DrupalCon Denver 2012: BUILDING AND SECURING GOVERNMENT DRUPAL SITES IN THE CLOUD

ABOUT THE SESSION

Federal regulations stipulate that information systems serving federal agencies must undergo a formal security assessment and accreditation process designed to ensure that baseline information security requirements are met. There are two formalized accreditation standards: FISMA is the accreditation process for non-DoD agencies, while DIACAP applies to DoD agencies. Additionally, there is a new standard intended for cloud service providers: FedRAMP. The accreditation process can be a daunting task for firms who develop web sites serving federal customers in the cloud. However, there is much benefit to an organization in achieving accreditation; these compliance standards are designed to ensure that information systems, and the organizations that support and operate them, are secure and follow best practices. This session will focus on a review of the current US government compliance landscape, trends in the international government landscape, and a great deal of insight from our experience working with customers in the federal space and obtaining accreditation for Drupal-based sites using a commercial cloud. Further, we will review how these standards are evolving internationally by discussing how NIST 800-53 fits within the global standards landscape, including ISO standards.

CASE STUDY EXAMPLES

Two case studies will be presented:
The Defense Security Cooperation Agency (DSCA) - an organization using a platform built on Drupal and hosted in a commercial cloud hosting facility. This organization will receive DIACAP accreditation in order to comply with DoD policy.
A major non-DoD government organization that achieved FISMA certification for its site built in Drupal and hosted in a commercial cloud hosting facility.

Questions answered by this session:
What were the challenges of building FISMA and DIACAP certified sites in the cloud?
What certifications and hurdles had to be overcome to launch the site? How was security for the site tested, verified, and managed?
What is FedRAMP and will Drupal meet the requirements?
How do you integrate other government systems with Drupal that must also conform to these standards?
How do standards determined by NIST translate internationally to ISO or other international standards?

Drupal is a registered trademark of Dries Buytaert.