bluefly / gov_compliance
Government compliance module for security policies and regulatory requirements
0.1.0
2025-07-27 17:47 UTC
Requires
- php: >=8.1
- drupal/core: ^10.3 || ^11
Requires (Dev)
- drupal/core-dev: ^10.3 || ^11
- phpspec/prophecy-phpunit: ^2.0
- phpunit/phpunit: ^10
Suggests
- drupal/admin_audit_trail: Enhanced audit logging (^1.0)
- drupal/captcha: Bot prevention (^2.0)
- drupal/encrypt: Field encryption support (^3.2)
- drupal/field_encrypt: Encrypt sensitive data fields (^3.2)
- drupal/flood_control: Brute force protection (^3.0)
- drupal/key: Key management for encryption (^1.20)
- drupal/password_policy: Password compliance enforcement (^4.0)
- drupal/seckit: Security hardening (^2.0)
- drupal/security_review: Automated security scanning (^3.0)
- drupal/tfa: Two-factor authentication (^1.11)
- firebase/php-jwt: JWT authentication support (^6.0)
This package is auto-updated.
Last update: 2025-07-30 03:16:48 UTC
README
Overview
The Government Compliance module provides comprehensive compliance frameworks for government and regulated industries, including FISMA, FedRAMP, HIPAA, and other federal standards.
Status
- Production Ready: 65%
- Security Score: A-
- Code Quality: B
- Test Coverage: C+
Features
Compliance Frameworks
- FISMA compliance automation
- FedRAMP authorization support
- HIPAA data protection
- PCI DSS security standards
- SOC 2 Type II controls
Data Classification
- Automatic data classification
- PII/PHI detection and protection
- Data labeling and marking
- Access control enforcement
- Audit trail generation
Policy Management
- Policy definition and enforcement
- Workflow validation against policies
- Automated compliance checking
- Exception handling and reporting
- Policy update management
🏛️ Government Compliance Architecture
graph TB
subgraph "🌐 User Interfaces"
ADMIN[🔐 Admin Dashboard<br/>Compliance Officer]
AUDIT[📊 Audit Interface<br/>Security Auditor]
DEV[💻 Developer Tools<br/>Integration APIs]
REPORT[📋 Reporting Portal<br/>Management View]
end
subgraph "🛡️ Compliance Engine"
POLICY[📜 Policy Engine<br/>Rule Definition & Enforcement]
SCANNER[🔍 Compliance Scanner<br/>Automated Validation]
CLASSIFIER[🏷️ Data Classifier<br/>PII/PHI Detection]
VALIDATOR[✅ Workflow Validator<br/>Process Compliance]
end
subgraph "📋 Audit & Logging"
AUDIT_LOG[📝 Audit Logger<br/>Complete Activity Trails]
EVIDENCE[📁 Evidence Collector<br/>Compliance Artifacts]
METRICS[📊 Compliance Metrics<br/>Performance Tracking]
ALERTS[🚨 Alert System<br/>Violation Notifications]
end
subgraph "🏛️ Framework Modules"
FISMA[🏛️ FISMA Module<br/>Federal Security Standards]
FEDRAMP[☁️ FedRAMP Module<br/>Cloud Authorization]
HIPAA[🏥 HIPAA Module<br/>Healthcare Privacy]
PCI[💳 PCI DSS Module<br/>Payment Security]
SOC2[🔒 SOC 2 Module<br/>Service Controls]
end
subgraph "🔗 Integration Points"
DRUPAL_CORE[🌐 Drupal Core<br/>User Management]
AI_PLATFORM[🤖 AI Platform<br/>LLM Compliance]
CODE_EXEC[⚙️ Code Executor<br/>Secure Execution]
VECTOR_DB[🔍 Vector Database<br/>Document Analysis]
end
subgraph "📊 External Systems"
NIST[📚 NIST Framework<br/>Control Mappings]
CISA[🛡️ CISA Guidelines<br/>Security Standards]
OMB[🏛️ OMB Memoranda<br/>Federal Policies]
VENDOR_DB[🏢 Vendor Database<br/>Supply Chain Risk]
end
%% User Interface Connections
ADMIN --> POLICY
AUDIT --> AUDIT_LOG
DEV --> VALIDATOR
REPORT --> METRICS
%% Compliance Engine Flow
POLICY --> SCANNER
SCANNER --> CLASSIFIER
CLASSIFIER --> VALIDATOR
VALIDATOR --> AUDIT_LOG
%% Audit System
SCANNER --> EVIDENCE
CLASSIFIER --> EVIDENCE
VALIDATOR --> EVIDENCE
EVIDENCE --> METRICS
METRICS --> ALERTS
%% Framework Integration
POLICY --> FISMA
POLICY --> FEDRAMP
POLICY --> HIPAA
POLICY --> PCI
POLICY --> SOC2
FISMA --> SCANNER
FEDRAMP --> SCANNER
HIPAA --> CLASSIFIER
PCI --> VALIDATOR
SOC2 --> AUDIT_LOG
%% Platform Integration
DRUPAL_CORE <--> POLICY
AI_PLATFORM <--> CLASSIFIER
CODE_EXEC <--> VALIDATOR
VECTOR_DB <--> EVIDENCE
%% External Standards
NIST --> FISMA
CISA --> FEDRAMP
OMB --> POLICY
VENDOR_DB --> SCANNER
%% Styling
classDef interface fill:#e3f2fd
classDef engine fill:#e8f5e8
classDef audit fill:#fff3e0
classDef framework fill:#fce4ec
classDef integration fill:#f3e5f5
classDef external fill:#e1f5fe
class ADMIN,AUDIT,DEV,REPORT interface
class POLICY,SCANNER,CLASSIFIER,VALIDATOR engine
class AUDIT_LOG,EVIDENCE,METRICS,ALERTS audit
class FISMA,FEDRAMP,HIPAA,PCI,SOC2 framework
class DRUPAL_CORE,AI_PLATFORM,CODE_EXEC,VECTOR_DB integration
class NIST,CISA,OMB,VENDOR_DB external
🔄 Compliance Workflow Process
sequenceDiagram
participant USER as 👤 User/System
participant POLICY as 📜 Policy Engine
participant SCANNER as 🔍 Compliance Scanner
participant CLASSIFIER as 🏷️ Data Classifier
participant AUDIT as 📝 Audit Logger
participant ALERT as 🚨 Alert System
participant ADMIN as 🔐 Admin Dashboard
Note over USER,ADMIN: Data Processing Request
USER->>POLICY: Submit data/workflow
POLICY->>POLICY: Check applicable frameworks
POLICY->>SCANNER: Initiate compliance scan
SCANNER->>CLASSIFIER: Analyze data content
CLASSIFIER->>CLASSIFIER: Detect PII/PHI/sensitive data
CLASSIFIER-->>SCANNER: Classification results
SCANNER->>SCANNER: Validate against policies
alt Compliance Pass
SCANNER->>AUDIT: Log successful validation
SCANNER-->>USER: Approve request
AUDIT->>ADMIN: Update compliance metrics
else Compliance Violation
SCANNER->>ALERT: Trigger violation alert
SCANNER->>AUDIT: Log violation details
ALERT->>ADMIN: Send notification
SCANNER-->>USER: Reject with reasons
end
Note over USER,ADMIN: Continuous Monitoring
loop Every 15 minutes
SCANNER->>SCANNER: Automated compliance check
SCANNER->>AUDIT: Log monitoring results
alt New violations detected
SCANNER->>ALERT: Send alerts
ALERT->>ADMIN: Notify administrators
end
end
Note over USER,ADMIN: Audit Trail Generation
ADMIN->>AUDIT: Request compliance report
AUDIT->>AUDIT: Generate evidence package
AUDIT-->>ADMIN: Compliance documentation
🎯 Key Compliance Features:
- 🔍 Real-time Scanning: Continuous compliance validation for all operations
- 🏷️ Intelligent Classification: AI-powered detection of sensitive data
- 📋 Complete Audit Trails: Every action logged with detailed evidence
- 🚨 Proactive Alerting: Immediate notifications for policy violations
- 📊 Compliance Dashboards: Real-time metrics and reporting
- 🏛️ Framework Support: FISMA, FedRAMP, HIPAA, PCI DSS, SOC 2
Installation
# Enable the module
ddev drush en gov_compliance -y
# Configure compliance framework
ddev drush gov:configure-framework fisma
# Run initial compliance scan
ddev drush gov:compliance-scan
Configuration
Basic Setup
- Navigate to /admin/config/system/gov-compliance
- Select primary compliance framework
- Configure data classification levels
- Set up audit logging
- Define compliance policies
Framework Configuration
# FISMA Configuration
framework: 'fisma'
compliance_level: 'moderate'
enforce_classification: true
require_clearance_validation: true
audit_all_operations: true
Usage
Data Classification
$classifier = \Drupal::service('gov_compliance.classifier');
$classification = $classifier->classifyData($content);
// Returns: 'PUBLIC', 'OFFICIAL', 'SECRET', etc.
Policy Validation
$validator = \Drupal::service('gov_compliance.policy_validator');
$result = $validator->validateOperation($operation, $context);
if (!$result->isCompliant()) {
  // Handle policy violation
}
Audit Logging
$auditor = \Drupal::service('gov_compliance.auditor');
$auditor->logOperation('data_access', $user, $data, $context);
API Reference
Services
- gov_compliance.framework_manager: Framework management
- gov_compliance.classifier: Data classification
- gov_compliance.policy_validator: Policy enforcement
- gov_compliance.auditor: Audit logging
- gov_compliance.reporter: Compliance reporting
Events
- ComplianceViolationEvent: Policy violation detected
- DataClassificationEvent: Data classified
- AuditLogEvent: Audit entry created
Drush Commands
# Framework management
ddev drush gov:list-frameworks # List available frameworks
ddev drush gov:set-framework fisma # Set active framework
ddev drush gov:framework-status # Show framework status
# Compliance checking
ddev drush gov:compliance-scan # Full compliance scan
ddev drush gov:policy-check # Check policy compliance
ddev drush gov:validate-data # Validate data classification
# Audit management
ddev drush gov:audit-export # Export audit logs
ddev drush gov:audit-summary # Audit summary report
ddev drush gov:compliance-report # Generate compliance report
Compliance Frameworks
FISMA (Federal Information Security Management Act)
- Levels: Low, Moderate, High
- Controls: 800+ security controls
- Certification: Continuous monitoring
- Audit: Comprehensive logging
FedRAMP (Federal Risk and Authorization Management Program)
- Baselines: Low, Moderate, High
- Authorization: JAB or Agency ATO
- Monitoring: Continuous compliance
- Documentation: Complete artifact package
HIPAA (Health Insurance Portability and Accountability Act)
- Requirements: PHI protection
- Safeguards: Administrative, Physical, Technical
- Risk Assessment: Regular evaluations
- Training: Staff awareness programs
Data Classification Levels
Public Information
- No access restrictions
- General business information
- Public marketing materials
- Open source documentation
Official Information
- Internal use only
- Business sensitive data
- Employee information
- Operational procedures
Confidential Information
- Restricted access required
- Customer data (PII/PHI)
- Financial information
- Strategic plans
Secret/Top Secret
- Government classified information
- National security data
- Intelligence information
- Controlled by specific agencies
Security Features
Access Controls
- Role-based access control (RBAC)
- Attribute-based access control (ABAC)
- Mandatory access control (MAC)
- Clearance level validation
Encryption
- Data at rest encryption
- Data in transit encryption
- Key management integration
- FIPS 140-2 compliance
Audit Trail
- Comprehensive activity logging
- Tamper-evident logs
- Long-term retention
- Export capabilities
Monitoring & Reporting
Real-time Monitoring
- Policy violation alerts
- Data access monitoring
- System health checks
- Compliance status dashboard
Reporting
- Compliance status reports
- Audit trail summaries
- Risk assessment reports
- Certification artifacts
Development
Adding New Frameworks
- Implement ComplianceFrameworkInterface
- Create framework plugin
- Define policy rules
- Add configuration schema
Custom Policies
class CustomPolicy extends PolicyBase {
  public function validate($operation, $context): PolicyResult {
    // Implementation
  }
}
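An added example, not the module's own code: a concrete policy that denies an operation when the data is classified above the caller's clearance, and fails closed on labels it does not recognise. `PolicyBase` and `PolicyResult` are minimal stand-ins here, and the `classification`/`clearance` context keys, `getReason()`, the `CONFIDENTIAL` label and the rank table are assumptions.

```php
<?php
declare(strict_types=1);

// Stand-ins (assumptions) for the module's PolicyResult and PolicyBase, whose
// real definitions are not shown in the README; only validate() and
// isCompliant() appear there.
final class PolicyResult {
  public function __construct(private bool $compliant, private string $reason = '') {}
  public function isCompliant(): bool { return $this->compliant; }
  public function getReason(): string { return $this->reason; }
}

abstract class PolicyBase {
  abstract public function validate($operation, $context): PolicyResult;
}

// Hypothetical policy: deny an operation when the data's classification is
// above the caller's clearance. Unknown labels are denied (fail closed).
final class ClearancePolicy extends PolicyBase {
  // Ordering follows the README's "Data Classification Levels" section.
  private const RANK = ['PUBLIC' => 0, 'OFFICIAL' => 1, 'CONFIDENTIAL' => 2, 'SECRET' => 3];

  public function validate($operation, $context): PolicyResult {
    $label = strtoupper((string) ($context['classification'] ?? ''));
    $clearance = strtoupper((string) ($context['clearance'] ?? ''));
    if (!array_key_exists($label, self::RANK) || !array_key_exists($clearance, self::RANK)) {
      return new PolicyResult(FALSE, "unrecognised label or clearance; denying $operation");
    }
    if (self::RANK[$label] > self::RANK[$clearance]) {
      return new PolicyResult(FALSE, "$operation on $label data exceeds $clearance clearance");
    }
    return new PolicyResult(TRUE);
  }
}

// Constructed sample contexts; the array keys are assumptions.
$policy = new ClearancePolicy();
$cases = [
  ['data_access', ['classification' => 'OFFICIAL', 'clearance' => 'CONFIDENTIAL']],
  ['data_access', ['classification' => 'SECRET', 'clearance' => 'OFFICIAL']],
  ['data_export', ['classification' => 'RESTRICTED', 'clearance' => 'SECRET']],
];
foreach ($cases as [$operation, $context]) {
  $result = $policy->validate($operation, $context);
  echo $operation, ': ', $result->isCompliant() ? 'compliant' : 'violation (' . $result->getReason() . ')', PHP_EOL;
}
```

The third case shows why the lookup is checked first: a label missing from the rank table would otherwise compare as lowest and be allowed through.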
Troubleshooting
Common Issues
- Classification errors: Review data patterns
- Policy violations: Check rule definitions
- Audit failures: Verify logging configuration
- Performance issues: Optimize policy checks
Debug Commands
# Enable debug mode
ddev drush config:set gov_compliance.settings debug_mode 1
# View compliance logs
ddev drush watchdog:show --type=gov_compliance
# Test specific policy
ddev drush gov:test-policy policy_name
Certification Support
FedRAMP Authorization
- Complete control implementation
- Security assessment and authorization
- Continuous monitoring plan
- Incident response procedures
FISMA Certification
- Risk assessment framework
- Security control implementation
- Authority to operate (ATO)
- Ongoing compliance monitoring
Related Modules
- llm: Core AI platform
- encrypt: Data encryption
- key: Key management
- audit_log: Enhanced audit logging
Support
- Documentation: /admin/help/gov_compliance
- Compliance Portal: [Government portal]
- Training: [Compliance training]
- Certification: [Authority contacts]
Version: 1.0
Drupal Compatibility: 10.3+, 11.x
License: GPL-2.0+
Security: Government Grade