Multi-Cloud Security Public Working Group (MCSPWG)

Charter

I. Introduction

NIST scientific or technical Public Working Groups bring together organizations actively engaged in the specific field of interest and consist of subject-matter experts who collaborate to determine best practices and to develop consensus standards. During the past decade, NIST has convened multi-disciplinary cloud computing working groups to take on specific challenges that impact the broad US Government adoption of complex cloud-based solutions that combine services from more than one cloud service provider (CSP). The change in technical operations and control dynamics for such solutions (in terms of ownership, management, and trust) with respect to IT resources poses new security challenges.

The NIST Multi-Cloud Security Public Working Group (MCSPWG) is a subsidiary of the NIST Cloud Security Public Working Group and will focus its research on particular cloud computing architectures, referred to as multi-cloud solutions, that connect services from more than one cloud service provider. The work will aim to:

  1. identify the challenges of implementing secure multi-cloud systems and
  2. develop guidance and best practices for mitigating the identified challenges.

NIST Special Publication (SP) 800-145, published in 2011, describes the five essential characteristics of cloud systems, three service models (IaaS, PaaS, and SaaS), and four deployment models (public, private, community, and hybrid). These cannot sufficiently describe the complex cloud architectures being implemented nowadays.

Encouraged by the Cloud Smart Federal Computing Strategy to accelerate cloud adoption and modernize their IT infrastructures, federal agencies leverage cloud technology scalability and speed-to-market by expanding and diversifying their cloud portfolios to incorporate multi-party (multi-provider) cloud solutions. In adopting these multi-party cloud solutions, which can include services provided by multiple cloud service providers, often with support from third-party entities, organizations are faced with added security and privacy implementation challenges.

II. Call for Collaboration

NIST calls on all its collaborators to join the Multi-Cloud Security Public Working Group (MCSPWG) to document the challenges and to research mitigations and best practices for secure deployment of multi-cloud service solutions.

III. Purpose

The purpose of the Multi-Cloud Security Public Working Group (MCSPWG) is to provide a forum in which participants from the public, including private industry, the public sector, academia, and civil society, discuss the security and privacy risks, and research guidance and best practices, of implementing and using multi-cloud services. This MCSPWG Charter (“Charter”) outlines the purposes, organizational structure, administrative details, and the roles and responsibilities related to this working group.

IV. MCSPWG Organizational Structure

A. Leadership
  1. MCSPWG Co-Chairs - The MCSPWG is led by Co-Chairs representing NIST.
  2. Project Team Leads - Each Project Team is led by a designated Team Lead (or Leads, depending on needs and participation). The Project Teams’ order of work is dictated by the initial membership of each group. Each Project Team may determine its own order of work and deliverables to the working group.
B. Terms of Leadership
  1. MCSPWG Co-Chairs - The Co-Chairs will serve until the MCSPWG dissolves or they step down.
  2. Project Team Leads - Each Project Team Lead will serve until the Team has completed its work product deliverable and is dissolved.

V. Administration

A. Sponsorship and Authority

The MCSPWG is a NIST Public Working Group. As such, formal recommendations from the MCSPWG will not be provided to the federal government.

B. Frequency of Meetings

The MCSPWG meetings are currently scheduled to occur bi-weekly. NIST reserves the right to change the frequency of the meetings to adjust to the project's needs. Additionally, the frequency can be adjusted by an agreement among MCSPWG's members.

C. Communications and Meeting Management
  • MCSPWG members can join the MCSPWG mailing list: mcspwg@list.nist.gov (and associated Google Group) to communicate with each other and with leadership. See the Overview page to learn how to join the WG.
  • Meetings will be held on the BlueJeans platform, or in the event of an outage or other technical problem, on the WebEx platform. Meeting invitations will be updated with the platform information as needed. A meeting invitation or reminder will be sent only to the members of the mailing list.
D. Charter Amendment

If NIST deems it necessary, the Charter may be amended at any time without prior notice and the working group membership will be notified of the changes.

VI. Roles and Responsibilities

A. Multi-Cloud Security Public Working Group (MCSPWG) Co-Chairs

The MCSPWG Co-Chairs are responsible for the following:

  • Provide input as needed to all meeting agendas and minutes.
  • Recommend members and participants to perform specific tasks to complete the work product deliverables within the scope of the MCSPWG.
  • Review and provide input to all MCSPWG work products.
  • Review and update the Charter as needed and communicate the changes to the working group membership.
  • Set up team lead(s) for separate group discussion topics or tasks, if necessary.
  • Provide guidance to the team lead(s).
B. Team Leads

The MCSPWG Team Leads are responsible for the following:

  • Attend and actively participate in their team meetings.
  • Lead the team’s research and completion of the assigned task(s).
  • Attend MCSPWG meetings as necessary for providing project status updates, obtaining input, or presenting final results.
  • Consider, deliberate on, and participate in creating draft documentation or other deliverables as requested.
  • Review and provide comments on deliverables prepared by or presented to the team.
  • Participate in the presentation of recommendations to the MCSPWG when invited.
C. Team Members
  • Complete requested tasks towards the goals of the team.
  • Attend and actively participate as subject matter experts in the Project Team meetings.
  • Contribute input to the Team's work product.

VII. Members’ Code of Conduct

A. Our Pledge

In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to make participation in the MCSPWG a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.

B. Our Standards

Examples of behavior that contributes to creating a positive environment include:

  • Using welcoming and inclusive language
  • Being respectful of differing viewpoints and experiences
  • Gracefully accepting constructive criticism
  • Focusing on what is best for the community
  • Showing empathy towards other community members

Examples of unacceptable behavior by participants include:

  • The use of sexualized language or imagery and unwelcome sexual attention or advances
  • Trolling, insulting/derogatory comments, and personal or political attacks
  • Public or private harassment
  • Publishing others' private information, such as a physical or electronic address, without explicit permission
  • Other conduct which could reasonably be considered inappropriate in a professional setting
C. Our Responsibilities

Co-Chairs are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.

Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.

D. Scope

This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.

E. Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at mcsec@nist.gov. The Co-Chairs will review and investigate all complaints and will respond in a way that they deem appropriate to the circumstances. The Co-Chairs are obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.

MCSPWG leadership (co-chairs and team leads) who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by NIST.

F. Attribution

This Code of Conduct is adapted from the Contributor Covenant, version 1.4, available at http://contributor-covenant.org/version/1/4

 

 

Created October 12, 2021, Updated August 02, 2022