CDS’s Journey to FedRAMP: The Lessons Learned
Matthew Milone, Esq., Director of Federal Operations at CDS.
With the Federal government looking to accelerate the adoption of secure cloud solutions for Federal agencies, Cloud Service Providers (CSPs) are attempting to achieve FedRAMP certification. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based products and services. As a result of the rigorous certification process, fewer than 80 Cloud Service Providers have earned FedRAMP approval. These companies represent some of the largest cloud-based enterprise solutions, including Microsoft, IBM, Amazon Web Services, and Salesforce. However, FedRAMP certification is achievable by mid-sized companies as well. CDS is now the first and only CSP solely dedicated to end-to-end eDiscovery to have earned FedRAMP certification. This means CDS is authorized to handle sensitive data for government agencies in our cloud-based environment.
FedRAMP is a mandatory program for any cloud service provider that hosts data for government agencies. It is the result of close collaboration between cybersecurity and cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, the Federal CIO Council and its working groups, alongside experts from private industry. Authorization by FedRAMP requires the assessed cloud service provider to go through a demanding three-step process (security assessment, leveraging, and authorization), with ongoing assessment and authorization required to maintain FedRAMP status.
For CDS, the process began three years ago when it was awarded a contract to provide an end-to-end eDiscovery solution for the Pension Benefit Guaranty Corporation (PBGC). As the “Federal agency customer,” PBGC was required to deploy a cloud solution and was responsible for ensuring FISMA compliance. PBGC became CDS’s sponsor agency, and we worked closely with its Information System Security Officer (ISSO), Information System Owner (SO), and Chief Information Security Officer (CISO) / Information System Security Manager (ISSM) on all matters, technical and otherwise, to ensure a secure FedRAMP cloud environment that could withstand the rigorous demands of continuous monitoring.
On our end, CDS engaged the auditing firm Schellman and Company as a Third-Party Assessment Organization (3PAO) to validate and attest to the quality and compliance of our security package. We worked with the cyber risk management firm Coalfire to assist us in generating security documentation and to act as a sounding board for questions during this intense process. Schellman conducts CDS’s continuous monitoring through comprehensive annual audits. This ensures that CDS is complying with both its internal policies and procedures and the critical FedRAMP controls.
PBGC reviewed our security package internally with its security personnel, stakeholders, and General Counsel and granted CDS an Authorization to Operate (ATO). The package was then submitted to and reviewed by the Joint Authorization Board (JAB).
For other CSPs or other Federal System Integrators interested in pursuing FedRAMP authorization, the chief concerns include:
- Getting a sponsor agency. Agencies want to work with CSPs who are willing to be flexible and create custom solutions based on their needs. In CDS’s case, we already had an infrastructure in place and experience providing full customized end-to-end eDiscovery in a cloud-computing environment.
- Finding the right security consultants. Before we engaged Schellman and Company and Coalfire, we worked with other consultants who did not have the appropriate experience dealing specifically with FedRAMP and its intricacies. When looking for the right consultant(s), look for someone skilled in creating FedRAMP-specific documentation and a company that is familiar with all critical FedRAMP controls.
- Continuous monitoring and security. Now that we have been granted our FedRAMP Agency ATO Certification, CDS enters “Continuous Monitoring.” Continuous Monitoring ensures that Cloud Service Provider (CSP) reporting provides a consistent level of quality government-wide. Through our internal security team (we already maintain highly secure ISO 27001 certified hosting and SOC 2 Type 2 audited data centers) and with the help of our 3PAO, continuous monitoring ensures that FedRAMP security controls remain in place and are monitored.
Since FedRAMP was new for PBGC, the certification process was a learning experience for its team as well. This provided a great opportunity to work hand in hand with our sponsoring agency in crafting a package that was not only secure but also acceptable for all stakeholders. As more agencies fund projects to move into cloud compliance, best practices can be shared. In the meantime, CSPs should be prepared to address the sponsor agency’s internal high standards combined with a highly technical and detailed certification process.
For CDS, the achievement of FedRAMP authorization is a major component of our ongoing campaign to bring commercial eDiscovery and records management best practices to the federal marketplace, all while ensuring the highest levels of data security and integrity for our systems.
To learn more about our long-term commitment to data security or find out about how the CDS Federal Team can assist with the movement of your eDiscovery or Records Management workloads to the Cloud, contact us today.