On July 10, the federal banking regulators, through the Federal Financial Institutions Examination Council (FFIEC), published a statement on outsourcing of cloud computing services by financial institutions. The statement explains that the regulators consider cloud computing to be another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing. The statement goes on to outline the key risks of outsourced cloud computing, focusing on due diligence, vendor management, information security, audits, legal and regulatory compliance, and business continuity planning. The statement concludes that “[c]loud computing may require more robust controls due to the nature of the service. When evaluating the feasibility of outsourcing to a cloud-computing service provider, it is important to look beyond potential benefits and to perform a thorough due diligence and risk assessment of elements specific to that service.”
On June 11, the National Institute of Standards and Technology (NIST) published a draft security document that provides a comprehensive security model to supplement other NIST efforts to develop a standard vocabulary and implementation framework for the integration of cloud-based applications across the government. NIST will accept comments on the draft document through July 12, 2013. Although NIST’s resources are developed for use by federal agencies, they can influence other policy decisions and may serve as a resource for private firms seeking to understand the benefits and risks of cloud technology.