[development] Certify Drupal for use in Government (US) Projects

Bryan Ruby bryan at cmsreport.com
Wed Oct 1 02:47:44 UTC 2008

I've read all the messages in this thread, but I want to build on what 
Steven has to say here.  Please allow one disclaimer so I don't get 
myself in trouble.  Although I work for the federal government, I do not 
speak for the federal government nor from my position in the federal 
government.  I'm simply a Drupal fan.

Steven is right about the number of competing standards/programs and 
levels of reviews/audits/and certification that go on in the federal 
government.  In many of the cases with FISMA (one of the standards Joe 
links to in his first message), the certification that takes place in 
most agencies are for systems and not in particular a single application 
such as Drupal.  In many respects this is a bottom-up certification 
where each person in the chain certifies to their supervisor that a 
system follows agency rules, guidelines and federal laws in making sure 
the system is secure, properly patched, and all risks have been 
identified/minimized.  It is a very difficult and laborious process in 
trying to put policy into practice.

My agency utilizes a mix of Unix, Linux, and Windows systems.  On our 
administrative PCs we run a mix of proprietary and open source software 
(we've used Thunderbird as our official email client for years).  On our 
operational systems all our applications and OS are open source or built 
in-house applications (utilizing Java, Tcl, Python, and variations of 
C).  Federal agencies can and do adopt open source for their 
applications.  In fact, I've seen the certification process knock out 
more proprietary systems than open source systems, especially if they're 
aging systems with little in the way of user access control granted.  
Every year, I have to have one necessary proprietary system given an 
exception since it doesn't quite meet the requirements...and this system 
can't even be networked into the office LAN.

Here is my guess as to why Drupal wasn't accepted, without getting deep 
into the policy.  As I said at the start, from the system owner all the 
way up through the agency's management up to the CIO...EVERYONE has to 
certify that the system is secure and risks have been 
identified/minimized.  This is especially true when it comes to 
personally identifiable information (PII) and/or if the system is 
outside the firewall.  In order for all those people to sign on to the 
certification, they each have to have an understanding of the system.  
My guess is that someone was not comfortable with their own 
understanding of Drupal or open source to know whether the system would 
meet all the requirements (especially if they're racing to complete 
budgets/certifications during the final hours of the fiscal year).  The 
fact is some agencies or managers in those agencies just don't have an 
understanding of the open source model and are very cautious in moving 
away from what they know.  Eventually, we'll have to educate them.

Joe, what strikes me as odd though is that before a project is approved 
these days the security requirements are understood.  It sounds to me as 
if someone on the federal side didn't do their job in working with and 
informing the IT Security Officer about what this project was all 
about.  Very interesting and I hope it never happens to me.


Steven Peck wrote:
> Which government security review/standard?
> There are dozens if not hundreds of competing standards/programs and
> levels of auditing and determination depending on which department you
> are dealing with.  For example just one program was formerly known as
> DITSCAP and is now DIACAP.
> Many of these have more to do with procedures and policies then code.
> Steven
> On Tue, Sep 30, 2008 at 8:40 AM, Jon Saints <saintsjd at gmail.com> wrote:
>> The names of Citizens are collected on the website along with some personal
>> contact information.  We were told that our application required the Medium
>> level security certification.
>> For collecting more sensitive information, certification becomes nearly
>> impossible.
>> Thanks
>> Jon
>> On Tue, Sep 30, 2008 at 9:35 AM, Gerhard Killesreiter
>> <gerhard at killesreiter.de> wrote:
>>> Jon Saints schrieb:
>>>> On a recent project for the US government, half way through the
>>>> development process, our work was stopped by a government security
>>>> review which said that Drupal (and open source software in general)
>>>> is not suitable for use in government projects that house personal
>>>> information due to security concerns.
>>> Just out of interest: What kind of information are we talking about?
>>> Tax numbers, bank accounts?
>>> [...]
>>>> I notice other governments around the world are using Drupal with great
>>>> success and savings to citizens:
>>>> http://buytaert.net/new-zealand-government-using-drupal
>>> Seems like a showcase site only.
>>> Cheers,
>>>        Gerhard
