Cloud Based usage and approval (FedRAMP?)
Hi all,
Currently my department states that I cannot use Zotero Connector (or Zotero), primarily because Zotero has the option to sync with an unapproved cloud based system. I realize this can be toggled off, but the department imposed this as a blanket ban, and the cloud based system must be approved by FedRAMP for it to be unbanned (i.e. approved). (https://marketplace.fedramp.gov/#/products?status=In Process&sort=productName)
That said, no one is yet sure what cloud system Zotero uses (e.g. Amazon? Oracle?), and so I cannot find documentation for or against its use.
I may be forced to use RefWorks (though I am also not sure what cloud system it uses), but I truly like the modifiable open access model and would like to be able to continue to use Zotero.
Any guidance would be much appreciated,
Adam
But it also seems like Zotero would have to be separately certified as a dependent product? If that's necessary, I think the chances of that happening are slim given the time and resource (you have to hire someone to do the assessment, which presumably is quite expensive).
That may help quite a bit. It would definitely be problematic if it had to be separately certified. At that point I would definitely give up. I am going to contact AWS US-East to see if I can get that in writing. Any recommendations on who to contact? I was just going to go to the website.
Best,
Adam
As for syncing, I can confirm (as Zotero's lead developer) that Zotero stores all data in AWS US-East-1. If you email support@zotero.org we can put that in an email, but that's all we can do — this is pretty straightforward, so we don't provide custom documentation.
Amazon definitely isn't going to confirm anything about Zotero (and it would be deeply concerning if they did).
It is truly odd to me that open source software, especially those like Zotero, are not the default option for use by USG employees.
Small tangent: There's a long and complicated history there. The Obama administration had some very serious open source advocates in key IT procurement positions, but there was a lot of lobbying against that (the letter by Oracle as comment on new procurement guidelines went viral-ish), so they only got so far. I'd be surprised if the current administration followed in those steps but haven't heard anything either way.
Huh, that was my impression of RefWorks as well. I just assumed that it was FedRAMP approved, but it would be a bit hilarious if it's not.
As for the tangent... I would like to write a long comment on this, but sadly I cannot as I'm still at work and the whole Hatch Act thing prevents me from doing so. Suffice to say that as a USG ecologist I am saddened by quite a few things nowadays...
https://www.zotero.org/support/security
I am a Fed that was recently told that Zotero isn't allowed. I'm curious to know if you had any luck with your agency.