Cloud Computing Best Practices. Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service


1 Cloud Computing Best Practices

Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service

2 Overview

- Cloud Computing: What is it?
- Cloud First Policy and Guidance
- The Cloud Procurement White Paper
- Minimizing Litigation Risk and Cost

3 What is Cloud Computing?

NIST Definition
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
Source: NIST, Definition of Cloud Computing, Draft version 15, computing/index.html

Layman's Definition
- Cloud is essentially utility computing
- Automated services (no humans needed for change in services)
- Services are consumed as used ("pay per drink")
- Enabled via the internet (accessible anywhere)
- Elasticity in amount of services consumed (rapid provisioning and deprovisioning)
- Transition from capital expenses to operating expense

4 What Services Are In The Cloud?

Software: SaaS (software as a service)
- Applications available as an on-demand service
- End user applications

Platform: PaaS (platform as a service)
- IT and developer tools for database and testing environments to develop applications
- Development or deployment activities

Infrastructure: IaaS (infrastructure as a service)
- Computing, Storage and Hosting Services
- Network administrators

Source:

Common Examples: Applications, Internet Services Social Media (Blogs, Wikis) , E Meetings Productivity Tools (Office) Application Development (Workflow and Automation) Security Services (Single Sign On, Authentication) Database Management Directory Services Mainframes Servers Storage IT Facilities/Hosting Services

5 What Types of Clouds Are There?

- PRIVATE CLOUD: Operated solely for an organization
- COMMUNITY CLOUD: Shared by several organizations; can be public or private
- PUBLIC CLOUD: Available to the general public
- HYBRID CLOUD: Composition of two or more clouds (private, community, or public)

Source:

6 Cloud: A Fundamental Shift in IT

Source:

7 Cloud: Cheaper, Better, Faster

Cloud = Future State of Government IT

A fundamental shift: Agencies get state-of-the-art products and services when they need them, at lower, commodity-based prices. Government can redirect scarce resources to mission-critical efforts as opposed to managing IT.

- Cheaper: Save money and help lower the cost of government operations while driving innovation by avoiding duplicative infrastructure by using pay-as-you-go service models
- Better: Allows key resources to focus on mission-critical activities and/or use solutions and services on demand or as needed
- Faster: Decrease time to market to deploy or implement IT solutions via secure, easy-to-use contract vehicles available to federal and state and local government

8 Administration's Drive to the Cloud

The Administration's Federal Cloud Computing Strategy requires agencies to default to cloud-based solutions whenever a secure, reliable and cost-effective cloud option exists however, the move to the cloud requires a dramatic shift in the way Federal agencies buy IT from capital expenditures to operating expenditures. With this shift comes a learning curve as the government analyzes how to best procure this new service-based model....

Steven VanRoekel, U.S. Chief Information Officer, OMB, February 24, 2012

9 Federal Timeline for Cloud

- Cloud First, 25 Point Plan to Reform Federal IT: December 9, 2010
- FedRAMP Policy Memo: December 8, 2011
- Federal Cloud Computing Strategy: February 8, 2011
- Creating Effective Cloud Computing Contracts: February 24, 2012

10 Cloud: 25 Point Plan to Reform IT

Cloud First Policy
- Point 3 of the White House's 25 Point Plan to Reform Federal IT
- Requires agencies to evaluate safe, secure cloud options before making any new investments. This means agencies should evaluate their technology sourcing plans to include cloud solutions as part of the budget process.

Three Cloud Projects by June 9, 2012
- Cloud First mandates agencies move three projects to the cloud
- At least 1 project had to move to the cloud by December 9, 2011; 2 additional must move by June 9,

11 Cloud Computing Strategy

Overview
- Details benefits of cloud to Federal government
- Provides decision framework for moving to the cloud
- Case examples to illustrate framework
- Promotes vision for catalyzing cloud adoption across Federal government

12 Cloud Security: FedRAMP

Federal Risk and Authorization Management Program

Overview
- Mandatory for Federal agencies via OMB Policy Memo
- Creates government-wide security process for cloud computing solutions
- Provides assessments, provisional authorizations, and continuous monitoring of cloud services
- Transparent processes for Federal agencies and cloud service providers
- Establishes a Federal government standard baseline for securing cloud environments

13 Cloud Procurement White Paper

Overview
- Top 10 areas Federal agencies need to address when procuring cloud
- Gives description of issues along with ways to address issues within contracts
- Provides tactical guidance through a questionnaire checklist

14 Partnership of IT, Acquisition, Legal

Today, the CIO Council, CAO Council, and Federal Cloud Compliance Committee released: Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service. This guide enables Federal agencies to make smarter, more informed cloud purchasing decisions by utilizing lessons learned and best practices of early adopters moving us to a more efficient and more effective government.

Steven VanRoekel, U.S. Chief Information Officer, OMB, February 24, 2012

15 Development of White Paper

Two Tier Approach to Creating Guidance

Existing Cloud Contracts
- Develop lessons learned from early adopters
- Informal data call through OMB to collect ~15 existing Federal cloud contracts
- Review of contracts to see variance of contract terms, establish baseline and identify themes
- Interview project managers and contracting officers of each contract:
  - What worked
  - What doesn't work
  - How various issues were addressed

FC3 Guidance
- Guidance developed by Federal Cloud Compliance Committee (FC3)
- Informal interagency group comprised of Federal attorneys, procurement officials, and cloud SMEs
- Mission: create tactical guidance to proactively assist agencies when contracting cloud
- Created four working groups:
  - Security
  - Privacy
  - E-Discovery
  - Records Management/FOIA

16 Goals of White Paper

Cloud Computing and the Federal Government: Effectively Acquiring IT as a Service

- Merge the Cloud First mandate and the visionary Cloud Computing Strategy
- The next step in government's move to cloud with specific guidance in effectively buying cloud services
- Provide guidance to agencies in developing requirements for a cloud computing contract
- Highlight top ten areas for Federal agencies to address in cloud contracts
- Help shape the way that cloud computing services are purchased and consumed
- Establish common practices for the Federal government to take advantage of its position as the largest purchaser of IT

17 Top 10 Focus Areas

1) Selecting a Cloud Service
2) CSP and End User Agreements
3) Service Level Agreements (SLAs)
4) CSP, Agency, and Integrator Roles and Responsibilities
5) Standards
6) Security
7) Privacy
8) E-Discovery
9) Freedom of Information Act (FOIA)
10) E-Records

18 Selecting a Cloud, End User Agreements

ONE: Selecting a Cloud Service
Agencies must choose the appropriate cloud to meet their needs
- Determine the appropriate service model to meet user needs
- Determine the appropriate deployment model that meets data protection needs

TWO: CSP & End User Agreements
Terms of Service Agreements (TOS) need to be negotiated
- TOS must be compliant with Federal laws and statutes
- Need to ensure NDA enforceability
- End User Agreements need to be integrated fully into cloud contracts

19 SLAs and CSP, Agency, Integrator Rs & Rs

THREE: Service Level Agreements
SLAs should clearly define CSP performance standards
- Need clear terms and definitions
- Need to determine how CSP performance will be measured
- Needs to establish enforcement mechanisms for SLA compliance

FOUR: CSP, Agency, & Integrator Roles and Responsibilities
Establishes a contract with (at least) three parties
- Determine integrator role with CSP
- Need to clearly define the roles and responsibilities of all actors to ensure effectiveness of the cloud contract

20 Standards and Security

FIVE: Standards
Agencies should ensure CSPs align with government standards
- Map services to NIST Reference Architecture
- Ensure government participation in standards creation
- Compliance with Internet Protocol version 6

SIX: Security
FedRAMP Compliance
- Clearly defined requirements
- Continuous monitoring activities
- Incident response to attacks and vulnerabilities
- Key escrow/encryption
- Forensic capabilities
- Multi-factor authentication with HSPD-12
- Audit capabilities

21 Privacy and E-Discovery

SEVEN: Privacy
Ensure compliance with the Privacy Act of 1974 and PII requirements
- Privacy Impact Assessments
- Adequate privacy training
- Clearly defined data location requirements
- How to respond to a breach where privacy data was compromised

EIGHT: E-Discovery
Provide information management in the cloud
- Ability to locate relevant documents
- Ability to preserve data in a cloud environment
- Moving documents through the e-discovery process
- Cost avoidance by inclusion of tools with CSP solution

22 FOIA and Federal Recordkeeping

NINE: FOIA Access
Ability to conduct a reasonable search to meet Freedom of Information Act (FOIA) obligations
- Ensure the processing of information is pursuant to FOIA requirements
- Allow for the tracking and reporting of information pursuant to FOIA

TEN: Federal Recordkeeping
Agencies should have proactive records planning before using a cloud service
- Ensure the ability to have timely and actual destruction of records in accordance with mandated records schedules
- How to deal with permanent records
- Process for transitioning to a new CSP

23 Appendix A: Questionnaire

Overview
- Translates the paper to tactical questions to ask when reviewing or creating a cloud contract
- Maps to the ten areas of focus within the paper
- Tactical approach for Agencies to use

24 White Paper: Key Takeaway

All necessary stakeholders should be included when creating cloud computing contracts.
- OCIO
- OGC
- Privacy
- Records
- E-Discovery
- FOIA
- Acquisition staff

This will enable Federal agencies to more effectively procure and manage IT as a service

25 Cloud Resources

- CIO Council
- Federal Cloud Computing Initiative
- FedRAMP
- NIST
- NARA mgmt/bulletins/2010/ html

26 Questions?

Matt Goodrich, Federal Cloud Computing Initiative, GSA
Allison Stanton, Director, E-Discovery, DOJ Civil Division


More information

The Hybrid Cloud: Bringing Cloud-Based IT Services to State Government

The Hybrid Cloud: Bringing Cloud-Based IT Services to State Government The Hybrid Cloud: Bringing Cloud-Based IT Services to State Government October 4, 2009 Prepared By: Robert Woolley and David Fletcher Introduction Provisioning Information Technology (IT) services to enterprises

More information

Project Type Guide. Project Planning and Management (PPM) V2.0. Custom Development Version 1.1 January 2014. PPM Project Type Custom Development

Project Type Guide. Project Planning and Management (PPM) V2.0. Custom Development Version 1.1 January 2014. PPM Project Type Custom Development Project Planning and Management (PPM) V2.0 Project Type Guide Custom Development Version 1.1 January 2014 Last Revision: 1/22/2014 Page 1 Project Type Guide Summary: Custom Development Custom software

More information

Cloud Computing and Records Management

Cloud Computing and Records Management GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 srsarecordsmanagement@sa.gov.au www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version

More information

Federal Data Center Consolidation Initiative

Federal Data Center Consolidation Initiative Federal Data Center Consolidation Initiative United States Agency for International Development (USAID) 2011 Data Center Consolidation Plan & Progress Report September 30, 2011 1 Introduction...2 2 Agency

More information

Cloud Security Introduction and Overview

Cloud Security Introduction and Overview Introduction and Overview Klaus Gribi Senior Security Consultant klaus.gribi@swisscom.com May 6, 2015 Agenda 2 1. Cloud Security Cloud Evolution, Service and Deployment models Overview and the Notorious

More information

Cloud Computing Best Practices and Considerations for Project Managers Mike Lamoureux, PMP, MBA. Page 1

Cloud Computing Best Practices and Considerations for Project Managers Mike Lamoureux, PMP, MBA. Page 1 Cloud Computing Best Practices and Considerations for Project Managers Mike Lamoureux, PMP, MBA Page 1 Cloud Computing is the 5 th Utility Water Electricity Gas Telephone Computing Page 2 Why does a Project

More information

Federal Cloud Security

Federal Cloud Security Federal Cloud Security The views, opinions and/or findings contained in this report are those of The MITRE Corporation and should not be construed as an official government position, policy, or decision,

More information

A New Way to Compute or: How I Learned to Stop Worrying and Love the Cloud

A New Way to Compute or: How I Learned to Stop Worrying and Love the Cloud A New Way to Compute or: How I Learned to Stop Worrying and Love the Cloud Robert Bohn NIST March 7, 2012 DC/SLA Washington, DC Chapter History Cloud" is borrowed from telephony. Telecoms once offered

More information

Cloud Computing in a Regulated Environment

Cloud Computing in a Regulated Environment Computing in a Regulated Environment White Paper by David Stephenson CTG Regulatory Compliance Subject Matter Expert February 2014 CTG (UK) Limited, 11 Beacontree Plaza, Gillette Way, READING, Berks RG2

More information

NIST Cloud Computing Program

NIST Cloud Computing Program NIST Program USG Roadmap Top 10 high priority requirements to accelerate USG adoption of the model NIST Mission: To promote U.S. innovation and industrial competitiveness by advancing measurement science,

More information

Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World

Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World Web Hull Privacy, Data Protection, & Compliance Advisor Society

More information

A COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012

A COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012 A COALFIRE PERSPECTIVE Moving to the Cloud A Summary of Considerations for Implementing Cloud Migration Plans into New Business Platforms NCHELP Spring Convention Panel May 2012 DALLAS DENVER LOS ANGELES

More information

LEGAL ISSUES IN CLOUD COMPUTING

LEGAL ISSUES IN CLOUD COMPUTING LEGAL ISSUES IN CLOUD COMPUTING RITAMBHARA AGRAWAL INTELLIGERE 1 CLOUD COMPUTING Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing

More information

2.0 ROLES AND RESPONSIBILITIES

2.0 ROLES AND RESPONSIBILITIES 2.0 ROLES AND RESPONSIBILITIES This handout describes applicable roles and responsibilities for the Capital Planning and Investment Process (CPIC) as presented in the NIST Integrating IT Security into

More information

Cloud Computing. Course: Designing and Implementing Service Oriented Business Processes

Cloud Computing. Course: Designing and Implementing Service Oriented Business Processes Cloud Computing Supplementary slides Course: Designing and Implementing Service Oriented Business Processes 1 Introduction Cloud computing represents a new way, in some cases a more cost effective way,

More information

IBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation

IBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation IBM Cloud Security Draft for Discussion September 12, 2011 IBM Point of View: Cloud can be made secure for business As with most new technology paradigms, security concerns surrounding cloud computing

More information

Cloud Computing. by Civic Consulting (research conducted October 2011 January 2012)

Cloud Computing. by Civic Consulting (research conducted October 2011 January 2012) Cloud Computing by (research conducted October 2011 January 2012) for the European Parliament, DG Internal Policies of the Union, Directorate A (Economic and Scientific Policy); presentation for the EP

More information

Cloud Security: Evaluating Risks within IAAS/PAAS/SAAS

Cloud Security: Evaluating Risks within IAAS/PAAS/SAAS Cloud Security: Evaluating Risks within IAAS/PAAS/SAAS Char Sample Security Engineer, Carnegie Mellon University CERT Information Security Decisions TechTarget Disclaimer Standard Disclaimer - This talk

More information

East African Information Conference 13-14 th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud?

East African Information Conference 13-14 th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud? East African Information Conference 13-14 th August, 2013, Kampala, Uganda Security and Privacy: Can we trust the cloud? By Dr. David Turahi Director, Information Technology and Information Management

More information

Cloud-Based ICT Services Checklist

Cloud-Based ICT Services Checklist Cloud-Based ICT Services Checklist Guideline A non-exhaustive list of considerations to be made when evaluating, purchasing, implementing and managing cloud-based ICT services. Keywords: Cloud-based ICT

More information

10 Considerations for a Cloud Procurement. Anthony Kelly Erick Trombley David DeBrandt Carina Veksler January 2015

10 Considerations for a Cloud Procurement. Anthony Kelly Erick Trombley David DeBrandt Carina Veksler January 2015 10 Considerations for a Cloud Procurement Anthony Kelly Erick Trombley David DeBrandt Carina Veksler January 2015 www.lbmctech.com info@lbmctech.com Purpose: Cloud computing provides public sector organizations

More information

Cloud Computing at CDC Current Status and Future Plans Earl Baum. March, 2014

Cloud Computing at CDC Current Status and Future Plans Earl Baum. March, 2014 Cloud Computing at CDC Current Status and Future Plans Earl Baum March, 2014 1 Background Current Activities Agenda Use Cases, Shared Services and Other Considerations What s Next 2 Background Cloud Definition

More information

Security Authorization Process Guide

Security Authorization Process Guide Security Authorization Process Guide Office of the Chief Information Security Officer (CISO) Version 11.1 March 16, 2015 TABLE OF CONTENTS Introduction... 1 1.1 Background... 1 1.2 Purpose... 2 1.3 Scope...

More information

Evaluation Report. The Social Security Administration s Cloud Computing Environment

Evaluation Report. The Social Security Administration s Cloud Computing Environment Evaluation Report The Social Security Administration s Cloud Computing Environment A-14-14-24081 December 2014 MEMORANDUM Date: December 17, 2014 Refer To: To: From: The Commissioner Inspector General

More information

NSW Government. Data Centre & Cloud Readiness Assessment Services Standard. v1.0. June 2015

NSW Government. Data Centre & Cloud Readiness Assessment Services Standard. v1.0. June 2015 NSW Government Data Centre & Cloud Readiness Assessment Services Standard v1.0 June 2015 ICT Services Office of Finance & Services McKell Building 2-24 Rawson Place SYDNEY NSW 2000 standards@finance.nsw.gov.au

More information

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. Gunnar Wahlgren 1, Stewart Kowalski 2 Stockholm University 1: (wahlgren@dsv.su.se), 2: (stewart@dsv.su.se) ABSTRACT

More information

What Cloud computing means in real life

What Cloud computing means in real life ITU TRCSL Symposium on Cloud Computing Session 2: Cloud Computing Foundation and Requirements What Cloud computing means in real life Saman Perera Senior General Manager Information Systems Mobitel (Pvt)

More information

Legal Issues in the Cloud: A Case Study. Jason Epstein

Legal Issues in the Cloud: A Case Study. Jason Epstein Legal Issues in the Cloud: A Case Study Jason Epstein Outline Overview of Cloud Computing Service Models (SaaS, PaaS, IaaS) Deployment Models (Private, Community, Public, Hybrid) Adoption Different types

More information

Why Migrate to the Cloud. ABSS Solutions, Inc. 2014

Why Migrate to the Cloud. ABSS Solutions, Inc. 2014 Why Migrate to the Cloud ABSS Solutions, Inc. 2014 ASI Cloud Services Information Systems Basics Cloud Fundamentals Cloud Options Why Move to the Cloud Our Service Providers Our Process Information System

More information

Federal CIO: Cloud Selection Toolkit. Georgetown University: Chris Radich Dana Christiansen Doyle Zhang India Donald

Federal CIO: Cloud Selection Toolkit. Georgetown University: Chris Radich Dana Christiansen Doyle Zhang India Donald Federal CIO: Cloud Selection Toolkit Georgetown University: Chris Radich Dana Christiansen Doyle Zhang India Donald Agenda Project Introduction Agency Cloud Challenges Toolkit Solution Overview Step 1:

More information

Cloud Computing and Government Services August 2013 Serdar Yümlü SAMPAŞ Information & Communication Systems

Cloud Computing and Government Services August 2013 Serdar Yümlü SAMPAŞ Information & Communication Systems eenviper White Paper #4 Cloud Computing and Government Services August 2013 Serdar Yümlü SAMPAŞ Information & Communication Systems 1 Executive Summary Cloud computing could revolutionise public services

More information

ClOP CHAPTER 1351.39. Departmental Information Technology Governance Policy TABLE OF CONTENTS. Section 39.1

ClOP CHAPTER 1351.39. Departmental Information Technology Governance Policy TABLE OF CONTENTS. Section 39.1 ClOP CHAPTER 1351.39 Departmental Information Technology Governance Policy TABLE OF CONTENTS Section 39.1 Purpose... 1 Section 39.2 Section 39.3 Section 39.4 Section 39.5 Section 39.6 Section 39.7 Section

More information

New Computing Models, and What They Mean to the Small and Mid-Sized Business Consumer

New Computing Models, and What They Mean to the Small and Mid-Sized Business Consumer New Computing Models, and What They Mean to the Small and Mid-Sized Business Consumer How your business can make practical decisions between The Cloud, Utility Computing and Hosted Services 1 Business

More information

The Next Generation Data Centers: SPECS and The 3 rd Platform.

The Next Generation Data Centers: SPECS and The 3 rd Platform. The Next Generation Data Centers: SPECS and The 3 rd Platform. Dr. Silvio La Porta Senior Research Scientist EMC Research Europe Dr. Said Tabet Senior Technology Strategist Corporate CTO Office, EMC 1

More information

GRC and Cloud Services. By David Lingenfelter 2012

GRC and Cloud Services. By David Lingenfelter 2012 GRC and Cloud Services By David Lingenfelter 2012 Background > MaaS360 SaaS Cloud Model > Mobile Device Management > FISMA Moderate Certified > SAS-70/SOC-2 > Member of the Cloud Security Alliance > Participant

More information

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS AHLA JJ. Keeping Your Cloud Services Provider from Raining on Your Parade Jean Hess Manager HORNE LLP Ridgeland, MS Melissa Markey Hall Render Killian Heath & Lyman PC Troy, MI Physicians and Hospitals

More information

DoD CIO s 10-Point Plan for IT Modernization. Ms. Teri Takai DoD CIO

DoD CIO s 10-Point Plan for IT Modernization. Ms. Teri Takai DoD CIO DoD CIO s 10-Point Plan for IT Modernization Ms. Teri Takai DoD CIO Executive Summary Proactive Partnerships for IT Modernization IT Modernization Strategy Consolidate Infrastructure Streamline Processes

More information

ITSM in the Cloud. An Overview of Why IT Service Management is Critical to The Cloud. Presented By: Rick Leopoldi RL Information Consulting LLC

ITSM in the Cloud. An Overview of Why IT Service Management is Critical to The Cloud. Presented By: Rick Leopoldi RL Information Consulting LLC ITSM in the Cloud An Overview of Why IT Service Management is Critical to The Cloud Presented By: Rick Leopoldi RL Information Consulting LLC What s Driving the Move to Cloud Computing Greater than 70%

More information

The NIST Definition of Cloud Computing (Draft)

The NIST Definition of Cloud Computing (Draft) Special Publication 800-145 (Draft) The NIST Definition of Cloud Computing (Draft) Recommendations of the National Institute of Standards and Technology Peter Mell Timothy Grance NIST Special Publication

More information

2011 Morrison & Foerster LLP All Rights Reserved mofo.com. Risk, Governance and Negotiation in the Cloud: Capture Benefits and Reduce Risks

2011 Morrison & Foerster LLP All Rights Reserved mofo.com. Risk, Governance and Negotiation in the Cloud: Capture Benefits and Reduce Risks 2011 Morrison & Foerster LLP All Rights Reserved mofo.com Risk, Governance and Negotiation in the Cloud: Capture Benefits and Reduce Risks 14 September 2011 Presenters Alistair Maughan Morrison & Foerster

More information

Top 10 Cloud Risks That Will Keep You Awake at Night

Top 10 Cloud Risks That Will Keep You Awake at Night Top 10 Cloud Risks That Will Keep You Awake at Night Shankar Babu Chebrolu Ph.D., Vinay Bansal, Pankaj Telang Photo Source flickr.com .. Amazon EC2 (Cloud) to host Eng. Lab testing. We want to use SalesForce.com

More information

CLOUD COMPUTING. Additional Opportunities and Savings Need to Be Pursued

CLOUD COMPUTING. Additional Opportunities and Savings Need to Be Pursued United States Government Accountability Office Report to Congressional Requesters September 2014 CLOUD COMPUTING Additional Opportunities and Savings Need to Be Pursued GAO-14-753 September 2014 CLOUD

More information

Expert Reference Series of White Papers. Understanding NIST s Cloud Computing Reference Architecture: Part II

Expert Reference Series of White Papers. Understanding NIST s Cloud Computing Reference Architecture: Part II Expert Reference Series of White Papers Understanding NIST s Cloud Computing Reference Architecture: Part II info@globalknowledge.net www.globalknowledge.net Understanding NIST s Cloud Computing Reference

More information