FedRAMP compliancy

Hello e-learning peeps. I have been developing a number of modules in Storyline 1 for a federal client. An issue that has arisen is the client's IT security governance requirements and Storyline's compatibility with these requirements.

Does anyone know if Storyline is FedRAMP compliant software?

Thanks much, any input would be appreciated.

 

11 Replies
Bob O'Donnell

Our company is an approved FedRAMP vendor for Web Hosting & Development. I would be happy to toss the software question out to our FedRAMP team and see if they have anything they can add or clarify.

I do know that we are using Storyline right now for a lot of our government clients. FedRAMP applies to the SERVERS we host the government data on. In the BLM case, it would apply to, say, a server we host that has your LMS and the uploaded Storyline course files on it.

I would guess that it's safe to assume you can use Storyline for development as long as your server side complies with FedRAMP for hosting, delivery services, and data management.

Now if you were trying to use the Storyline 360 cloud review site as a link to pass out to your agency workers - that would NOT be FedRAMP compliant. I also think that would violate Articulate's use policy. Maybe Ashley knows for sure.

Ashley, I should have an answer tomorrow morning. I can post a follow-up and/or send info to the sales team. Note: FedRAMP is a huge hurdle if you guys consider it. Our company is 1 of 95 that are authorized around the country. And in that group, some agencies, like Google, have several authorizations. So the number of actual approved companies is very small.

Robert Hambrick

*Thank you!* I appreciate the time and effort you are spending to find an
answer.

Articulate Storyline 360 is merely a Web authoring tool used to create
online content. There is nothing about it that sets off FedRAMP alarms from a
security standpoint. However, Articulate, the company, does collect and
store Personally-Identifiable Information: my name, my work email address,
the agency I work for, my credit card number, and my self-selected
password.

If the software were purchased by my agency using a federal Purchase
Authorization and loaded onto my work machine with a single sign-on, there
wouldn't be a problem. But cloud-based subscription services are very hard
to justify. We do not collect data on users; Articulate collects data on
us!

I am hopeful there is a creative way around this. Thanks for your help.

Bob O'Donnell

Well, I can tell you outright that many other government agencies in DC are using it now. I can't see how your office would be much different than any of them. We're currently working with agencies like DOE, FAI, and OPM. I may be able to put you in touch with someone at OPM that could possibly give you some guidance. I wouldn't worry about Articulate too much. The OPM breach in 2015 lost everyone's data anyway. That and the recent breach at all the credit agencies - your stuff is most likely out there already. Ok, back to FedRAMP....

Our IT guy in charge here at the office says the FedRAMP application applies to software going onto a server that hosts/holds/transfers government data. It either needs to be certified or authorized for use. FedRAMP doesn't technically apply to your current authoring tools. As long as YOUR agency approves the purchase and use of the authoring software, you should be covered.

Extra Note: If BLM requires hosting for your training courses, shoot me a separate email and I'll get you in touch with someone at OPM that can cover all the details for your office. BTW - here's the link to the authorized FedRAMP vendors. It's alphabetical, so we're listed right down below Oracle - PowerTrain, Inc. I think it took us about 2 years of hard work to get authorized and the process to keep it is a daily ongoing effort by our IT folks.

Have fun authoring! Storyline is a great tool.

https://marketplace.fedramp.gov/#/products?sort=productName

Bob O'Donnell

Thanks Ashley, I just shot them an email. I'm right there with you, all the heavy details are outside of my wheelhouse of knowledge but there are folks here who could speak to it if your sales team wishes to discuss it. There's plenty of info online regarding it. I do have to say it's a big consideration as it does take up staff hours to stay on top of it. It's fun working with the government. :0

Robert Hambrick

Thanks, Bob. Our office isn't any different than others. We create online
content for the Wildland Fire community. The aggravating thing is that the
Office of Wildland Fire has been using Articulate Storyline 360 for almost
a year, but our IT folks don't seem to get the distinction that an LCMS is
simply an authoring tool. Once the content is exported as a SCORM package
to the LMS, it's just content.

I am working with the BLM Privacy Officer in DC, so hopefully she can get
this approved. However, I will definitely check out PowerTrain. Thanks
again for the note. I'll keep you posted!

Bob O'Donnell

No problem! FYI - Our office has worked with Fire and Emergency Response folks for about 20 years. If you ever need any help, give us a shout. A lot of our courses were done for the U.S. Air Force and DoD community. Fun stuff! Last project was a Marine Firefighter course. I got to go into a nuclear sub for the first time. Reach out if you need anything.