INPUT Government Technology Market Blog

Ranked top blog by Federal Computer Week
Security, Standards and Budget Initiatives to Spark Cloud Computing Adoption

Yesterday, I attended a cloud computing forum and workshop hosted by the National Institute of Standards and Technology (NIST). The most memorable line I heard all day came from an industry panelist who said, "Cloud Computing is basically the Internet eating IT." Despite that alarming image, NIST, the General Services Administration (GSA), the Federal CIO Council and the Cloud Computing Interagency Council, and the Office of Management and Budget (OMB) are forging ahead with their efforts to provide standardization and security to agencies moving to the cloud. The message was clear: the federal government wants to include industry in the process.

Vivek Kundra delivered the keynote, in which he stressed the criticality of standards, interoperability and data portability in moving forward. These factors shape the major initiatives underway that focus on increasing the adoption of cloud computing.

Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC)

SAJACC is a NIST-led initiative that will validate and communicate interim specifications to agencies in the areas of security, interoperability and data portability. The idea here is that, rather than waiting (possibly years) for formal standards to be developed by consensus, NIST would conduct use tests to validate the viability of cloud computing against specific requirements and share test results with agencies and the public.

NIST will identify use cases (9 have been identified already) for evaluation and test those cases against specifications in the following categories:

  • File/Object System (e.g. sharing access, accessing by name/pattern, etc.)
  • Job Control Programming (e.g. set-up controls, specifications)
  • Cloud-2-Cloud (e.g. storage peering, cloud bursts, cloud brokers, backup/restore, etc.)
  • Administration (e.g. user account management, compliance, SLA comparison, etc.)
  • Data Management (e.g. data in, data out, archiving, etc.)

NIST also plans to accept use cases from vendors, although the process for doing so is still under development. Once the tests are completed, NIST will communicate those results to agencies considering cloud computing projects as well as the public via a web portal.

Federal Risk and Authorization Management Program (FedRAMP)

FedRAMP, which is at the end of the conceptual phase, will use NIST's risk management framework to provide centralized security certification and authorization government-wide. NIST will provide the technical advice, and planning is underway to develop the implementation framework.

How it works: FedRAMP works with agencies to develop government-wide baseline security requirements and works with the cloud computing vendors to assess and authorize their systems based on those requirements. Vendor products would be listed as "FedRAMP authorized." Rather than complete the entire end-to-end certification process themselves, agencies would have the option of leveraging the work already completed by FedRAMP, and add any incremental steps needed to address agency-specific requirements. Agencies maintain the authority and responsibility for ensuring that systems meet their needs but much of the initial legwork will already be done. The goal is to limit some of the duplicative risk management efforts, acquisition delays caused by lengthy compliance processes, and inconsistent application of federal security requirements that have plagued agencies in the past.

According to Peter Mell, Sr. Computer Scientist at NIST, defense and intelligence agencies were also involved in the development of FedRAMP in order to unify the security control framework that will be used government-wide.

NIST, GSA and the Cloud Computing Interagency Council will be developing implementation details in the coming weeks and months. Other questions to be answered: Who's going to run FedRAMP? How will it be funded?

Federal Budget Planning

During his presentation, Vivek Kundra also mentioned a new Federal CIO Council report, "The State of Public Sector Cloud Computing". This report outlines the role of cloud computing in the budget process for FY2011 and beyond. Agencies will be required to complete alternative analyses that include cloud computing-based alternatives as part of future budget submissions.

  • By September 2011: alternatives analyses for all newly planned or performing major IT investments
  • By September 2012: alternatives analyses for all IT investments making enhancements to an existing investment
  • By September 2013: alternatives analyses for all IT investments in steady-state

The morning session included a panel of industry representatives from Intel, Microsoft, the Cloud Security Alliance, Amazon.com and the Center for Democracy and Technology. Many of the questions centered around what NIST and other federal agencies should do to propel cloud computing forward. Panelists' wish list:

  • Keep going with FedRAMP (security certification effort), but don't stop there.
  • Develop standards in collaboration with both industry and international stakeholders
  • Recognize that interoperability needs can vary case by case; no one size fits all
  • Don't stifle innovation by setting standards too quickly; focus on building the framework
  • ID management, access control and cryptographic key management are the main security issues surrounding cloud computing and can have a serious impact on scalability
  • Push vendors to be more transparent about their security controls
  • Traditional notions based on physical boundaries will need to change
  • SLAs must include meaningful metrics for performance and security

NIST and other agencies seem committed to successful implementation of these initiatives, in partnership with industry. Success will largely depend on agency buy-in, which federal cloud computing champions are anticipating. However, if cloud computing is indeed "eating IT," part of the sale to the IT personnel who have to implement it should include the image of him or her emerging as the person who can help personnel do their jobs more efficiently, rather than the person to blame when their Crackberrys won't work.


Copyright © 2010 INPUT. All rights reserved. | Information Services are delivered through INPUT's IMPACT® Portal.