Supporting RMF Controls with Drupal Tools & Practices
RMF | Control Title | Drupal Tool / Practices | Notes |
---|---|---|---|
AC-2 | Account Management | User module | core |
AC-2(5) | Inactivity Logout | autologout | contrib |
AC-6 | Least Privilege | Roles and perms | core |
AC-6(9) | Audit Use of Privileged Functions | SELinux auditd | Red Hat SELinux |
IA-5 | Authenticator Management | password_policy | contrib |
AU-2 | List the Auditable Events | logging_alerts | contrib |
AU-6 | Audit Review, Analysis, and Reporting | Syslog / ELK | DevOps |
SA-3 | System Development Lifecycle | Agile Methodology | Agile Government Leadership |
SA-5 | Use of Live Data | Drush sqlsanitize, Devel Generate (or Faker) | drush, contrib |
SA-10 | Developer Configuration Management | Code Reviews, Automated Testing | Team structure, DevOps |
SA-15 | Development Process | E.g. GitFlow | Jenkins, DevOps |
CM-3 | Configuration Change Control | Drupal 7 Features, Drupal 8 CMI | contrib, core |
PS-1 | Personnel Security Policy | CivicActions/security-policy | Write one |
RA-5 | Vulnerability Scanning | Security Review, Paranoia, OpenSCAP/GovReady | contrib, contrib, GitHub |
SC-7 | Deny by Default / Allow by Exception | CDN, VPC, iptables, Bastion SSH | Sysadmin |
SC-13 | Cryptographic Protection | Encrypt, Field Encrypt, File Encrypt | contrib |
SC-18 | Prevent Downloading Execution | SecKit, Private file system | contrib, core |

This page was last updated on August 8, 2023.