On Tue, Sep 30, 2008 at 8:47 PM, Bryan Ruby
<bryan@cmsreport.com> wrote:
I've read all the messages in this thread, but I want to build on what Steven has to say here. Please allow one disclaimer so I don't get myself in trouble. Although I work for the federal government, I do not speak for the federal government nor from my position in the federal government. I'm simply a Drupal fan.
Steven is right about the number of competing standards/programs and levels of reviews/audits/and certification that go on in the federal government. In many of the cases with FISMA (one of the standards Joe links to in his first message), the certification that takes place in most agencies is for systems and not in particular a single application such as Drupal. In many respects this is a bottom-up certification where each person in the chain certifies to their supervisor that a system follows agency rules, guidelines and federal laws in making sure the system is secure, properly patched, and all risks have been identified/minimized. It is a very difficult and laborious process trying to put policy into practice.
My agency utilizes a mix of Unix, Linux, and Windows systems. On our administrative PCs we run a mix of proprietary and open source software (we've used Thunderbird as our official email client for years). On our operational systems all our applications and OS are open source or built in-house applications (utilizing Java, Tcl, Python, and variations of C). Federal agencies can and do adopt open source for their applications. In fact, I've seen the certification process knock out more proprietary systems than open source systems, especially if they're aging systems with little in the way of user access control granted. Every year, I have to have one necessary proprietary system given an exception since it doesn't quite meet the requirements...and this system can't even be networked into the office LAN.
Here is my guess as to why Drupal wasn't accepted, without getting deep into the policy. As I said at the start, from the system owner all the way up through the agency's management up to the CIO...EVERYONE has to certify that the system is secure and risks have been identified/minimized. This is especially true when it comes to personally identifiable information (PII) and/or if the system is outside the firewall. In order for all those people to sign on to the certification, they each have to have an understanding of the system. My guess is that someone was not comfortable with their own understanding of Drupal or open source to know whether the system would meet all the requirements (especially if they're racing to complete budgets/certifications during the final hours of the fiscal year). The fact is some agencies or managers in those agencies just don't have an understanding of the open source model and are very cautious in moving away from what they know. Eventually, we'll have to educate them.
Joe, what strikes me as odd though is that before a project is approved these days the security requirements are understood. It sounds to me as if someone on the federal side didn't do their job in working with and informing the IT Security Officer about what this project was all about. Very interesting and I hope it never happens to me.
BryanSD
Steven Peck wrote:
Which government security review/standard?
There are dozens if not hundreds of competing standards/programs and
levels of auditing and determination depending on which department you
are dealing with. For example just one program was formerly known as
DITSCAP and is now DIACAP.
Many of these have more to do with procedures and policies than code.
Steven
On Tue, Sep 30, 2008 at 8:40 AM, Jon Saints <saintsjd@gmail.com> wrote:
The names of Citizens are collected on the website along with some personal
contact information. We were told that our application required the Medium
level security certification.
For collecting more sensitive information, certification becomes nearly
impossible.
Thanks
Jon
On Tue, Sep 30, 2008 at 9:35 AM, Gerhard Killesreiter
<gerhard@killesreiter.de> wrote:
Jon Saints schrieb:
On a recent project for the US government, half way through the
development process, our work was stopped by a government security
review which said that Drupal (and open source software in general)
is not suitable for use in government projects that house personal
information due to security concerns.
Just out of interest: What kind of information are we talking about?
Tax numbers, bank accounts?
[...]
I notice other governments around the world are using Drupal with great
success and savings to citizens:
http://buytaert.net/new-zealand-government-using-drupal
Seems like a showcase site only.
Cheers,
Gerhard