Cloud-based usage and approval (FedRAMP?)

Hi all,

Currently my department states that I cannot use Zotero Connector (or Zotero), primarily because Zotero has the option to sync with an unapproved cloud-based system. I realize this can be toggled off, but the department imposed this as a blanket ban, and the cloud-based system must be approved by FedRAMP for it to be unbanned (i.e. approved). (https://marketplace.fedramp.gov/#/products?status=In Process&sort=productName)
That said, no one is yet sure what cloud system Zotero uses (e.g. Amazon? Oracle?), and so I cannot find documentation for or against its use.

I may be forced to use RefWorks (though I am also not sure what cloud system it uses), but I truly like the modifiable open access model and would like to be able to continue to use Zotero.

Any guidance would be much appreciated,

Adam
  • Zotero is entirely run from AWS US-East servers which seem like they're approved (https://marketplace.fedramp.gov/#/product/aws-us-eastwest) -- but I honestly don't know where they document that -- but if that alone helps, I'm sure they'd be happy to officially confirm.

    But it also seems like Zotero would have to be separately certified as a dependent product? If that's necessary, I think the chances of that happening are slim given the time and resources (you have to hire someone to do the assessment, which presumably is quite expensive).
  • Much appreciated Adam!

    That may help quite a bit. It would definitely be problematic if it had to be separately certified. At that point I would definitely give up. I am going to contact AWS US-East to see if I can get that in writing. Any recommendations on who to contact? I was just going to go to the website.

    Best,

    Adam
  • What do you need in writing? That Zotero is on AWS-East? You'd want that from Zotero, not from Amazon. @dstillman should be able to help with that.
  • Yes, I think that would essentially be what I need. I contacted AWS-East just in case, but I agree, they probably don't want to give out customer information.
  • I realize this can be toggled off, but the department imposed this as a blanket ban, and the cloud-based system must be approved by FedRAMP for it to be unbanned (i.e. approved).
    It's not just that it can be toggled off. Zotero saves all data locally unless you explicitly set up syncing. Banning open-source software that purposely protects your privacy by saving your data locally by default is pretty ridiculous, so I would try to push back on that.

    As for syncing, I can confirm (as Zotero's lead developer) that Zotero stores all data in AWS US-East-1. If you email support@zotero.org we can put that in an email, but that's all we can do — this is pretty straightforward, so we don't provide custom documentation.

    Amazon definitely isn't going to confirm anything about Zotero (and it would be deeply concerning if they did).
  • I completely agree, thank you for this!! I think an email should be sufficient, and I will contact support again if it's not. As I've been using Zotero for some time, and feel that RefWorks is an inferior product, I truly hope that this is resolved appropriately.

    It is truly odd to me that open-source software, especially software like Zotero, is not the default option for use by USG employees.
  • edited December 12, 2017
    Especially given that RefWorks is cloud only and apparently not certified by FedRAMP... Good luck!

    Small tangent:
    It is truly odd to me that open-source software, especially software like Zotero, is not the default option for use by USG employees.
    There's a long and complicated history there. The Obama administration had some very serious open source advocates in key IT procurement positions, but there was a lot of lobbying against that (the letter by Oracle as comment on new procurement guidelines went viral-ish), so they only got so far. I'd be surprised if the current administration followed in those steps but haven't heard anything either way.
  • Thanks Adam! Hopefully those officials are still present...

    Huh, that was my impression of RefWorks as well. I just assumed that it was FedRAMP approved, but it would be a bit hilarious if it's not.

    As for the tangent... I would like to write a long comment on this, but sadly I cannot as I'm still at work and the whole Hatch Act thing prevents me from doing so. Suffice to say that as a USG ecologist I am saddened by quite a few things nowadays...
  • I've added an official documentation page with the relevant information:

    https://www.zotero.org/support/security
  • @USFWS-PIFWO-CCSHC
    I am a Fed that was recently told that Zotero isn't allowed. I'm curious to know if you had any luck with your agency.