Skillsoft Security Audit Information
Skillsoft offers its learning platforms to a variety of customers in all industry verticals worldwide, including Federal government and DoD. To address the needs of all customers, Skillsoft selected the strictest security framework for its platforms. One of the strictest security frameworks is the Federal Risk and Authorization Management Program (FedRAMP).
The FedRAMP initiative is based on the NIST 800-53 Rev. 4 framework. The graph below shows how FedRAMP compares to other security frameworks:
Skillsoft invests vast resources to maintain its FedRAMP authorizations and secure its SaaS. Skillsoft does not allow customers to conduct their own independent audits. The industry offers a variety of security frameworks aiming to set security standards considered best practices. Skillsoft aims to use a common set of security controls considered best practices, instead of having each customer "reinvent the wheel".
How to Request Security Audit Information
Skillsoft encourages customers to review our security documentation and engage in security dialogs that can improve our posture. We are always open to meet with customers and discuss security matters. Work with your Skillsoft account team to ensure the right resources from our proposal and security teams are available during the discussion.
Federal and DoD customers
For Federal and DoD customers, the audit process is well established. Federal customers can request the FedRAMP audit package directly from the FedRAMP site. Department of Defense customers rely on the Defense Information Systems Agency (DISA), which published the Cloud Computing Security Requirements Guide (CC SRG). The CC SRG defines the security requirements based on Impact Levels (IL2, IL4, IL5 & IL6).
The learning products sold by Skillsoft are defined within FedRAMP as “Moderate”. The “Moderate” level for FedRAMP is equivalent to Impact Level 2 for DoD. On August 15, 2019, DISA published a Memorandum of Reciprocity between FedRAMP and DoD for Cloud Service Offerings at Impact Level 2.
Non-Federal and non-DoD customers can obtain from Skillsoft an attestation letter for the annual FedRAMP audits conducted by an independent third party appointed by the FedRAMP authority.
Additional information available
Working with your Skillsoft account team, you can ask to see any of the following to inform your decisions:
- Results of Application Scans conducted by an independent third party
- Results of Network Penetration Tests conducted by an independent third party
- Plan of Action and Milestones (POA&M) that shows how and when vulnerability findings are addressed
- SOC2 audit results from data centers (AWS, SunGard and Iron Mountain)
- ISO 27001 audit results from British Telecom data center in Frankfurt, Germany
- Proof that Skillsoft is FedRAMP authorized for Skillport
- Proof that Skillsoft is FedRAMP authorized for Percipio
- Both platforms’ authorizations include Skillsoft Compliance (Academy)
- We also offer detailed Cloud Ops Services documentation for each platform in each country. For Percipio deployed in the European Union (EU), we have a French version as well.