FedRAMP Guidelines for Cloud Service Providers
In June 2019, FedRAMP, the Federal Risk and Authorization Management Program, issued guidelines for cloud service providers, FedRAMP Marketplace. CSPs can be categorized as having one of three statuses:
1. FedRAMP Ready - a third party assessment organization attests to a CSP's capabilities and a report is accepted by FedRAMP.
2. FedRAMP In Process - CSP working on FedRAMP authorization with the Joint Authorization Board or a federal agency. In order to get to this stage, a Security Assessment Plan (SAP) and Security Assessment Report (SAR) must be prepared. Security package materials have to be uploaded to the OMB MAX document repository, and kickoff meeting with the JAB must be held. The in process status cannot be held for more than 12 months.
3. FedRAMP Authorized - in order to get authorization, the CSP must submit monthly deliverables to the JAB. A provisional authority to operate letter (P-ATO) signed by the CIOs of the Department of Defense; Department of Homeland Security; and the General Services Administration will allow the CSP's status to be updated to authorized.
The FedRAMP Marketplace is a sortable database of CSPs. Notable businesses in the legal technology field that are in the marketplace include:
Box (Authorized)
CDS - Complete Discovery Source (Authorized)
DocuSign (Authorized)
EverLaw (In Process)
Exterro (In Process)
Slack (Authorized)
Smarsh (In Process)
VMware (In Process)
(Pretty nice feather in CDS's cap!)