Legal / Bar-Oriented Resources

Lawyer-Specific Cloud & SaaS Evaluation Resources

Bar ethics opinions & law-practice guides

  • State bar and ABA cloud ethics opinions
    Clio maintains a nice roundup of U.S. state bar ethics opinions on cloud computing, with links to the underlying opinions. These opinions spell out what “reasonable due diligence” on a cloud/SaaS provider looks like for lawyers (security, confidentiality, vendor vetting).

  • ABA / law-practice cloud computing tech reports
    The ABA’s Law Practice Division has tech reports on cloud computing that discuss how many firms actually review terms of service and ethics opinions (spoiler: not enough), and outline the kind of due diligence lawyers should be doing.

  • State bar tech/ethics resources
    For example, the California Bar’s “Electronic Files” page aggregates resources on cloud computing and related tech ethics; similar resource hubs exist in other states and often include “what to ask a cloud provider” checklists.

  • Individual ethics opinions
    Opinions like Wisconsin EF-15-01 (amended 2025) explicitly say lawyers must understand cloud tech and use “reasonable efforts” to evaluate whether a provider complies with their ethical duties, then give factors and questions to consider.

  • Articles aimed at lawyers
    E.g., state bar journals on “The Ethics of Using Cloud-Based Services” outline practical ways to vet providers and contract with them, specifically for law firms.

Cloud / SaaS Security & Vendor Evaluation Frameworks

These aren’t legal-specific, but they’re the backbone for “how to think about SaaS risk”:

  • Cloud Security Alliance (CSA) – Security Guidance & tools

    • Security Guidance for Cloud Computing v5 – broad best-practice guide across 12 domains (governance, legal, compliance, operations, etc.).

    • Articles like “Five Keys to Choosing a Cloud Security Provider” and “Your Guide to SaaS Compliance” give plain-language criteria for evaluating providers (data privacy, security certifications, shared responsibility, etc.).

    • CSA also maintains the Cloud Controls Matrix (CCM) and CAIQ (Consensus Assessments Initiative Questionnaire), which are industry-standard question sets you can cherry-pick from when you build your own mini-RFP.

  • NIST cloud & third-party risk guidance

    • NIST SP 800-144 – Guidelines on Security and Privacy in Public Cloud Computing: lays out key risks and what customers should look for (isolation, encryption, identity, incident response).

    • NIST guidance on evaluating cloud services and cloud service providers (e.g., SP 500-322 and the cloud standards roadmap) explains how to tell if something really is “cloud,” and how to think about security, portability, and interoperability.

    • Newer material on third-party risk and vendor management (NIST CSF 2.0, SP 800-53/800-161) gives a risk-based structure for evaluating SaaS suppliers.

  • SaaS security questionnaires & checklists

    • “Checklist to Quickly Evaluate SaaS Security” from IronCore Labs shows how much you can learn just from a vendor’s website (certifications, encryption claims, privacy policy).

    • Recent guides on SaaS security questionnaires explain what typical buyer questionnaires cover (data encryption, access controls, incident response, SOC 2/ISO 27001, etc.).

    • Articles specifically about SaaS vendor risk assessments and supply-chain risk (Binadox, Nudge Security, etc.) give step-by-step methods for scoring and tracking vendors.
