Thomson Reuters (TR) became the first legal services provider to achieve FedRAMP “In Process” status, marking a significant milestone in the company’s commitment to data security.
This accomplishment demonstrates TR’s dedication to strengthening its security measures and provides government customers with robust assurance of TR’s seriousness regarding security obligations.
Jump to ↓
| What Is FedRAMP “In Process” status? |
| How did Thomson Reuters achieve this status? |
| Why does this matter for government legal professionals? |
| What should government legal professionals expect from FedRAMP documentation and audit transparency? |
What Is FedRAMP “In Process” status?
The Federal Risk and Authorization Management Program (FedRAMP) is a standardized approach which federal agencies use for security assessment and for authorization of cloud service offerings. Products with FedRAMP “In Process” status undergo comprehensive third-party assessments and reviews required for federal cloud security authorization.
The “In Process” status also confirms the applicant’s commitment to completing full FedRAMP authorization process. By contrast, “FedRAMP Ready” is an early-stage designation, which means only that a company has had a third-party assessment of its capabilities, often without any federal involvement.
In July, TR achieved FedRAMP “In Process” status by obtaining a federal government sponsor, the U.S. Department of Health and Human Services. No provider can skip this “In Process” step—all of its products must be evaluated in this manner before they receive full FedRAMP authorization.
Throughout the authorization process, Thomson Reuters will be engaged with its federal sponsor HHS, for both its Legal Research and Risk & Fraud applications.
By committing to a collaborative approach, TR is aiming to expedite the FedRAMP Program Management Office review of its application and its listing in the FedRAMP marketplace. This sponsorship strengthens TR’s commitment to meet, and to surpass, all security requirements necessary to protect federal information systems while delivering mission-critical solutions.
How did Thomson Reuters achieve this status?
Thomson Reuters has been experiencing heightened demand from its federal customers over the past few years, and it anticipates such demand will grow even further. So it made the strategic decision to undertake the FedRAMP process, seeking to move its services for federal government customers to a new, elevated level.
For the FedRAMP process, TR chose products which it believes have the greatest growth potential in the federal government space. These are:
- Westlaw, TR’s leading legal research service;
- Practical Law, TR’s legal how-to resource hub, written and maintained by more than 650 full-time attorney-editors globally; and
- CLEAR, TR’s legal investigation software, is used by law enforcement agencies to manage and analyze cases.
Each of these products is being FedRAMPed individually, with a “batting order” for prioritization.
The FedRAMP process includes having the applicant conduct internal education efforts, make any necessary investments in internal security upgrades, and have routine, ongoing collaborations between its internal security teams and its government sponsors.
TR’s pursuit of FedRAMP authorization supports a broader strategy to achieve compliance with additional state and local security frameworks, such as the Government Risk and Authorization Management Program (GovRAMP) and the Texas Risk and Authorization Management Program (TxRAMP).
Why does this matter for government legal professionals?
Securing full FedRAMP authorization will position Thomson Reuters (TR) as a leader in cloud security for the federal sector. FedRAMP represents the gold standard for cloud security, and federal agencies require this designation for competitive bids. By achieving this milestone—especially as no vendor currently holds full certification for certain products—TR will gain a significant competitive edge.
Further, even being “In Process” signals to customers that TR has made significant investments, and is making verifiable progress, toward meeting all applicable federal security standards. TR’s current expectation is to achieve full FedRAMP Authorization by early 2026.
FedRAMP authorization will assure government customers that TR delivers best-in-class security and service. This achievement will also reinforce confidence in TR’s products among large law firms and corporate clients, addressing any potential security concerns.
What’s next?
TR has committed to FedRAMPing additional products in its legal suite, including CoCounsel Core and Drafting, to meet all federal government security needs.
And the FedRAMP approval process is not one-and-done achievement, by any means. It’s an ongoing, and continually revised, process. All applicable products will need to be re-certified as they evolve, such as if new features are added to approved products, as well as to keep in compliance with any new or altered security standards and data regulations. This is particularly important with the growth of generative artificial intelligence programs and sensitive data handling.
What should government legal professionals expect from FedRAMP documentation and audit transparency?
Government legal professionals should regard the FedRAMP process as putting a stamp of approval upon what is already a suite of trusted, secure products with the highest security standards. TR is committed to being transparent as to where each of its products stands throughout the FedRAMP journey.
Clients will benefit from having verified legal research and compliance tools, adding greater value and increased reliability in their work in the federal sector. TR’s major achievement of achieving FedRAMP “In Process” demonstrates its rock-solid commitment to data security, and its dedication to keeping compliant with all relevant regulations.
Learn more about FedRAMP reading the official press release regarding Thomson Reuters’ new status.
