[development] Certify Drupal for use in Government (US) Projects

Khalid Baheyeldin kb at 2bits.com
Tue Sep 30 15:32:05 UTC 2008

On Tue, Sep 30, 2008 at 11:14 AM, Jon Saints <saintsjd at gmail.com> wrote:

> On a recent project for the US government, half way through the development
> process, our work was stopped by a government security review which said
> that Drupal (and open source software in general) is not suitable for use in
> government projects that house personal information due to security
> concerns.

Hello Jon

Apart from the "100+ since 4.0" mentioned below, what else did they

If there is a report that they issued, you can share it with the security
team for a review.

Email it to security at drupal.org.

> Because our project had been approved by higher ups within the department,
> we were paid for our work up to that point and asked to stop.  Now, its up
> to the tax payers to foot a much larger bill for other developers to
> implement a proprietary and more "secure" (or secretive) solution.
> The "transparency" of the Drupal project was one of the government's big
> objections.  In their eyes, disclosing and fixing securit holes in a timely
> manner, is not the same thing as security.  They pointed out the 100+
> security disclosures since drupal 4.0 as a reason that the system could not
> be used.  We noted that all these disclosures where quickly addressed, but
> that did not seem to matter.
> I notice other governments around the world are using Drupal with great
> success and savings to citizens:
> http://buytaert.net/new-zealand-government-using-drupal
> The standards we would need to meet with drupal are:
> http://csrc.nist.gov/groups/SMA/fisma/index.html
> My questions are the following:
>  - Have any other developers run into this cerfication problem before?
>  - Is anyone in the drupal community currently working to get Drupal
> certified for use in US Government projects?
>  - Does anyone know exactly what cerfication would require from a
> development standpoint?
> If there is interest in investigating this type of certification further,
> let me know. NIST, the department that certifies software, is just down the
> road from me.  I could go investigate further.
> Thanks
> Jon

Khalid M. Baheyeldin
2bits.com, Inc.
Drupal optimization, development, customization and consulting.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.drupal.org/pipermail/development/attachments/20080930/ebead3e1/attachment-0001.htm 

More information about the development mailing list