[development] Certify Drupal for use in Government (US) Projects
chuck at acquia.com
Tue Sep 30 15:34:44 UTC 2008
I've used Open Source and on government projects before, primarily on
the defense side -- I'm not sure if this was a civilian or defense
project. I know that in my previous company, we even needed our
commercial software certified, and it was a pretty lengthy process to
get it completed based on the updates I heard of the course of several
months. Unfortunately, I was only peripherally involved so I don't
have many details of the process.
I do know from some folks I've talked to quite recently that multiple
agencies in the Defense Department are using Drupal -- though
primarily for non-classified work. There is an arduous process to get
your software cleared for deployment on the classified networks and it
typically involves not only the software itself, but lots of
bureaucratic questions about how it's created.
Sr. Director Professional Services
On Sep 30, 2008, at 11:14 AM, Jon Saints wrote:
> On a recent project for the US government, half way through the
> development process, our work was stopped by a government security
> review which said that Drupal (and open source software in general)
> is not suitable for use in government projects that house personal
> information due to security concerns.
> Because our project had been approved by higher ups within the
> department, we were paid for our work up to that point and asked to
> stop. Now, its up to the tax payers to foot a much larger bill for
> other developers to implement a proprietary and more "secure" (or
> secretive) solution.
> The "transparency" of the Drupal project was one of the government's
> big objections. In their eyes, disclosing and fixing securit holes
> in a timely manner, is not the same thing as security. They pointed
> out the 100+ security disclosures since drupal 4.0 as a reason that
> the system could not be used. We noted that all these disclosures
> where quickly addressed, but that did not seem to matter.
> I notice other governments around the world are using Drupal with
> great success and savings to citizens:
> The standards we would need to meet with drupal are:
> My questions are the following:
> - Have any other developers run into this cerfication problem before?
> - Is anyone in the drupal community currently working to get Drupal
> certified for use in US Government projects?
> - Does anyone know exactly what cerfication would require from a
> development standpoint?
> If there is interest in investigating this type of certification
> further, let me know. NIST, the department that certifies software,
> is just down the road from me. I could go investigate further.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the development