`Special Publication 500-291, Version 2
`
`NIST Cloud Computing Standards Roadmap
`
`NIST Cloud Computing Standards Roadmap Working Group
`NIST Cloud Computing Program
`Information Technology Laboratory
`
`WIZ, Inc. EXHIBIT - 1021
`WIZ, Inc. v. Orca Security LTD.
`
`
`
`NIST CLOUD COMPUTING STANDARDS ROADMAP
`
`NIST Special Publication 500-291, Version 2
`
`(Supersedes Version 1.0, July 2011)
`
`NIST Cloud Computing Standards Roadmap
`
`NIST Cloud Computing Standards Roadmap Working Group
`
`July 2013
`
`U. S. Department of Commerce
`Penny Pritzker, Secretary
`
`National Institute of Standards and Technology
`Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director
`
`Reports on Computer Systems Technology
`
`The Information Technology Laboratory (ITL) at the National Institute of Standards and
`Technology (NIST) promotes the U.S. economy and public welfare by providing technical
`leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test
`methods, reference data, proof of concept implementations, and technical analysis to advance the
`development and productive use of information technology. ITL’s responsibilities include the
`development of technical, physical, administrative, and management standards and guidelines for
`the cost-effective security and privacy of sensitive unclassified information in federal computer
`systems. This document reports on ITL’s research, guidance, and outreach efforts in Information
`Technology and its collaborative activities with industry, government, and academic organizations.
`
`National Institute of Standards and Technology Special Publication 500-291 V2
`
`Natl. Inst. Stand. Technol. Spec. Publ. 500-291, 108 pages (May 24, 2013)
`
`DISCLAIMER
`
`This document has been prepared by the National Institute of Standards and Technology
`(NIST) and describes standards research in support of the NIST Cloud Computing
`Program.
`
`Certain commercial entities, equipment, or material may be identified in this document in
`order to describe a concept adequately. Such identification is not intended to imply
`recommendation or endorsement by the National Institute of Standards and Technology,
`nor is it intended to imply that these entities, materials, or equipment are necessarily the
`best available for the purpose.
`
`Acknowledgements
`
`This document is an update of the first version, which was published in July 2011. It reflects the
`contributions and discussions by the membership of the NIST Cloud Computing Standards Roadmap
`Working Group, chaired by Michael Hogan and Annie Sokol of the Information Technology Laboratory,
`National Institute of Standards and Technology, U.S. Department of Commerce.
`
`NIST SP 500-291, Version 2 has been collaboratively authored by the NIST Cloud Computing Standards
`Roadmap Working Group. As of the date of this publication, there are over one thousand Working Group
`participants from industry, academia, and government. Federal agency participants include NASA and the
`U.S. Departments of Agriculture, Commerce, Defense, Health & Human Services, Homeland Security,
`Justice, Transportation, Treasury, State, and Veterans Affairs.
`
`NIST would like to acknowledge the specific contributions from the following Working Group members:
`
`Alan Sill, Open Grid Forum
`Michaela Iorga, NIST
`Annie Sokol, NIST
`Nancy Landreville, University of Maryland
`Craig Lee, Open Grid Forum
`P W Carey, Compliance Partners, LLC
`David Harper, Johns Hopkins University
`Paul Lipton, CA Technologies
`Eugene Luster, U.S. Department of Defense
`Richard Brackney, Microsoft
`Frederic de Vaulx, NIST
`Robert Bohn, NIST
`Gary Massaferro, AlloyCloud, Inc.
`Robert Marcus, Cloud Standards Customer Council
`Gilbert Pilz, Oracle Corporation
`Shin Adachi, NTT Multimedia Communications Labs
`Jerry Smith, US Department of Defense
`Steven McGee, SAW Concepts LLC
`John Calhoon, Microsoft
`Steven Woodward, Woodward Systems
`John Messina, NIST
`Michael Hogan, NIST
`Sundararajan Ramanathan, Capgemini US Consulting
`Winston Bumpus, DMTF, VMWare Inc.
`Michael Stewart, Space and Naval Warfare Systems Command
`
`The NIST editors for this document were: Michael Hogan and Annie Sokol.
`
`TABLE OF CONTENTS
`
`1 EXECUTIVE SUMMARY
`
`2 INTRODUCTION
`2.1 BACKGROUND
`2.2 NIST CLOUD COMPUTING VISION
`2.3 NIST CLOUD COMPUTING STANDARDS ROADMAP WORKING GROUP
`2.4 HOW THIS REPORT WAS PRODUCED
`
`3 THE NIST DEFINITION OF CLOUD COMPUTING
`
`4 CLOUD COMPUTING REFERENCE ARCHITECTURE
`4.1 OVERVIEW
`4.2 CLOUD CONSUMER
`4.3 CLOUD PROVIDER
`4.3.1 SERVICE DEPLOYMENT
`4.3.2 SERVICE ORCHESTRATION
`4.3.3 CLOUD SERVICE MANAGEMENT
`4.3.4 SECURITY
`4.3.5 PRIVACY
`4.4 CLOUD AUDITOR
`4.5 CLOUD BROKER
`4.6 CLOUD CARRIER
`
`5 CLOUD COMPUTING USE CASES
`5.1 BUSINESS USE CASES
`5.2 TECHNICAL USE CASES
`5.3 DEPLOYMENT SCENARIO PERSPECTIVE
`
`6 CLOUD COMPUTING STANDARDS
`6.1 INFORMATION AND COMMUNICATION TECHNOLOGIES (IT) STANDARDS LIFE CYCLE
`6.2 THE ROLE OF CONFORMITY ASSESSMENT TO STANDARDS
`6.2.1 CONFORMITY ASSESSMENT ACTIVITIES
`6.2.2 GOVERNMENT USE OF CONFORMITY ASSESSMENT SYSTEMS
`6.2.3 VISUALIZATION OF CONFORMITY ASSESSMENT PROCESSES
`6.2.4 CURRENT STATE OF CONFORMITY ASSESSMENT IN CLOUD COMPUTING
`6.3 CATEGORIZING THE STATUS OF STANDARDS
`6.4 CLOUD COMPUTING STANDARDS FOR INTEROPERABILITY AND PORTABILITY
`6.4.1 CLOUD STANDARDS FOR INTEROPERABILITY
`6.4.2 CLOUD COMPUTING STANDARDS FOR PORTABILITY
`6.4.3 SUMMARY ON INTEROPERABILITY AND PORTABILITY
`6.5 CLOUD COMPUTING STANDARDS FOR SECURITY
`6.6 CLOUD COMPUTING STANDARDS FOR PERFORMANCE
`6.6.1 CLOUD STANDARDS FOR SERVICE AGREEMENTS
`6.6.2 CLOUD STANDARDS FOR MONITORING
`6.7 CLOUD COMPUTING STANDARDS FOR ACCESSIBILITY
`
`7 CLOUD COMPUTING STANDARDS MAPPING
`7.1 SECURITY STANDARDS MAPPING
`7.2 INTEROPERABILITY STANDARDS MAPPING
`7.3 PORTABILITY STANDARDS MAPPING
`7.4 PERFORMANCE STANDARDS MAPPING
`7.5 ACCESSIBILITY STANDARDS MAPPING
`
`8 ANALYZING USE CASES TO IDENTIFY STANDARDS GAPS
`8.1 USE CASE: CREATING, ACCESSING, UPDATING, DELETING DATA OBJECTS IN CLOUD SYSTEMS
`8.2 USE CASE: MOVING VMS, VIRTUAL APPLIANCES, SERVICES, AND APPLIANCES BETWEEN CLOUDS
`8.3 USE CASE: SELECTING THE BEST IAAS CLOUD VENDOR, PUBLIC OR PRIVATE
`8.4 USE CASE: PORTABLE TOOLS FOR MONITORING AND MANAGING CLOUD SYSTEMS
`8.5 USE CASE: MOVING DATA BETWEEN CLOUD SYSTEMS
`8.6 USE CASE: SINGLE SIGN-ON ACCESS TO MULTIPLE CLOUD SYSTEMS
`8.7 USE CASE: ORCHESTRATED PROCESSES ACROSS CLOUD SYSTEMS AND ENTERPRISE SYSTEMS
`8.8 USE CASE: DISCOVERING CLOUD RESOURCES
`8.9 USE CASE: EVALUATING SLAS AND PENALTIES
`8.10 USE CASE: AUDITING CLOUD SYSTEMS
`8.11 END-TO-END: CLOUD RESOURCE MANAGEMENT USE CASE
`
`9 USG PRIORITIES TO FILL CLOUD COMPUTING STANDARDS GAPS
`9.1 AREAS OF STANDARDIZATION GAPS
`9.1.1 SAAS FUNCTIONAL INTERFACES
`9.1.2 SAAS SELF-SERVICE MANAGEMENT INTERFACES
`9.1.3 PAAS FUNCTIONAL INTERFACES
`9.1.4 BUSINESS SUPPORT, PROVISIONING AND CONFIGURATION
`9.1.5 SECURITY
`9.1.6 ACCESSIBILITY
`9.2 STANDARDIZATION PRIORITIES BASED ON USG CLOUD COMPUTING ADOPTION PRIORITIES
`9.2.1 SECURITY AUDITING AND COMPLIANCE
`9.2.2 IDENTITY AND ACCESS MANAGEMENT
`9.2.3 SAAS APPLICATION SPECIFIC DATA AND METADATA
`9.2.4 RESOURCE DESCRIPTION AND DISCOVERY
`9.2.5 SUMMARY OF STANDARDIZATION GAPS AND STANDARDIZATION PRIORITIES
`
`10 CONCLUSIONS AND RECOMMENDATIONS
`10.1 CONCLUSIONS
`10.2 RECOMMENDATION TO USG AGENCIES TO HELP ACCELERATE THE DEVELOPMENT AND USE OF CLOUD COMPUTING STANDARDS
`
`11 BIBLIOGRAPHY
`
`12 APPENDIX A – NIST FEDERAL INFORMATION PROCESSING STANDARDS AND SPECIAL PUBLICATIONS RELEVANT TO CLOUD COMPUTING
`
`13 APPENDIX B – DEFINITIONS
`
`14 APPENDIX C – ACRONYMS
`
`15 APPENDIX D – STANDARDS DEVELOPING ORGANIZATIONS
`
`16 APPENDIX E – CONCEPTUAL MODELS AND ARCHITECTURES
`
`17 APPENDIX F – EXAMPLES OF USG CRITERIA FOR SELECTION OF STANDARDS
`
`LIST OF FIGURES
`
`FIGURE 1 – CLOUD ACTORS
`FIGURE 2 – INTERACTIONS BETWEEN THE ACTORS IN CLOUD COMPUTING
`FIGURE 3 – EXAMPLE OF SERVICES AVAILABLE TO A CLOUD CONSUMER
`FIGURE 4 – CLOUD PROVIDER: MAJOR ACTIVITIES
`FIGURE 5 – CLOUD PROVIDER: SERVICE ORCHESTRATION
`FIGURE 6 – CLOUD PROVIDER: CLOUD SERVICE MANAGEMENT
`FIGURE 7 – HIGH-LEVEL GENERIC SCENARIOS
`FIGURE 8 – IT STANDARDS LIFE CYCLE
`FIGURE 9 – CONFORMITY ASSESSMENT INFRASTRUCTURE
`FIGURE 10 – ACCREDITATION PROCESS
`FIGURE 11 – ASSESSMENT PROCESS
`FIGURE 12 – THE COMBINED CONCEPTUAL REFERENCE DIAGRAM
`FIGURE 13 – DOD DISR STANDARDS SELECTION PROCESS
`
`LIST OF TABLES
`
`TABLE 1 – CLOUD CONSUMER AND CLOUD PROVIDER
`TABLE 2 – DEPLOYMENT CASES FOR HIGH LEVEL SCENARIOS
`TABLE 3 – SCENARIOS AND TECHNICAL REQUIREMENTS
`TABLE 4 – STANDARDS MATURITY MODEL
`TABLE 5 – SECURITY STANDARDS: AUTHENTICATION AND AUTHORIZATION
`TABLE 6 – SECURITY STANDARDS: CONFIDENTIALITY
`TABLE 7 – SECURITY STANDARDS: INTEGRITY
`TABLE 8 – SECURITY STANDARDS: IDENTITY MANAGEMENT
`TABLE 9 – SECURITY STANDARDS: SECURITY MONITORING & INCIDENT RESPONSE
`TABLE 10 – SECURITY STANDARDS: SECURITY CONTROLS
`TABLE 11 – SECURITY STANDARDS: SECURITY POLICY MANAGEMENT
`TABLE 12 – SECURITY STANDARDS: AVAILABILITY
`TABLE 13 – INTEROPERABILITY STANDARDS
`TABLE 14 – PORTABILITY STANDARDS
`TABLE 15 – PERFORMANCE STANDARDS
`TABLE 16 – ACCESSIBILITY STANDARDS
`TABLE 17 – AREAS OF STANDARDIZATION GAPS AND STANDARDIZATION PRIORITIES
`TABLE 18 – DOD SELECTION CRITERIA AND DESCRIPTION SUMMARY
`TABLE 19 – DOD STANDARDS SOURCES PREFERENCES
`
`Foreword
`
`
`
`This is the second edition of the NIST Cloud Computing Standards Roadmap, which has been
`developed by the members of the public NIST Cloud Computing Standards Roadmap Working
`Group. This edition includes updates to the information on portability, interoperability, and security
`standards in the first edition and adds new information on accessibility and performance standards.
`Also new in this edition is information on the role of conformity assessment in support of voluntary
`consensus standards. By analyzing typical government use cases (see Section 8), this edition and
`the previous edition identify U.S. Government priorities and gaps in cloud computing voluntary
`consensus standards. This information is intended for use by federal agencies and other
`stakeholders to help plan their participation in voluntary consensus standards development and
`related conformity assessment activities, which can help to accelerate the agencies’ secure adoption
`of cloud computing.
`
`1 EXECUTIVE SUMMARY
`
`The National Institute of Standards and Technology (NIST) has been designated by the Federal
`Chief Information Officer (CIO) to accelerate the federal government’s secure adoption of cloud
`computing by leading efforts to identify existing standards and guidelines. Where standards are
`needed, NIST works closely with U.S. industry, standards developers, other government agencies,
`and leaders in the global standards community to develop standards that will support secure cloud
`computing.
`
`Consistent with NIST’s mission,1 the NIST Cloud Computing Program has developed a USG Cloud
`Computing Technology Roadmap, as one of many mechanisms in support of United States
`Government (USG) secure and effective adoption of the Cloud Computing model2 to reduce costs
`and improve services. Standards are critical to ensure cost-effective and easy migration, to ensure
`that mission-critical requirements can be met, and to reduce the risk that sizable investments may
`become prematurely technologically obsolete. Standards are key elements required to ensure a level
`playing field in the global marketplace.3 The importance of setting standards in close relation with
`private sector involvement is highlighted in a memorandum from the White House: M-12-08,4 dated
`January 17, 2012.
`
`The NIST Cloud Computing Standards Roadmap Working Group has surveyed the existing
`standards landscape for interoperability, performance, portability, security, and accessibility
`standards/models/studies/use cases/conformity assessment programs, etc., relevant to cloud
`computing. Where possible, new and emerging standardization work has also been tracked and
`surveyed. Using this available information, current standards, standards gaps, and standardization
`priorities are identified within this document.
`
`
`
`
`
`1 This effort is consistent with the NIST role per the National Technology Transfer and Advancement Act (NTTAA) of
`1995, which became law in March 1996.
`
`2 NIST Definition of Cloud Computing, Special Publication 800-145, “Cloud computing is a model for enabling
`ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g.,
`networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal
`management effort or service provider interaction.”
`
`3 This edition of the standards roadmap focuses on USG cloud computing requirements for interoperability,
`performance, portability, security, and accessibility, and does not preclude the needs to address other essential
`requirements.
`
`4 Principles for Federal Engagement in Standards Activities to Address National Priorities, January 17, 2012
`http://www.whitehouse.gov/sites/default/files/omb/memoranda/2012/m-12-08.pdf
`
`The NIST Definition of Cloud Computing identified cloud computing as a model for enabling
`ubiquitous, convenient, on-demand network access to a shared pool of configurable computing
`resources (e.g., networks, servers, storage, applications, and services) that can be rapidly
`provisioned and released with minimal management effort or service provider interaction.
`
`As an extension to the above NIST cloud computing definition, a NIST cloud computing reference
`architecture has been developed by the NIST Cloud Computing Reference Architecture and
`Taxonomy Working Group that depicts a generic high-level conceptual model for discussing the
`requirements, structures and operations of cloud computing. It contains a set of views and
`descriptions that are the basis for discussing the characteristics, uses, and standards for cloud
`computing, and relates to a companion cloud computing taxonomy.5
`
`Cloud computing use cases describe the consumer requirements when using cloud computing
`service offerings. Through its working groups as described below, the NIST Cloud Computing
`program has studied a range of U.S. federal government and general-purpose use cases to extract
`features that are amenable to standardization. Using these examples, the current document analyzes
`how existing cloud-related standards fit the needs of federal cloud consumers and identifies
`standardization gaps.
`
`Cloud computing standards are already available in support of many of the functions and
`requirements. While many of these standards were developed in support of pre-cloud computing
`technologies, such as those designed for web services and the Internet, they also support the
`functions and requirements of cloud computing. Other standards have been developed or are now
`being developed to support specific cloud computing functions and requirements, such as
`virtualization, infrastructure management, service level agreements (SLAs), audits and cloud-
`specific data handling. Wherever possible, applicable standards are identified in this document.
`
`To assess the state of standardization in support of cloud computing, the NIST Cloud Computing
`Standards Roadmap Working Group has compiled an Inventory of Standards Relevant to Cloud
`Computing.6 This inventory is being maintained and updated as necessary. Using the taxonomy
`developed by the NIST Cloud Computing Reference Architecture and Taxonomy Working Group,
`cloud computing relevant standards have been mapped to the requirements of accessibility,
`interoperability, performance, portability, and security.
`
`
`5 NIST Special Publication 500-292, NIST Cloud Computing Reference Architecture, September 2011
`http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909505
`
`6 http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/StandardsInventory
`
`Present areas with standardization gaps include: SaaS (Software as a Service) functional interfaces;
`SaaS self-service management interfaces; PaaS (Platform as a Service) functional interfaces;
`business support / provisioning / configuration; security; and privacy. Present standardization areas
`of priority to the federal government include: security auditing and compliance; identity and access
`management; SaaS application specific data and metadata; and resource description and discovery.
`
`While there are only a few approved cloud computing specific standards at present, there is a fast-
`changing landscape of cloud computing-relevant standardization under way in a number of
`Standards Developing Organizations (SDOs). Every effort has been made in the context of the
`NIST Cloud Computing Standards Roadmap to engage with and to gather input from SDOs active
`in this area. Federal agencies should also be encouraged to participate specifically in cloud
`computing standards development projects that support the specific needs and priorities of their
`cloud computing services. Specific recommendations regarding engagement between federal
`agencies and SDOs are:
`
`Recommendation 1 – Contribute Agency Requirements
`
`Agencies should coordinate and contribute clear and comprehensive user requirements for cloud
`computing standards projects.
`
`Recommendation 2 – Participate in Standards Development
`
`Agencies should actively participate and coordinate in cloud computing standards development
`projects that are of high priority to their agency missions. The January 17, 2012, White House
`Memorandum, M-12-08,7 lists five fundamental strategic objectives for federal government
`agencies whenever engaging in standards development.
`
`Recommendation 3 – Encourage Testing to Accelerate Technically Sound Standards-Based
`Deployments
`
`Agencies should support the concurrent development of conformity and interoperability assessment
`schemes to accelerate the development and use of technically sound cloud computing standards and
`standards-based products, processes, and services. Agencies should also include consideration of
`conformity assessment approaches currently in place that take account of elements from
`international systems, to minimize duplicative testing and encourage private sector support.
`
`7 Principles for Federal Engagement in Standards Activities to Address National Priorities, January 17, 2012
`
`Recommendation 4 – Specify Cloud Computing Standards
`
`Agencies should specify cloud computing standards in their procurements and grant guidance when
`multiple vendors offer standards-based implementations and there is evidence of successful
`interoperability testing.
`
`Recommendation 5 – USG-Wide Use of Cloud Computing Standards
`
`To support USG requirements for accessibility, interoperability, performance, portability, and
`security in cloud computing, the Federal Cloud Computing Standards and Technology Working
`Group, in coordination with the Federal CIO Council Cloud Computing Executive Steering
`Committee (CCESC) and the Cloud First Task Force, should recommend specific cloud computing
`standards and best practices for USG-wide use.
`
`2 INTRODUCTION
`
`2.1 BACKGROUND
`
`U.S. laws and associated policy require federal agencies to use international, voluntary consensus
`standards in their procurement and regulatory activities, except where inconsistent with law or
`otherwise impractical.
`
`The National Institute of Standards and Technology (NIST) has been designated by the Federal
`Chief Information Officer (CIO) to accelerate the federal government’s secure adoption of cloud
`computing by leading efforts to identify existing standards and guidelines. Where standards are
`needed, NIST works closely with U.S. industry, standards developers, other government agencies,
`and leaders in the global standards community to develop standards that will support secure cloud
`computing.
`
`The NIST Cloud Computing Program was formally launched in November 2010 and was created to
`support the federal government effort to incorporate cloud computing as a replacement for, or
`enhancement to, traditional information system and application models where appropriate.
`
`The NIST Cloud Computing Program operates in coordination with other federal cloud computing
`implementation efforts (CIO Council/Information Security and Identity Management Committee
`[ISIMC], etc.) and is integrated with the Federal CIO’s 25-point IT Implementation Plan for the
`federal government.
`
`At the beginning of 2011, NIST created the following public working groups in order to provide a
`technically oriented strategy and standards-based guidance for the federal cloud computing
`implementation effort:
`
`- Cloud Computing Reference Architecture and Taxonomy Working Group
`- Cloud Computing Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC) Working Group
`- Cloud Computing Security Working Group
`- Cloud Computing Standards Roadmap Working Group
`- Cloud Computing Target Business Use Cases Working Group
`
`2.2 NIST CLOUD COMPUTING VISION
`
`NIST seeks t