NIST Cloud Roadmap Helpful, But Doesn’t Address Everything

Four years after the Obama administration introduced its “cloud-first” policy, most federal agencies have completed simple projects, but the challenging tasks still remain. So said a panel of government IT executives at the Advanced Technology Academic Research Center (ATARC) summit on cloud computing in January.

“We’ve done the easy stuff, [such as] legacy email. The hard stuff [is] now applying cloud services to our legacy systems,” said Dawn Leaf, CIO of the U.S. Department of Labor.

The cloud roadmap developed by the National Institute of Standards and Technology (NIST) and laid out in the standards agency’s Special Publication 500-293 doesn’t actually identify specific actions that government organizations should take, but it sets 10 parameters that decision-makers should use when considering potential cloud solutions, said Bob Bohn, the NIST Cloud Computing Technical Program Manager.

“These are the 10 highest priority requirements … to move to safe adoption of cloud,” Bohn said. “This is not a NIST-centric view, but a community view.”

The roadmap is not intended to prescribe specific solutions, Bohn said.

“When we put this roadmap together, we started off with nothing but the NIST cloud computing definition, … then we developed a reference architecture based just on that definition,” he said. “It wasn’t in our best interest to define the technology in that architecture, but more a role-based model.”

For example, Requirement 4 on the list calls for clearly and consistently categorized cloud services. “Look at the definition of how the provider gives you that. [N]umber 3, high quality service level agreements [SLAs] – don’t assume anything. If you have questions, don’t hesitate to ask,” he said.

Param Soni, chief architect for the Environmental Protection Agency, said that two years his architecture working group designed a cloud computing questionnaire. “We used the working group first to educate them [about cloud computing], then gave them the questionnaire,” he said. They used the answers to determine if different parts of the organization were ready for cloud computing.

“I think most of them are not ready; they think they’re ready, but they’re not,” he said.

Leaf said moving to the cloud is “straightforward” – if not necessarily easy – for new applications or replacing an enterprise-wide service, but that it gets “messy” when it comes to including new capabilities in existing systems.

“We have field investigators, they’re trying to capture but we don’t have it embedded in our legacy systems,” she said. “When we’re looking at new capabilities, we want those we don’t already have up,” such as video.

Though it is not part of the NIST roadmap, Bohn said it’s important to have a good exit strategy.

“Because of interoperability [and] portability issues, once you give data off to a cloud provider, when you get the data back it may not be in a form you can read or move easily to another cloud,” he said. “Make sure it’s in that contract. Until we have the day where we’re completely interoperable, portable, I’d always be thinking how to get out.”

Leaf said that Labor “actually tested the exit strategy in our implementation, part of our [contract] requirement, on legacy email.”

The panelists all agreed that procurement regulations have not kept up with advances in technology and the move to cloud services.

“The closest we might get to procurement issues is requirements 3 and 4, where the rubber hits the road in understanding the cloud services and the SLAs,” Bohn said.