I've read all the messages in this thread, but I want to build on what
Steven has to say here. Please allow one disclaimer so I don't get
myself in trouble. Although I work for the federal government, I do not
speak for the federal government nor from my position in the federal
government. I'm simply a Drupal fan.
Steven is right about the number of competing standards/programs and
levels of reviews/audits/and certification that go on in the federal
government. In many of the cases with FISMA (one of the standards Joe
links to in his first message), the certification that takes place in
most agencies are for systems and not in particular a single application
such as Drupal. In many respects this is a bottom-up certification
where each person in the chain certifies to their supervisor that a
system follows agency rules, guidelines and federal laws in making sure
the system is secure, properly patched, and all risks have been
identified/minimized. It is a very difficult and laborious process in
trying to policy put into practice.
My agency utilizes a mix of Unix, Linux, and Windows systems. On our
administrative PCs we run a mix of propriety and open source software
(we've used Thunderbird as our official email client for years). On our
operational systems all our applications and OS are open source or built
in-house applications (utilizing Java, Tcl, Python, and variations of
C). Federal agencies can and do adopt open source for their
applications. In fact, I've seen the certification process knock out
more propriety systems than open source systems especially if they're
aging systems with little in the way of user access control granted.
Every year, I have to have one necessary propriety system given an
exception since it doesn't quite meet the requirements...and this system
can't even be networked into the office LAN.
Here is my guess as to why Drupal wasn't accepted, without getting deep
into the policy. As I said at the start, from the system owner all the
way up through the agency's management up to the CIO...EVERYONE has to
certify that the system is secure and risks have been
identified/minimized. This is especially true when it comes to
personally identifiable information (PII) and/or if the system is
outside the firewall. In order for all those people to sign on to the
certification, they each have to have an understanding of the system.
My guess is that someone was not comfortable with their own
understanding of Drupal or open source to know whether the system would
meet all the requirements (especially if they're racing to complete
budgets/certifications during the final hours of the fiscal year. The
fact is some agencies or managers in those agencies just don't have an
understanding of the open source model and are very cautious in moving
away from what they know. Eventually, we'll have to educate them.
Joe, what strikes me as odd though is that before a project is approved
these days the security requirements are understood. It sounds to me as
if someone on the federal side didn't do their job in working with and
informing the IT Security Officer about what this project was all
about. Very interesting and I hope it never happens to me.
Steven Peck wrote:
Which government security review/standard?
There are dozens if not hundreds of competing standards/programs and
levels of auditing and determination depending on which department you
are dealing with. For example just one program was formerly known as
DITSCAP and is now DIACAP.
Many of these have more to do with procedures and policies then code.
On Tue, Sep 30, 2008 at 8:40 AM, Jon Saints wrote:
The names of Citizens are collected on the website along with some personal
contact information. We were told that our application required the Medium
level security certification.
For collecting more sensitive information, certification becomes nearly
On Tue, Sep 30, 2008 at 9:35 AM, Gerhard Killesreiter
-----BEGIN PGP SIGNED MESSAGE-----
Jon Saints schrieb:
On a recent project for the US government, half way through the
development process, our work was stopped by a government security
review which said that Drupal (and open source software in general)
is not suitable for use in government projects that house personal
information due to security concerns.
Just out of interest: What kind of information are we talking about?
Tax numbers, bank accounts?
Seems like a showcase site only.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----