eLearning is integral to learning and development for all organizations, and getting it right is particularly critical for governments. In the United States, federal government departments and agencies like the National Institutes of Health, Department of Defense, and General Services Administration have offices and employees across the United States and worldwide. The only practical way for them to deliver standardized training is through eLearning.
Governments require high security and privacy compliance standards, particularly in high-consequence domains like defense. The compliance environment can be daunting for governments engaged in creating and delivering eLearning content and private sector vendors providing eLearning platform technologies. For vendors seeking to work with government agencies, deciding which compliance certifications to pursue is particularly daunting.
The requirements for achieving and maintaining certifications are often demanding and expensive, and it’s not always clear what opportunities a particular certification can unlock with government customers. Striking the right balance between certification capabilities and their costs requires the right certification mindset and a practical understanding of the distinctions among the array of compliance certifications available.
Assets and Liabilities
Compliance may seem like merely a hurdle that must be overcome to do business with government customers. However, the investment in certifications and the opportunities they create make the situation more like a balance sheet assessment. By focusing purely on the economic effects different certifications will have on the business and how they align with their product or service, eLearning platform vendors will set themselves up for success in the government sector.
Certifications in Practice
It’s easy enough to read the specifications on a certification and get an idea of its purpose and rigorousness. However, figuring out how that translates to the real world of selling to government customers is an entirely different game. The following sections offer a quick-start guide for considering which certifications are an asset to government sales and which may push a business into liability territory.
SOC 2 Type 2
SOC 2 Type 2 is an industry standard for eLearning service providers in North America. It covers basic system-agnostic security controls across multiple domains. SOC 2 Type 2 is relatively inexpensive and highly demanded by the private sector and government customers, giving it a good chance of being a net asset to a business that achieves and maintains it.
HITRUST
HITRUST has several similarities with SOC 2 Type 2 in covering multi-domain, system-agnostic security controls. While it does cover more controls, its cost is as much as twice that of SOC 2 Type 2. HITRUST’s most notable feature is that it aligns with the Health Insurance Portability and Accountability Act (HIPAA), so it’s particularly valuable for vendors that want to do business with entities like the Veterans Health Administration and National Institutes of Health, both of which (among other agencies) must comply with HIPAA.
FedRAMP
In the realm of government-specific certifications, FedRAMP is one of the most versatile and valuable. Despite its name, FedRAMP also applies to state and local government compliance requirements.
For vendors looking for government customers, the only question that should complicate the decision to pursue FedRAMP certification is which of its three “Impact Levels” (Low, Moderate, and High) to aim for. For example, many vendors aim for FedRAMP Moderate, but achieving this level isn’t easy. Moderate requires a vendor to meet 325 controls and submit dozens of extensive documents.
Meeting these requirements in a reasonable time frame usually involves engaging a consulting service that can in itself cost hundreds of thousands of dollars. When specialized consulting isn’t engaged, the process will still likely cost a vendor hundreds of thousands to millions of dollars in some cases. After this significant investment, the assessment will also come with a nonrefundable fee of more than $100,000. The significant investment required for FedRAMP certification makes it highly valuable, as FedRAMP certification is a requirement throughout much of the U.S. federal government.
StateRAMP
A relatively new certification, StateRAMP has significant overlap and backward compatibility with FedRAMP. Still, it offers a lower barrier to entry for vendors seeking to work only with state governments that require it. While it has lower barriers to entry, it’s also less valuable, and it’s often better to reach FedRAMP first if possible. However, if a vendor’s exclusive focus is on state services, this is all it may need.
DoD CC SRG
The Department of Defense Cloud Computing System Requirements Guide (DoD CC SRG), which is produced by the Defense Information Systems Agency (DISA), has much in common with FedRAMP but adds controls that allow a higher classification of data to be used at each successive level.
The DISA certification’s Impact Levels are called IL2, IL4, IL5, and IL6. IL2 is directly equivalent to FedRAMP Moderate, so it’s easy to imagine how difficult it is to achieve the higher-level certifications. Indeed, as of early 2023, only 50 companies have achieved IL4 or higher. Consequently, these higher-level certifications are extremely valuable, as agencies have few vendor options for creating eLearning modules dealing with mission-critical and classified data.
Is It Worth It?
Delivering a compliant environment for government training is clearly not something an eLearning vendor would take on casually. In fact, most vendors that sell to the government have built their businesses around high-value certifications and have specialized in the government space. For providers willing to invest, the rewards can be high. In addition to working directly with government customers, vendors that have achieved hard-to-get certifications can become Managed Security Service Providers (MSSPs), helping others get their platforms into government environments.
Alternatively, if a vendor isn’t seeking to build a business around selling to government agencies, it might make more sense for it to work with an already authorized company that can help push a product into its target space much more quickly.
Rob Porter is Head of Market and Business Development for CoSo’s eLearning solutions. He’s responsible for developing and executing corporate communications, market programs, market visibility, and positioning strategy to expand CoSo’s market share in eLearning. He also has a successful 25-year track record in instructional design and eLearning programs, as well as in authoring and presenting on a variety of corporate topics and learning techniques. During his career, he has built hundreds of hours of eLearning content, workshop curricula, webinars, presentations, and multiple custom learning platforms for his customers. Additionally, Porter has supported hundreds of enterprises by designing and deploying custom learning solutions that deliver content to millions of learners. He has developed state-of-the-art learning programs for organizations such as BMW, Nike, Nikon, Johns Hopkins, Microsoft, NVIDIA, Dassault, and Domino’s. Before joining CoSo Cloud, he founded and was a principal at Training Objectives Corp.