What it takes to security certify a whole-of-government digital platform
Whole-of-government digital platforms must be appropriately secured so that they protect data and preserve confidentiality, integrity and availability. Adoption of the platform and its ongoing success require a security profile agencies can leverage. Salsa Digital and amazee.io delivered the platform, services, process and people for GovCMS 2.0. The solution needed to be security re-accredited from the ground up given the transformation of the GovCMS program. This was a significant undertaking.
Whole-of-government digital platforms
The promise of whole-of-government digital platforms includes consolidation of digital services, uniform application of best-of-breed technical approaches, rationalisation of digital channels, lowering barriers for processes such as procurement, and increasing collaboration, re-use and sharing across agencies. Government agencies obtain access to proven features, may contribute platform features themselves and may take on the contribution and benefits from other agencies. Agencies are part of an ecosystem using the platform. Agencies gain access to mature service offerings and governance across the platform rather than needing to define (invest in) their own. Agencies are able to do more for less.
Whole-of-government digital platforms enable a better, more connected government to benefit all citizens.
The need to secure
It’s imperative to appropriately secure whole-of-government digital platforms. Each agency needs to manage its online risk and whole-of-government digital platforms are a way agencies can adopt consolidated, enterprise-level, security solutions. Agencies don’t need to build their own costly (typically prohibitive) security solution but rather adopt the security profile of the platform. Agencies benefit from security assessment and accreditation of whole-of-government digital platforms.
A truly whole-of-government digital platform requires a rigorous security approach across technology, process and people.
GovCMS as an example
The Department of Finance (Finance) offers GovCMS (https://www.govcms.gov.au/) as a whole-of-government digital platform. Finance lowers the barrier for agencies to create web presences to better connect government with citizens. Agencies using the service benefit from an open and secure platform. Over 200 sites are live on GovCMS across a landscape of 87 discrete agencies. Each agency benefits from, and is assured by, investment in security made into the GovCMS platform.
The GovCMS platform has always placed a strong emphasis on the security of its agency sites, and as such, conducts regular independent testing of its various systems, and will always work with agencies to ensure that their individual sites meet the high expectations required of web digital presences.
GovCMS was officially launched by Finance in February 2015. The intent was to provide a stable and reliable CMS, enterprise support, enterprise-grade security, mature processes and low barrier to procurement.
Salsa Digital in partnership with amazee.io were selected by Finance to build and support GovCMS 2.0 (see https://salsadigital.com.au/news/salsa-digital-and-amazeeio-build-next-generation-govcms-platform and https://salsadigital.com.au/news/getting-developers-ready-for-the-next-iteration-of-govcms). The Salsa/amazee.io solution is a complete re-architecture of platform, services and people. The previous security accreditation was not applicable to the new platform so Salsa needed to broker a re-accreditation from the ground (platform) up.
ASD, ISM, IRAP and more
The Australian Signals Directorate (ASD) is an authority used by the Australian Government for cyber security. The Australian Cyber Security Centre (ACSC) within ASD produces the Australian Government Information Security Manual (ISM). The ISM presents a risk management framework to protect information and systems from cyber threats. Security accreditations are assessments against the ISM (see https://acsc.gov.au/infosec/ism/index.htm).
The ISM is broken into individual areas of security, for example, personnel security, system monitoring and email management, to name a few. ISM controls are applicable per area. ISM controls cover people, process and technology. Each ISM control has an applicability marking that indicates the information, systems and/or areas that it applies to. The applicability markings are based on protective markings from the Attorney-General’s Department’s (AGD) Protective Security Policy Framework (PSPF). The latest PSPF has ratings of:
O: OFFICIAL (including OFFICIAL: Sensitive)
P: PROTECTED
S: SECRET
TS: TOP SECRET
ISM 2018, a recent update to the ISM (released December 2018), adopts these ratings. The previous ISM version, which was applicable during the security accreditation process for GovCMS, used ratings including UNCLASSIFIED, U-DLM, PROTECTED and higher.
GovCMS is IRAP assessed. IRAP is a certification process where an assessor assesses implementation, appropriateness and effectiveness of applicable ISM controls. An IRAP Assessor uses a two-stage security assessment process. Stage 1 is a review and findings report. Stage 2 is evidence-based assessment leading to a report to the certification authority detailing compliance, non-compliance, remediations and actions. GovCMS 1.0 (prior to Salsa’s GovCMS 2.0 solution) was accredited to IRAP public UNCLASSIFIED.
The objective of GovCMS 2.0 was to match the IRAP accreditation level of GovCMS 1.0 while planning/aiming for the increased level of U-DLM.
Based on the outcomes and recommendations of the independent IRAP process, GovCMS 2.0 was given an Authority to Operate at the UNCLASSIFIED level in advance of the switchover from the previous hosting arrangement. The rigour of the preparation and process undertaken has positioned Finance well to achieve an UNCLASSIFIED-DLM (or OFFICIAL: SENSITIVE) rating in the near future.
The process, people
The process to achieve Authority to Operate was not a light undertaking. On Salsa’s side documents were authored, technical remediations were implemented, staff were trained, evidence was captured and more. As Salsa, amazee.io and Finance all share responsibility for administering parts of the system, all three parties needed to undergo the same rigorous assessment of their processes and procedures. Salsa's and amazee.io’s efforts dovetailed into Finance’s own GovCMS IRAP assessment and accreditation.
The Authority to Operate was the last major milestone marking the new GovCMS 2.0 whole-of-government digital platform as fit-for-purpose across people, process and technology.
Salsa Digital’s take
A security assessment of any system is important. For a whole-of-government digital platform the importance is heightened, given the scale of use, the number of agencies that have data (and reputation) at risk, and the need to realise the potential economies of scale afforded by whole-of-government platforms. In achieving Authority to Operate, GovCMS 2.0 is fit-for-purpose for public unclassified with the foundation set for U-DLM (or Official: Sensitive). Security is a potential area for sharing of investment across government, particularly when the same technical solutions are deployed. For example, GovCMS is in active discussions with Victoria’s Single Digital Presence program (which uses the same open source technical stack) regarding the sharing potential of security approaches.