Start Date
30-9-2016 9:00 AM
Presentation Type
Paper
Description
Public cloud computing solutions are desirable for business and government agencies to outsource infrastructure technology requirements. This decision transfers the responsibility for certain security controls to the cloud provider, and affects the system owner's ability to oversee security. Government agencies are required by law to conform to the Federal Information Security Management Act of 2002 (FISMA), which outlines a collection of security controls that must be implemented. Cloud service providers therefore have to implement these controls, at a minimum, to be valid for government usage. Given the known library of controls that must be implemented by the cloud service provider, this paper identifies that 9% of FISMA-based NIST 800-53 security controls can be validated externally, with confidence, by an end user of a cloud service provider.
Recommended Citation
Auger, Gerald and Hilgers, Richard, "Black Box FISMA-based Security Control Assessment of Public Cloud Providers" (2016). Information Security Research and Education (INSuRE) Conference. 3.
https://louis.uah.edu/insure-conference/INSuRECon-16/Papers/3
Comments
The inaugural INSuREcon Conference was held on September 30, 2016. The conference was held virtually using Cisco Webex online meeting and video conferencing software.