Federal agencies are under pressure to deploy cost-effective IT systems quickly, and cloud computing is one of the solutions favored by the Obama Administration. Yet, would-be cloud users in government will have to navigate a thicket of security requirements and other guidelines, warns one expert.In a slide presentation shared with attendees at a cloud interoperability workshop yesterday in Arlington, Va., John Curran, CTO and COO of ServerVault, tackled the question of what cloud vendors could do to let federal agencies use cloud services while complying with federal IT policies. "For many agency applications, stringent compliance requirements in areas such as privacy, financial controls, and health information will preclude use of public clouds, regardless of the actual security controls of the provider," he says.

Curran outlines a handful of existing regulations originally designed for outsourced IT that he says also apply to cloud computing. They include FISMA section 3544b, the OMB M-08-21, and FIPS publication 199 and 200. You can get more detail on those requirements from Curran's downloadable presentation here.

According to Curran, the "Federal CIO's dilemma" is that cloud computing, in some respects, represents a newer, better approach to IT, but issues around security, compliance, and interoperability are yet to be resolved. He presents a to-do list to get the cloud computing industry from here to there. It includes technical standards for interoperability, to support data and applications portability across public clouds, as well as between public clouds and "private" government cloud environments.

As a managed service provider to government agencies, ServerVault has already cleared the hurdle on some of the strict facility, personnel, and process requirements of providing IT services to Uncle Sam. I asked Curran whether federal agencies would tap into cloud services from general purpose cloud providers such as Amazon and Google. "That's the big question," he said.

The most likely scenario, he said, is that federal agencies would use commercial cloud services for unclassified, "low impact" data and applications--those in which any data loss would have minimal adverse effect--and not for data or applications more sensitive in nature.