top of page

NIST drafts new cloud security policy

The U.S. government's Cloud First plan, which is a direct ive that tells agencies to look to cloud computing solutions first during IT procurement processes, is getting some help from the National Institute of Standards and Technology. NIST is drafting a special publication specifically to help companies define a cloud security architecture. This builds on the previous reference architecture the NIST created, but not the special publication that had been previously released, according to Fierce Government IT.

Michaela Iorga, NIST senior security technical lead for cloud computing, told the news source that the intent is to map out the specific controls necessary for a safe move into the cloud. Many components come from the Cloud Security Alliance's Trust Cloud Initiative-Reference Architecture, as they address high and mid-level security needs of government agencies. One example given as a high concern is security monitoring service, while mid-level cloud be endpoint monitoring.

"The document's objective is to demystify the process of selecting cloud-based services that best address an agency's requirements in the most secure and efficient manner," Iorga said. "The Risk Management Framework has to be adapted when applying the risk-based approach to applications or systems migrated to the cloud because the implementation, assessment, authorization and monitoring of selected security controls may fall under the responsibility of different cloud 'actors;' for example, consumer, service provider or broker."

As a prescription for a"healthy security lifestyle," Iorga told FierceGovernmentIT that agencies and consumers must think about concerns before any kind of adoption. Requirements should not be compromised once implementation gets underway she said, as there is a responsibility to keep security up to the organization's standards.

To help users pick out the best possible cloud solution, a case study will be provided to walk agencies through steps for deploying a typical application into the cloud, whether it be email, calendars, document sharing or a cloud-based chatting service.

According to the CDW-G State of the Cloud Report, 73 percent of IT professionals said personal use of cloud applications by employees has influenced their decision to adopt more cloud computing services and applications. Sixty-one percent of users agree that these apps allow their agencies to move faster.

"Users recognize the ease, and IT departments are responding with bring-your-own-device (BYOD) programs and secure cloud services," FedTech Magazine said. "The goal has always been to make technology easier for employees to use, and now that's happening faster than ever."


bottom of page