By Amy Hilbert, executive vice president of government solutions at Casepoint
A compromised password can lead to identity theft, a phishing attack can disrupt a major corporation’s operations and a ransomware attack can paralyze an entire industry for days. The importance of cybersecurity and the consequences of a data breach are widely understood.
What about the potentially disastrous consequences if classified information falls into the wrong hands? For government agencies dealing with massive volumes of everything from personal data to critical national security information, the risks of a data breach are exponentially multiplied.
The need to keep data secure is real, but so is the need for the openness and transparency that empowers citizens to hold their elected officials accountable, understand government decisions and participate more meaningfully in the democratic process. Balancing these two very different mandates is a challenge for Freedom of Information Act staff across the federal government.
Those challenges are growing. Fiscal year 2023 saw an all-time high of more than a million separate FOIA requests. Understaffed teams working with outdated software are struggling to keep up. And while rapid advances in AI are presenting new opportunities to streamline and simplify FOIA workflows, cybercriminals are also taking advantage of new technologies to create ever more sophisticated and dangerous incursions.
Protecting sensitive data during FOIA requests, government investigations and litigation requires a comprehensive, integrated approach that looks at data security from multiple levels, including:
1. Operational Security
Physical security measures are a first line of defense. Tools such as key card entry, biometric scanners, controlled site access and surveillance are already regarded as essential to protecting sensitive and classified information. Network security should be bolstered with next-generation firewalls, encryption and intrusion detection and prevention systems. Granular access controls, such as single-sign-on and multi-factor authentication, should be employed for enhanced security. All these systems should undergo regular vulnerability assessments to ensure ongoing protection against potential and emerging threats.
2. Solution Security
Efficiently managing the large volume of data involved in the FOIA and eDiscovery processes just isn’t possible anymore without integrated technology solutions. However, many agencies are still struggling with outdated tools and manual processes that leave them sinking in a sea of records and increase the risk of compliance errors and security breaches. Agencies need updated end-to-end capabilities that harness the power of AI to streamline workflows, make it easier to search and categorize information and enable redactions with robust quality controls to protect data and ensure accuracy.
When investing in new technologies, agencies should also look for partners that have obtained and maintained the highest levels of industry security certifications and attestations. With the gold standard of FOIA discovery tools being cloud-based, agencies need to ensure their chosen partners have FedRAMP certification, Department of Defense Impact Levels 5 and 6, as well as NIST 500-83, which covers the security controls for federal information systems and organizations.
3. Organizational Security
No matter how many high-tech security solutions your agency employs, the biggest risk of all often comes from human error and the possibility of a careless action by a single employee. Mandating a “one and done” security training course for new employees just doesn’t cut it in today’s world. Agencies must make data security part of their mission and culture by setting clear guidelines, regularly reviewing policies to address changing threats and requirements, and providing ongoing training to ensure compliance. They should also ensure that the contractors and vendors who interact with sensitive information meet these same expectations.
As a leading provider of FOIA and eDiscovery solutions for federal agencies, Casepoint understands the critical importance of creating reliable tools and fostering a culture of compliance around information security.
Commitment to security is evident through our extensive list of certifications and third-party audits. As the only eDiscovery cloud solution with FedRAMP High Authorization (in process), Casepoint has demonstrated its readiness to meet stringent government security requirements. Casepoint is also the only cloud-based eDiscovery solution to achieve DOD Authority to Operate Impact Level 5 for controlled unclassified information and DOD ATO Impact Level 6 for classified information up to secret. Our dedication to security extends further with certifications including SOC 1, SOC 2, SOC 3 and ISO 27001.
The Federal Risk and Authorization Management Program is a rigorous security compliance framework mandatory for all federal agency cloud deployments. The FedRAMP High Authorization explicitly addresses the security needs of data critical to law enforcement, emergency services, financial systems, and health systems. Achieving this level of security is paramount to ensuring the integrity and confidentiality of sensitive government information.
Looking ahead, Casepoint remains dedicated to maintaining and exceeding security standards. Our participation in initiatives like the U.S. Department of Commerce’s AI Safety Institute Consortium further demonstrates our commitment to advancing security in government applications. Casepoint’s ongoing efforts ensure that we continue to lead the industry in providing secure and reliable eDiscovery solutions.