[development] Certify Drupal for use in Government (US) Projects

Jon Saints saintsjd at gmail.com
Wed Oct 1 05:27:17 UTC 2008


Thanks for all the informative comments. The discussion has been most
helpful.

It does appear that our case was the result of a decision by an individual
(who maybe is not familiar with Drupal), and not a sign of general
opposition by the government to Open Source software.

That is good to know.

Reading through NIST's documentation it seems that certification for
software to meet the FISMA standards usually takes years.  As others have
pointed out, this is just one of many different standards that the
government has for software.  It's unclear to me where we could even start to
certify Drupal for government use.

The lesson here... approval of open source tools seems to happen on a case
by case and department by department basis.  Even if your project is
approved by a Department head, ask for a review of the proposal by the
Security Officer in charge before work begins. In our case, I am not sure
why that did not happen until halfway through the project. We are just
learning to work for the government. So this is a lesson we will take
carefully into all our work from here on.

I have contacted NIST to see if I could sit down and chat with someone to
bring up some of our questions posted in this thread.  If I do get a
conversation, I will be sure to post the comments back to the group here.  I
have also asked them for a list of the approved content management systems so
we can get an idea of which companies/projects have achieved certification.

Thanks
Jon

On Tue, Sep 30, 2008 at 8:47 PM, Bryan Ruby <bryan at cmsreport.com> wrote:

> I've read all the messages in this thread, but I want to build on what
> Steven has to say here.  Please allow one disclaimer so I don't get myself
> in trouble.  Although I work for the federal government, I do not speak for
> the federal government nor from my position in the federal government.  I'm
> simply a Drupal fan.
>
> Steven is right about the number of competing standards/programs and levels
> of reviews/audits/and certification that go on in the federal government.
>  In many of the cases with FISMA (one of the standards Joe links to in his
> first message), the certification that takes place in most agencies is for
> systems and not in particular a single application such as Drupal.  In many
> respects this is a bottom-up certification where each person in the chain
> certifies to their supervisor that a system follows agency rules, guidelines
> and federal laws in making sure the system is secure, properly patched, and
> all risks have been identified/minimized.  It is a very difficult and
> laborious process in trying to put policy into practice.
>
> My agency utilizes a mix of Unix, Linux, and Windows systems.  On our
> administrative PCs we run a mix of proprietary and open source software (we've
> used Thunderbird as our official email client for years).  On our
> operational systems all our applications and OS are open source or built
> in-house applications (utilizing Java, Tcl, Python, and variations of C).
>  Federal agencies can and do adopt open source for their applications.   In
> fact, I've seen the certification process knock out more proprietary systems
> than open source systems, especially if they're aging systems with little in
> the way of user access control granted.  Every year, I have to have one
> necessary proprietary system given an exception since it doesn't quite meet
> the requirements...and this system can't even be networked into the office
> LAN.
>
> Here is my guess as to why Drupal wasn't accepted, without getting deep
> into the policy.  As I said at the start, from the system owner all the way
> up through the agency's management up to the CIO...EVERYONE has to certify
> that the system is secure and risks have been identified/minimized.  This is
> especially true when it comes to personally identifiable information (PII)
> and/or if the system is outside the firewall.  In order for all those people
> to sign on to the certification, they each have to have an understanding of
> the system.  My guess is that someone was not comfortable with their own
> understanding of Drupal or open source to know whether the system would meet
> all the requirements (especially if they're racing to complete
> budgets/certifications during the final hours of the fiscal year).  The fact
> is some agencies or managers in those agencies just don't have an
> understanding of the open source model and are very cautious in moving away
> from what they know.  Eventually, we'll have to educate them.
>
> Joe, what strikes me as odd though is that before a project is approved
> these days the security requirements are understood.  It sounds to me as if
> someone on the federal side didn't do their job in working with and
> informing the IT Security Officer about what this project was all about.
>  Very interesting and I hope it never happens to me.
>
> BryanSD
>
>
> Steven Peck wrote:
>
>> Which government security review/standard?
>>
>> There are dozens if not hundreds of competing standards/programs and
>> levels of auditing and determination depending on which department you
>> are dealing with.  For example just one program was formerly known as
>> DITSCAP and is now DIACAP.
>>
>> Many of these have more to do with procedures and policies than code.
>>
>> Steven
>>
>> On Tue, Sep 30, 2008 at 8:40 AM, Jon Saints <saintsjd at gmail.com> wrote:
>>
>>> The names of Citizens are collected on the website along with some
>>> personal contact information.  We were told that our application required
>>> the Medium level security certification.
>>>
>>> For collecting more sensitive information, certification becomes nearly
>>> impossible.
>>>
>>> Thanks
>>> Jon
>>>
>>> On Tue, Sep 30, 2008 at 9:35 AM, Gerhard Killesreiter
>>> <gerhard at killesreiter.de> wrote:
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Jon Saints schrieb:
>>>>
>>>>> On a recent project for the US government, half way through the
>>>>> development process, our work was stopped by a government security
>>>>> review which said that Drupal (and open source software in general)
>>>>> is not suitable for use in government projects that house personal
>>>>> information due to security concerns.
>>>>>
>>>> Just out of interest: What kind of information are we talking about?
>>>> Tax numbers, bank accounts?
>>>>
>>>> [...]
>>>>
>>>>> I notice other governments around the world are using Drupal with great
>>>>> success and savings to citizens:
>>>>> http://buytaert.net/new-zealand-government-using-drupal
>>>>>
>>>> Seems like a showcase site only.
>>>>
>>>> Cheers,
>>>>       Gerhard
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1.4.6 (GNU/Linux)
>>>>
>>>> iD8DBQFI4kdWfg6TFvELooQRArp1AKCdXFYZDMztJ7wrhhiOJOFG4q3/lACfbsXK
>>>> BX1vLaioeWG348yH/V/ufKs=
>>>> =yFhK
>>>> -----END PGP SIGNATURE-----