Drupal is hot in government and everyone wants to play. While the Drupal project is fast-moving and community-driven, large government agencies are generally not. For Drupal to be successful in these environments, it's necessary to understand the perspectives and expectations of various government stakeholders including:
Information Security
Privacy
Accessible Technologies
Enterprise Architecture
Quality Assurance
Procurement
and others...
This presentation will provide an overview of the challenges and opportunities around managing Drupal inside the government enterprise, including behind the scenes experiences from our work with the Federal government. You'll come away with a better understanding of what it takes to leverage Drupal inside a large agency while staying compliant and keeping stakeholders happy.
Scanning the Internet for External Cloud Exposures via SSL Certs
Inside the Walled Garden - Drupal in the Federal Enterprise
1. Inside the Walled GardenDrupal in the Federal Enterprise CapitalCamp DC 2011 Presented by Dan Katz 7/24/2011 Blackstone Technology Group Proprietary and Confidential
2. Introductions 7/24/2011 Blackstone Technology Group Proprietary and Confidential Dan Katz dkatz@bstonetech.com Blackstone Technology Group 6 years working with Drupal 3 years working with Drupal inside Big Organizations Currently at Office of CIO in large Federal agency
3. 3 “If you wait to do everything until you’re sure it’s right, you’ll probably never do much of anything” – Win Borden
4. Disclaimer The content of this presentation is solely the thoughts and opinions of the speaker. I am not an employee of, nor do I represent the US Federal Government or the Department of Homeland Security.
5. Agenda 7/24/2011 Blackstone Technology Group Proprietary and Confidential Who does Drupal impact inside an agency? What are their perspectives and expectations? Perceived Risks Technology Flow Model of Open Source in Gov Some Tips and Gotchas Opportunities
6. Wow we can download anything we want! Does it fit within our Enterprise Arch? What are the security controls? …and share our work with the world! It better be 508 compliant. Goal – Balance & Perspective
7. 7/24/2011 Blackstone Technology Group Proprietary and Confidential 7 Will it get meappointed? What is this going to cost over time?
8. A Challenge and Opportunity “There is a fundamental dichotomy between what Drupal is in essence and what the government needs. The government needs a 70% solution – the ability to solve a problem. Drupal is a free form landscape, not tailored. It’s a toolset that covers too much ground. The government doesn’t want a toolbox. I don’t care about tools. What I care about is solving a business problem and what it’s going to cost over time.”- Federal Executive
9. 7/24/2011 Blackstone Technology Group Proprietary and Confidential 9 “My goal is basically to keep you developers out of a jumpsuit.” – an ISM I know
10. Code Intake Gov Contributions Procurement Contracts Internet and Open Source Community Contractors and Vendor Community Accessibility SELC/QA Security Privacy
11. Perceived Risks Open Source FUD Immature CM/ALM Immature enterprise level vendor landscape Limited to MySQL database Lack of governance for community contributions Limited clustering support within Drupal itself Rapidly evolving technology requires engagement in community to stay current – a “DIY” culture Documentation, training and developer information requires network access to blogs, twitter, youtube, etc… Another technology stack End users not comfortable with non-Microsoft like web interfaces 11
12. Security & Privacy FISMA Controls Controls flow up the stack Don’t assume it’s all data center Think of Drupal as providing services – not an app Drupal access controls – 800.53 mapping DrupalGotchas Plain text password settings file Editing permissions for “anonymous users” Views – admin power and permissions PHP input filter
13. Procurement & Contracts FUD around open source Pre-defined product/vehicle “shrink-wrapped” Federal acquisition regulation (FAR) Open competes without SME’s in procurement Subs to subs to subs O&M, documentation needs Supply and Demand problems
14. Compliance – 508 Myths “Drupal” is 508 compliant out of the box Only the “front-end” needs to be 508 compliant Accessibility is regulated the same way across all the Federal agencies DrupalGotchas Core forms – title attributes on form elements Alt text on images Tables – scopes Community – get involved
15. Compliance – EA/SELC 7/24/2011 Blackstone Technology Group Proprietary and Confidential Documentation Change Control More Drupal Culture Conflicts
16. Opportunities Drupal distributions Unified processes and communities around Drupal/OSS in gov Maturing vendor landscape Training and bringing more Drupal knowledge “in house” to the government
17. In Summary 7/24/2011 Blackstone Technology Group Proprietary and Confidential 17 Technology moves faster than government Drupal is a catalyst Maturity doesn’t mean moving backwards Vendor and Open Source Communities can help
18. Questions Thank you! Feel free to contact me with your questions: Dan Katzdkatz@bstonetech.com