May 17, 2011
Earl Crane, CISSP, CISM
Director, Cybersecurity Strategy Division, Department of Homeland Security
Abstract
This presentation will provide an overview of the Federal Chief Information Officer (FCIOC) Information Security and Identity Management Committee (ISIMC) Network and Infrastructure Security Subcommittee (NISSC) Guidelines for Secure Use of Cloud Computing by Federal Departments and Agencies. The goal of this document is to help federal program managers create a strong business case for embracing the appropriate type of cloud computing capability commensurate with their level of acceptable risk. This document presents a set of security guidelines and recommendations for using cloud computing technologies and capabilities and for selecting deployment and service models. These guidelines complement the FedRAMP cloud computing requirements and controls and the NIST guidelines to provide outcome-based control objectives based on NIST guidance and requirements.
The Federal Cloud Computing Strategy outlines the Cloud First Initiative, intended to accelerate the adoption of cloud computing by federal departments and agencies by modifying their IT portfolios to take advantage of the benefits of cloud computing: maximizing capacity, improving flexibility, and minimizing costs. As stated in the strategy, “Agencies should make risk-based decisions which carefully consider the readiness of commercial or government providers to fulfill their Federal needs.” Cloud computing readiness considerations within the federal government include, but are not limited to, data security and privacy, governance, and continuous monitoring. The primary purpose of the ISIMC Guidelines is to enable federal program managers to carefully assess security risks and cloud providers’ readiness to mitigate those risks, and so to enable the secure use of cloud computing by federal departments and agencies.
The federal government is targeted by advanced threats and adversaries that attempt to compromise government information systems to further their own objectives. These advanced attackers are aggressive, persistent, difficult to detect and prevent, and will sometimes succeed. Some cloud environments have the same capabilities to defend against and recover from these threats as current federal information systems, such as advanced monitoring capabilities and cleared information security professionals, though others may not. Other risks stem from an increased level of complexity, which may make cloud environments more prone to mistakes such as uploading sensitive or classified information into a cloud environment not authorized to handle that level of information. Finally, some risks may be due to design and architecture, where the cloud environment is abstracted from federal security controls, reducing the level of visibility available to support continuous monitoring.
These guidelines complement the FedRAMP cloud computing requirements and the NIST security guidelines to support federal program managers in selecting the appropriate cloud computing model and security controls to mitigate these risks. Cloud computing does not absolve an agency of responsibility for securing its data, nor does it eliminate the need for agencies to conduct assessments and authorizations of their respective major application (MA) and general support system (GSS) boundaries.
This document recommends the following “Top 20” federal cloud computing security considerations and guidelines for federal program managers. It is intended to help federal system owners conduct their control selection by articulating cloud security issues through a discussion of sixteen (16) federal cloud security domains. Each of these sixteen domains is mapped against current cloud security best practices and FISMA security guidance, and is summarized into one or two top federal cloud security issues.
Cloud computing adoption is still in its early stages, but the commercial and government sectors are beginning to see the advantages of lower IT costs and reduced overhead by adopting this new trend. Though cloud computing comes with some risks, these can be mitigated by making informed risk management decisions when selecting cloud deployment models, service models, and cloud security controls. Federal program managers may consider public cloud computing for some low and moderate systems, freeing up their limited security resources to focus security operations on private cloud computing capabilities.
About the Speaker
Mr. Crane is the Director of the Cybersecurity Strategy Division in the Office of the Chief Information Security Officer (OCISO) for the Department of Homeland Security. Mr. Crane is responsible for developing the DHS Information Security Strategic Plan, enabling the Department to provide a secure, reliable, and trusted computing environment to support DHS’ mission and objectives and effectively share information that protects the Homeland.
Mr. Crane is a contributing author of multiple books, including “SPECIAL OPS: Host and Network Security for Microsoft, UNIX and Oracle”. He is also an adjunct professor in the Carnegie Mellon University H. John Heinz III School of Public Policy & Management where he teaches two courses on incident response and information security management.
Mr. Crane earned a Bachelor of Science in Mechanical Engineering with a minor in Robotics from Carnegie Mellon University. He also earned his Master of Information Systems Management at Carnegie Mellon, specializing in Information Security and graduating with honors of “Highest Distinction”. Currently he is pursuing a PhD in information security management at George Washington University.
Please RSVP if you plan to attend.
Non-members are welcome without charge! Light refreshments will be served.
Tuesday, May 17, 2011 6:30 PM
Government Printing Office
Room A138
732 N. Capitol St.
Washington, DC, 20401