FedRAMP: A Closer Look at the U.S. Government’s Standards for Cloud-Based eDiscovery
With the Federal government looking to accelerate the adoption of secure cloud solutions for Federal agencies, Cloud Service Providers (CSPs) and software providers themselves are looking to achieve FedRAMP certification. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based products and services. As a result of the rigorous certification process, only a select group of Cloud Service Providers have earned FedRAMP approval. These companies represent some of the largest cloud-based enterprise solutions, including Microsoft, IBM, Amazon Web Services, and Salesforce. However, any CSP with a dedication to process management and data security can achieve FedRAMP certification. CDS is proud to be the first dedicated end-to-end eDiscovery provider to have been authorized by FedRAMP. This means CDS is authorized to host sensitive data for government agencies in our cloud-based environment.

FedRAMP is a mandatory program for any cloud service provider that hosts data for government agencies. It is the result of close collaboration between cybersecurity and cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, the Federal CIO Council and its working groups, alongside experts from private industry. Authorization by FedRAMP requires the assessed cloud service provider to go through a demanding three-step process comprising security assessment, leveraging, and authorization, with ongoing assessment and authorization required to maintain FedRAMP status.

For CDS, the process began three years ago when it was awarded a contract to provide an end-to-end eDiscovery solution for the Pension Benefit Guaranty Corporation (PBGC). As the “Federal agency customer,” PBGC was required to deploy a cloud solution and was responsible for ensuring FISMA (the Federal Information Security Management Act) compliance.
PBGC became CDS’s sponsor agency, and we worked closely with its Information System Security Officer (ISSO), Information System Owner (ISO), and Chief Information Security Officer (CISO) / Information System Security Manager (ISSM) on all matters, technical and otherwise, to ensure a secure FedRAMP cloud environment that could withstand the rigorous demands of continuous active monitoring. Since achieving that designation, agencies such as the Federal Trade Commission, Department of Commerce and Federal Communications Commission have been able to leverage that FedRAMP Authorization to securely store and review their data with CDS.

CDS has engaged the auditing firm of Schellman and Company as a Third Party Assessment Organization (3PAO) to validate and attest to the quality and compliance of our security package. We worked with the cyber risk management firm Coalfire to assist us in generating security documentation as well as to act as a sounding board for questions during this intense process. Schellman conducts CDS’s continuous monitoring through comprehensive annual audits. This ensures that CDS is complying with both internal policies and procedures and the 325 critical FedRAMP Moderate controls. Once onboarded, an agency looking to leverage our secure FedRAMP environment reviews our security package internally with its security personnel, stakeholders, and General Counsel, and grants CDS an Authorization to Operate (ATO).

For other CSPs or Federal System Integrators interested in pursuing FedRAMP authorization, the chief concerns include:
- Getting a sponsor agency. Agencies want to work with CSPs who are willing to be flexible and create custom solutions based on their needs. In CDS’s case, we already had an infrastructure in place and experience providing full customized end-to-end eDiscovery in a cloud-computing environment.
- Finding the right security consultants. Before we engaged Schellman and Company and Coalfire, we worked with other consultants who did not have the appropriate experience dealing specifically with FedRAMP and its intricacies. When looking for the right consultant(s), look for someone skilled in creating FedRAMP-specific documentation and a company that is familiar with all critical FedRAMP controls.
- Continuous monitoring and security. Now that we have been granted our FedRAMP Agency Authorization to Operate, CDS has entered “Continuous Monitoring.” Continuous Monitoring ensures that Cloud Service Provider (CSP) reporting provides a consistent level of quality government-wide. Along with our internal security team (we already maintain highly secure ISO 27001 certified hosting and SOC 2 Type 2 audited data centers) and with the help of our 3PAO, continuous monitoring ensures that FedRAMP security is maintained and monitored.
Since FedRAMP was new for PBGC, the certification process was a learning experience for its team as well. This provided a great opportunity to work hand in hand with our sponsoring agency in crafting a package that was not only secure but also acceptable to all stakeholders. As more agencies fund projects to move into cloud compliance, best practices can be shared. In the meantime, CSPs should be prepared to address the sponsor agency’s high internal standards combined with a highly technical and detailed certification process.

For CDS, the achievement of FedRAMP authorization is a major component of our ongoing campaign to bring commercial eDiscovery and records management best practices to the federal marketplace, all while ensuring the highest levels of data security and integrity for our systems. To learn more about our long-term commitment to data security, or to find out how the CDS Federal Team can assist with the movement of your eDiscovery or Records Management workloads to the Cloud, contact us today.