Re: [development] development Digest, Vol 70, Issue 1
I'm coming in a bit late to the U.S. government discussion but as it's an area of expertise for me I'll weigh in with some thoughts that may (or may not) be of some help. ===Warning, these are my thoughts. They are not your thoughts. They are given for free. Take them for what they are worth. Question them and do some research before taking my word for things!!!=== Software Certification Software certification in the U.S. federal government is handled under either the Common Criteria program or the Cryptographic Module Validation Program. Generally, software is (generally) certified under Common Criteria at level 2 or 4, and that software uses cryptographic modules that were/are certified under the Cryptographic Module Validation Program. For example, Drupal would qualify for a Common Criteria certification. The PHP cryptographic module used in Drupal would be certified under the Cryptographic Module Validation Program. Separating these two pieces is very important in order to assure security (the old adage about never writing "new" cryptographic functions yourself) and to make sure the government security reviewers understand what was reviewed and how it was reviewed. FISMA and NIST The Federal Information Security Management Act of 2002 consolidated most of the U.S. federal government's information security requirements and specifically tasked the U.S. National Institutes of Standards and Technology (NIST) with developing information security guidelines for all U.S. government programs. These guidelines are published in Special Publications, the most important of which is 800-53, Recommended Security Controls for Federal Information Systems. This Special Publication provides the baseline security guidance for all federal information systems, and one of those requirements is for the certification and accreditation of systems prior to deployment. Enterprise Architecture Another aspect of U.S. federal information systems is the recent (last 10 years) move to a standardized enterprise architecture. Unfortunately, the "architecture" term tends to deceive people. What enterprise architecture normally focuses on is not "architecture" as an information architect might envision it, rather it's the selection of products, software and hardware, to be used throughout an organization. For example, an agency's enterprise architecture will state which content management systems are authorized for use within the organization. This list is maintained by the agency's chief information officer and updated on a semi-regular basis. Drupal and Uncle Sam Using Drupal on a federal task requires a couple of specific steps. First, the cryptographic modules used in the system, including those used by Drupal, must be approved by the Cryptographic Module Validation Program. This is the first and most critical security hurdle, and it should be the first question the government's independent security analyst asks when they are vetting the program. Second, if Drupal is not Common Criteria certified (at least level 2), then the program needs to include security testing to ensure the product meets or exceeds the stated claims. What's this mean? It means checking to make sure Drupal performs the functions that it claims to be able to handle, such as session management or access control. Without a Common Criteria certification this testing falls on the development/program office for the new project trying to use Drupal. Third, the actual development effort must meet all of the requirements as dictated by NIST under FISMA, i.e., Special Publication 800-53. These requirements are scaled according to the security level of the system being built, from low (that means standard) to moderate (that means enhanced) to high (that means critical to the nation). All government systems must be secure, obviously, so even low (standard) security requirements are fairly onerous. High (critical) systems true enterprise class efforts with very robust security requirements. Unfortunately, the inclusion of any personally identifiable information, such as names and addresses, elevates a system to moderate (enhanced) security right off the bat. This makes development of even small systems quite complex. Fourth, the development office needs to expand on the NIST security requirements to include functional security requirements, and any other areas specific to the application being developed. Fifth, the application must be scanned and/or tested for vulnerabilities prior to deployment. Sixth, the application must be accredited (this is the second half of certification and accreditation) prior to deployment. Typically, a certification official, independent from the development office, provides an executive (the accrediting authority) with a report on the application's security posture and any deficiencies. This report is the basis for the executive's decision about whether or not to approve deployment. Deploying Drupal My recommendation for anyone trying to deploy Drupal on a federal task is to first and foremost get it on the agency's list of approved products, i.e., the enterprise architecture. This is a time consuming task but it will pay dividends. Second, standardize on a Drupal version and document exactly what cryptographic functions will be used. Cryptography is a complex and touchy subject, probably because most of us (me included) can't really understand it directly, so using an approved cryptographic module is the only way to go. If you don't, and someone asks about it, your entire project may come to a screeching halt. I'd also take the time to go through all of the requirements for the system, whether it's low, moderate, or high, in NIST Special Publication 800-53. Doing that will allow you to interact with the certification and accreditation team on their level and you'll already know all of their questions, it's also a halfway decent security requirements reference. And don't forget to also document and work to fulfill all of your application's specific security requirements! Finally, plan on doing some actual scanning testing of the application and providing this report to the accrediting authority prior to their decision about deploying the application. <self serving promotion>Penetration testing of web applications is really helpful when it comes time to answer the question, "Is this application secure enough to put out on the Internet?"</self serving promotion>. I guess that's a lot of info, to the point of being a TLDR post :-). Sorry for rambling a bit but it's a complex subject and one I've spent more time with than I care to admit. If anyone's interested in more information (you must be crazy!) feel free to drop me a line. Oh, and all this stuff only applies to normal government tasks, sensitive but unclassified stuff, not to national security efforts, those are governed under Department of Defense guidelines, not by NIST. Micah Tapman Principal Quest Consultants LLC 240-297-1014 development-request@drupal.org wrote:
Send development mailing list submissions to development@drupal.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.drupal.org/listinfo/development or, via email, send a message with subject or body 'help' to development-request@drupal.org
You can reach the person managing the list at development-owner@drupal.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of development digest..."
Today's Topics:
1. Re: Certify Drupal for use in Government (US) Projects (Piermaria Maraziti) 2. Re: Certify Drupal for use in Government (US) Projects (Bryan Ruby) 3. Re: Certify Drupal for use in Government (US) Projects (Jon Saints) 4. Announcing DRUPAL-7-0-UNSTABLE-1 (Angela Byron)
----------------------------------------------------------------------
Message: 1 Date: Wed, 01 Oct 2008 01:02:15 +0200 From: Piermaria Maraziti <piermaria@maraziti.it> Subject: Re: [development] Certify Drupal for use in Government (US) Projects To: development@drupal.org Message-ID: <20080930230359.675E31440B8@polimnia.eridia.it> Content-Type: text/plain; charset="us-ascii"; format=flowed
At 17.14 30/09/2008, you wrote:
The "transparency" of the Drupal project was one of the government's big objections.
Just as a quick note by a lurker: various organs of the Italian government (Finance Ministery but not only) judged the "open" is OS projects to be a very good element for the usual reasons addressed by OS evangelists, also about security issues. It's a priority, to them, also the active participation in community: giving help when they can to receive help when they need (yep: most utilitary, not so idealistic - but pragmatic and correct).
Ciao!
--8<-----------------------------------fnord----- Piermaria Maraziti piermaria@maraziti.it KALLISTI ICQ744473 MSN:kallisti@hotmail.it +3934735GILDA www.gilda.it www.eridia.it www.hovistocose.it
------------------------------
Message: 2 Date: Tue, 30 Sep 2008 21:47:44 -0500 From: Bryan Ruby <bryan@cmsreport.com> Subject: Re: [development] Certify Drupal for use in Government (US) Projects To: development@drupal.org Message-ID: <48E2E4D0.9060502@cmsreport.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
I've read all the messages in this thread, but I want to build on what Steven has to say here. Please allow one disclaimer so I don't get myself in trouble. Although I work for the federal government, I do not speak for the federal government nor from my position in the federal government. I'm simply a Drupal fan.
Steven is right about the number of competing standards/programs and levels of reviews/audits/and certification that go on in the federal government. In many of the cases with FISMA (one of the standards Joe links to in his first message), the certification that takes place in most agencies are for systems and not in particular a single application such as Drupal. In many respects this is a bottom-up certification where each person in the chain certifies to their supervisor that a system follows agency rules, guidelines and federal laws in making sure the system is secure, properly patched, and all risks have been identified/minimized. It is a very difficult and laborious process in trying to policy put into practice.
My agency utilizes a mix of Unix, Linux, and Windows systems. On our administrative PCs we run a mix of propriety and open source software (we've used Thunderbird as our official email client for years). On our operational systems all our applications and OS are open source or built in-house applications (utilizing Java, Tcl, Python, and variations of C). Federal agencies can and do adopt open source for their applications. In fact, I've seen the certification process knock out more propriety systems than open source systems especially if they're aging systems with little in the way of user access control granted. Every year, I have to have one necessary propriety system given an exception since it doesn't quite meet the requirements...and this system can't even be networked into the office LAN.
Here is my guess as to why Drupal wasn't accepted, without getting deep into the policy. As I said at the start, from the system owner all the way up through the agency's management up to the CIO...EVERYONE has to certify that the system is secure and risks have been identified/minimized. This is especially true when it comes to personally identifiable information (PII) and/or if the system is outside the firewall. In order for all those people to sign on to the certification, they each have to have an understanding of the system. My guess is that someone was not comfortable with their own understanding of Drupal or open source to know whether the system would meet all the requirements (especially if they're racing to complete budgets/certifications during the final hours of the fiscal year. The fact is some agencies or managers in those agencies just don't have an understanding of the open source model and are very cautious in moving away from what they know. Eventually, we'll have to educate them.
Joe, what strikes me as odd though is that before a project is approved these days the security requirements are understood. It sounds to me as if someone on the federal side didn't do their job in working with and informing the IT Security Officer about what this project was all about. Very interesting and I hope it never happens to me.
BryanSD
Steven Peck wrote:
Which government security review/standard?
There are dozens if not hundreds of competing standards/programs and levels of auditing and determination depending on which department you are dealing with. For example just one program was formerly known as DITSCAP and is now DIACAP.
Many of these have more to do with procedures and policies then code.
Steven
On Tue, Sep 30, 2008 at 8:40 AM, Jon Saints <saintsjd@gmail.com> wrote:
The names of Citizens are collected on the website along with some personal contact information. We were told that our application required the Medium level security certification.
For collecting more sensitive information, certification becomes nearly impossible.
Thanks Jon
On Tue, Sep 30, 2008 at 9:35 AM, Gerhard Killesreiter <gerhard@killesreiter.de> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Jon Saints schrieb:
On a recent project for the US government, half way through the development process, our work was stopped by a government security review which said that Drupal (and open source software in general) is not suitable for use in government projects that house personal information due to security concerns.
Just out of interest: What kind of information are we talking about? Tax numbers, bank accounts?
[...]
I notice other governments around the world are using Drupal with great success and savings to citizens: http://buytaert.net/new-zealand-government-using-drupal
Seems like a showcase site only.
Cheers, Gerhard -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFI4kdWfg6TFvELooQRArp1AKCdXFYZDMztJ7wrhhiOJOFG4q3/lACfbsXK BX1vLaioeWG348yH/V/ufKs= =yFhK -----END PGP SIGNATURE-----
------------------------------
Message: 3 Date: Tue, 30 Sep 2008 23:27:17 -0600 From: "Jon Saints" <saintsjd@gmail.com> Subject: Re: [development] Certify Drupal for use in Government (US) Projects To: development@drupal.org Message-ID: <8e779d5d0809302227y6a2d6f41q4bf6f728a496dd9a@mail.gmail.com> Content-Type: text/plain; charset="iso-8859-1"
Thanks for all the informative comments. The discussion has been most helpful.
Its does appear that our case was the result of a decision of an individual (who maybe is not familiar with Drupal), and not a sign of general opposition by the government to Open Source software.
That is good to know.
Reading through NIST's documentation it seems that certification for software to meet the FISMA standards usually takes years. As others have pointed out, this is just one of many different standards that the government has for software. Its unclear to me where we could even start to certify Drupal for government use.
The lesson here... approval of open source tools seems to happen on a case by case and department by department basis. Even if your project is approved by a Department heads, ask for a review of the proposal by the Security Officer in charge before work begins. In our case, I am not sure why that did not happen until half way through the project. We are just learning to work for the government. So this is a lesson we will take carefully into all our work from here on.
I have contacted NIST to see if I could sit down and chat with someone to bring up some of our questions posted in this thread. If I do get a conversation, I will be sure to post the comments back to the group here. I have also asked them for alist of the approved content management systems so we can get an idea of which companies/projects have achieved certification.
Thanks Jon
On Tue, Sep 30, 2008 at 8:47 PM, Bryan Ruby <bryan@cmsreport.com> wrote:
I've read all the messages in this thread, but I want to build on what Steven has to say here. Please allow one disclaimer so I don't get myself in trouble. Although I work for the federal government, I do not speak for the federal government nor from my position in the federal government. I'm simply a Drupal fan.
Steven is right about the number of competing standards/programs and levels of reviews/audits/and certification that go on in the federal government. In many of the cases with FISMA (one of the standards Joe links to in his first message), the certification that takes place in most agencies are for systems and not in particular a single application such as Drupal. In many respects this is a bottom-up certification where each person in the chain certifies to their supervisor that a system follows agency rules, guidelines and federal laws in making sure the system is secure, properly patched, and all risks have been identified/minimized. It is a very difficult and laborious process in trying to policy put into practice.
My agency utilizes a mix of Unix, Linux, and Windows systems. On our administrative PCs we run a mix of propriety and open source software (we've used Thunderbird as our official email client for years). On our operational systems all our applications and OS are open source or built in-house applications (utilizing Java, Tcl, Python, and variations of C). Federal agencies can and do adopt open source for their applications. In fact, I've seen the certification process knock out more propriety systems than open source systems especially if they're aging systems with little in the way of user access control granted. Every year, I have to have one necessary propriety system given an exception since it doesn't quite meet the requirements...and this system can't even be networked into the office LAN.
Here is my guess as to why Drupal wasn't accepted, without getting deep into the policy. As I said at the start, from the system owner all the way up through the agency's management up to the CIO...EVERYONE has to certify that the system is secure and risks have been identified/minimized. This is especially true when it comes to personally identifiable information (PII) and/or if the system is outside the firewall. In order for all those people to sign on to the certification, they each have to have an understanding of the system. My guess is that someone was not comfortable with their own understanding of Drupal or open source to know whether the system would meet all the requirements (especially if they're racing to complete budgets/certifications during the final hours of the fiscal year. The fact is some agencies or managers in those agencies just don't have an understanding of the open source model and are very cautious in moving away from what they know. Eventually, we'll have to educate them.
Joe, what strikes me as odd though is that before a project is approved these days the security requirements are understood. It sounds to me as if someone on the federal side didn't do their job in working with and informing the IT Security Officer about what this project was all about. Very interesting and I hope it never happens to me.
BryanSD
Steven Peck wrote:
Which government security review/standard?
There are dozens if not hundreds of competing standards/programs and levels of auditing and determination depending on which department you are dealing with. For example just one program was formerly known as DITSCAP and is now DIACAP.
Many of these have more to do with procedures and policies then code.
Steven
On Tue, Sep 30, 2008 at 8:40 AM, Jon Saints <saintsjd@gmail.com> wrote:
The names of Citizens are collected on the website along with some personal contact information. We were told that our application required the Medium level security certification.
For collecting more sensitive information, certification becomes nearly impossible.
Thanks Jon
On Tue, Sep 30, 2008 at 9:35 AM, Gerhard Killesreiter <gerhard@killesreiter.de> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Jon Saints schrieb:
On a recent project for the US government, half way through the development process, our work was stopped by a government security review which said that Drupal (and open source software in general) is not suitable for use in government projects that house personal information due to security concerns.
Just out of interest: What kind of information are we talking about? Tax numbers, bank accounts?
[...]
I notice other governments around the world are using Drupal with great success and savings to citizens: http://buytaert.net/new-zealand-government-using-drupal
Seems like a showcase site only.
Cheers, Gerhard -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFI4kdWfg6TFvELooQRArp1AKCdXFYZDMztJ7wrhhiOJOFG4q3/lACfbsXK BX1vLaioeWG348yH/V/ufKs= =yFhK -----END PGP SIGNATURE-----
participants (1)
-
Micah Tapman