编者按：本报告是2010年，由美国CIO委员会针对美国政府云计算服务的安全评估与授权建议报告，汇聚了美国国家标准研究院、通用服务管理局、CIO委员会18个月的智慧，非常值得中国政府在盲目投入云计算之前学习和评估。

Proposed Security Assessment & Authorization for U.S. Government Cloud Computing

Over the past 18 months, an inter-agency team comprised of the National Institute
of Standards and Technology (NIST), General Services Administration (GSA), the CIO
Council and working bodies such as the Information Security and Identity Management
Committee (ISIMC), has worked on developing the Proposed Security Assessment and
Authorization for U.S. Government Cloud Computing. This team evaluated security
controls and multiple Assessment and Authorization models for U.S. Government Cloud
Computing as outlined in this document.

The attached document is a product of 18 months of collaboration with State and
Local Governments, Private Sector, NGO’s and Academia. This marks an early step
toward our goal of deploying secure cloud computing services to improve performance
and lower the cost of government operations, but we need to improve this document
through your input.
Often stated, but still true, we recognize that we do not have a monopoly on the
best ideas. We seek your input, knowledge, and experience to help us frame appropriate
security controls and processes for the Federal Government’s journey to cloud
computing. The attached document is a draft and is designed to encourage robust debate
on the best path forward.
Comments on the documents should be submitted online at www.FedRAMP.gov by
December 2nd . We look forward to your active engagement and substantive comments.
Vivek Kundra
U.S. Chief Information Officer

Proposed-Security-Assessment-and-Authorization-for-Cloud-Computing.pdf(864 KB)