[development] Certify Drupal for use in Government (US) Projects

Jon Saints saintsjd at gmail.com
Tue Sep 30 15:14:03 UTC 2008


On a recent project for the US government, halfway through the development
process, our work was stopped by a government security review which said
that Drupal (and open source software in general) is not suitable for use in
government projects that house personal information due to security
concerns.

Because our project had been approved by higher ups within the department,
we were paid for our work up to that point and asked to stop.  Now, it's up
to the taxpayers to foot a much larger bill for other developers to
implement a proprietary and more "secure" (or secretive) solution.

The "transparency" of the Drupal project was one of the government's big
objections.  In their eyes, disclosing and fixing security holes in a timely
manner is not the same thing as security.  They pointed out the 100+
security disclosures since Drupal 4.0 as a reason that the system could not
be used.  We noted that all these disclosures were quickly addressed, but
that did not seem to matter.

I notice other governments around the world are using Drupal with great
success and savings to citizens:
http://buytaert.net/new-zealand-government-using-drupal

The standards we would need to meet with Drupal are:
http://csrc.nist.gov/groups/SMA/fisma/index.html

My questions are the following:
 - Have any other developers run into this certification problem before?
 - Is anyone in the Drupal community currently working to get Drupal
certified for use in US Government projects?
 - Does anyone know exactly what certification would require from a
development standpoint?

If there is interest in investigating this type of certification further,
let me know. NIST, the department that certifies software, is just down the
road from me.  I could go investigate further.

Thanks
Jon