Key Takeaways
- A government Learning Management System (LMS) purchase has 3 reviewers, not 1: the Chief Information Officer’s security team, the procurement officer, and the Inspector General. Picking the LMS means picking one that holds up at all 3 reviews.
- The Federal Information Security Modernization Act (FISMA) classification of the training data, Low, Moderate, or High, decides what the LMS has to meet before procurement begins. Classifying the data first shrinks the shortlist on its own.
- The vendor security review is not abstract. It is 8 specific questions the procurement officer needs answered in writing before contract signing.
- One LMS that clears one security review and rolls out to 14 cabinet agencies beats 14 separate procurements. This is where the central HR Director earns the budget back.
- The Inspector General (IG) audit is the test the LMS finally has to pass. A defensible training record carries 5 fields and exports on demand in CSV, PDF, and JSON formats.
A federal HR Director at a Cabinet agency with 12,000 employees needs a learning management system. The Chief Information Officer’s security team hands over a 50-item checklist. The procurement officer asks for the General Services Administration (GSA) Schedule number on Friday. The Inspector General will audit the training records next year. The HR Director has not run a federal LMS procurement before, and the 6 vendors on the shortlist all appear acceptable on the surface.
This is the buying view from within a public-sector LMS purchase. The challenge isn’t finding an enterprise LMS. The challenge is picking one whose documentation package, security profile, and audit output hold up when the security team, the procurement officer, and the Inspector General each ask their questions in turn.
This guide walks first-time HR Directors through the 5 decisions that shape the purchase: how to classify the training data, what to ask each vendor in writing, how to roll one LMS out across multiple agencies on a single security review, what the LMS has to produce when the Inspector General calls, and what to do next.
Classify the Training Data First, Then Build the Shortlist
The first decision is the one most HR Directors skip on their first procurement. Before talking to any vendor, classify the impact level of the training data the LMS will hold. The classification determines what the LMS must meet, narrowing the vendor list before evaluation begins.
The Federal Information Security Modernization Act of 2014, known as FISMA (Public Law 113-283, codified at 44 U.S.C. §3551 et seq., signed into law December 18, 2014), requires every federal agency to develop, document, and implement an agency-wide information security program. For an LMS, FISMA flows through to one practical question: what is the impact level of the data the system will hold?
Federal Information Processing Standard 199 (FIPS 199), a federal standard from the National Institute of Standards and Technology (NIST), sets 3 impact levels.
Low Impact
Limited adverse effect if the data is compromised. A general workforce training catalog with no Personally Identifiable Information (PII, the term federal agencies use for information that can identify an individual employee) beyond employee name and identifier sits here.
Moderate Impact
Serious adverse effect if compromised. A training record that includes personnel data, demographic data, financial disclosure attestation, ethics training records, or performance review data tied to training sits here. This is the typical floor for a federal LMS handling employee training at scale.
High Impact
Severe or catastrophic effect if compromised. National security training records, classified-environment training, or training tied to sensitive law enforcement or intelligence data sits here.
The classification matters because it sets the FedRAMP authorization level the LMS needs and the security control baseline the vendor inherits.
What is FedRAMP? The Federal Risk and Authorization Management Program is the federal government’s standardized program that authorizes cloud services for use by federal agencies. It uses the same 3 impact levels (Low, Moderate, High) as FIPS 199. A cloud-based LMS handling federal employee training data typically requires FedRAMP Moderate authorization at a minimum.
Classifying the training data first means an HR Director can rule out vendors that can’t meet the required level, instead of finding out 6 months into the evaluation. Once the classification is set, the conversation with each vendor follows a script.
Ask Each Vendor These 8 Security Questions in Writing
The CIO security team will not approve the LMS without documentation that answers a specific set of questions. The HR Director’s job is to get those answers in writing from each shortlisted vendor before the procurement officer narrows to a final 2.
Question 1: What is the FedRAMP authorization status?
Low, Moderate, or High. Confirm that the authorization is current under FedRAMP’s single-agency-sponsored path (the Joint Authorization Board and its P-ATO were retired in 2024, when the FedRAMP Board took over governance; legacy JAB authorizations transitioned to the unified FedRAMP authorization). Confirm the current listing on the FedRAMP Marketplace at marketplace.fedramp.gov.
Question 2: What does the Customer Responsibility Matrix split between vendor and agency?
The Customer Responsibility Matrix (CRM) is a vendor-produced document that shows which security controls under NIST SP 800-53 the vendor handles and which the customer agency handles. NIST SP 800-53 Revision 5 (the federal security and privacy controls catalog, published September 23, 2020, by NIST) defines those controls. An HR Director who waits until contract signing to see the CRM gets a CRM that splits responsibilities in ways neither side expected.
Question 3: Does the LMS support PIV and CAC single sign-on?
Federal employees and contractors use a Personal Identity Verification (PIV) card issued under Homeland Security Presidential Directive 12 (HSPD-12, signed by President George W. Bush on August 27, 2004) and FIPS 201 (the federal standard for identity verification). The Department of Defense equivalent is the Common Access Card (CAC). Single sign-on (SSO) means the employee logs in once with their card and is authenticated across systems. The LMS must support PIV and CAC SSO through standard identity protocols (Security Assertion Markup Language, or SAML 2.0, and OpenID Connect), federated to each agency’s own identity provider.
Question 4: Is the cryptography FIPS-validated?
FISMA requires federal systems to use cryptographic modules validated under the federal cryptographic standard. FIPS 140-3 (approved March 22, 2019) is the current standard. The previous standard, FIPS 140-2, remains active until September 21, 2026, after which validated modules move to the Historical List and federal agencies should not include them in new procurements. The vendor should document its FIPS 140-3 (or current FIPS 140-2) validated cryptographic modules.
Question 5: Where does the data live?
U.S.-only data centers, with documented backup and cross-border transit policies. Federal training data outside the United States is a buying gate for most agencies.
Question 6: Where is the Section 508 documentation?
Section 508 of the Rehabilitation Act of 1973 (codified at 29 U.S.C. §794d) requires federal Information and Communication Technology to be accessible to people with disabilities. The Revised 508 Standards (final rule January 18, 2017, with compliance date January 18, 2018) align with the Web Content Accessibility Guidelines (WCAG) 2.0 Level A and AA. The vendor must produce a current Voluntary Product Accessibility Template (VPAT) or Accessibility Conformance Report (ACR) before the procurement officer can complete the award.
Question 7: What is the NIST 800-171 vendor posture?
NIST Special Publication 800-171 Revision 3 (published May 14, 2024) sets 97 security requirements for protecting Controlled Unclassified Information (CUI, the federal term for sensitive information that is not classified but still requires safeguarding) in systems run by federal contractors. The vendor should document its 800-171 posture. For Department of Defense procurements and DoD subcontracts, the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework applies with 3 maturity levels: Foundational, Advanced (built on NIST 800-171), and Expert (built on NIST 800-172).
Question 8: Does the vendor accept the Federal Acquisition Regulation clause flow-down?
The Federal Acquisition Regulation (FAR) is the rulebook that governs how federal agencies buy goods and services. Certain clauses must flow down from the agency to the vendor in the contract: FAR 52.204-21 (15 basic safeguarding requirements for vendor information systems), 52.204-25 (prohibition on covered telecommunications equipment from Huawei, ZTE, Hytera, Hikvision, and Dahua), 52.204-27 (TikTok and ByteDance prohibition on devices used for federal work), and FAR Subpart 39.2 (Section 508 requirements in federal IT procurement). Each clause should be accepted in writing.
A vendor that cannot answer all 8 in writing does not meet federal procurement requirements. State and local HR Directors run the parallel scrub using GovRAMP (formerly StateRAMP, rebranded on February 14, 2025), the state-and-local equivalent of FedRAMP, adopted by 27 states as of 2025. The 8 questions become the procurement officer’s qualification gate, which makes the next decision easier.
Roll One LMS Out Across Multiple Agencies on a Single Security Review
The most expensive procurement mistake a central HR Director makes is conducting 14 separate security reviews for a single platform across 14 cabinet agencies. The 6-month duplicate scrub that follows is the part the budget cannot absorb.
An LMS evaluated and authorized at the central level can be rolled out to every downstream agency under the same authorization package, provided 3 conditions are met.
Condition 1: One Authorization Package, Reused Across Agencies
A FedRAMP Agency ATO sponsored by one agency is reusable by every other agency under the FedRAMP authorization reuse model. The LMS listing on the FedRAMP Marketplace is the public record other agencies use to consume the same authorization. A central HR Director who sponsors the Agency ATO at the parent department delivers a platform every downstream agency can adopt without a separate security review.
Condition 2: One Identity Model, Federated to Every Agency
The LMS connects to each agency’s identity provider through SAML 2.0 or OpenID Connect, with PIV and CAC single sign-on at the front. Each agency administers its own identity directory. The LMS authenticates everyone the same way.
Condition 3: One Reporting Layer, Agency-Specific Views
The LMS rolls up to the central HR Director and breaks down to the agency HR Director, the bureau training officer, and the manager at the field office. One platform, multiple views. The central office gets the cross-agency rollup. Each agency sees only its own employees.
The payoff is procurement velocity. A 14-agency rollout that relies on a single security review and a single identity model can go live in 90 days. A 14-agency rollout that runs on 14 separate security reviews goes live in 18 months. The 17 months of saved time is the budget the central HR Director can spend on the actual training program.
Make Sure the LMS Produces What the Inspector General Asks For
The Inspector General audit is the test the LMS must finally pass. The Inspector General Act of 1978 (as amended) gives every federal Office of Inspector General the authority to audit agency programs and report findings semiannually to Congress. When the IG arrives, the question is direct: which employees completed which training, on which date, against which version, with what attestation evidence. The LMS that can answer in 30 minutes wins. The LMS that needs 30 days of manual reconciliation produces a delay finding in the IG’s report.
A defensible, audit-ready record carries 5 fields.
Field 1: Course or Policy Identifier and Version
Every training assignment is tied to a specific version of the course or policy. The IG cross-checks the version against the published source to confirm the employee was trained on the right material.
Field 2: Employee Identifier
The employee’s HR identifier (the unique number the agency assigns to each employee), not their name. The IG ties the identifier back to current personnel records to confirm the employee was active on the training date.
Field 3: Timestamp
Generated by the LMS server, expressed in Coordinated Universal Time (UTC) with the local timezone offset, and not editable by the user. A timestamp the user can edit is not a defensible timestamp.
Field 4: Attestation Language
The exact text the employee read at the moment of acknowledgment. If the language changed between versions of the policy or course, the record preserves which version the employee saw.
Field 5: Source-of-Truth Chain
A description of where the record came from, who has access to it, and what can’t be edited. The chain documents the path from the moment of training, through the system that stores the record, to the report the IG reads, with no gaps where a record could be changed.
The LMS that exports these 5 fields in CSV (a simple spreadsheet format), PDF, and JSON (a system-to-system data format) on demand reduces IG audit response time from weeks to hours. Federal Freedom of Information Act (FOIA, 5 U.S.C. §552) requests also pull training records into the 20-business-day response window, with 9 statutory exemptions defining what an agency can withhold. Parallel state public records laws (California Public Records Act, New York Freedom of Information Law, Illinois Freedom of Information Act, and the Texas Public Information Act) carry similar response windows. On-demand export is a procurement requirement, not a feature.
What to Do Next
A first-time HR Director who runs this guide top to bottom does 4 things before the next vendor call:
First, classify the training data under FIPS 199 to set the FedRAMP authorization level the LMS needs.
Second, send all 8 security questions to each shortlisted vendor in writing, with a deadline. The vendor’s response shortens the list on its own.
Third, plan the rollout for one security review across all agencies, not 14 separate ones. Sponsor the Agency ATO at the central level if the budget allows.
Fourth, scope the IG audit output up front. Ask each vendor for a sample of the 5-field export in CSV, PDF, and JSON formats. The vendor that can produce the export in the demo is the vendor that will produce it under audit pressure 18 months later.
The HR Director who follows these 4 steps walks into the next procurement meeting with the shortlist, the security documentation, the rollout plan, and the audit-ready evidence already in hand. The CIO security team approves faster. The procurement officer signs faster. The IG audit lands cleanly when it comes.
KnowledgeCity’s LMS supports multi-agency rollout under one authorization package with agency-specific reporting views.
Frequently Asked Questions
- Where do first-time HR Directors usually go wrong in a government LMS purchase?
The 3 most common first-timer mistakes are skipping the FIPS 199 classification (which means the shortlist includes vendors that cannot meet the required FedRAMP level), not asking for the Customer Responsibility Matrix until contract signing (which means responsibilities are split in ways neither side expected), and treating multi-agency rollout as 14 separate procurements (which adds 17 months of duplicate security reviews to the timeline). All 3 are avoidable with the right setup before vendor conversations start.
- Can one LMS support multiple agencies under one security review?
Yes, when the LMS holds a FedRAMP Agency ATO that is reusable across agencies under the FedRAMP authorization reuse model, supports SAML 2.0 or OpenID Connect federated identity to each agency’s directory, and produces agency-specific reporting views on top of one central rollup. The central HR Director authorizes it once, and each downstream agency adopts it under the same package. A 14-agency rollout can go live in 90 days instead of 18 months under this model.
- What does an Inspector General audit-ready training record actually look like?
It carries 5 fields: course or policy identifier and version, employee HR identifier, server-generated timestamp in UTC with timezone, exact attestation language, and a source-of-truth chain that documents how the record was created, stored, and exported. Export formats include CSV, PDF, and JSON. The LMS that produces this export on demand reduces IG audit response from weeks to hours.
- Does FedRAMP authorization apply to state and local agencies?
FedRAMP is the federal government authorization program. State and local agencies use the parallel program GovRAMP (formerly StateRAMP, rebranded on February 14, 2025), which has its own Low, Low+, Moderate, and High impact levels with Ready, Provisional, and Authorized status milestones. State and local LMS purchases run on GovRAMP rather than FedRAMP, with the same general structure of authorization and authorization reuse.
References
- U.S. Congress. Federal Information Security Modernization Act of 2014, Public Law 113-283, codified at 44 U.S.C. §3551 et seq., signed December 18, 2014.
- National Institute of Standards and Technology. FIPS 199, Standards for Security Categorization of Federal Information and Information Systems.
- National Institute of Standards and Technology. NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, published September 23, 2020.
- FedRAMP Program Management Office. FedRAMP authorization model (Low, Moderate, High impact levels; single agency-sponsored authorization path following the 2024 retirement of the Joint Authorization Board).
- Federal CIO Council and NIST. Homeland Security Presidential Directive 12 (signed August 27, 2004) and FIPS 201 Personal Identity Verification of Federal Employees and Contractors.
- National Institute of Standards and Technology. FIPS 140-3 Transition Effort and Cryptographic Module Validation Program. FIPS 140-2 modules move to the Historical List on September 21, 2026.
- U.S. Access Board and GSA. Section 508 of the Rehabilitation Act, 29 U.S.C. §794d. Revised 508 Standards published January 18, 2017, with compliance date January 18, 2018, aligned to WCAG 2.0 Level A and AA.
- National Institute of Standards and Technology and DoD. NIST SP 800-171 Revision 3 (published May 14, 2024) with 97 security requirements; CMMC 2.0 with 3 maturity levels (Foundational, Advanced, Expert).
- General Services Administration. Federal Acquisition Regulation 52.204-21 (Basic Safeguarding, 15 requirements), 52.204-25 (Covered Telecommunications Equipment from Huawei, ZTE, Hytera, Hikvision, and Dahua), 52.204-27 (TikTok and ByteDance Prohibition), and FAR Subpart 39.2 Information and Communication Technology.
- GovRAMP (formerly StateRAMP, rebranded February 14, 2025). State and local government cloud authorization program with Low, Low+, Moderate, and High impact levels and Ready, Provisional, and Authorized status milestones; adoption across 27 states.
- U.S. Department of Justice. Freedom of Information Act, 5 U.S.C. §552 (20-business-day response window, 9 statutory exemptions).
- Inspector General Act of 1978, as amended, codified at 5 U.S.C. §401 et seq., establishing federal Offices of Inspector General with semiannual reporting requirements.


