[development] Certify Drupal for use in Government (US) Projects

Laura Scott pinglaura at gmail.com
Tue Sep 30 20:55:22 UTC 2008


Consider that one big difference between proprietary and open source  
is lobbying and existing contract relationships. Chris DiBona I  
believe spoke about how a defense contractor tried to get OSS banned  
from military systems, but after an internal audit of such systems  
revealed that a huge % of such systems (30%? More? I confess I don't  
recall) depended upon OSS, the DOD rejected the proposal.

There is more to this than simple perceptions about FOSS.

Laura


On Sep 30, 2008, at 9:14 AM, Jon Saints wrote:

> On a recent project for the US government, half way through the  
> development process, our work was stopped by a government security  
> review which said that Drupal (and open source software in general)  
> is not suitable for use in government projects that house personal  
> information due to security concerns.
>
> Because our project had been approved by higher ups within the  
> department, we were paid for our work up to that point and asked to  
> stop.  Now, its up to the tax payers to foot a much larger bill for  
> other developers to implement a proprietary and more "secure" (or  
> secretive) solution.
>
> The "transparency" of the Drupal project was one of the government's  
> big objections.  In their eyes, disclosing and fixing securit holes  
> in a timely manner, is not the same thing as security.  They pointed  
> out the 100+ security disclosures since drupal 4.0 as a reason that  
> the system could not be used.  We noted that all these disclosures  
> where quickly addressed, but that did not seem to matter.
>
> I notice other governments around the world are using Drupal with  
> great success and savings to citizens:
> http://buytaert.net/new-zealand-government-using-drupal
>
> The standards we would need to meet with drupal are:
> http://csrc.nist.gov/groups/SMA/fisma/index.html
>
> My questions are the following:
>  - Have any other developers run into this cerfication problem before?
>  - Is anyone in the drupal community currently working to get Drupal  
> certified for use in US Government projects?
>  - Does anyone know exactly what cerfication would require from a  
> development standpoint?
>
> If there is interest in investigating this type of certification  
> further, let me know. NIST, the department that certifies software,  
> is just down the road from me.  I could go investigate further.
>
> Thanks
> Jon

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.drupal.org/pipermail/development/attachments/20080930/2bdc1660/attachment.htm 


More information about the development mailing list