The security of your website is our priority. Learn more about GovCMS security measures.

What you need to know about security and GovCMS

GovCMS is for websites that contain unclassified information that’s publicly available.

GovCMS Software as a Service (SaaS) customers get high quality security protection and compliance. Our services include website protection and ongoing website security assessments including IRAP. We also provide security patching, support and 24/7 monitoring. You are responsible for staff user accounts and content. Also be mindful of your responsibility for others working with you such as external service providers and developers.

GovCMS Platform as a Service (PaaS) customers have greater responsibilities. PaaS sites don’t receive the same level of protection as provided to SaaS customers. PaaS customers need to ensure their website is secure. You'll need to do your own security updates and patching as well as installation of module updates features. Web protection services are an optional extra.

The Platform layer for PaaS is rated to OFFICIAL: Sensitive. Custom development can expose you to vulnerabilities. Customers are responsible for the Drupal application layer.

If incidents are detected or suspected, you will need to raise a support ticket.


Security features

Software as a Service (SaaS)

Platform as a Service (PaaS)

Security accredited (IRAP assessed) 

Everything is covered.  You don’t need to undertake your own assessment.

You still need to consider undertaking a risk assessment.

Infrastructure layer only is covered. You are responsible for the Drupal application layer.

You need to do your own IRAP at your own cost.

Security updates

All patching including security updates is managed by us.

You’re responsible for all patching including security updates or you can pay a service provider.

Web protection service  

CDN, WAF and

Part of the service - no extra cost.

Web protection is an additional cost.

CMS Maintenance

We do it for you.

Updates to the CMS are rolled out to all SaaS customers.

You can access the GovCMS Distribution for updates but need to deploy the changes to your own websites or you can pay a service provider.