Written by Doug Austin, Editor of eDiscovery Today
As the COVID-19 pandemic and social distancing enforced remote work only accelerated the move to the cloud for many organizations, it should come as no surprise that the use of cloud-based solutions continues to be on the rise.
Last November, Gartner forecast worldwide end-user spending on public cloud services to grow 18.4% in 2021, to a total of $304.9 billion, up from $257.5 billion in 2020.
And from an eDiscovery standpoint, the increased use of cloud-based eDiscovery solutions was the second biggest eDiscovery trend for 2021 (behind only discovery of collaboration app data) identified by respondents in the eDiscovery Today 2021 State of the Industry report (sponsored by EDRM) which was issued back in January.
One type of organization, however, has still been slow to move to cloud-based solutions – government entities (especially Federal government entities).
Many of these entities have continued to use on-premise solutions for security reasons (among other considerations) even as other types of organizations have moved to cloud-based solutions for everything from Office to eDiscovery.
But even that trend has started to change because of a Federal program that is literally design to “ramp” up usage of cloud-based solutions within Federal government agencies.
The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
In 2011, the Office of Management and Budget (OMB) released a memorandum establishing FedRAMP “to provide a cost-effective, risk-based approach for the adoption and use of cloud services to Executive departments and agencies”.
In June 2012, the General Services Administration (GSA) established the FedRAMP Program Management Office (PMO). The mission for the FedRAMP PMO is to promote the adoption of secure cloud services across the Federal Government by providing a standardized approach to security and risk assessment.
As directed by the OMB memorandum, any cloud services that hold federal data must be FedRAMP Authorized and FedRAMP prescribes the security requirements and process cloud service providers must follow in order for the government to use their service.
FedRAMP standardizes security requirements for the authorization and ongoing cybersecurity of cloud services in accordance with the Federal Information Security Modernization Act of 2014 (FISMA), OMB Circular A-130, and FedRAMP policy.
As noted in the official government FedRAMP site, benefits of FedRAMP include:
- Reduces duplicative efforts, inconsistencies, and cost inefficiencies.
- Establishes a public-private partnership to promote innovation and the advancement of more secure information technologies.
- Enables the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations and allowing agencies to leverage security authorizations on a government-wide scale.
Achieving FedRAMP authorization isn’t a simple, quick, or inexpensive process. It takes time – a LOT of time.
Assuming the cloud service provider has implemented all the required controls and completed related documentation, the estimated timeframe includes:
- A FedRAMP Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) assessment, which takes about 7-9 months to complete.
- An agency ATO can take anywhere from 4-6 months to complete.
- A cloud service provider supplied package can likely be completed in 2-3 months.
And achieving FedRAMP authorization can be expensive as well, with this report estimating the costs to be between $350K to $865k.
Given the security requirements that an organization must meet and the time and cost it takes to obtain FedRAMP authorization, it’s probably no surprise that many cloud-based eDiscovery solutions are not hosted in FedRAMP authorized facilities – at least not yet. Many may never pursue it because of the effort and cost involved.
Even before the COVID-19 pandemic, federal agencies were accelerating the use of cloud-based capabilities and that only figures to accelerate as more cloud-based solutions become FedRAMP approved.
That includes the demand for eDiscovery solutions as well, so expect Federal government agencies to be more focused on moving to the cloud in the near term.
The paradigm for Federal agencies to only stick to on-premise solutions is shifting – so expect eDiscovery solution providers to shift to support that demand (even as some continue to support those agencies not ready to move to the cloud because of policy or contract commitments).
Those who support both scenarios with government approved environments are well positioned to support the eDiscovery needs of government agencies today and tomorrow!
Just this week IPRO announced a partnership with Complete Discovery Source to bring its eDiscovery solution to the CDS cloud environment.
For more educational topics from me related to eDiscovery, cybersecurity and data privacy, feel free to follow my blog, eDiscovery Today!