Some classified information should not be put on the public Internet-based cloud right now, said Greg Wilshusen, director of information security issues U.S. Government Accountability Office.
Clarke asked if some government information should "never" be moved to the cloud.
"I was taught from a very early age never to say never," Wilshusen said.
Technology changes rapidly, and what's inappropriate today may be acceptable in a few years, Spires added. Still, it will be "quite awhile before we have any comfort putting any classified information into a public cloud environment," he said.
Security of data stored in the cloud is a shared responsibility between the vendor and the customer, said CA's Brown.
"IT organizations must take a very focused and methodical approach to evaluating what should or should not be moved to the cloud," he said. "The cloud is not a panacea, and may not be appropriate for all workloads."
Other witnesses raised concerns about cloud computing. Some federal agencies may be concerned about the physical location of their data and whether it's being stored overseas, said John Curran, CEO of the American Registry of Internet Numbers. Data interoperability standards, to guard against cloud providers going out of business, are not yet established, he added.
Lungren said he sees benefits to cloud computing, but also potential risks. "Sometimes, things sound too good to be true," he said.
Sign up for CIO Asia eNewsletters.