefully managed. The areas that are most likely to pose increased 
risks as a result of the introduction of cloud computing are:
    1. Interaction of cloud computing services with Federal 
        cybersecurity initiatives;
    2. Physical location of cloud computing facilities and data;
    3. Migration between vendors of cloud computing services;
    4. Evolution of cloud computing services with internet 
    None of these risks precludes the use of cloud computing services 
by the Federal Government, but each does pose new challenges for 
Federal CIO's to consider and may warrant consideration by the Federal 
CIO Council and its partners to determine if additional standards or 
coordination activities would help minimize these risks. I will outline 
each of these risk areas with recommendations for further 
iii. interaction of cloud computing services with federal cybersecurity 
    There are several Government-wide IT security initiatives that 
require consideration with respect to cloud computing because of their 
service nature: Specifically, there is the distributed issuance and 
recognition of user authentication credentials via the HSPD-12 
initiative, as well as the provision of secure and monitored internet 
connectivity via the Trusted Internet Connections (TIC) initiative. 
These programs provide certain security-related services to Federal IT 
environments which result in increasing cybersecurity protection on a 
Government-wide basis as more agencies make use of the services.
    While specified in the FedRAMP security profile for Moderate risk 
environments, the actual mechanism and ability to participate in these 
Government-wide cybersecurity initiatives by private cloud computing 
vendors remains unclear, and any deployment of Federal IT systems via 
cloud computing services that do not leverage these common capabilities 
dilutes the value of these initiatives in supporting the overall 
cybersecurity stance of the Federal Government.
    The goal must be to have unequivocal documentation for cloud 
computing companies on how to appropriately secure their offerings, 
including how to make use of Government-wide cybersecurity initiatives, 
and thus encourage significant industry-wide vendor participation in 
offering FedRAMP cloud services. The resulting competition will both 
drive down costs and improve service quality for all FedRAMP 
      iv. physical location of cloud computing facilities and data
    One of the more unusual consequences that results from the use of 
the cloud computing is the potential loss of the ability to know at any 
given time the specific physical location for the systems and data 
which support a given Federal IT system. While it may be possible to 
know the set of data centers which support the service (and the FISMA-
based FedRAMP security control profile does specify certain physical 
controls at such facilities for facility access, power redundancy, 
etc.), the question of actual physical location of the Federal IT 
system is highlighted when the cloud service provider has facilities 
which are outside of the United States.
    As a practical matter, there may not be a concern with incident 
services being provided for out of non-U.S. locations, and it may be 
desirable in some circumstances with Federal applications that must be 
accessed globally. However, the present FedRAMP profile does not 
directly address the question of location and it is not assured that 
use of facilities and storage of data outside the United States is 
universally desirable, particularly if the use of cloud computer for 
Federal IT applications is undertaken on a large scale.
    The FedRAMP program should include controls that address the 
physical location of cloud computing facilities and data storage used 
by the application, and allow (as is done with the corresponding 
personnel controls) for the consideration of exceptions once fully 
documented and reviewed.
        v. migration between vendors of cloud computing services
    The ability to extract agency data in standard formats from cloud 
computing services (whether that be application data such as mail 
messages and mailing lists, or system data such as the virtual server, 
storage, and network configurations) is essential to be able to migrate 
between cloud vendors. Lack of this capability means vendor lock, 
eroding the financial benefits of cloud computing and preventing timely 
response if a vendor's security is irrevocably compromised.
    There are on-going efforts in the area of standards for cloud 
computing data, and this work should continue and be prioritized by the 
agencies supporting the FedRAMP program. Unlike an internal agency 
information system, cloud solutions are inherently subject to change by 
the cloud service provider, and this creates a new requirement 
(specifically, the ability to quickly and reliably migrate to another 
service provider) where it previously was not needed for agency 
systems. FedRAMP must facilitate migration capabilities to protect 
against any cloud computer vendors that fail to continuously deliver 
the necessary quality or security in their offerings.
    The FedRAMP security control profile includes standard FISMA 
contingency planning and recovery security controls, but these 
fundamentally only address recovery within a given service provider 
cloud. Specific mechanisms should be put in place to insure that 
Federal agencies can extract their data and configuration in generally 
accepted formats and that these mechanisms suffice for service 
migration to other cloud computing vendors.
  vi. evolution of cloud computing services with internet technologies
    The internet is constantly evolving with the introduction of new 
standards and technology, and in making use of the internet as a 
platform for cloud computing, FedRAMP must be equally prepared as these 
changes occur. This is particularly true when it comes to internet 
technology improvements in the area of cybersecurity.
    In many cases, the Federal Government has taken an active interest 
in the technologies and standards that could improve the overall 
security of the internet, and this includes DNSSEC initiative in 
securing the Domain Name System (DNS), the next version of the 
underlying network protocol for the internet--Internet Protocol version 
6 (IPv6) and on-going work in internet routing security. These 
technologies are now being deployed in the public internet, and are 
also covered by specific directives in the FISMA security control 
baseline and/or guidance from OMB.
    These new standards are quite important in protecting the global 
internet from cybercrime, in that they insure that internet users reach 
the actual website that they intended to, and that their communication 
is protected in the process. When it comes to agency use of cloud 
computing services, these protections are equally important, since 
these services are reached over the public internet.
    It is crucial that the FedRAMP program clearly and unambiguously 
incorporates DNSSEC and IPv6 into the FedRAMP baseline, and that on-
going developments in internet-wide security technologies are promptly 
incorporated as they reach maturity.
    Furthermore, the on-going need to adopt and maintain state-of-the-
art security technologies and practices for cloud computing services 
does not appear to be given sufficient priority in the FedRAMP 
approach. While traditional Federal IT systems have been built and 
certified one at a time in predominantly closed environments, the rapid 
pace of evolution of internet threats requires equally dynamic and 
responsive security responses. Vendors should be given the flexibility 
to propose additional or alternative security mechanisms, as there are 
security lessons learned from running large-scale internet services 
that are not readily available to the Federal IT community, and the 
benefits of such experience should not be lost in the process of 
structuring cloud services into the FISMA framework.
                            vii. conclusion
    The FedRAMP program is a remarkable achievement; by providing 
agencies with ready access to additional computing resources that have 
already undergone a joint authorization process, the program offers the 
potential to significantly improve cost and timeliness of Federal IT 
    While not detracting from the importance of this achievement, the 
use of public and shared cloud computing services does introduce new 
areas of risk to be considered, and this is particularly true with 
respect to the interaction of cloud computing services with Federal 
cybersecurity initiatives, the geographic location of Federal data, the 
migration between vendors of cloud computing services, and the 
evolution of cloud computing services with the internet.
    The risks should not preclude use of cloud computing services by 
the Federal Government, but the model should be closely examined, and 
appropriate efforts inserted into the FedRAMP program so that it can 
deliver its full benefits in an efficient and secure manner.
    Mr. Chairman, Ranking Member Thompson and Members of the 
subcommittee, this concludes my written statement.
    Thank you again for this opportunity to speak before you today on 
this important topic, and I would be happy to answer your questions.

    Mr. Lungren. I thank you, Mr. Curran.
    I thank all of you for your testimony, and I will yield 
myself 5 minutes for first questions.
    Mr. Sheaffer, one of the things that struck me as you spoke 
was the idea that in the past, with the internet and so forth, 
we didn't build in security at the outset and we have had to 
play catch-up. Mr. Curran has just outlined a number of things 
that deal with building security into our advances in computer 
technology, including the cloud. Could you comment on the 
comments that he made?
    Mr. Sheaffer. Certainly, sir. I agree that we are in a 
position where we are using a technology and infrastructure 
that was not originally intended to be with the security issues 
in mind, and I agree that there are a number of initiatives 
underway to address a number of those vulnerabilities and 
    I think there has been a--there is good examples that exist 
in--within our intelligence community and in the secure side of 
Government operations that point the direction that we are able 
to build architectures that can secure data and applications 
adequately in a private cloud environment. I think some of the 
comments were addressed to how are we going to do that in the 
public environment, and I would go back, I think, to some 
comments in the earlier panel that suggest that until we can do 
that we have to be careful about what we put out into the 
public domain.
    But the interest of the commercial sector is to, as quickly 
as possible, get to a point where they can provide those 
adequate protections and the innovation that is going on in the 
commercial world, I think, will solve those problems in time.
    I think in the mean time I would agree, we have to be aware 
of what they are, do what we can from a standards perspective 
to build in standards and approaches that will guarantee to the 
maximum extent possible that those vulnerabilities can--and 
risks can be managed. But we will, as a--from a technological 
perspective, solve those problems.
    Mr. Lungren. Mr. Brown, it appears one of the messages from 
this panel is that the dynamism of the I.T. world----
    Mr. Brown. Yes.
    Mr. Lungren [continuing]. That we make a mistake when we 
take a static view of things and that cloud computing is one 
evolutionary point in this utilization of advanced information 
systems. So therefore, we have got to try and, from our 
standpoint, make decisions that reflect that.
    At the same time, there is this sort of fundamental issue 
or concern that reflected in both constituencies and Members of 
Congress that there is something about possessing a system, 
there is something about possessing your own information, there 
is something about fencing off your information from everything 
else, which is perversely at odds with using the internet.
    Mr. Brown. Right.
    Mr. Lungren. Yet, people seek both the ease of access and 
the multiplication of recipients of their information that the 
internet offers with a heightened sense of privacy. So I think 
one of the great concerns we have to deal with--both legitimate 
aspects of it and, let's say, hyped aspects of it--are that as 
you surrender your possession of the system and move more to a 
cloud system, which, as I get your various definitions, 
essentially means you are cooperating with other systems in a 
way that your information is not totally under your control, 
how do we both overcome the fear that people have a loss of 
security because of a loss of possession, but at the same time 
assure them that we do have technology fixes so long as we 
understand that that requires a sufficiency of information that 
the users have and a persistence in the use of what I will just 
call generally good cyber hygiene?
    Mr. Brown. So, one of the things that we have to understand 
is that from an economic standpoint, cloud is coming, okay? The 
reason why is that in cloud computing we can do many more 
releases, put together more software that is better more 
quickly, we can test it in one environment, we can get higher 
quality software out of the, you know, out of our building and 
into the hands of the consumers quicker.
    If we don't, as vendors, embrace cloud we will be out of 
business, okay?
    Mr. Lungren. That is a pretty strong imperative.
    Mr. Brown. Yes. So it is a very strong imperative. If we 
don't embrace cloud we will be out of business.
    So I think the same goes for governments in the same way, 
that if you want to keep up, if you want to move quickly, 
embracing the cloud for the same efficiency reasons needs to 
occur. Now, anytime we have these types of changes, right, we 
have opportunities to become better or become worse, right? We 
believe that cloud gives us an opportunity to become more 
    Now, the things that need to happen there is you need to 
have trust in the providers, like as what we said, but you need 
to be able to verify, right? So you need to be able to have 
things like FedRAMP that allow you to monitor those providers 
to make sure they are not only doing what the contract says, 
but actually doing what they say, right?
    You need to be able to be cautious as you go in--enter into 
these environments to make sure that--you know, in some cases 
we are going to see huge expansions of cloud providers and only 
a certain portion of them will survive, so you need to have 
contingency plans set up to be able to move from one cloud 
provider to another.
    So it is not a question of if it is going to happen. It is 
going to happen; we are going to move there.
    So it is a question of how we get enough trust in that 
environment that we can effectively move forward. Trust ends up 
being transparency; it ends up being, you know, acceptance of 
this is what a--this is what a cloud provider is going to do; 
and the ability to consistently monitor what they are doing to 
ensure that, you know, what they--they are doing what they say 
they need to do.
    Mr. Lungren. I have got a whole bunch of other questions, 
but I am going to yield to Ms. Clarke now for 5 minutes.
    Ms. Clarke. Thank you very much, Mr. Chairman.
    I want to thank the panelists for lending their expertise 
to this discussion today.
    My first question is, many potential agency users of the 
cloud believe it is not yet secure enough for their needs. From 
your perspectives, are they right?
    Mr. Bottum. Well--excuse me--I am a provisioner, and so I 
say amen to everything Mr. Brown just said, and it is a 
question of building up trust. I think with the relationships 
we have, you know, that is essentially how we got there, was 
through building the trust of the end-user and the community 
that we are provisioning for.
    The first thing I did 5 years ago when I went to Clemson 
was consolidate 43 I.T. departments into one, and that is 
essentially building a cloud for 43 people who used to do their 
own--departments that used to do their own computing. So over 
time you have to, you know, build that trust and that true 
    I think, you know, directly answering your question is it 
secure enough, we get tested in a number of ways. I think the 
end-user has to figure out how they, you know, trust but 
verify, I think.
    I mentioned that we run the Medicaid system for the State 
of South Carolina. We get both planned visits, audits, and we 
get unplanned visits and audits. So you have to be ready at all 
    It is a matter of communication, policies, people working 
together. I think, you know, the--to me, you know, the cloud 
is--you know, we just call it something different every decade. 
It was time-sharing in the 1980s; it was the grid in the 1990s. 
We did a project with Notre Dame, the Northwest Indiana 
Computation Grid.
    But basically it is, you know, that is essentially what it 
is, is a matter of people working together and creating a 
trusted environment, so----
    Mr. Curran. Let me address this a little bit, and I will 
pick up on the comments of the earlier panel from DHS CIO 
Spires. At the end of the day, the question of whether or not 
secure enough is the agency CIO's determination. That is truly 
his job.
    What we need to do is make sure that the mechanisms we have 
put in place give that agency CIO enough information to make 
that determination. The FedRAMP program is a start at a profile 
of controls that would make public clouds useful to CIOs.
    However, right now there are a number of pieces that a CIO 
has to fill in on their own. If you want your data within the 
United States that is not in the profile; that is your SLA. If 
you are worried about migration, that is not in the profile; 
that is something you are going to worry about.
    So the answer is: Is it suitable today? For an ambitious, 
high-energy agency that decides it is going to take this on, 
yes, where they fill in those pieces. So the question is 
whether or not we can make a FedRAMP program where those 
functions are already provided for, already clearly documented.
    That doesn't mean all the data, for example, needs to be in 
the United States. An agency whose workers are around the globe 
doing aid might want data centers that are close to where those 
people are for performance reasons. Someone else doing 
sensitive work might want to know that the cloud that he is 
using has said all of its servers are located in the 
continental United States.
    It is making sure that information is in the profile and in 
the documentation so the agency CIO has the work he has, has 
the information he needs to do the job of answering that 
question. I think it is possible to use it today; I think it 
could be much easier to use with work.
    Mr. Brown. One of the other important points here is that 
there will be specialized cloud services that are developed for 
specialized purposes, okay? So, you know, if there is enough 
money available for someone to produce a cloud service that is 
ultra-secure, you know, ultra--you know, ultra-secure and 
ultra-resilient, right, somebody will produce that cloud 
service from--as long as the economic model fits.
    You are going to see other economic models that take less 
security, and less security less resilience. All of those types 
of models are okay as long as they transparently tell you what 
their models are and what they can provide.
    Ms. Clarke. Let me thank you all for your answers. So many 
questions come to mind once you raise that question and then 
you get the answers, right? So it is a totally new space. That 
is a lot of pressure on a CIO.
    Then you start thinking about, well, does this become an 
issue for litigation as, you know, we begin to build those 
areas of trust, all right? So does that become a whole 'nother 
practice within the legal field and an understanding of that 
world that we have created?
    So, my time is elapsed and I want to just thank you once 
again for raising the consciousness here in the Congress of 
what we need to do. Thank you.
    Mr. Lungren. There are so many questions, but you have been 
very good about--let me just ask one general question. When we 
look at all the positives of cloud computing, however we want 
to define it, and as the new evolutionary point, is it a canard 
to suggest, though, that with cloud computing you do create 
some more target-rich environments? That is, if I could go 
after a larger bit of information or a larger universe of data 
points that involve a number of different players it might be 
worth my while to put more capital investment and time to go 
after it, or is that just----
    Mr. Brown. Same idea as Fort Knox, right? So can we protect 
the gold, right? That is the question, right, is: Can we have 
appropriate safeguards to protect that information?
    If you look at what some systems have done, you know, your 
data actually isn't stored in one central location; little 
pieces of your data are stored all over, in many different 
servers all over the, you know, world, therefore they can't be 
reconstituted into one piece. So, you know, because the data 
just happens to be stored in the cloud it takes advantage of 
technology that makes it harder to compromise one data center. 
It won't help you. You have to compromise the whole system.
    So there are technology advantages to, you know, moving to 
the cloud. But you are right about a target, right? As you have 
more data in one place it is more of a target, but it is also 
one of the things that you can centrally protect.
    Mr. Lungren. Well, I want to thank all four of you for 
testifying, and the previous panel. This is an issue that we 
are just scratching the surface on here. I think there is a lot 
of confusion about it, I guess even, I would say, fear, just 
because this is a new notion to the larger public, computer--
cloud computing.
    I think one of our obligations is not only to help clear up 
that confusion as best we can, but understand the reality as 
best we can.
    I think what you suggest, Mr. Curran, is make sure that all 
the moving parts are related, that if we do something on the 
Government side where we think we have certain protections that 
that is not only communicated with but is operational with 
public clouds as we work with them, and that we sort of 
anticipate these things instead of doing patchwork approaches 
later on.
    So I want to thank you. I thank you for your valuable 
    Members of the committee may have some additional questions 
for you and, we would ask you if you would please respond to 
those in writing upon your receipt. The hearing record for 
Members will be held open for 10 days, and the subcommittee 
stands adjourned.
    [Whereupon, at 12:56 p.m., the subcommittee was adjourned.]

                            A P P E N D I X


      Questions From Honorable William Keating for Richard Spires
    Question 1a. I'm concerned about maintaining the security of 
Government data maintained and transmitted through mobile data storage 
devices, particularly USB flash drive products. While I appreciate the 
obvious day-to-day benefits of flash-drive technology, flash drives 
infected with malware, as well as lost and stolen drives, present a 
clear threat to our Government's information systems. I understand that 
some flash drives use hardware--instead of software--authentication, 
which protects the devide from malware and hacking.
    Are you familiar with hardware-authenticated drives?
    Answer. Response was not received at the time of publication.
    Question 1b. If so, to what extent have you tested and evaluated 
    Answer. Response was not received at the time of publication.