Complete Discovery Source Achieves Full-EDRM FedRAMP Certification. It Wasn't Easy
CDS's three-year road to FedRAMP underscores the challenges e-discovery providers will have to navigate when looking to provide cloud services for government clients.
February 13, 2018 at 09:30 AM
Federal agencies are increasingly looking to leverage e-discovery technology to meet their data management needs. But to use these tools on the cloud, such services need to be certified under the Federal Risk and Authorization Management Program (FedRAMP).
For e-discovery providers catering to government clients, this has meant deploying solutions on FedRAMP-certified cloud platforms, such as Amazon Web Services or Microsoft Azure. But not all providers want to outsource their hosting capabilities. Among them is Complete Discovery Source (CDS), which recently announced its achievement of FedRAMP certification.
Matthew Milone, director of federal operations at Complete Discovery Source, said that the company is now certified “for end-to-end management of data in our cloud,” adding that he believes CDS is the first e-discovery company to “own our complete environment.”
To be sure, Veritas Technologies announced in October 2016 that its Veritas Enterprise Vault and Veritas Discovery Accelerator were FedRAMP certified as well. But CDS noted it is the only e-discovery provider to offer a full EDRM “one-stop-shop” e-discovery cloud service that has achieved FedRAMP certification.
Certification, however, wasn't easy to obtain. For an e-discovery company, such certification can be a years-long and expensive process, one that requires managing multiple stakeholders and meeting vast security standards. CDS, for example, couldn't have gotten FedRAMP certification if it weren't for its government client, the Pension Benefits Guaranty Corporation (PBGC), which had to sponsor the e-discovery company to be considered by FedRAMP.
To initially work with the PBGC, CDS had to first acquire an authorization to operate (ATO) from FedRAMP. Milone noted that such ATOs are essentially agreements where the federal government accepts “the risks as it is now” from cloud providers, so long as there are no “critical errors in the system where any bad things can happen.” Before granting an ATO, the government looks to see if the cloud provider has “a proven track record of managing the risk and securing the implementation,” and if the security provided is up to the government's needs.
Such approval, however, was only the first step in the process for CDS. “When we got our initial deal with PBGC, it was contingent that we would get FedRAMP certification and that we would work together as team to become FedRAMP certified,” Milone said. “It took about three years for us to get everything settled and done and finalized.”
So why did the certification process take CDS several years? For one, when FedRAMP's Joint Authorization Board (JAB) reviews whether to certify a company, it looks to see whether the company meets an enormous set of security standards. The criteria encompass “17 categories with about 2,326 security controls,” Milone said.
He explained that some of these categories include topics like “access control, configuration management, and contingency planning if something goes wrong, like incident response plans.” Within these categories, the controls that are looked at can be as specific as the temperature of one's data center or the physical locks on the doors. CDS, therefore, had to create what Milone called a “security bible,” documenting not only the company's security controls, but also the security and access policies its staff would abide by. Such controls and policies had to be verified thoroughly by FedRAMP-approved third-party assessment organizations, whose examinations were themselves reviewed by FedRAMP.
The cost of getting up to speed on all required security controls was significant. “For a small company like ours, the biggest expense is the time it took,” Milone said. He noted that in addition to the third party assessment, “you're dealing with the agency stakeholders who sponsor you, and you're dealing with the security consultants you hired who are constantly asking you questions.”
Of course, just by their very nature, e-discovery companies can have a harder time with certain security controls than others. Milone noted that implementing access controls can be a challenge given that “the nature of a service-based e-discovery business is having a lot of people touching the data.”
To tackle this challenge, Milone sought to change the culture of his company, rather than just put in place new access control technologies. “So instead of just having an access control plan, we have an access control policies and procedures.”
While getting FedRAMP approval was an arduous and expensive process for CDS, the e-discovery company ultimately sees it as one that will help it grow its government client base.
“For a small e-discovery vendor like us, we wanted a leg to stand on, because now we can begin competing with other vendors out there in the government space.”
But ultimately CDS believes that it will be one of many e-discovery companies with FedRAMP certification. Milone noted that those in legal are slow adopters and often wait for a certification, such as ISO 27001, to become more widely adopted before jumping on board. It may be only a matter of time, then, until FedRAMP certification is yet another must-have asset for modern e-discovery providers.
© 2025 ALM Global, LLC, All Rights Reserved.