Security and GovCMS: what you need to know

Security classification

GovCMS is certified to host websites and information with a classification level up to OFFICIAL: Sensitive.

Security for SaaS vs PaaS customers

GovCMS Software as a Service (SaaS):

SaaS customers benefit from high-level security, including:

  • Website protection - Part of the GovCMS service at no extra cost.
  • Ongoing security assessments (including IRAP)
  • Security patching and updates
  • 24/7 monitoring and support

However, you are responsible for your site’s theme, content and user account management.

GovCMS Platform as a Service (PaaS):

While the platform layer is rated for OFFICIAL: Sensitive, PaaS customers have greater security responsibilities than SaaS. You are responsible for:

  • Security updates and patching
  • Module installation and updates
  • Theme management and updates
  • Managing the Drupal application layer, content, and user accounts

Optional web protection services are also available to PaaS customers.

Updates are published in the GovCMS Distribution, but you must deploy them to your own websites yourself or engage a service provider to do so. Be cautious with custom development, and ensure third parties (e.g. developers, external service providers) follow proper security practices.

IRAP assessment

The Information Security Registered Assessors Program (IRAP) involves security assessments by ASD-endorsed professionals.

The GovCMS platform has completed an IRAP assessment aligned with the 2019 Australian Government Information Security Manual (ISM) at the OFFICIAL: Sensitive level.

For SaaS customers, everything is covered: you don’t need to undertake your own IRAP assessment. However, you still need to consider undertaking a risk assessment.

For PaaS customers, only the infrastructure layer is covered by our IRAP assessment. You are responsible for the IRAP assessment of your Drupal application layer at your own cost.

What this means for you

Although the platform supports storing OFFICIAL: Sensitive information, this doesn’t mean it’s always appropriate. You must comply with:

  • The Privacy Act
  • The Australian Privacy Principles (APPs)

Before collecting personal information (especially through web forms), consult your Privacy Officer. Your obligations under the ISM and Protective Security Policy Framework (PSPF) include conducting risk assessments and maintaining due diligence.

User account best practices

To meet ISM standards:

  • All users must have unique, identifiable accounts
  • Generic, common, or shared accounts are not supported on GovCMS

This ensures accountability and security.
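One way to check a site against the unique-account requirement is to audit the user list for role-based names and shared mailboxes. The script below is an added example, not GovCMS code: it assumes a user export with the name, mail and status fields of Drupal's user records, and the sample records, the list of generic name tokens and the list of role-mailbox prefixes are all constructed for illustration.

```python
"""Audit a Drupal user export for generic or shared accounts (added example)."""
import re
from collections import defaultdict

# Assumed: name tokens that identify a role or function rather than a person.
GENERIC_TOKENS = {"admin", "administrator", "webmaster", "editor", "content",
                  "comms", "test", "shared", "guest", "service", "support", "team"}
# Assumed: mailbox local parts that usually belong to a team, not an individual.
SHARED_LOCAL_PARTS = {"info", "comms", "web", "media", "admin", "webmaster",
                      "noreply", "no-reply"}

# Constructed sample export (uid, name, mail, status as in Drupal's user data).
SAMPLE_USERS = [
    {"uid": 1, "name": "admin", "mail": "web@agency.example", "status": 1},
    {"uid": 7, "name": "jsmith", "mail": "jane.smith@agency.example", "status": 1},
    {"uid": 8, "name": "comms-team", "mail": "comms@agency.example", "status": 1},
    {"uid": 9, "name": "editor2", "mail": "comms@agency.example", "status": 1},
    {"uid": 10, "name": "bkhan", "mail": "b.khan@agency.example", "status": 0},
]


def is_generic_name(name):
    """True if any word in the username is a role/function token ('editor2' -> 'editor')."""
    tokens = re.split(r"[^a-z]+", name.lower())
    return any(t in GENERIC_TOKENS for t in tokens if t)


def is_shared_mailbox(mail):
    """True if the address's local part looks like a team mailbox."""
    local = mail.lower().split("@", 1)[0]
    return local in SHARED_LOCAL_PARTS


def audit_accounts(users):
    """Return {uid: [reasons]} for active accounts that look generic or shared.

    Blocked accounts (status 0) are skipped; they cannot be used to act on the site.
    """
    findings = defaultdict(list)
    active = [u for u in users if u["status"] == 1]

    # Pass 1: judge each account on its own name and mailbox.
    for u in active:
        if is_generic_name(u["name"]):
            findings[u["uid"]].append("generic or role-based username")
        if is_shared_mailbox(u["mail"]):
            findings[u["uid"]].append("role mailbox rather than a personal address")

    # Pass 2: one mailbox behind several active accounts means several people
    # can reset the password and share the login.
    by_mail = defaultdict(list)
    for u in active:
        by_mail[u["mail"].lower()].append(u["uid"])
    for mail, uids in by_mail.items():
        if len(uids) > 1:
            for uid in uids:
                others = sorted(x for x in uids if x != uid)
                findings[uid].append(f"email {mail} also used by uid(s) {others}")
    return dict(findings)


if __name__ == "__main__":
    for uid, reasons in sorted(audit_accounts(SAMPLE_USERS).items()):
        print(f"uid {uid}: " + "; ".join(reasons))
```

Each flagged account still needs a human decision (rename it to an individual, or retire it); the audit only surfaces the candidates. Running it regularly, for example after onboarding new content editors, keeps the site aligned with the ISM requirement above.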

SSL certificates and HTTPS

All GovCMS sites must use HTTPS with TLS encryption.

  • SaaS and PaaS sites using the GovCMS CDN will automatically receive a managed TLS/SSL certificate
  • PaaS sites not using the CDN must arrange their own certificate and ensure it meets current ISM requirements

Setup instructions are provided during onboarding for CDN users.
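For PaaS sites that manage their own certificate, the check below shows how to confirm what a live endpoint actually negotiates. It is an added example, not GovCMS code: the policy thresholds (TLS 1.2 or later, at least 30 days of certificate validity remaining) are assumptions chosen for illustration, and you should confirm the current ISM requirements before relying on them. The `probe` function needs network access; `assess_tls` is the pure policy evaluation and can be exercised with constructed values.

```python
"""Baseline TLS posture check for a self-managed HTTPS endpoint (added example)."""
import socket
import ssl
import time

# Assumed policy thresholds; verify against the current ISM before use.
ALLOWED_VERSIONS = ("TLSv1.2", "TLSv1.3")
MIN_DAYS_REMAINING = 30


def assess_tls(version, not_after_epoch, now_epoch):
    """Evaluate values observed from a handshake against the policy.

    version          -- protocol string as returned by SSLSocket.version()
    not_after_epoch  -- certificate expiry as a Unix timestamp
    now_epoch        -- current time as a Unix timestamp
    Returns a list of findings; an empty list means the endpoint passes.
    """
    findings = []
    if version not in ALLOWED_VERSIONS:
        findings.append(f"negotiated {version}; require TLS 1.2 or later")
    days_left = (not_after_epoch - now_epoch) / 86400
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left < MIN_DAYS_REMAINING:
        findings.append(f"certificate expires in {days_left:.0f} days")
    return findings


def probe(host, port=443, timeout=5.0):
    """Handshake with the live site and run the policy over what it offered.

    The default context verifies the chain against the system trust store and
    checks the hostname, so a mismatched or untrusted certificate is reported
    as a finding rather than silently accepted.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocols outright
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                not_after = ssl.cert_time_to_seconds(cert["notAfter"])
                return assess_tls(tls.version(), not_after, time.time())
    except ssl.SSLCertVerificationError as exc:
        return [f"certificate verification failed: {exc.reason}"]
    except ssl.SSLError as exc:
        return [f"handshake failed: {exc}"]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.invalid"  # placeholder host
    result = probe(target)
    print("PASS" if not result else "FAIL: " + "; ".join(result))
```

Because the context refuses anything below TLS 1.2, a server that only offers older protocols shows up as a handshake failure rather than a version finding; that is the intended behaviour for a pass/fail gate, and the `assess_tls` version check remains useful when the observed values come from another tool.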

Risk assessments & security plans

Under the ISM and PSPF, organisations are responsible for assessing risks related to their cloud services. This includes:

  • Financial and legal risks
  • Data ownership and sovereignty
  • Privacy obligations

System Security Plans are available on request and can be shared with your organisation’s IT Security Advisor.

Privacy Impact Assessments (PIAs)

A PIA helps identify and address privacy risks in a project. It is a key part of risk management and compliance with the APPs.

GovCMS provides a PIA template, developed in consultation with legal advisors, for agency use. However:

  • You must decide if a PIA is necessary in consultation with your privacy team
  • GovCMS does not review or approve PIAs

For guidance, see the Office of the Australian Information Commissioner (OAIC) website, which includes resources like the PIA threshold assessment.
