FYI for Zotero leadership/developer regarding government users

I work for a US Federal government agency (a science agency that works on regular non-sensitive topics). We've been told that we're not allowed to use Zotero anymore. When I asked why, the person I spoke to thought it was because the software is not "FedRAMP" compliant. I don't know much about this, or whether you can do anything about it, but I thought you should be aware of an issue that will drive away a portion of users.
  • @ike9898: There's nothing we can do about the FedRAMP part — compliance programs like those just aren't realistic for an organization of our size*, and I'm not sure any similar tools, even from vastly larger companies, have these certifications — but I'd reiterate what I say in that other thread:
    Zotero saves all data locally unless you explicitly set up syncing. Banning open-source software that purposely protects your privacy by saving your data locally by default is pretty ridiculous, so I would try to push back on that.
    In other words, the point is that Zotero isn't, by default, a cloud-based tool, making FedRAMP irrelevant.

    Another relevant thread is this more recent one, where I mention the possibility of our adding an enterprise setting to Zotero to fully disable the syncing capability. As I say there, whether we bothered implementing that would depend on whether it would actually satisfy the compliance departments in question, because Zotero would still need network access to download materials, etc. — you just wouldn't have the option as a user of having it sync your data. We're still open to feedback on whether that would be helpful.


    * FedRAMP's blog post on small businesses says that 30% of certified providers are small businesses, with an asterisk helpfully pointing out that "the U.S. Small Business Administration counts companies with less than $35.5 million in sales and approximately 1,500 employees as 'small businesses.'"