[development] Certify Drupal for use in Government (US) Projects
pinglaura at gmail.com
Tue Sep 30 20:55:22 UTC 2008
Consider that one big difference between proprietary and open source
is lobbying and existing contract relationships. Chris DiBona I
believe spoke about how a defense contractor tried to get OSS banned
from military systems, but after an internal audit of such systems
revealed that a huge % of such systems (30%? More? I confess I don't
recall) depended upon OSS, the DOD rejected the proposal.
There is more to this than simple perceptions about FOSS.
On Sep 30, 2008, at 9:14 AM, Jon Saints wrote:
> On a recent project for the US government, half way through the
> development process, our work was stopped by a government security
> review which said that Drupal (and open source software in general)
> is not suitable for use in government projects that house personal
> information due to security concerns.
> Because our project had been approved by higher ups within the
> department, we were paid for our work up to that point and asked to
> stop. Now, its up to the tax payers to foot a much larger bill for
> other developers to implement a proprietary and more "secure" (or
> secretive) solution.
> The "transparency" of the Drupal project was one of the government's
> big objections. In their eyes, disclosing and fixing securit holes
> in a timely manner, is not the same thing as security. They pointed
> out the 100+ security disclosures since drupal 4.0 as a reason that
> the system could not be used. We noted that all these disclosures
> where quickly addressed, but that did not seem to matter.
> I notice other governments around the world are using Drupal with
> great success and savings to citizens:
> The standards we would need to meet with drupal are:
> My questions are the following:
> - Have any other developers run into this cerfication problem before?
> - Is anyone in the drupal community currently working to get Drupal
> certified for use in US Government projects?
> - Does anyone know exactly what cerfication would require from a
> development standpoint?
> If there is interest in investigating this type of certification
> further, let me know. NIST, the department that certifies software,
> is just down the road from me. I could go investigate further.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the development