GovCMS — IRAP security accreditation

Managing online risk for government departments

When developing the second-generation GovCMS, the solution needed its security accreditation redone from the ground up, given the transformation of the GovCMS program.

At a glance

2018 - 2019
1 to 2 years
Completed
GovCMS
Federal government
Whole of government
Security, Open standards & common platforms

The purpose

To help government agencies manage online risk by providing a whole-of-government digital platform with an OFFICIAL:Sensitive security rating. This also means agencies can do more on the platform, such as collect, transmit and store more sensitive information - this enables them to streamline business processes and doesn't necessarily require the use of additional services and tools.

The players

The Department of FinanceExternal Link (Finance) owns the GovCMS platform, a whole-of-government digital platform for use across all levels of government in Australia. GovCMS is built on Drupal, an award-winning, enterprise-grade CMS that’s easy to use, stable, highly secure and open source (no license fees).

The challenge

When Salsa and amazee.io won the contract to build the second-generation GovCMS platform, the new solution was a complete re-architecture of platform, services and people. This meant the whole platform needed to be re-accredited. The first-generation platform had a security posture that needed to be matched and then uplifted.

The Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD) produces a security standard. This standard is the Australian Government Information Security ManualExternal Link (ISM). The ISM outlines a cyber security framework that organisations can apply to protect information and systems from cyber threats. The security accreditation process is onerous--as it should be.

The solution

The second-generation GovCMS build was run as an agile, multi-disciplinary project with four parallel streams:

  1. Platform setup

  2. Site migration

  3. Security accreditation

  4. Program setup

The security accreditation stream focused on ensuring the second-generation GovCMS met the required security levels ready for launch, and received an Authority to Operate. The security accreditation was done in two phases:

  1. Securing an UNCLASSIFIED rating to match the original GovCMS platform

  2. Securing an ISM OFFICIAL:Sensitive rating to elevate the platform’s security

The UNCLASSIFIED rating was achieved in November 2018 and the OFFICIAL:Sensitive rating was achieved in October 2019.

You can read general information about the Australian Signals Directorate’s accreditation processExternal Link and for more information about GovCMS and security visit GovCMS securityExternal Link

It was a considerable stream of work that took many months, covering the analysis of systems, people and processes and subsequent changes to address compliance, evidence capture, and aligning Salsa processes with Department of Finance processes.

The benefits

The benefits delivered from the IRAP certification include:

  • GovCMS now has a cutting-edge, whole-of-government digital platform with a higher level of security accreditation than the original GovCMS

  • All government agencies coming onto GovCMS platform can access the security benefits

    • If an agency needed to IRAP assess its own platform, each agency’s project would need to have an IRAP assessment, which would be inefficient, not to mention cost prohibitive

    • Each agency is afforded the benefit of security enhancements on GovCMS; as further security controls are added to GovCMS each agency’s site receives these benefits

    • GovCMS takes away (manages) the complexity of security on behalf of each agency - agencies still have the same compliance obligations, but the effort and cost required is greatly reduced, and where it’s needed, documentation can be shared across projects

  • Citizens receive peace of mind, knowing that GovCMS sites are on a highly secure platform

Related links