FedRAMP: Why the US Government is in the Cloud
The migration into the cloud is accelerating, and organizations from every sector are joining the rush, including the public sector.
The Federal Risk and Authorization Management Program (FedRAMP) has been in place for years. Its goal is to encourage cloud adoption by giving government agencies seeking new and updated technology a standardized way to assess cloud security, so that they can adopt cloud services both securely and cost-effectively.
Complete Discovery Source (CDS) has built a FedRAMP-authorized eDiscovery hosting offering for government agencies. Matthew Milone, Director of Federal Operations at CDS, discusses the government's move to cloud services and what the eDiscovery world is doing to keep up.
Q: Matt, please tell us a little bit about your role and CDS.
Matt: My role at CDS as Director of Federal Operations has changed a lot over the years. It went from a purely operational role that involved managing clients and cases, working with project management teams, and developing workflows, to a more technical role as program manager for our FedRAMP initiative. Now that I’ve taken on more of a business development role, I am consulting with current and prospective clients, sharing best practices from an operational standpoint and the security knowledge from a technical perspective. The best thing is no day is the same and the challenges are interesting, to say the least.
Q: For some background, can you explain what FedRAMP is? Why was it put into place?
Matt: FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based products and services. The program was designed to help drive adoption of cloud solutions in the U.S. Federal Government while ensuring the security and resiliency of approved providers. FedRAMP is a mandatory program for any cloud service provider that hosts data for government agencies.
FedRAMP is the result of close collaboration between cybersecurity and cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, the Federal CIO Council, and its working groups, alongside experts from private industry. The goals of the FedRAMP program are to accelerate the adoption of and increase confidence in secure cloud solutions for federal agencies. Authorization by FedRAMP requires the assessed cloud service provider to go through a demanding three-step process including security assessment, leveraging, and authorization—with ongoing continuous monitoring and authorization required to maintain FedRAMP status.
Short answer: FedRAMP is based on NIST SP 800-53, which is the gold standard for security control frameworks as determined by the National Institute of Standards and Technology (NIST). More importantly, FedRAMP provides a clear and consistent means for cloud service providers, as well as customers across all sectors, to measure security not only at a single point in time, but on an ongoing basis as well.
Q: Your team recently became FedRAMP certified. What did that process look like, and why did your team decide it was an important step to take for your business?
Matt: Security is something that is rooted in our culture at CDS. We have a robust commercial environment where we have stayed ahead of the curve in obtaining and maintaining our highly secure ISO 27001 certified hosting and SOC 2 Type 2 audited data centers. When it came to working with the federal government and looking at the security landscape, we were ready to jump in with both feet.
For CDS, the process began three years ago when we were awarded a contract to provide an end-to-end eDiscovery solution for the Pension Benefit Guaranty Corporation (PBGC). As the “federal agency customer,” PBGC was required to deploy a cloud solution and was responsible for ensuring FISMA compliance. PBGC became our sponsor agency and we worked closely with their internal stakeholders to ensure a secure FedRAMP cloud environment that could withstand the rigorous demands of continuous monitoring.
Also, the opportunity to bring commercial best practices and a streamlined approach to data management seemed like the obvious next step. We see a lot of attorneys leaving the private sector to work for the government, and they bring with them the need and expectation for sophisticated tools like Relativity.
Q: What legal developments led to business changes like this in recent years?
Matt: Looking at the landscape of eDiscovery and data management in the federal space, we knew about certain policies and directives and read the writing on the wall. It was important for CDS to not only offer the government tangible solutions in the face of these regulations, but also to provide them with a FedRAMP-authorized cloud to leverage in their efforts to satisfy requirements like these:
- Federal Cloud First policy: All new department IT projects must implement cloud services (e.g., private or U.S. Government-owned, community, public, or hybrid) whenever they are cost effective, meet system/owner mission requirements, and provide the required level of security and performance.
- Federal Records Management Directive (Office of Records Management): By December 31, 2019, Federal agencies will manage all permanent electronic records in an electronic format.
- Data Center Optimization Initiative (DCOI): Requires agencies to develop and report on their data center strategies; transition to more efficient infrastructure, such as cloud services and inter-agency shared services; leverage technology advancements to optimize infrastructure; and provide quality services for the public good.
Q: What key approaches help simplify your work with government clients, and how are they different from those for the private sector?
Matt: Our work with the government is most beneficial when we can engage very early in the process. When given the opportunity to consult on subpoena language, production specifications, and so on, we can guarantee that the federal agency is not only receiving the correct data, but also that those documents are in the right format to ensure we can apply the most efficient workflows.
In addition, getting in early assures that we can evaluate legacy systems and technologies that might not be as robust and sophisticated as a tool like Relativity. Having worked on large data migrations for the government, I can tell you that a trusted and tested product like Relativity, combined with industry best practices, greatly enhances efficiency while also leveraging robust security.
Most of the time on the commercial side, there are very tight deadlines where the opportunity to consult is limited to a few hours before we receive the data. In situations where we are dealing with mostly raw data that we process directly into Relativity, we have a lot more control over the metadata extraction process and the specific workflows that can be created around that information, such as applying analytics and formatting productions.
At the end of the day, the values are the same in terms of work product and performance. Both our government clients and our commercial clients expect the efficient convergence of process, product, and people, and at CDS, we service both industries at a very high level.
Q: What can enterprise customers learn from FedRAMP and the government agencies you work with, and vice versa?
Matt: In the last two or three years, we have started to have very forward-thinking meetings with our government clients. Based on the questions we are being asked and the requirements they are demanding, we can see they are entering a period where not only is security a priority, but functionality is also of high importance.
Commercial clients never wanted to be in the IT business, whereas the government in a lot of respects had no choice early on. However, I think we are seeing forward-thinking CTOs and CIOs not wanting to worry about the cost and resources that are needed to maintain their own infrastructure and support the ever-changing and evolving security standards that go along with it. Relying on a trusted partner that can train their staff on emerging technologies and best practices, consult through the entire lifecycle of a matter, and host data on software and in a cloud that is highly scalable and secure makes a lot of sense.