Security certifying a whole-of-government digital platform

Adoption and the ongoing success of whole-of-government digital platforms requires a security profile agencies can leverage. GovCMS 2.0 needed to be security re-accredited from the ground up given the transformation of the GovCMS program. This was a significant undertaking.

On this page:

Date:
18 February 2019
Author:
Paul Morriss

Whole-of-government digital platforms

The promise of whole-of-government digital platforms includes consolidation of digital services, uniform application of best-of-breed technical approaches, rationalisation of digital channels, lowering barriers for processes such as procurement, and increasing collaboration, re-use and sharing across agencies. Government agencies obtain access to proven features, may contribute platform features themselves and may take on the contribution and benefits from other agencies. Agencies are part of an ecosystem using the platform. Agencies gain access to mature service offerings and governance across the platform rather than needing to define (invest in) their own. Agencies are able to do more for less.

Whole-of-government digital platforms enable a better, more connected government to benefit all citizens.

The need to secure

It’s imperative to appropriately secure whole-of-government digital platforms. Each agency needs to manage its online risk and whole-of-government digital platforms are a way agencies can adopt consolidated, enterprise-level, security solutions. Agencies don’t need to build their own costly (typically prohibitive) security solution but rather adopt the security profile of the platform. Agencies benefit from security assessment and accreditation of whole-of-government digital platforms.

A truly whole-of-government digital platform requires a rigorous security approach across technology, process and people.

GovCMS as an example

The Department of Finance (Finance) offers GovCMS ( https://www.govcms.gov.au/External Link ) as a whole-of-government digital platform. Finance lowers the barrier for agencies to create web presences to better connect government with citizens. Agencies using the service benefit from an open and secure platform. Over 200 sites are live on GovCMS across a landscape of 87 discrete agencies. Each agency benefits from, and is assured by, investment in security made into the GovCMS platform.

The GovCMS platform has always placed a strong emphasis on the security of its agency sites, and as such, conducts regular independent testing of its various systems, and will always work with agencies to ensure that their individual sites meet the high expectations required of web digital presences.

GovCMS was officially launched by Finance in February 2015. The intent was to provide a stable and reliable CMS, enterprise support, enterprise-grade security, mature processes and low barrier to procurement.

Salsa Digital in partnership with amazee.io were selected by Finance to build and support GovCMS 2.0 (see Salsa Digital and amazee.io to build next generation GovCMS platform and Getting developers ready for the next iteration of GovCMS). The Salsa/amazee.io solution is a complete re-architecture of platform, services and people. The previous security accreditation was not applicable to the new platform so Salsa needed to broker a re-accreditation from the ground (platform) up.

ASD, ISM, IRAP and more

The Australian Signals Directorate (ASD) is an authority used by Australian Government for cyber security. The Australian Cyber Security Centre (ACSC) within ASD produces the Australian Government Information Security Manual (ISM). The ISM presents a risk management framework to protect information and systems from cyber threats. Security accreditations are assessments against the ISM (see https://acsc.gov.au/infosec/ism/index.htmExternal Link ).

The ISM is broken into individual areas of security, for example, personnel security, system monitoring, and email management to name a few. ISM controls are applicable per area. ISM controls cover people, process and technology. Each ISM control has an applicability marking that indicates the information, systems and/or areas that it’s applicable to. The applicability markings are based on protective markings from the Attorney-General’s Department (AGD)’s Protective Security Policy Framework (PSPF). The latest PSPF has ratings of:

  • O: OFFICIAL (including OFFICIAL: Sensitive)

  • P: PROTECTED, S: SECRET

  • TS: TOP SECRET

ISM 2018, a recent update for ISM (released December 2018), adopts these ratings. The previous ISM version, which was applicable during the security accreditation process for GovCMS, used ratings including, UNCLASSIFIED, U-DLM, PROTECTED and higher.

GovCMS IRAP

GovCMS is IRAP assessed. IRAP is a certification process where an assessor assesses implementation, appropriateness and effectiveness of applicable ISM controls. An IRAP Assessor uses a two-stage security assessment process. Stage 1 is a review and findings report. Stage 2 is evidence-based assessment leading to a report to the certification authority detailing compliance, non-compliance, remediations and actions. GovCMS 1.0 (prior to Salsa’s GovCMS 2.0 solution) was accredited to IRAP public UNCLASSIFIED.

The objective of GovCMS 2.0 was to match the IRAP accreditation level of GovCMS 1.0 while planning/aiming for the increased level of U-DLM.

Based on the outcomes and recommendations of the independent IRAP process, GovCMS 2.0 was given an Authority to Operate at the UNCLASSIFIED level in advance of the switchover from the previous hosting arrangement. The rigour of the preparation and process undertaken has positioned Finance well to achieve an UNCLASSIFIED-DLM (or OFFICIAL: SENSITIVE) rating in the near future.

The process, people

The process to achieve Authority to Operate was not a light undertaking. On Salsa’s side documents were authored, technical remediations were implemented, staff were trained, evidence was captured and more. As Salsa, amazee.io and Finance all share responsibility for administering parts of the system, all three parties needed to undergo the same rigorous assessment of their processes and procedures. Salsa's and amazee.io’s efforts dovetailed into Finance’s own GovCMS IRAP assessment and accreditation.

The Authority to Operate was the last major milestone marking the new GovCMS 2.0 whole-of-government digital platform as fit-for-purpose across people, process and technology.

Salsa Digital’s take

A security assessment of any system is important. A whole-of-government digital platform has a heightened importance given the scale of use, the number of agencies who have data (and reputation) at risk, and to realise the potential economies of scale afforded by whole-of-government platforms. In achieving Authority to Operate, GovCMS 2.0 is fit-for-purpose for public unclassified with the foundation set for U-DLM (or Official: Sensitive). Security is a potential area for sharing of investment across government, particularly when the same technical solutions are deployed. For example GovCMS is in active discussions with Victoria’s Single Digital Presence program (which uses the same open source technical stack) regarding the sharing potential of security approaches.

Subscribe to Salsa Source

Subscribe to Salsa Source to keep up to date with technical blogs. 

Subscribe