Security of data stored in the cloud is a shared responsibility between the vendor and the customer, said CA's Brown.
"IT organizations must take a very focused and methodical approach to evaluating what should or should not be moved to the cloud," he said. "The cloud is not a panacea, and may not be appropriate for all workloads."
Other witnesses raised concerns about cloud computing. Some federal agencies may be concerned about the physical location of their data and whether it's being stored overseas, said John Curran, CEO of the American Registry of Internet Numbers. Data interoperability standards, to guard against cloud providers going out of business, are not yet established, he added.
Lungren said he sees benefits to cloud computing, but also potential risks. "Sometimes, things sound too good to be true," he said.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is firstname.lastname@example.org.