bluefly / gov_compliance
Enterprise-grade security compliance for government agencies and regulated industries extending @bluefly/secure-project
Requires
- php: >=8.1
- robthree/twofactorauth: ^1.8
Requires (Dev)
- drupal/core-dev: ^10.3 || ^11
- phpspec/prophecy-phpunit: ^2.0
- phpunit/phpunit: ^10
Suggests
- @bluefly/secure-project: Install globally via npm for compliance validation and audit features
This package is auto-updated.
Last update: 2025-07-09 18:31:07 UTC
README
Overview
The Government Compliance module provides a comprehensive framework for managing security policies and compliance requirements in Drupal applications. It enables organizations to implement, monitor, and enforce government compliance standards such as FedRAMP, FISMA, HIPAA, GDPR, and custom regulatory frameworks.
Features
🏛️ Multi-Framework Support
- FedRAMP: Federal Risk and Authorization Management Program
- FISMA: Federal Information Security Management Act
- HIPAA: Health Insurance Portability and Accountability Act
- GDPR: General Data Protection Regulation
- Custom: Organization-specific compliance frameworks
🔐 Security Policy Management
- Content Entity Architecture: Policies as content entities with full revision support
- Bundle-Based Types: Policy types (FedRAMP, HIPAA, etc.) as configuration entities
- Content Moderation: Full workflow support (draft → review → approved → archived)
- Field API Integration: Extensible fields for compliance controls and enforcement rules
⚡ Real-Time Enforcement
- Validation Engine: Real-time compliance checking against system state
- Enforcement Rules: Automated policy enforcement with pluggable actions
- Remediation Actions: Automatic remediation for policy violations
- Audit Logging: Comprehensive audit trails for compliance reporting
🔌 Extensible Plugin System
- Validator Plugins: Custom validation logic for specific compliance requirements
- Enforcer Plugins: Custom enforcement actions for policy violations
- Import Sources: Pluggable policy import from external standards repositories
Installation
Requirements
- Drupal 10.3+ or 11.x
- PHP 8.1+
- Content Moderation module (core)
- Workflows module (core)
Install via Composer
The package name shown at the top of this page is bluefly/gov_compliance; use the name that resolves in the Composer repositories configured for your site.
composer require drupal/gov_compliance
drush en gov_compliance
Install from Source
- Download and extract to modules/contrib/gov_compliance
- Enable the module:
drush en gov_compliance
- Configure permissions and workflows
Configuration
1. Enable Content Moderation
drush en content_moderation workflows
2. Configure Policy Types
Navigate to Administration > Structure > Security Policy Types to:
- Create custom policy types
- Configure frameworks (FedRAMP, HIPAA, etc.)
- Set default severity levels
- Define required fields
3. Set Up Workflows
The module installs a default security_policy_review workflow with states:
- Draft: Initial policy creation
- Needs Review: Submitted for compliance review
- Reviewed: Technical review completed
- Approved: Policy active and enforced
- Rejected: Policy rejected with feedback
- Archived: Deprecated/replaced policies
4. Configure Permissions
Assign these permissions to appropriate roles:
- view security policies
- create security policies
- edit security policies
- delete security policies
- administer security policy types
- approve security policies
Usage
Creating Security Policies
Navigate to Policy Management
Administration > Security > Policies > Add Security Policy
Select Policy Type Choose from available types (FedRAMP, HIPAA, GDPR, Custom)
Configure Policy Details
// Example policy structure. The entity class is assumed to live in the
// module's Entity namespace, following Drupal convention.
use Drupal\gov_compliance\Entity\SecurityPolicy;

$policy = SecurityPolicy::create([
  'type' => 'fedramp',
  'title' => 'Access Control Policy',
  'description' => 'Implements FedRAMP AC-2 controls',
  'framework' => 'fedramp',
  'severity_level' => 'high',
  'compliance_controls' => [
    'AC-2' => [
      'description' => 'Account Management',
      'implementation' => 'Multi-factor authentication required',
      'testing' => 'Quarterly access reviews',
    ],
  ],
  'enforcement_rules' => [
    'mfa_required' => [
      'action' => 'block_access',
      'conditions' => [
        ['type' => 'user_role', 'roles' => ['administrator']],
      ],
    ],
  ],
  'validation_rules' => [
    'tfa_module' => [
      'type' => 'module_required',
      'modules' => ['tfa'],
    ],
  ],
]);
Policy Validation
Policies automatically validate system compliance:
// Programmatic validation. The 'permissions' entry is built from the
// current user's roles; the original snippet called an undefined
// $this->getUserPermissions() helper here.
use Drupal\user\Entity\Role;

$permissions = [];
foreach (Role::loadMultiple(\Drupal::currentUser()->getRoles()) as $role) {
  $permissions = array_merge($permissions, $role->getPermissions());
}

$violations = $policy->validateCompliance([
  'modules' => \Drupal::moduleHandler()->getModuleList(),
  'config' => [
    'system.site' => \Drupal::config('system.site')->getRawData(),
  ],
  'permissions' => array_unique($permissions),
]);
foreach ($violations as $violation) {
  \Drupal::logger('gov_compliance')->warning($violation['message']);
}
Policy Enforcement
Policies can automatically enforce compliance:
// Real-time enforcement
$context = [
'user_id' => \Drupal::currentUser()->id(),
'user_roles' => \Drupal::currentUser()->getRoles(),
'ip_address' => \Drupal::request()->getClientIp(),
'action' => 'login',
];
$actions = $policy->enforcePolicy($context);
foreach ($actions as $action) {
// Actions are automatically executed
\Drupal::logger('gov_compliance')->info('Policy enforced: @action', [
'@action' => $action['action'],
]);
}
API Reference
Entities
SecurityPolicyType (Config Entity)
- Purpose: Defines policy types/bundles
- Examples: FedRAMP, HIPAA, GDPR, Custom
- Configuration: Framework, jurisdiction, industry, default severity
SecurityPolicy (Content Entity)
- Purpose: Actual security policies with moderation support
- Features: Revisions, workflows, field API, translations
- Bundle Entity: SecurityPolicyType
Services
SecurityPolicyManager
$manager = \Drupal::service('gov_compliance.security_policy_manager');
// Get active policies
$policies = $manager->getActivePolicies();
// Validate system compliance
$violations = $manager->validateSystemCompliance();
// Enforce policies
$manager->enforceActivePolicies($context);
ContentModerationIntegration
$moderation = \Drupal::service('gov_compliance.content_moderation_integration');
// Create moderated policy
$policy = $moderation->createSecurityPolicy($policy_data);
// Submit for review
$moderation->submitForReview($policy->id());
// Approve policy
$moderation->approveSecurityPolicy($policy->id(), 'Approved by CISO');
PolicyImportService
$import = \Drupal::service('gov_compliance.policy_import');
// Import from NIST
$policies = $import->importFromNist('moderate');
// Import from external source
$policies = $import->importFromUrl('https://example.com/policies.json');
Plugin Development
Creating Validator Plugins
<?php
namespace Drupal\my_module\Plugin\SecurityPolicyValidator;
use Drupal\gov_compliance\Plugin\SecurityPolicyValidatorBase;
/**
* @SecurityPolicyValidator(
* id = "my_custom_validator",
* label = @Translation("Custom Validator"),
* description = @Translation("Custom validation logic")
* )
*/
class MyCustomValidator extends SecurityPolicyValidatorBase {
public function validate(array $system_state): array {
// Custom validation logic
return [
'compliant' => TRUE,
'message' => 'System is compliant',
];
}
}
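The stub above returns compliant unconditionally. The following validator plugin is an added example, not code from the gov_compliance module: it implements the module_required rule type used in the policy structure earlier on this page, plus a hypothetical config_value rule type, against the $system_state shape shown in the Policy Validation section. It assumes the base class exposes plugin configuration as $this->configuration (the Drupal PluginBase convention) and that the policy's validation_rules are handed over there; the plugin id, class name and the 'missing' detail key are illustrative.

```php
<?php

namespace Drupal\my_module\Plugin\SecurityPolicyValidator;

use Drupal\gov_compliance\Plugin\SecurityPolicyValidatorBase;

/**
 * Checks required modules and configuration values named in a policy.
 *
 * @SecurityPolicyValidator(
 *   id = "required_state_validator",
 *   label = @Translation("Required modules and configuration"),
 *   description = @Translation("Fails when a required module is not installed or a configuration value differs from the policy")
 * )
 */
class RequiredStateValidator extends SecurityPolicyValidatorBase {

  /**
   * {@inheritdoc}
   *
   * $system_state['modules'] is expected in the shape returned by
   * ModuleHandlerInterface::getModuleList() (keyed by machine name) and
   * $system_state['config'] keyed by config object name, as in the
   * Policy Validation example.
   */
  public function validate(array $system_state): array {
    // ASSUMPTION: the policy's validation_rules arrive as plugin configuration.
    $rules = $this->configuration['validation_rules'] ?? [];
    $installed = array_keys($system_state['modules'] ?? []);
    $config = $system_state['config'] ?? [];
    $failures = [];

    foreach ($rules as $rule_id => $rule) {
      switch ($rule['type'] ?? '') {
        case 'module_required':
          foreach ($rule['modules'] ?? [] as $module) {
            if (!in_array($module, $installed, TRUE)) {
              $failures[] = "$rule_id: module '$module' is not installed";
            }
          }
          break;

        case 'config_value':
          // Hypothetical rule type, e.g.
          // ['type' => 'config_value', 'config' => 'user.settings',
          //  'key' => 'register', 'expected' => 'admin_only'].
          $name = $rule['config'] ?? '';
          $key = $rule['key'] ?? '';
          if (!array_key_exists($name, $config)) {
            // The caller did not supply this config object: treat the
            // check as failed rather than silently passing it.
            $failures[] = "$rule_id: config '$name' was not provided for validation";
            break;
          }
          $actual = $config[$name][$key] ?? NULL;
          if ($actual !== ($rule['expected'] ?? NULL)) {
            $failures[] = sprintf("%s: %s:%s is %s, expected %s",
              $rule_id, $name, $key, var_export($actual, TRUE),
              var_export($rule['expected'] ?? NULL, TRUE));
          }
          break;

        default:
          // An unknown rule type is a policy authoring error; fail closed.
          $failures[] = "$rule_id: unknown rule type '" . ($rule['type'] ?? '') . "'";
      }
    }

    if ($failures === []) {
      return ['compliant' => TRUE, 'message' => 'All validation rules satisfied.'];
    }
    return [
      'compliant' => FALSE,
      'message' => 'Validation failed: ' . implode('; ', $failures),
      // Structured detail for reporting; an extension of the documented shape.
      'failures' => $failures,
    ];
  }

}
```

Two choices in this example matter for a compliance control: a config object the caller forgot to pass is reported as a failure instead of a pass, and an unrecognised rule type fails rather than being skipped, so a typo in a policy cannot quietly disable a check.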
Creating Enforcer Plugins
<?php
namespace Drupal\my_module\Plugin\SecurityPolicyEnforcer;
use Drupal\gov_compliance\Plugin\SecurityPolicyEnforcerBase;
/**
* @SecurityPolicyEnforcer(
* id = "my_custom_enforcer",
* label = @Translation("Custom Enforcer"),
* description = @Translation("Custom enforcement actions")
* )
*/
class MyCustomEnforcer extends SecurityPolicyEnforcerBase {
public function enforce(array $context): array {
// Custom enforcement logic
return [
'success' => TRUE,
'message' => 'Policy enforced successfully',
];
}
}
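As with the validator, the stub above always reports success. The enforcer below is an added example, not the module's own code: it evaluates the conditions of an enforcement rule shaped like the mfa_required rule in the policy example (action plus a list of conditions) against the $context array built in the Policy Enforcement section, and reports a block_access decision only when every condition matches. Assumptions: the rule arrives as $this->configuration['rule']; the ip_not_in and action condition types are hypothetical additions to the page's user_role type; the 'matched' and 'action' return keys extend the documented success/message shape; Symfony's IpUtils (shipped with Drupal core) does the CIDR matching.

```php
<?php

namespace Drupal\my_module\Plugin\SecurityPolicyEnforcer;

use Drupal\gov_compliance\Plugin\SecurityPolicyEnforcerBase;
use Symfony\Component\HttpFoundation\IpUtils;

/**
 * Applies a rule's action when all of its conditions match the context.
 *
 * @SecurityPolicyEnforcer(
 *   id = "conditional_block_access",
 *   label = @Translation("Conditional block access"),
 *   description = @Translation("Blocks access when every condition of an enforcement rule matches the request context")
 * )
 */
class ConditionalBlockAccessEnforcer extends SecurityPolicyEnforcerBase {

  /**
   * {@inheritdoc}
   *
   * $context carries user_id, user_roles, ip_address and action, as built
   * in the Policy Enforcement example.
   */
  public function enforce(array $context): array {
    // ASSUMPTION: the enforcement rule arrives as plugin configuration.
    $rule = $this->configuration['rule'] ?? [];
    $conditions = $rule['conditions'] ?? [];

    if ($conditions === []) {
      // A rule with no conditions would match every request. Refuse it
      // explicitly instead of blocking everyone.
      return ['success' => FALSE, 'message' => 'Rule has no conditions; not enforced.'];
    }

    foreach ($conditions as $condition) {
      if (!$this->conditionMatches($condition, $context)) {
        return ['success' => TRUE, 'matched' => FALSE, 'message' => 'Conditions not met; no action taken.'];
      }
    }

    // Every condition matched. This plugin reports the decision; executing
    // it (denying the request) is left to whatever dispatches plugin results.
    return [
      'success' => TRUE,
      'matched' => TRUE,
      'action' => $rule['action'] ?? 'block_access',
      'message' => sprintf('Access blocked for user %s from %s during "%s".',
        $context['user_id'] ?? 'unknown',
        $context['ip_address'] ?? 'unknown',
        $context['action'] ?? 'unknown'),
    ];
  }

  /**
   * Returns TRUE when the condition is satisfied by the context.
   *
   * Missing context keys and unknown condition types count as a match, so
   * a blocking rule fails closed when the caller supplied too little to
   * decide safely.
   */
  protected function conditionMatches(array $condition, array $context): bool {
    switch ($condition['type'] ?? '') {
      case 'user_role':
        // Matches when the user holds any of the listed roles.
        $roles = $context['user_roles'] ?? NULL;
        if (!is_array($roles)) {
          return TRUE;
        }
        return array_intersect($condition['roles'] ?? [], $roles) !== [];

      case 'ip_not_in':
        // Hypothetical: matches (i.e. blocks) when the client IP is outside
        // the allowed CIDR list. An empty list allows nothing.
        $ip = $context['ip_address'] ?? NULL;
        if ($ip === NULL) {
          return TRUE;
        }
        return !IpUtils::checkIp($ip, $condition['cidrs'] ?? []);

      case 'action':
        // Hypothetical: matches a specific action such as 'login'.
        $action = $context['action'] ?? NULL;
        return $action === NULL || $action === ($condition['value'] ?? NULL);

      default:
        \Drupal::logger('gov_compliance')->error('Unknown condition type @type in enforcement rule', [
          '@type' => $condition['type'] ?? '(none)',
        ]);
        return TRUE;
    }
  }

}
```

The fail-closed choices (missing roles or IP, unknown condition type) are deliberate for a rule whose purpose is restricting privileged access; for an advisory rule that only logs, you would invert them so that incomplete context never blocks a user.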
Compliance Frameworks
FedRAMP Integration
# Example FedRAMP Low baseline policy
framework: fedramp
baseline: low
controls:
  AC-2: # Account Management
    implementation: "Multi-factor authentication for privileged accounts"
    testing: "Quarterly access reviews"
    documentation: "User access control procedures"
  AU-2: # Audit Events
    implementation: "Comprehensive logging of all system events"
    testing: "Monthly log review"
    documentation: "Audit log management procedures"
HIPAA Integration
# Example HIPAA Security Rule policy
framework: hipaa
rule: security
safeguards:
  administrative:
    - assigned_security_responsibility
    - workforce_training
    - access_management
  physical:
    - facility_controls
    - workstation_controls
    - device_controls
  technical:
    - access_control
    - audit_controls
    - integrity
    - transmission_security
Reporting
Compliance Reports
Generate comprehensive compliance reports:
$reporter = \Drupal::service('gov_compliance.compliance_reporter');
// Generate FedRAMP ATO package
$ato_package = $reporter->generateATOPackage('fedramp', 'moderate');
// Generate HIPAA risk assessment
$risk_assessment = $reporter->generateRiskAssessment('hipaa');
// Generate custom compliance report
$custom_report = $reporter->generateComplianceReport([
'frameworks' => ['fedramp', 'hipaa'],
'date_range' => ['start' => '2024-01-01', 'end' => '2024-12-31'],
'format' => 'pdf',
]);
Contributing
Development Setup
git clone https://www.drupal.org/project/gov_compliance.git
cd gov_compliance
composer install
Running Tests
# Unit tests
phpunit --group gov_compliance
# Kernel tests
phpunit tests/src/Kernel/
# Functional tests
phpunit tests/src/Functional/
Coding Standards
phpcs --standard=Drupal,DrupalPractice src/
phpcbf --standard=Drupal,DrupalPractice src/
Support
- Issue Queue: https://www.drupal.org/project/issues/gov_compliance
- Documentation: https://www.drupal.org/docs/contributed-modules/gov-compliance
- Security Issues: Use the standard Drupal security reporting process
License
GPL-2.0-or-later
Maintainers
- [Your Name] - https://www.drupal.org/u/your-username
Related Modules
- Content Moderation: Core workflow support
- Workflows: Core workflow definitions
- Field Encrypt: Encrypt sensitive policy data
- Security Review: Automated security scanning
- Password Policy: Password compliance enforcement