Federal cloud blog

Three tests for assessing legal and regulatory compliance for cloud providers
In its Guidelines on Security and Privacy in Public Cloud Computing, Special Publication 800-144, the National Institute of Standards and Technology (NIST) notes that organizations have a responsibility to “operate in agreement with established laws, regulations, standards, and specifications.” When cloud service providers (CSPs) work on behalf of federal departments or agencies to gather, process, store, transmit and destroy information, they must comply with many of these same laws, regulations, standards and specifications for:
- Security – CSPs must comply with the Federal Information Security Management Act (FISMA), Privacy Act, Health Insurance Portability and Accountability Act (HIPAA), National Security Act, Clinger-Cohen Act, Office of Management and Budget (OMB) Circular A-130, and NIST and other guidelines for protecting information owned by commercial entities and individuals. They also need to meet Federal Risk and Authorization Management Program (FedRAMP) requirements.
- Accessibility – If there is a public-facing aspect to a cloud implementation, CSPs must comply with Section 508 requirements for accessibility by people with disabilities.
- Other mandates and guidelines – Records management controls, such as those required by National Archives and Records Administration (NARA) statutes, as well as access and user training requirements, must also be addressed. The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data from the Organisation for Economic Co-operation and Development (OECD) must also be followed.
CSPs applying the greatest rigor to legal and regulatory compliance offer a better value-to-risk ratio than those that do not. The rigor of a CSP’s compliance can best be assessed using at least these three tests:
- Do they meet the NIST definition of cloud computing? Anything less does not provide the maximum efficiency, flexibility and value of cloud computing. For example, CGI’s cloud has successfully demonstrated the five NIST cloud characteristics.
- Do they have a FedRAMP provisional Authority to Operate (ATO) or equivalent? An ATO demonstrates compliance with FISMA, OMB A-130 and NIST; addresses 508 compliance; requires at least two data centers in the continental United States; and shows the CSP has a satisfactory continuous monitoring process. CGI went through a rigorous process to become the first CSP to receive a full, three-year ATO from the General Services Administration (GSA) for our IaaS offering, and we fully expect to be one of the first to meet new FedRAMP requirements.
- Do they provide robust security documentation? A CSP’s security documentation provides the primary source of information for an agency to conduct its own risk assessment for the purpose of issuing an ATO. CGI has the full set of documents associated with our ATO available for review, providing a level of transparency greater than what most agencies expect for their own systems.
Fundamental to all three tests, or any other test, is disclosure and transparency. This information will not be found on a CSP’s public website, as much of it is considered intellectual property, but it should be available by other means. GSA established a reading room for reviewing security documentation in a pre-proposal evaluation phase. Post-award, documentation should be available from the CSP under a non-disclosure agreement. Agencies need to know the risks before adopting cloud solutions. Full disclosure and transparency help them assess their risk and make informed decisions.