The National Institute of Standards and Technology (NIST) created a series of ‘special publications’ beginning in 1990 that deal specifically with standards for computer security. Since that time, the SP 800 library has grown substantially. The Institute’s influence is recognized across the IT industry. SP 800-53 actually forms the basis of the new FedRAMP initiative as it relates to cloud service providers.

Definition Still Under Development

Because cloud computing is a very new area, NIST is in the process of soliciting comments and recommendations for SP 800-145. This draft publication seeks to create a standardized, formal definition of the term itself. Some of the defining criteria so far include: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service (pay-for-use billing model).

Concerns Are Being Addressed

The same characteristics (such as resource pooling) that make cloud services attractive also create new concerns for federal entities that are used to having a great deal of control over their IT infrastructure and processes. NIST is addressing general security concerns through the development of publications like SP 800-137, which discusses continuous monitoring for information systems. An adequate monitoring system must be able to make the user aware of risk factors, provide accurate assessments of current security controls, and deliver the information needed to respond to a security threat in a timely manner.

Specific concerns that are being examined in SP 800-144 regarding cloud computing include:

  • Governance
  • Compliance
  • Trust
  • Architecture
  • Identity and Access Management
  • Software Isolation
  • Data Protection
  • Availability
  • Incident Response

Stay Tuned for More Info on SP 800 Topics

We’ll explore these issues in more detail in a future post along with how they relate to HR software. Emerald Software Group does currently offer a cloud option for Universal Onboarding in partnership with Amazon’s EC2 cloud platform. As a cloud partner, we have a vested interest in making sure our software meshes with NIST recommendations. So, this is yet another area where we are progressing toward compliance as these standards are formalized.
