[development] Certify Drupal for use in Government (US) Projects

Chuck D'Antonio chuck at acquia.com
Tue Sep 30 15:34:44 UTC 2008


Jon,

I've used Open Source and on government projects before, primarily on  
the defense side -- I'm not sure if this was a civilian or defense  
project.  I know that in my previous company, we even needed our  
commercial software certified, and it was a pretty lengthy process to  
get it completed based on the updates I heard over the course of several  
months.  Unfortunately, I was only peripherally involved so I don't  
have many details of the process.

I do know from some folks I've talked to quite recently that multiple  
agencies in the Defense Department are using Drupal -- though  
primarily for non-classified work.  There is an arduous process to get  
your software cleared for deployment on the classified networks and it  
typically involves not only the software itself, but lots of  
bureaucratic questions about how it's created.

Chuck

Chuck D'Antonio
Sr. Director Professional Services
Acquia, Inc.
Mobile +1.617.388.1120


On Sep 30, 2008, at 11:14 AM, Jon Saints wrote:

> On a recent project for the US government, halfway through the  
> development process, our work was stopped by a government security  
> review which said that Drupal (and open source software in general)  
> is not suitable for use in government projects that house personal  
> information due to security concerns.
>
> Because our project had been approved by higher ups within the  
> department, we were paid for our work up to that point and asked to  
> stop.  Now, it's up to the taxpayers to foot a much larger bill for  
> other developers to implement a proprietary and more "secure" (or  
> secretive) solution.
>
> The "transparency" of the Drupal project was one of the government's  
> big objections.  In their eyes, disclosing and fixing security holes  
> in a timely manner is not the same thing as security.  They pointed  
> out the 100+ security disclosures since Drupal 4.0 as a reason that  
> the system could not be used.  We noted that all these disclosures  
> were quickly addressed, but that did not seem to matter.
>
> I notice other governments around the world are using Drupal with  
> great success and savings to citizens:
> http://buytaert.net/new-zealand-government-using-drupal
>
> The standards we would need to meet with Drupal are:
> http://csrc.nist.gov/groups/SMA/fisma/index.html
>
> My questions are the following:
>  - Have any other developers run into this certification problem before?
>  - Is anyone in the Drupal community currently working to get Drupal  
> certified for use in US Government projects?
>  - Does anyone know exactly what certification would require from a  
> development standpoint?
>
> If there is interest in investigating this type of certification  
> further, let me know. NIST, the department that certifies software,  
> is just down the road from me.  I could go investigate further.
>
> Thanks
> Jon



