U.S. Department of Commerce
Office of the Chief Information Officer
Cloud Computing Policy

Background
Scope
Policy
Guidance
References and Additional Information
Point of Contact

Background

The National Institute of Standards and Technology (NIST) defines Cloud Computing as: “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Three common service models include Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). For additional details, see the NIST Definition of Cloud Computing.¹

Department of Commerce (DOC) use of Cloud Computing services must adequately address relevant statutory and policy requirements associated with Federal IT systems, including issues of IT security and risk management, privacy, legal issues (e.g., Terms of Service), records management, and other applicable requirements. See the section below for issues to consider.

Beginning with the FY 2012 budget, the Office of Management and Budget requires that Federal agencies consider Cloud Computing as an alternative for new IT investments. For the FY 2013 budget, the requirement to consider Cloud Computing covers mixed lifecycle projects (those that include development, modernization, and enhancement as well as steady state operations), and in FY 2014, the requirement covers all projects.

Since Cloud Computing can offer benefits in the cost, performance, and delivery of IT services, it is anticipated that the use of Cloud Computing services will grow significantly over the next several years. This policy is intended to ensure that the use of these services is managed in accordance with existing Federal IT management requirements, and to provide a level of Chief Information Officer (CIO) oversight to address the possibility of a higher level of risk existing as a result of these new and still-evolving IT service models. The primary reason for this policy is to facilitate a well-managed and successful adoption of Cloud Computing by establishing a process that directs attention to IT-related requirements, management processes, and risk factors.

Scope

This policy applies to any Department of Commerce acquisition of Cloud Computing services. The project manager must coordinate planning with the operating unit CIO early in the planning process to avoid unnecessary problems later in the planning and acquisition lifecycle.

This policy pertains to the acquisition of services from a source outside of the Department of Commerce. Internal Cloud Computing services are already covered by existing requirements.

Policy

Use of Cloud Computing services must be formally authorized in accordance with the Department of Commerce and operating unit risk management framework and certification and accreditation processes. Specifically:

• Use of Cloud Computing services must comply with all current laws, IT security, and risk management policies.
• Use of Cloud Computing services must comply with all privacy laws and regulations, and appropriate language must be included in the vehicle defining the Cloud Computing source responsibilities for maintaining privacy requirements.
• Government-wide authorizations of Cloud Computing services under the Federal Risk and Authorization Management Program (FedRAMP) may be leveraged to facilitate use of these services. However, FedRAMP authorization alone is not sufficient to meet the requirement of authorization for Department of Commerce use of a particular service for a particular purpose. An appropriate Authorizing Official, sufficiently familiar with the context of the use of the service (including the mission requirements and associated Federal Information Processing Standard (FIPS) 199 impact level), and adequately informed of the associated risks through a risk assessment, must document an acceptance of risk and formal authorization of the use of the service.
• For external Cloud Computing services that require users to agree to terms of service agreements, such agreements must be approved by the DOC Office of General Counsel.

All use of Cloud Computing services must be approved in writing by the operating unit CIO. The operating unit CIO will certify that security, privacy, and other IT management requirements have been adequately addressed prior to approving use of Cloud Computing services.

• The Cloud Computing service may not be put into production use until the operating unit CIO has provided written approval.
• The project manager must retain the CIO’s certification along with other investment documentation.

Guidance

Many issues should be considered carefully before adopting a Cloud Computing solution. The list below features some of the more important issues to consider, and to address in contract language when appropriate:

• Determine why the agency needs to use a Cloud Computing approach. What are the drivers? Several possible drivers are listed below.
  • More efficiency or effectiveness for the IT investment.
• Need for a specific Cloud Computing characteristic (elasticity, scalability, usage-based model).
• Need for rapid implementation (e.g., use of an existing infrastructure, leveraging of existing Government-wide FedRAMP authorization)
• Be realistic in cost estimates. Consider the total lifecycle costs, not just the cost of implementation.
• Acquisition strategy
  • Identify and consider appropriate existing contracts and Cloud Computing solutions already in use at the Department of Commerce before acquiring new services.
• When acquiring new services, consider how services can be architected and agreements written in a way that would enable broader use/adoption of the service across the rest of the Department.
• IT security
  • Match IT security requirements (including FIPS 199 impact level) and the security capabilities of the Cloud Computing implementation to those of the mission/business needs being supported.
  • Weigh the security threats and opportunities that are present for public, private, and community Clouds.
  • Consider how issues of logging, incident reporting, response, forensics, and other security-related functions should be addressed with respect to the Cloud Computing service provider.
  • Consider how disaster recovery and continuity of operations planning will be addressed.
• Privacy impact
  • If Personally Identifiable Information (PII) or other sensitive information is involved, document how it will be protected and who is allowed access to it.
  • If the Cloud Computing source is keeping user usage statistics, consider the privacy implications involved and define appropriate safeguards to assure user privacy is maintained. This would include session logs and security access logs, among others.
• Define how all relevant provisions of the Privacy Act will be enforced, and identify responsible parties.
• Records Management
• Identify all systems of records to be hosted in the cloud.
• Identify the schedules for all records and include the information on retention as part of the agreement with the vendor.
• Specify the retention time for all system backups.
• Consider how records management and electronic discovery will be managed in the cloud environment.
• Consider implications of using a service model that is different from the traditional use of Government-owned and -operated infrastructure.
• Identify which issues should be explicitly documented in service level agreements.
• Consider issues of interoperability with existing systems.
• Consider issues of data ownership and portability. How would you migrate from a given Cloud Computing infrastructure to another one at some point in the future?
• Examine the need for additional training for Departmental staff.
• Focus on the requirement driving the need, not the technology used to implement it.
• Determine how mature the industry offerings are for the implementation under consideration.

References and Additional Information

A wealth of information exists about the Federal Cloud Computing Initiative and other topics regarding the implementation of Cloud Computing in the Federal Government. The links below are the most current documents from the Federal CIO Council, General Services Administration, National Institute of Standards and Technology (NIST), and the National Archives and Records Administration (NARA).

The General Services Administration and the Federal CIO Council are preparing a document entitled "Security Controls, Guidelines and Process for US Government Cloud Computing," which is currently being reviewed and should be published by the end of the first quarter of fiscal year 2011. A draft copy is available on request from the contact listed below.

• A Report on Federal Web 2.0 Use and Record Value
• Federal Risk and Authorization Management Program (FedRAMP)
• NIST Computer Security Resource Center - Cloud Computing
• Guidance on Managing Records in Cloud Computing Environments

In addition to these documents, there is a large collection of documents on the OMB MAX Web site.

Point of Contact

For additional questions regarding this policy, please contact Tom Pennington, 202-482-5899, tpennington@doc.gov.

Revision date: None

Approved by: Simon Szykman, Chief Information Officer December 8, 2010