New IRAP security accreditation for GovCMS
When developing the second-generation GovCMS, the solution needed its security accreditation redone from the ground up, given the transformation of the GovCMS program.
The goal was to help government agencies manage online risk by providing a whole-of-government digital platform with an OFFICIAL:Sensitive security rating. This also means agencies can do more on the platform, such as collect, transmit and store more sensitive information. This enables them to streamline business processes and doesn't necessarily require the use of additional services and tools.
The Department of Finance (Finance) owns the GovCMS platform, a whole-of-government digital platform for use across all levels of government in Australia. GovCMS is built on Drupal, an award-winning, enterprise-grade CMS that’s easy to use, stable, highly secure and open source (no license fees).
When Salsa and amazee.io won the contract to build the second-generation GovCMS platform, the new solution was a complete re-architecture of platform, services and people. This meant the whole platform needed to be re-accredited. The first-generation platform had a security posture that needed to be matched and then uplifted.
The Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD) produces a security standard, the Australian Government Information Security Manual (ISM). The ISM outlines a cyber security framework that organisations can apply to protect information and systems from cyber threats. The security accreditation process is onerous, as it should be.
The second-generation GovCMS build was run as an agile, multi-disciplinary project with four parallel streams:
- Platform setup
- Site migration
- Security accreditation
- Program setup
The security accreditation stream focused on ensuring the second-generation GovCMS met the required security levels ready for launch, and received an Authority to Operate. The security accreditation was done in two phases:
- Securing an UNCLASSIFIED rating to match the original GovCMS platform
- Securing an ISM OFFICIAL:Sensitive rating to elevate the platform’s security
The UNCLASSIFIED rating was achieved in November 2018 and the OFFICIAL:Sensitive rating was achieved in October 2019.
It was a considerable stream of work that took many months, covering the analysis of systems, people and processes and subsequent changes to address compliance, evidence capture, and aligning Salsa processes with Department of Finance processes.
The benefits delivered from the IRAP certification include:
- GovCMS now has a cutting-edge, whole-of-government digital platform with a higher level of security accreditation than the original GovCMS
- All government agencies coming onto the GovCMS platform can access the security benefits
- If an agency needed to IRAP assess its own platform, each agency’s project would need to have an IRAP assessment, which would be inefficient, not to mention cost prohibitive
- Each agency is afforded the benefit of security enhancements on GovCMS; as further security controls are added to GovCMS, each agency’s site receives these benefits
- GovCMS takes away (manages) the complexity of security on behalf of each agency - agencies still have the same compliance obligations, but the effort and cost required is greatly reduced, and where it’s needed, documentation can be shared across projects
- Citizens receive peace of mind, knowing that GovCMS sites are on a highly secure platform
Why Salsa Digital?
Finance chose Salsa/amazee.io as the implementation partner for the next-generation GovCMS based on our innovative tender response. However, a complete re-engineering of systems, processes and service partners required security to be reassessed from the ground up. Salsa’s strategy to lower this barrier was to offer to share the cost with GovCMS, sponsoring one-third of the cost to achieve IRAP accreditation of systems, processes and people. Read IRAP sponsorship for more information.