Complete Discovery Source Achieves Full-EDRM FedRAMP Certification. It Wasn't Easy
CDS's three-year road to FedRAMP underscores the challenges e-discovery providers will have to navigate when looking to provide cloud services for government clients.
February 13, 2018 at 09:30 AM
Federal agencies are increasingly looking to leverage e-discovery technology to meet their data management needs. But to use these tools on the cloud, such services need to be certified under the Federal Risk and Authorization Management Program (FedRAMP).
For e-discovery providers catering to government clients, this has meant deploying solutions on FedRAMP-certified cloud platforms, such as Amazon Web Services or Microsoft Azure. But not all providers want to outsource their hosting capabilities. Among them is Complete Discovery Source (CDS), which recently announced its achievement of FedRAMP certification.
Matthew Milone, director of federal operations at Complete Discovery Source, said that the company is now certified “for end-to-end management of data in our cloud,” adding that he believes CDS is the first e-discovery company to “own our complete environment.”
To be sure, Veritas Technologies announced in October 2016 that its Veritas Enterprise Vault and Veritas Discovery Accelerator were FedRAMP certified as well. But CDS noted it is the only e-discovery provider to offer a full EDRM “one-stop-shop” e-discovery cloud service that has achieved FedRAMP certification.
Certification, however, wasn't easy to obtain. For an e-discovery company, such certification can be a years-long and expensive process, one that requires managing multiple stakeholders and meeting vast security standards. CDS, for example, couldn't have gotten FedRAMP certification if it weren't for its government client, the Pension Benefits Guaranty Corporation (PBGC), which had to sponsor the e-discovery company to be considered by FedRAMP.
To initially work with the PBGC, CDS had to first acquire an authorization to operate (ATO) from FedRAMP. Milone noted that such ATOs are essentially agreements where the federal government accepts “the risks as it is now” from cloud providers, so long as there are no “critical errors in the system where any bad things can happen.” Before granting an ATO, the government looks to see if the cloud provider has “a proven track record of managing the risk and securing the implementation,” and if the security provided is up to the government's needs.
Such approval, however, was only the first step in the process for CDS. “When we got our initial deal with PBGC, it was contingent that we would get FedRAMP certification and that we would work together as team to become FedRAMP certified,” Milone said. “It took about three years for us to get everything settled and done and finalized.”
So why did the certification process take CDS several years? For one, when FedRAMP's Joint Authorization Board (JAB) reviews whether to certify a company, it looks to see whether the company meets an enormous set of security standards. The criteria encompass “17 categories with about 2,326 security controls,” Milone said.
He explained that some of these categories include topics like “access control, configuration management, and contingency planning if something goes wrong, like incident response plans.” Within these categories, the controls examined can be as specific as the temperature of one's data center or the physical locks on the doors. CDS, therefore, had to create what Milone called a “security bible,” documenting not only the company's security controls, but also the security and access policies its staff would abide by. Such controls and policies had to be verified thoroughly by FedRAMP-approved third-party assessment organizations, whose examinations were themselves reviewed by FedRAMP.
The cost of getting up to speed on all required security controls was significant. “For a small company like ours, the biggest expense is the time it took,” Milone said. He noted that in addition to the third party assessment, “you're dealing with the agency stakeholders who sponsor you, and you're dealing with the security consultants you hired who are constantly asking you questions.”
Of course, just by their very nature, e-discovery companies can have a harder time with certain security controls than others. Milone noted that implementing access controls can be a challenge given that “the nature of a service-based e-discovery business is having a lot of people touching the data.”
To tackle this challenge, Milone sought to change the culture of his company, rather than just put in place new access control technologies. “So instead of just having an access control plan, we have an access control policies and procedures.”
While getting FedRAMP approval was an arduous and expensive process for CDS, the e-discovery company ultimately sees it as one that will help it grow its government client base.
“For a small e-discovery vendor like us, we wanted a leg to stand on, because now we can begin competing with other vendors out there in the government space.”
But ultimately CDS believes that it will be one of many e-discovery companies with FedRAMP certification. Milone noted that those in legal are slow adopters and often wait for a certification, such as ISO 27001, to become more widely adopted before jumping on board. It may be only a matter of time, then, until FedRAMP certification is yet another must-have asset for modern e-discovery providers.
© 2024 ALM Global, LLC, All Rights Reserved.