bluefly/gov_compliance

Government compliance module for security policies and regulatory requirements

0.1.0 2025-07-27 17:47 UTC

README

Overview

The Government Compliance module provides policy enforcement, data classification and audit logging for government and regulated workloads, mapped to FISMA, FedRAMP, HIPAA, PCI DSS and SOC 2.

Status

  • Production Ready: 65%
  • Security Score: A-
  • Code Quality: B
  • Test Coverage: C+

Features

Compliance Frameworks

  • FISMA compliance automation
  • FedRAMP authorization support
  • HIPAA data protection
  • PCI DSS security standards
  • SOC 2 Type II controls

Data Classification

  • Automatic data classification
  • PII/PHI detection and protection
  • Data labeling and marking
  • Access control enforcement
  • Audit trail generation

Policy Management

  • Policy definition and enforcement
  • Workflow validation against policies
  • Automated compliance checking
  • Exception handling and reporting
  • Policy update management

🏛️ Government Compliance Architecture

graph TB
    subgraph "🌐 User Interfaces"
        ADMIN[🔐 Admin Dashboard<br/>Compliance Officer]
        AUDIT[📊 Audit Interface<br/>Security Auditor]
        DEV[💻 Developer Tools<br/>Integration APIs]
        REPORT[📋 Reporting Portal<br/>Management View]
    end
    
    subgraph "🛡️ Compliance Engine"
        POLICY[📜 Policy Engine<br/>Rule Definition & Enforcement]
        SCANNER[🔍 Compliance Scanner<br/>Automated Validation]
        CLASSIFIER[🏷️ Data Classifier<br/>PII/PHI Detection]
        VALIDATOR[✅ Workflow Validator<br/>Process Compliance]
    end
    
    subgraph "📋 Audit & Logging"
        AUDIT_LOG[📝 Audit Logger<br/>Complete Activity Trails]
        EVIDENCE[📁 Evidence Collector<br/>Compliance Artifacts]
        METRICS[📊 Compliance Metrics<br/>Performance Tracking]
        ALERTS[🚨 Alert System<br/>Violation Notifications]
    end
    
    subgraph "🏛️ Framework Modules"
        FISMA[🏛️ FISMA Module<br/>Federal Security Standards]
        FEDRAMP[☁️ FedRAMP Module<br/>Cloud Authorization]
        HIPAA[🏥 HIPAA Module<br/>Healthcare Privacy]
        PCI[💳 PCI DSS Module<br/>Payment Security]
        SOC2[🔒 SOC 2 Module<br/>Service Controls]
    end
    
    subgraph "🔗 Integration Points"
        DRUPAL_CORE[🌐 Drupal Core<br/>User Management]
        AI_PLATFORM[🤖 AI Platform<br/>LLM Compliance]
        CODE_EXEC[⚙️ Code Executor<br/>Secure Execution]
        VECTOR_DB[🔍 Vector Database<br/>Document Analysis]
    end
    
    subgraph "📊 External Systems"
        NIST[📚 NIST Framework<br/>Control Mappings]
        CISA[🛡️ CISA Guidelines<br/>Security Standards]
        OMB[🏛️ OMB Memoranda<br/>Federal Policies]
        VENDOR_DB[🏢 Vendor Database<br/>Supply Chain Risk]
    end
    
    %% User Interface Connections
    ADMIN --> POLICY
    AUDIT --> AUDIT_LOG
    DEV --> VALIDATOR
    REPORT --> METRICS
    
    %% Compliance Engine Flow
    POLICY --> SCANNER
    SCANNER --> CLASSIFIER
    CLASSIFIER --> VALIDATOR
    VALIDATOR --> AUDIT_LOG
    
    %% Audit System
    SCANNER --> EVIDENCE
    CLASSIFIER --> EVIDENCE
    VALIDATOR --> EVIDENCE
    EVIDENCE --> METRICS
    METRICS --> ALERTS
    
    %% Framework Integration
    POLICY --> FISMA
    POLICY --> FEDRAMP
    POLICY --> HIPAA
    POLICY --> PCI
    POLICY --> SOC2
    
    FISMA --> SCANNER
    FEDRAMP --> SCANNER
    HIPAA --> CLASSIFIER
    PCI --> VALIDATOR
    SOC2 --> AUDIT_LOG
    
    %% Platform Integration
    DRUPAL_CORE <--> POLICY
    AI_PLATFORM <--> CLASSIFIER
    CODE_EXEC <--> VALIDATOR
    VECTOR_DB <--> EVIDENCE
    
    %% External Standards
    NIST --> FISMA
    CISA --> FEDRAMP
    OMB --> POLICY
    VENDOR_DB --> SCANNER
    
    %% Styling
    classDef interface fill:#e3f2fd
    classDef engine fill:#e8f5e8
    classDef audit fill:#fff3e0
    classDef framework fill:#fce4ec
    classDef integration fill:#f3e5f5
    classDef external fill:#e1f5fe
    
    class ADMIN,AUDIT,DEV,REPORT interface
    class POLICY,SCANNER,CLASSIFIER,VALIDATOR engine
    class AUDIT_LOG,EVIDENCE,METRICS,ALERTS audit
    class FISMA,FEDRAMP,HIPAA,PCI,SOC2 framework
    class DRUPAL_CORE,AI_PLATFORM,CODE_EXEC,VECTOR_DB integration
    class NIST,CISA,OMB,VENDOR_DB external

🔄 Compliance Workflow Process

sequenceDiagram
    participant USER as 👤 User/System
    participant POLICY as 📜 Policy Engine
    participant SCANNER as 🔍 Compliance Scanner
    participant CLASSIFIER as 🏷️ Data Classifier
    participant AUDIT as 📝 Audit Logger
    participant ALERT as 🚨 Alert System
    participant ADMIN as 🔐 Admin Dashboard
    
    Note over USER,ADMIN: Data Processing Request
    
    USER->>POLICY: Submit data/workflow
    POLICY->>POLICY: Check applicable frameworks
    POLICY->>SCANNER: Initiate compliance scan
    
    SCANNER->>CLASSIFIER: Analyze data content
    CLASSIFIER->>CLASSIFIER: Detect PII/PHI/sensitive data
    CLASSIFIER-->>SCANNER: Classification results
    
    SCANNER->>SCANNER: Validate against policies
    alt Compliance Pass
        SCANNER->>AUDIT: Log successful validation
        SCANNER-->>USER: Approve request
        AUDIT->>ADMIN: Update compliance metrics
    else Compliance Violation
        SCANNER->>ALERT: Trigger violation alert
        SCANNER->>AUDIT: Log violation details
        ALERT->>ADMIN: Send notification
        SCANNER-->>USER: Reject with reasons
    end
    
    Note over USER,ADMIN: Continuous Monitoring
    
    loop Every 15 minutes
        SCANNER->>SCANNER: Automated compliance check
        SCANNER->>AUDIT: Log monitoring results
        alt New violations detected
            SCANNER->>ALERT: Send alerts
            ALERT->>ADMIN: Notify administrators
        end
    end
    
    Note over USER,ADMIN: Audit Trail Generation
    
    ADMIN->>AUDIT: Request compliance report
    AUDIT->>AUDIT: Generate evidence package
    AUDIT-->>ADMIN: Compliance documentation

🎯 Key Compliance Features:

  • 🔍 Real-time Scanning: Continuous compliance validation for all operations
  • 🏷️ Intelligent Classification: AI-assisted detection of sensitive data; because it is probabilistic it should back deterministic pattern rules for known identifier formats, not replace them
  • 📋 Complete Audit Trails: Every action logged with detailed evidence
  • 🚨 Proactive Alerting: Immediate notifications for policy violations
  • 📊 Compliance Dashboards: Real-time metrics and reporting
  • 🏛️ Framework Support: FISMA, FedRAMP, HIPAA, PCI DSS, SOC 2

Installation

# Enable the module
ddev drush en gov_compliance -y

# Configure compliance framework
ddev drush gov:configure-framework fisma

# Run initial compliance scan
ddev drush gov:compliance-scan

Configuration

Basic Setup

  1. Navigate to /admin/config/system/gov-compliance
  2. Select primary compliance framework
  3. Configure data classification levels
  4. Set up audit logging
  5. Define compliance policies

Framework Configuration

# FISMA Configuration
framework: 'fisma'
compliance_level: 'moderate'
enforce_classification: true
require_clearance_validation: true
audit_all_operations: true

Usage

Data Classification

$classifier = \Drupal::service('gov_compliance.classifier');
$classification = $classifier->classifyData($content);
// Returns a level label such as 'PUBLIC', 'OFFICIAL', 'CONFIDENTIAL' or 'SECRET'
// (see Data Classification Levels below).

Policy Validation

$validator = \Drupal::service('gov_compliance.policy_validator');
$result = $validator->validateOperation($operation, $context);
if (!$result->isCompliant()) {
  // Deny the operation here; never fall through to the privileged path after a failed check.
}

Audit Logging

$auditor = \Drupal::service('gov_compliance.auditor');
// Keep $data to an identifier or digest of the record rather than the sensitive payload
// itself, unless the audit store is protected at the same level as the data.
$auditor->logOperation('data_access', $user, $data, $context);
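The three calls above are only useful in a fixed order: classify, then validate, then audit, and only then perform the operation. The following service is an added example, not code from the gov_compliance module. It assumes only what the Usage section shows (the three service ids, classifyData() returning a level label, validateOperation() returning an object with isCompliant(), and logOperation()); getViolations() on the result object, the context keys, and the example_export namespace are assumptions.

```php
<?php

declare(strict_types=1);

namespace Drupal\example_export\Service;

use Drupal\Core\Session\AccountInterface;

/**
 * Wraps a data export in the classify -> validate -> audit sequence.
 *
 * Illustrative code, not part of gov_compliance. The gov_compliance service
 * classes are not documented on this page, so they are injected untyped;
 * a real module would type-hint them and declare this service in
 * example_export.services.yml.
 */
final class GuardedExporter {

  public function __construct(
    private readonly object $classifier,
    private readonly object $validator,
    private readonly object $auditor,
  ) {}

  public static function create(): self {
    return new self(
      \Drupal::service('gov_compliance.classifier'),
      \Drupal::service('gov_compliance.policy_validator'),
      \Drupal::service('gov_compliance.auditor'),
    );
  }

  /**
   * Sends $content to $destination (for example 'llm_platform') for $account.
   *
   * @throws \RuntimeException
   *   When the policy engine rejects the operation. Callers must not catch
   *   this and proceed; the exception is the denial.
   */
  public function export(AccountInterface $account, string $content, string $destination): string {
    // 1. Classify before anything else; every later decision depends on the label.
    $level = $this->classifier->classifyData($content);

    // 2. Let the policy engine decide whether this label may flow to this destination.
    //    The context keys are an assumption of this example.
    $context = [
      'classification' => $level,
      'destination' => $destination,
      'uid' => $account->id(),
    ];
    $result = $this->validator->validateOperation('data_export', $context);

    // 3. Audit the decision either way: a denied attempt is evidence too.
    //    Log a digest and size of the payload, never the payload itself, so
    //    the audit store does not become a second copy of the sensitive data.
    $evidence = ['sha256' => hash('sha256', $content), 'bytes' => strlen($content)];
    $this->auditor->logOperation(
      $result->isCompliant() ? 'data_export' : 'data_export_denied',
      $account,
      $evidence,
      $context,
    );

    // 4. Fail closed: the export happens only after an explicit pass.
    if (!$result->isCompliant()) {
      // getViolations() is assumed to return string[].
      $reasons = implode('; ', $result->getViolations());
      throw new \RuntimeException(sprintf(
        'Export of %s data to %s denied by compliance policy: %s',
        $level,
        $destination,
        $reasons,
      ));
    }

    return $this->transmit($content, $destination);
  }

  private function transmit(string $content, string $destination): string {
    // Transport is out of scope; return a receipt so the caller has evidence of delivery.
    return sprintf('%d bytes delivered to %s', strlen($content), $destination);
  }

}
```

The point of the wrapper is that there is no code path from classification to transmit() that skips the validator, and that a denial is recorded with the same fidelity as an approval.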

API Reference

Services

  • gov_compliance.framework_manager - Framework management
  • gov_compliance.classifier - Data classification
  • gov_compliance.policy_validator - Policy enforcement
  • gov_compliance.auditor - Audit logging
  • gov_compliance.reporter - Compliance reporting

Events

  • ComplianceViolationEvent - Policy violation detected
  • DataClassificationEvent - Data classified
  • AuditLogEvent - Audit entry created
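An event subscriber is the usual place to turn ComplianceViolationEvent into an alert. The subscriber below is an added example, not part of gov_compliance. It assumes the event class lives in Drupal\gov_compliance\Event and is dispatched under its class name, and the accessors getOperation(), getClassification(), getPolicyId() and getAccount() are guesses at the event's API; the example_alerts module name and logger channel are also assumptions.

```php
<?php

declare(strict_types=1);

namespace Drupal\example_alerts\EventSubscriber;

use Drupal\gov_compliance\Event\ComplianceViolationEvent;
use Psr\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;

/**
 * Turns a compliance violation into a structured, content-free log record,
 * escalating to critical when the data involved is CONFIDENTIAL or above.
 *
 * Illustrative code, not part of gov_compliance. Register it in
 * example_alerts.services.yml:
 *
 *   example_alerts.violation_subscriber:
 *     class: Drupal\example_alerts\EventSubscriber\ViolationSubscriber
 *     arguments: ['@logger.channel.example_alerts']
 *     tags: [{ name: event_subscriber }]
 *   logger.channel.example_alerts:
 *     parent: logger.channel_base
 *     arguments: ['example_alerts']
 */
final class ViolationSubscriber implements EventSubscriberInterface {

  private const ESCALATE_AT = ['CONFIDENTIAL', 'SECRET', 'TOP_SECRET'];

  public function __construct(private readonly LoggerInterface $logger) {}

  public static function getSubscribedEvents(): array {
    // High priority so the record is written before any subscriber that
    // might stop propagation.
    return [ComplianceViolationEvent::class => ['onViolation', 100]];
  }

  public function onViolation(ComplianceViolationEvent $event): void {
    $level = strtoupper((string) $event->getClassification());

    // Metadata only: the violating payload must never reach the watchdog table,
    // which is readable by anyone with the "access site reports" permission.
    $context = [
      '@op' => $event->getOperation(),
      '@policy' => $event->getPolicyId(),
      '@level' => $level,
      '@uid' => $event->getAccount()?->id() ?? 'anonymous',
    ];
    $message = 'Compliance violation: @op blocked by policy @policy (@level data, uid @uid)';

    if (in_array($level, self::ESCALATE_AT, TRUE)) {
      $this->logger->critical($message, $context);
    }
    else {
      $this->logger->warning($message, $context);
    }
  }

}
```

Keep the handler synchronous and cheap: it runs inside the request that triggered the violation, so anything slow (ticketing, paging) should be queued from here rather than called directly.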

Drush Commands

# Framework management
ddev drush gov:list-frameworks        # List available frameworks
ddev drush gov:set-framework fisma    # Set active framework
ddev drush gov:framework-status       # Show framework status

# Compliance checking
ddev drush gov:compliance-scan        # Full compliance scan
ddev drush gov:policy-check           # Check policy compliance
ddev drush gov:validate-data          # Validate data classification

# Audit management
ddev drush gov:audit-export           # Export audit logs
ddev drush gov:audit-summary          # Audit summary report
ddev drush gov:compliance-report      # Generate compliance report

Compliance Frameworks

FISMA (Federal Information Security Modernization Act; the 2014 act updated the 2002 Management Act)

  • Impact levels: Low, Moderate, High (FIPS 199)
  • Controls: 800+ controls and enhancements from the NIST SP 800-53 catalog, tailored to the impact level
  • Authorization: Authority to Operate (ATO) under the NIST Risk Management Framework, maintained through continuous monitoring
  • Audit: Comprehensive logging

FedRAMP (Federal Risk and Authorization Management Program)

  • Baselines: Low, Moderate, High
  • Authorization: JAB P-ATO or Agency ATO
  • Monitoring: Continuous compliance
  • Documentation: Complete artifact package

HIPAA (Health Insurance Portability and Accountability Act)

  • Requirements: PHI protection under the Privacy Rule and Security Rule
  • Safeguards: Administrative, Physical, Technical
  • Risk Assessment: Regular evaluations
  • Training: Staff awareness programs

Data Classification Levels

These are the module's own labels. They do not map one-to-one onto US national security classification (Confidential, Secret and Top Secret under EO 13526) or onto CUI categories, and OFFICIAL is a UK Government Security Classification term, so map each label explicitly to the categories of the framework you configure.

Public Information

  • No access restrictions
  • General business information
  • Public marketing materials
  • Open source documentation

Official Information

  • Internal use only
  • Business sensitive data
  • Employee information
  • Operational procedures

Confidential Information

  • Restricted access required
  • Customer data (PII/PHI)
  • Financial information
  • Strategic plans

Secret/Top Secret

  • Government classified information
  • National security data
  • Intelligence information
  • Controlled by specific agencies
  • Labeling data at this level does not make the hosting system authorized to process it; classified national security information may only be handled on separately accredited systems

Security Features

Access Controls

  • Role-based access control (RBAC)
  • Attribute-based access control (ABAC)
  • Mandatory access control (MAC)
  • Clearance level validation
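Clearance level validation is a dominance check on a lattice: a subject may read an object only if its clearance level is at least the object's level and it holds every compartment the object is marked with, and may write only where that relation holds in the other direction (no write down). The class below is an added example, not gov_compliance's validator. The levels are the labels from the Data Classification Levels section; the compartments (need-to-know markings) and the subject/object array shape are assumptions used to show the ABAC dimension.

```php
<?php

declare(strict_types=1);

/**
 * Bell-LaPadula style MAC check over the module's classification labels.
 *
 * Illustrative code, not part of gov_compliance.
 */
final class ClearanceLattice {

  private const RANK = [
    'PUBLIC' => 0,
    'OFFICIAL' => 1,
    'CONFIDENTIAL' => 2,
    'SECRET' => 3,
    'TOP_SECRET' => 4,
  ];

  /** Unknown labels fail closed: an unrankable label never grants access. */
  private static function rank(string $level): int {
    $key = strtoupper($level);
    if (!array_key_exists($key, self::RANK)) {
      throw new \InvalidArgumentException("Unknown classification level: $level");
    }
    return self::RANK[$key];
  }

  /**
   * TRUE when (level, compartments) of the first argument dominates the second:
   * the level is at least as high and every compartment of the second is held.
   */
  public static function dominates(string $aLevel, array $aCompartments, string $bLevel, array $bCompartments): bool {
    if (self::rank($aLevel) < self::rank($bLevel)) {
      return FALSE;
    }
    return array_diff($bCompartments, $aCompartments) === [];
  }

  /** Simple security property: no read up. */
  public static function canRead(array $subject, array $object): bool {
    return self::dominates($subject['level'], $subject['compartments'], $object['level'], $object['compartments']);
  }

  /** *-property: no write down, so a SECRET subject cannot copy into a PUBLIC container. */
  public static function canWrite(array $subject, array $object): bool {
    return self::dominates($object['level'], $object['compartments'], $subject['level'], $subject['compartments']);
  }

}

// Constructed cases (assumed compartments HEALTH and FINANCE).
$analyst = ['level' => 'SECRET', 'compartments' => ['HEALTH']];
$phiRecord = ['level' => 'CONFIDENTIAL', 'compartments' => ['HEALTH']];
$financeRecord = ['level' => 'CONFIDENTIAL', 'compartments' => ['FINANCE']];
$publicPage = ['level' => 'PUBLIC', 'compartments' => []];

$decisions = [
  // TRUE: SECRET dominates CONFIDENTIAL and the HEALTH compartment is held.
  'read_phi' => ClearanceLattice::canRead($analyst, $phiRecord),
  // FALSE: clearance level is sufficient, but there is no FINANCE need-to-know.
  'read_finance' => ClearanceLattice::canRead($analyst, $financeRecord),
  // FALSE: writing a SECRET subject's data into a PUBLIC container is a write down.
  'write_public' => ClearanceLattice::canWrite($analyst, $publicPage),
];

try {
  // A label the lattice does not know is rejected rather than ranked as zero.
  ClearanceLattice::canRead(['level' => 'UNCLASSIFIED', 'compartments' => []], $publicPage);
}
catch (\InvalidArgumentException $e) {
  $decisions['unknown_label'] = FALSE;
}
```

The two details that matter in practice are the fail-closed rank() (a typo in a label must deny, not silently become PUBLIC) and the compartment test, which is what stops a high clearance from being a master key to every record.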

Encryption

  • Data at rest encryption
  • Data in transit encryption
  • Key management integration
  • FIPS 140-2 compliance (validation applies to the underlying cryptographic module, such as the OpenSSL build PHP links against, not to this Drupal module itself; FIPS 140-3 has superseded 140-2 for new validations)

Audit Trail

  • Comprehensive activity logging
  • Tamper-evident logs
  • Long-term retention
  • Export capabilities
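"Tamper-evident" is usually implemented as a keyed hash chain: each entry carries the MAC of the previous entry, and its own MAC covers everything including that link, so editing, reordering or deleting any entry other than the newest breaks verification. The class below is an added example of that construction, not gov_compliance's audit store. The MAC key is assumed to be held outside the log's database (the key module listed under Related Modules is the natural place), because anyone who can edit the log and read the key can simply re-sign it; the sample events are constructed for the demonstration.

```php
<?php

declare(strict_types=1);

/**
 * Audit log as an HMAC-SHA256 hash chain. Illustrative code, not part of gov_compliance.
 */
final class ChainedAuditLog {

  /** @var array<int, array<string, mixed>> */
  private array $entries = [];

  private string $lastMac;

  public function __construct(private readonly string $macKey) {
    $this->lastMac = self::genesis();
  }

  private static function genesis(): string {
    return str_repeat('0', 64);
  }

  /** Appends an event. $fields should hold references (ids, digests), not payloads. */
  public function append(string $event, array $fields, ?string $timestamp = NULL): array {
    $entry = [
      'seq' => count($this->entries),
      'ts' => $timestamp ?? gmdate('Y-m-d\TH:i:s\Z'),
      'event' => $event,
      'fields' => $fields,
      'prev' => $this->lastMac,
    ];
    $entry['mac'] = self::mac($entry, $this->macKey);
    $this->entries[] = $entry;
    $this->lastMac = $entry['mac'];
    return $entry;
  }

  public function entries(): array {
    return $this->entries;
  }

  /** Latest MAC. Anchor it somewhere the log writer cannot reach (ticket, WORM bucket) to catch truncation. */
  public function head(): string {
    return $this->lastMac;
  }

  /** Canonical JSON: keys sorted recursively so the same data always produces the same bytes. */
  private static function canonical(array $data): string {
    self::ksortRecursive($data);
    return json_encode($data, JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
  }

  private static function ksortRecursive(array &$data): void {
    ksort($data);
    foreach ($data as &$value) {
      if (is_array($value)) {
        self::ksortRecursive($value);
      }
    }
  }

  private static function mac(array $entry, string $key): string {
    unset($entry['mac']);
    return hash_hmac('sha256', self::canonical($entry), $key);
  }

  /** Verifies an exported chain; returns ['ok' => bool, 'seq' => int, 'reason' => string]. */
  public static function verify(array $entries, string $key, ?string $expectedHead = NULL): array {
    $prev = self::genesis();
    foreach (array_values($entries) as $i => $entry) {
      if (($entry['seq'] ?? -1) !== $i) {
        return ['ok' => FALSE, 'seq' => $i, 'reason' => 'sequence gap or reordering'];
      }
      if (($entry['prev'] ?? '') !== $prev) {
        return ['ok' => FALSE, 'seq' => $i, 'reason' => 'chain link does not match previous entry'];
      }
      if (!hash_equals(self::mac($entry, $key), (string) ($entry['mac'] ?? ''))) {
        return ['ok' => FALSE, 'seq' => $i, 'reason' => 'entry contents modified'];
      }
      $prev = $entry['mac'];
    }
    if ($expectedHead !== NULL && !hash_equals($expectedHead, $prev)) {
      return ['ok' => FALSE, 'seq' => count($entries), 'reason' => 'log truncated: head does not match external anchor'];
    }
    return ['ok' => TRUE, 'seq' => count($entries), 'reason' => ''];
  }

}

// Constructed demonstration: three entries, then one rewritten after the fact.
$key = 'demo-key-normally-fetched-from-the-key-module';
$log = new ChainedAuditLog($key);
$log->append('data_access', ['uid' => 42, 'entity' => 'node:17', 'level' => 'CONFIDENTIAL']);
$log->append('data_export_denied', ['uid' => 42, 'destination' => 'llm_platform']);
$log->append('policy_update', ['uid' => 1, 'policy' => 'no_classified_to_llm']);
$head = $log->head();

$exported = $log->entries();
$clean = ChainedAuditLog::verify($exported, $key, $head);          // ok => TRUE

$exported[1]['fields']['destination'] = 'internal_share';          // rewrite history
$tampered = ChainedAuditLog::verify($exported, $key, $head);       // ok => FALSE, seq => 1, entry contents modified
```

Two limits worth stating on the page: the chain alone does not detect deletion of the most recent entries, which is why head() exists and should be exported to a store the application cannot write to; and a MAC chain proves integrity to whoever holds the key, not to a third party, so if auditors must verify independently, sign the periodic head with an asymmetric key instead.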

Monitoring & Reporting

Real-time Monitoring

  • Policy violation alerts
  • Data access monitoring
  • System health checks
  • Compliance status dashboard

Reporting

  • Compliance status reports
  • Audit trail summaries
  • Risk assessment reports
  • Certification artifacts

Development

Adding New Frameworks

  1. Implement ComplianceFrameworkInterface
  2. Create framework plugin
  3. Define policy rules
  4. Add configuration schema

Custom Policies

class CustomPolicy extends PolicyBase {
  public function validate($operation, $context): PolicyResult {
    // Implementation
  }
}
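A complete policy in the shape of that stub, as an added example rather than code from gov_compliance: it refuses to let anything above OFFICIAL reach the AI platform or the vector database, and it is written as an allowlist so that a missing or unknown label is denied rather than passed. The PolicyBase and PolicyResult namespace, the PolicyResult constructor signature (bool $compliant, string[] $violations), and the context keys 'classification' and 'destination' are assumptions; how the module discovers a policy class (plugin or service) is not documented on this page.

```php
<?php

declare(strict_types=1);

namespace Drupal\example_policies\Policy;

use Drupal\gov_compliance\Policy\PolicyBase;
use Drupal\gov_compliance\Policy\PolicyResult;

/**
 * Keeps CONFIDENTIAL and higher data out of the LLM and embedding pipelines.
 *
 * Illustrative code, not part of gov_compliance.
 */
final class NoClassifiedDataToLlmPolicy extends PolicyBase {

  /** Destinations this policy governs (assumed identifiers). */
  private const GOVERNED = ['llm_platform', 'vector_db'];

  /** Allowlist, not a blocklist: anything not listed, including no label at all, is denied. */
  private const PERMITTED_LEVELS = ['PUBLIC', 'OFFICIAL'];

  public function validate($operation, $context): PolicyResult {
    $destination = (string) ($context['destination'] ?? '');
    if (!in_array($destination, self::GOVERNED, TRUE)) {
      // Out of scope for this policy; other policies still get a say.
      return new PolicyResult(TRUE, []);
    }

    $level = $context['classification'] ?? NULL;
    if ($level === NULL || $level === '') {
      return new PolicyResult(FALSE, [
        sprintf('%s to %s refused: data carries no classification label; classify it first.', $operation, $destination),
      ]);
    }

    $label = strtoupper((string) $level);
    if (!in_array($label, self::PERMITTED_LEVELS, TRUE)) {
      return new PolicyResult(FALSE, [
        sprintf('%s to %s refused: %s data may not leave the authorization boundary through the AI platform.', $operation, $destination, $label),
      ]);
    }

    return new PolicyResult(TRUE, []);
  }

}
```

The allowlist is the security-relevant choice: a blocklist of SECRET and TOP_SECRET would let an unlabeled record through, and unlabeled is exactly the state data is in when the classifier has not run yet or has failed.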

Troubleshooting

Common Issues

  • Classification errors: Review data patterns
  • Policy violations: Check rule definitions
  • Audit failures: Verify logging configuration
  • Performance issues: Optimize policy checks

Debug Commands

# Enable debug mode
ddev drush config:set gov_compliance.settings debug_mode 1

# View compliance logs
ddev drush watchdog:show --type=gov_compliance

# Test specific policy
ddev drush gov:test-policy policy_name

Certification Support

FedRAMP Authorization

  • Complete control implementation
  • Security assessment and authorization
  • Continuous monitoring plan
  • Incident response procedures

FISMA Authorization

  • Risk assessment under the NIST Risk Management Framework (SP 800-37)
  • Security control implementation
  • Authority to operate (ATO)
  • Ongoing compliance monitoring

Related Modules

  • llm - Core AI platform
  • encrypt - Data encryption
  • key - Key management
  • audit_log - Enhanced audit logging

Support

  • Documentation: /admin/help/gov_compliance
  • Compliance Portal: [Government portal]
  • Training: [Compliance training]
  • Certification: [Authority contacts]

Version: 1.0
Drupal Compatibility: 10.3+, 11.x
License: GPL-2.0+
Security: Government Grade