Expect a high C&A burden when deploying Drupal in a controlled environment


Across government, the open source web content management system Drupal is increasing in popularity. But most of the buzz has been around sites such as WhiteHouse.gov and Energy.gov, not around Defense or Homeland Security department projects.

According to one content management expert, Drupal can gain the cybersecurity certification and accreditation to operate in those highly controlled information technology environments--but it is not easy.

RestoreTheGulf.gov was DHS's foray into Drupal, said Richard Bullington-McGuire, senior architect at Blackstone Technology Group, speaking Aug. 30 at Mil-OSS WG3 in Atlanta, Ga. The interagency effort was hosted on Amazon's EC2 public cloud and took less than 40 days to launch. Acquia was able to map the security controls to NIST SP 800-53, which provided enough baseline security that DHS could sign off on it, even though it wasn't hosted internally by DHS.

The site was public-facing and used mostly public information, so little was at risk. When DHS decided to use Drupal to deploy an enterprise service catalog for uniformly requesting IT services--a program especially important at an agency such as DHS with many components--the process was more difficult, said Bullington-McGuire.

"There were some serious challenges in C&A. There's something in DHS called the Enterprise TRM. It's DHS's approved list of technologies. It took a 4-month process including an analysis of alternatives, security, functional characteristics, sustainment, access controls, who's allowed to use it and when. And after this 4-month process this was listed as an emerging technology," said Bullington-McGuire.

Buy-in from an agency executive is always helpful when deploying a new technology, said Bullington-McGuire. In this case, "because this was a CIO, high-priority initiative there were a lot of schedule and resource constraints," he added.

A pilot project may be essential to the success of a Drupal deployment inside the government. In order to launch the internal pilot quickly in the DHS private cloud, it was also essential to get commercial support, said Bullington-McGuire.

Multiple vendors, up and down the technology stack, provided commercial support and eased the burden of completing the C&A, he said. The controls inherited from the virtual machines had already been vetted by the enterprise service division, allowing a certain level of comfort with the baseline functionality.

Drupal is built on a modular system, which presented another challenge for security personnel. "It was difficult to help the security people to understand just what was going on with this ecosystem of modules," said Bullington-McGuire.

"It turned out that to satisfy the C&A requirements in this environment, we had to develop a scoring matrix to help assess the risk of using the module. It had country of origin, frequency of commits, date of last commit, use by others; there were a lot of different metrics that went into this, and only once you had the appropriate documentation is that module allowed. This represents a fairly high C&A burden, essentially similar to the burden that is in a lot of DoD projects," said Bullington-McGuire.
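The module scoring matrix described above can be expressed as a small risk-scoring routine. This is an added illustration, not the DHS or Blackstone matrix; the module metadata is constructed, and the country list, thresholds and weights are assumptions chosen to show the mechanism (stale or unmaintained modules with little adoption score as higher risk, and an undocumented module is blocked outright).

```python
from datetime import date

# Constructed sample metadata; not real drupal.org project data.
MODULES = [
    {"name": "views_demo", "country": "US", "commits_last_year": 48,
     "last_commit": date(2011, 8, 1), "sites_using": 120000, "documented": True},
    {"name": "legacy_widget", "country": "XX", "commits_last_year": 0,
     "last_commit": date(2008, 3, 14), "sites_using": 40, "documented": True},
    {"name": "new_helper", "country": "US", "commits_last_year": 30,
     "last_commit": date(2011, 7, 20), "sites_using": 500, "documented": False},
]

# Assumed list of origins the (hypothetical) accreditor accepts without extra review.
APPROVED_ORIGINS = {"US", "CA", "GB", "DE"}
ASSESSMENT_DATE = date(2011, 8, 30)  # constructed "today" so results are stable


def score_module(m, today=ASSESSMENT_DATE):
    """Return (risk points, findings) for one module; higher points = higher risk.
    Weights are assumptions for illustration, not an official scale."""
    points, findings = 0, []
    if m["country"] not in APPROVED_ORIGINS:          # country of origin
        points += 3; findings.append("origin not on approved list")
    if m["commits_last_year"] < 12:                   # frequency of commits
        points += 2; findings.append("fewer than 12 commits in last year")
    age_days = (today - m["last_commit"]).days       # date of last commit
    if age_days > 365:
        points += 2; findings.append(f"last commit {age_days} days ago")
    if m["sites_using"] < 1000:                       # use by others
        points += 1; findings.append("fewer than 1000 reporting sites")
    return points, findings


def assess(m, today=ASSESSMENT_DATE):
    """Apply the documentation gate first, then bucket the risk score."""
    if not m["documented"]:
        return {"module": m["name"], "decision": "blocked", "points": None,
                "findings": ["required documentation missing"]}
    points, findings = score_module(m, today)
    level = "high" if points >= 5 else "medium" if points >= 2 else "low"
    return {"module": m["name"], "decision": level, "points": points,
            "findings": findings}


if __name__ == "__main__":
    for mod in MODULES:
        print(assess(mod))
```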

This represents a barrier to adoption in a lot of cases, he said. Conducting C&A for a program with multiple moving parts that is constantly updating is very difficult.

"To actually read the source code and audit it in a meaningful way is extraordinarily expensive. And I haven't run across a project yet that has had the time or the resources to be able to do that kind of source-level audit," said Bullington-McGuire.

"You have to rely on the contractual and professional measures that are ordinary and reasonable in commercial development to deal with that in practice, unless you're made of money--but I don't think the federal budget is prepared to deal with that right now."

For more:
- watch Bullington-McGuire's presentation on UStream
