Attached below is a report to the President on cloud computing from the President’s National Security Telecommunications Advisory Committee.
NSTAC’s highest priority recommendations to the President are as follows:
The President’s National Security Telecommunications Advisory Committee (NSTAC) recommends that the President, in accordance with responsibilities and existing mechanisms established by Executive Order 12472, Assignment of National Security and Emergency Preparedness Telecommunications Functions, undertake the following package of actions as a matter of the greatest priority related to national security and emergency preparedness (NS/EP) in cloud computing:
- Direct the appropriate Government organization to develop processes and maintain priorities as described in the body of the report for migration of NS/EP missions to cloud-based environments.
- Direct the adoption of NS/EP service level agreements (SLA) in all contracts pertaining to NS/EP cloud computing, which address the following functionalities:
  - Mission emphasis on continuous availability, assured capacity;
  - Identity management (authentication & authorization) for specified mission functions;
  - Periodic third-party audit;
  - Provisions for continuous monitoring;
  - Data encryption in hosted data center (data at rest);
  - Security process transparency for users (EP systems only); and
  - Certification and Accreditation (C&A) of hosting systems/processes.
- For certain national security systems, additional requirements include:
  - Data tagging; and
  - Security management conducted by government service provider.
- Direct the National Communications System (NCS) to adopt cloud security controls developed by this study and found at Appendix E as a comprehensive NS/EP cloud security program, making their use mandatory by NS/EP service owners and auditable by third parties.
- Broaden the definitional scope of NS/EP, as reflected in current law and federal regulation, to embrace information services, as defined, in order to permit the technical nature of cloud computing to fit within the NS/EP definition.
- Direct the expansion of scope of the Federal Risk and Authorization Management Program (FedRAMP) to embrace those governmental information systems reportable under the Federal Information Security Management Act (FISMA) as being of Federal Information Processing Standards (FIPS) 199 High Risk Impact level, thereby closing a current gap in oversight of a large number of systems relevant to NS/EP.
- Direct the initiation of a Federal program, in collaboration with relevant industry partners, to develop a system for priority access to cloud-based equities in times of need, based on infrastructure degradation due to natural or man-made causes.