
New IRAP security accreditation for GovCMS

When developing the second-generation GovCMS, the solution needed its security accreditation redone from the ground up, given the transformation of the GovCMS program.

The purpose

To help government agencies manage online risk by providing a whole-of-government digital platform with an OFFICIAL:Sensitive security rating. This also means agencies can do more on the platform, such as collect, transmit and store more sensitive information. This enables them to streamline business processes and doesn't necessarily require the use of additional services and tools.

The players

The Department of Finance (Finance) owns the GovCMS platform, a whole-of-government digital platform for use across all levels of government in Australia. GovCMS is built on Drupal, an award-winning, enterprise-grade CMS that’s easy to use, stable, highly secure and open source (no license fees).

The challenge

When Salsa and amazee.io won the contract to build the second-generation GovCMS platform, the new solution was a complete re-architecture of platform, services and people. This meant the whole platform needed to be re-accredited. The first-generation platform had a security posture that needed to be matched and then uplifted.

The Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD) produces a security standard, the Australian Government Information Security Manual (ISM). The ISM outlines a cyber security framework that organisations can apply to protect information and systems from cyber threats. The security accreditation process is onerous, as it should be.

The solution

The second-generation GovCMS build was run as an agile, multi-disciplinary project with four parallel streams:

  1. Platform setup
  2. Site migration
  3. Security accreditation
  4. Program setup

The security accreditation stream focused on ensuring the second-generation GovCMS met the required security levels ready for launch, and received an Authority to Operate. The security accreditation was done in two phases:

  1. Securing an UNCLASSIFIED rating to match the original GovCMS platform

  2. Securing an ISM OFFICIAL:Sensitive rating to elevate the platform’s security

The UNCLASSIFIED rating was achieved in November 2018 and the OFFICIAL:Sensitive rating was achieved in October 2019.

You can read general information about the Australian Signals Directorate’s accreditation process. For more information about GovCMS and security, visit GovCMS security.

It was a considerable stream of work that took many months, covering the analysis of systems, people and processes and subsequent changes to address compliance, evidence capture, and aligning Salsa processes with Department of Finance processes.

The benefits

The benefits delivered from the IRAP certification include:

  • GovCMS now has a cutting-edge, whole-of-government digital platform with a higher level of security accreditation than the original GovCMS

  • All government agencies coming onto the GovCMS platform can access the security benefits

    • If an agency needed to IRAP assess its own platform, each agency’s project would need to have an IRAP assessment, which would be inefficient, not to mention cost prohibitive

    • Each agency is afforded the benefit of security enhancements on GovCMS; as further security controls are added to GovCMS each agency’s site receives these benefits

    • GovCMS takes away (manages) the complexity of security on behalf of each agency - agencies still have the same compliance obligations, but the effort and cost required is greatly reduced, and where it’s needed, documentation can be shared across projects

  • Citizens receive peace of mind, knowing that GovCMS sites are on a highly secure platform

Why Salsa Digital?

Finance chose Salsa/amazee.io as the implementation partner for the next-generation GovCMS based on our innovative tender response. However, a complete re-engineering of systems, processes and service partners required security to be reassessed from the ground up. Salsa’s strategy to lower this barrier was to offer to share the cost with GovCMS by sponsoring one-third of the cost to achieve IRAP accreditation of systems, processes and people. Read IRAP sponsorship for more information.
