[development] Certify Drupal for use in Government (US) Projects

Chris Johnson cxjohnson at gmail.com
Tue Sep 30 21:30:36 UTC 2008


Indeed.  In the article I provided the first link to, there is also this
quote:

"Not everyone has been pleased with how the bill calls out open-source
software by name, though. Analysts at the Business Software Alliance met
with members of the committee to voice their concern that the bill
unfavorably offers open-source software products an unfair competitive
advantage over other commercial software, according to a BSA spokesperson
who declined to be named."

I think we all know who the BSA is, and who they represent.  Clearly the
proprietary software vendors are upset and lobbying against FOSS.


On Tue, Sep 30, 2008 at 3:55 PM, Laura Scott <pinglaura at gmail.com> wrote:

> Consider that one big difference between proprietary and open source is
> lobbying and existing contract relationships. Chris DiBona I believe spoke
> about how a defense contractor tried to get OSS banned from military
> systems, but after an internal audit of such systems revealed that a huge %
> of such systems (30%? More? I confess I don't recall) depended upon OSS, the
> DOD rejected the proposal.
> There is more to this than simple perceptions about FOSS.
>
> Laura
>
>
> On Sep 30, 2008, at 9:14 AM, Jon Saints wrote:
>
> On a recent project for the US government, halfway through the development
> process, our work was stopped by a government security review which said
> that Drupal (and open source software in general) is not suitable for use in
> government projects that house personal information due to security
> concerns.
>
> Because our project had been approved by higher ups within the department,
> we were paid for our work up to that point and asked to stop.  Now, it's up
> to the taxpayers to foot a much larger bill for other developers to
> implement a proprietary and more "secure" (or secretive) solution.
>
> The "transparency" of the Drupal project was one of the government's big
> objections.  In their eyes, disclosing and fixing security holes in a timely
> manner is not the same thing as security.  They pointed out the 100+
> security disclosures since Drupal 4.0 as a reason that the system could not
> be used.  We noted that all these disclosures were quickly addressed, but
> that did not seem to matter.
>
> I notice other governments around the world are using Drupal with great
> success and savings to citizens:
> http://buytaert.net/new-zealand-government-using-drupal
>
> The standards we would need to meet with Drupal are:
> http://csrc.nist.gov/groups/SMA/fisma/index.html
>
> My questions are the following:
>  - Have any other developers run into this certification problem before?
>  - Is anyone in the Drupal community currently working to get Drupal
> certified for use in US Government projects?
>  - Does anyone know exactly what certification would require from a
> development standpoint?
>
> If there is interest in investigating this type of certification further,
> let me know. NIST, the department that certifies software, is just down the
> road from me.  I could go investigate further.
>
> Thanks
> Jon
>
>
>