At a glance
The purpose
To help government agencies manage online risk by providing a whole-of-government digital platform with an OFFICIAL:Sensitive security rating. The rating also means agencies can do more on the platform, such as collecting, transmitting and storing more sensitive information, which lets them streamline business processes without necessarily needing additional services and tools.
The players
The Department of Finance owns the GovCMS platform, a whole-of-government digital platform for use across all levels of government in Australia. GovCMS is built on Drupal, an award-winning, enterprise-grade CMS that’s easy to use, stable, highly secure and open source (no license fees).
The challenge
When Salsa and amazee.io won the contract to build the second-generation GovCMS platform, the new solution was a complete re-architecture of platform, services and people. This meant the whole platform needed to be re-accredited. The first-generation platform had a security posture that needed to be matched and then uplifted.
The Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD) produces a security standard, the Australian Government Information Security Manual (ISM). The ISM outlines a cyber security framework that organisations can apply to protect information and systems from cyber threats. The security accreditation process is onerous, as it should be.
The solution
The second-generation GovCMS build was run as an agile, multi-disciplinary project with four parallel streams:
Platform setup
Site migration
Security accreditation
Program setup
The security accreditation stream focused on ensuring the second-generation GovCMS met the required security levels ready for launch, and received an Authority to Operate. The security accreditation was done in two phases:
Securing an UNCLASSIFIED rating to match the original GovCMS platform
Securing an ISM OFFICIAL:Sensitive rating to elevate the platform’s security
The UNCLASSIFIED rating was achieved in November 2018 and the OFFICIAL:Sensitive rating was achieved in October 2019.
You can read general information about the Australian Signals Directorate’s accreditation; for more information about GovCMS and security, visit GovCMS.
It was a considerable stream of work that took many months, covering the analysis of systems, people and processes and subsequent changes to address compliance, evidence capture, and aligning Salsa processes with Department of Finance processes.
The benefits
The benefits delivered from the IRAP certification include:
GovCMS now has a cutting-edge, whole-of-government digital platform with a higher level of security accreditation than the original GovCMS
All government agencies coming onto the GovCMS platform can access the security benefits
If agencies had to IRAP-assess their own platforms, each agency’s project would need its own IRAP assessment, which would be inefficient, not to mention cost-prohibitive
Each agency is afforded the benefit of security enhancements on GovCMS; as further security controls are added to GovCMS each agency’s site receives these benefits
GovCMS takes away (manages) the complexity of security on behalf of each agency - agencies still have the same compliance obligations, but the effort and cost required is greatly reduced, and where it’s needed, documentation can be shared across projects
Citizens receive peace of mind, knowing that GovCMS sites are on a highly secure platform