bluefly/gov_compliance

Enterprise-grade security compliance for government agencies and regulated industries extending @bluefly/secure-project

dev-main 2025-07-09 18:29 UTC


Last update: 2025-07-09 18:31:07 UTC


README

Overview

The Government Compliance module provides a comprehensive framework for managing security policies and compliance requirements in Drupal applications. It enables organizations to implement, monitor, and enforce government compliance standards such as FedRAMP, FISMA, HIPAA, GDPR, and custom regulatory frameworks.

Features

🏛️ Multi-Framework Support

  • FedRAMP: Federal Risk and Authorization Management Program
  • FISMA: Federal Information Security Management Act
  • HIPAA: Health Insurance Portability and Accountability Act
  • GDPR: General Data Protection Regulation
  • Custom: Organization-specific compliance frameworks

🔐 Security Policy Management

  • Content Entity Architecture: Policies as content entities with full revision support
  • Bundle-Based Types: Policy types (FedRAMP, HIPAA, etc.) as configuration entities
  • Content Moderation: Full workflow support (draft → review → approved → archived)
  • Field API Integration: Extensible fields for compliance controls and enforcement rules

Real-Time Enforcement

  • Validation Engine: Real-time compliance checking against system state
  • Enforcement Rules: Automated policy enforcement with pluggable actions
  • Remediation Actions: Automatic remediation for policy violations
  • Audit Logging: Comprehensive audit trails for compliance reporting

🔌 Extensible Plugin System

  • Validator Plugins: Custom validation logic for specific compliance requirements
  • Enforcer Plugins: Custom enforcement actions for policy violations
  • Import Sources: Pluggable policy import from external standards repositories

Installation

Requirements

  • Drupal 10.3+ or 11.x
  • PHP 8.1+
  • Content Moderation module (core)
  • Workflows module (core)

Install via Composer

composer require drupal/gov_compliance
drush en gov_compliance

Install from Source

  1. Download and extract to modules/contrib/gov_compliance
  2. Enable the module: drush en gov_compliance
  3. Configure permissions and workflows

Configuration

1. Enable Content Moderation

drush en content_moderation workflows

2. Configure Policy Types

Navigate to Administration > Structure > Security Policy Types to:

  • Create custom policy types
  • Configure frameworks (FedRAMP, HIPAA, etc.)
  • Set default severity levels
  • Define required fields

3. Set Up Workflows

The module installs a default security_policy_review workflow with states:

  • Draft: Initial policy creation
  • Needs Review: Submitted for compliance review
  • Reviewed: Technical review completed
  • Approved: Policy active and enforced
  • Rejected: Policy rejected with feedback
  • Archived: Deprecated/replaced policies

4. Configure Permissions

Assign these permissions to appropriate roles:

  • view security policies
  • create security policies
  • edit security policies
  • delete security policies
  • administer security policy types
  • approve security policies

Usage

Creating Security Policies

  1. Navigate to Policy Management

    Administration > Security > Policies > Add Security Policy
    
  2. Select Policy Type

    Choose from available types (FedRAMP, HIPAA, GDPR, Custom)

  3. Configure Policy Details

    // Example policy structure
    $policy = SecurityPolicy::create([
      'type' => 'fedramp',
      'title' => 'Access Control Policy',
      'description' => 'Implements FedRAMP AC-2 controls',
      'framework' => 'fedramp',
      'severity_level' => 'high',
      'compliance_controls' => [
        'AC-2' => [
          'description' => 'Account Management',
          'implementation' => 'Multi-factor authentication required',
          'testing' => 'Quarterly access reviews',
        ],
      ],
      'enforcement_rules' => [
        'mfa_required' => [
          'action' => 'block_access',
          'conditions' => [
            ['type' => 'user_role', 'roles' => ['administrator']],
          ],
        ],
      ],
      'validation_rules' => [
        'tfa_module' => [
          'type' => 'module_required',
          'modules' => ['tfa'],
        ],
      ],
    ]);
    

Policy Validation

Policies automatically validate system compliance:

// Programmatic validation
$violations = $policy->validateCompliance([
  'modules' => \Drupal::moduleHandler()->getModuleList(),
  'config' => [
    'system.site' => \Drupal::config('system.site')->getRawData(),
  ],
  'permissions' => $this->getUserPermissions(),
]);

foreach ($violations as $violation) {
  \Drupal::logger('gov_compliance')->warning($violation['message']);
}

Policy Enforcement

Policies can automatically enforce compliance:

// Real-time enforcement
$context = [
  'user_id' => \Drupal::currentUser()->id(),
  'user_roles' => \Drupal::currentUser()->getRoles(),
  'ip_address' => \Drupal::request()->getClientIp(),
  'action' => 'login',
];

$actions = $policy->enforcePolicy($context);
foreach ($actions as $action) {
  // Actions are automatically executed
  \Drupal::logger('gov_compliance')->info('Policy enforced: @action', [
    '@action' => $action['action'],
  ]);
}

API Reference

Entities

SecurityPolicyType (Config Entity)

  • Purpose: Defines policy types/bundles
  • Examples: FedRAMP, HIPAA, GDPR, Custom
  • Configuration: Framework, jurisdiction, industry, default severity

SecurityPolicy (Content Entity)

  • Purpose: Actual security policies with moderation support
  • Features: Revisions, workflows, field API, translations
  • Bundle Entity: SecurityPolicyType

Services

SecurityPolicyManager

$manager = \Drupal::service('gov_compliance.security_policy_manager');

// Get active policies
$policies = $manager->getActivePolicies();

// Validate system compliance
$violations = $manager->validateSystemCompliance();

// Enforce policies
$manager->enforceActivePolicies($context);

ContentModerationIntegration

$moderation = \Drupal::service('gov_compliance.content_moderation_integration');

// Create moderated policy
$policy = $moderation->createSecurityPolicy($policy_data);

// Submit for review
$moderation->submitForReview($policy->id());

// Approve policy
$moderation->approveSecurityPolicy($policy->id(), 'Approved by CISO');

PolicyImportService

$import = \Drupal::service('gov_compliance.policy_import');

// Import from NIST
$policies = $import->importFromNist('moderate');

// Import from external source
$policies = $import->importFromUrl('https://example.com/policies.json');

Plugin Development

Creating Validator Plugins

<?php

namespace Drupal\my_module\Plugin\SecurityPolicyValidator;

use Drupal\gov_compliance\Plugin\SecurityPolicyValidatorBase;

/**
 * @SecurityPolicyValidator(
 *   id = "my_custom_validator",
 *   label = @Translation("Custom Validator"),
 *   description = @Translation("Custom validation logic")
 * )
 */
class MyCustomValidator extends SecurityPolicyValidatorBase {
  
  public function validate(array $system_state): array {
    // Custom validation logic
    return [
      'compliant' => TRUE,
      'message' => 'System is compliant',
    ];
  }
}
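A fuller validator, added here as an illustration and not part of the gov_compliance module itself: it implements the module_required rule type used by the tfa_module entry in the policy example above, reading the module list in the same shape the Policy Validation snippet passes as system state. It assumes that SecurityPolicyValidatorBase extends Drupal's PluginBase, so the rule's settings arrive in $this->configuration; the plugin id and class name are illustrative.

```php
<?php

namespace Drupal\my_module\Plugin\SecurityPolicyValidator;

use Drupal\gov_compliance\Plugin\SecurityPolicyValidatorBase;

/**
 * Implements the "module_required" validation rule type: every module the
 * rule names must appear in the module list passed as system state.
 *
 * @SecurityPolicyValidator(
 *   id = "module_required",
 *   label = @Translation("Required modules"),
 *   description = @Translation("Fails when a module the policy requires is not installed")
 * )
 */
class ModuleRequiredValidator extends SecurityPolicyValidatorBase {

  public function validate(array $system_state): array {
    // Assumption: the base class extends Drupal's PluginBase, so the rule's
    // settings (the policy's validation_rules entry) are in $this->configuration.
    $required = $this->configuration['modules'] ?? [];
    if ($required === []) {
      // A rule that names no modules is a configuration error; fail closed
      // rather than reporting a vacuous pass.
      return [
        'compliant' => FALSE,
        'message' => 'module_required rule does not list any modules',
      ];
    }
    // $system_state['modules'] is keyed by machine name, which is what
    // ModuleHandler::getModuleList() returns in the validation example above.
    $installed = array_keys($system_state['modules'] ?? []);
    $missing = array_values(array_diff($required, $installed));

    if ($missing !== []) {
      return [
        'compliant' => FALSE,
        'message' => 'Required modules not installed: ' . implode(', ', $missing),
        'missing_modules' => $missing,
      ];
    }
    return [
      'compliant' => TRUE,
      'message' => 'Required modules installed: ' . implode(', ', $required),
    ];
  }
}
```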

Creating Enforcer Plugins

<?php

namespace Drupal\my_module\Plugin\SecurityPolicyEnforcer;

use Drupal\gov_compliance\Plugin\SecurityPolicyEnforcerBase;

/**
 * @SecurityPolicyEnforcer(
 *   id = "my_custom_enforcer",
 *   label = @Translation("Custom Enforcer"),
 *   description = @Translation("Custom enforcement actions")
 * )
 */
class MyCustomEnforcer extends SecurityPolicyEnforcerBase {
  
  public function enforce(array $context): array {
    // Custom enforcement logic
    return [
      'success' => TRUE,
      'message' => 'Policy enforced successfully',
    ];
  }
}
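An enforcer with real condition handling, added as an illustration rather than code from the module: it evaluates the user_role conditions of an enforcement_rules entry (such as the mfa_required rule in the policy example above) against the request context shown in the Policy Enforcement section and returns the rule's action only when every condition matches. It assumes SecurityPolicyEnforcerBase extends Drupal's PluginBase so the rule settings are in $this->configuration; the plugin id and class name are illustrative.

```php
<?php

namespace Drupal\my_module\Plugin\SecurityPolicyEnforcer;

use Drupal\gov_compliance\Plugin\SecurityPolicyEnforcerBase;

/**
 * Evaluates the "user_role" conditions of an enforcement rule and returns the
 * rule's action (for example block_access) only when every condition matches.
 *
 * @SecurityPolicyEnforcer(
 *   id = "role_condition_enforcer",
 *   label = @Translation("Role condition enforcer"),
 *   description = @Translation("Applies a rule's action when all user_role conditions match")
 * )
 */
class RoleConditionEnforcer extends SecurityPolicyEnforcerBase {

  public function enforce(array $context): array {
    // Assumption: the base class extends Drupal's PluginBase, so the
    // enforcement_rules entry ('action', 'conditions') is in $this->configuration.
    $action = $this->configuration['action'] ?? NULL;
    $conditions = $this->configuration['conditions'] ?? [];
    $user_roles = $context['user_roles'] ?? [];

    if ($action === NULL || $conditions === []) {
      // A rule without an action or conditions is a configuration error:
      // report it instead of blocking everyone or silently doing nothing.
      return ['success' => FALSE, 'action' => NULL, 'message' => 'Rule is missing its action or conditions'];
    }

    foreach ($conditions as $condition) {
      $type = $condition['type'] ?? '(none)';
      if ($type !== 'user_role') {
        // Unknown condition types are reported, not guessed at, so a typo in
        // a policy can neither widen nor bypass a blocking action.
        return ['success' => FALSE, 'action' => NULL, 'message' => 'Unsupported condition type: ' . $type];
      }
      if (array_intersect($condition['roles'] ?? [], $user_roles) === []) {
        // All conditions must match; this one does not, so no action applies.
        return ['success' => TRUE, 'action' => NULL, 'message' => 'Conditions not met; no action taken'];
      }
    }

    // Every condition matched: hand the rule's action back to the caller.
    $user = $context['user_id'] ?? 'unknown';
    return ['success' => TRUE, 'action' => $action, 'message' => 'Applying ' . $action . ' for user ' . $user];
  }
}
```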

Compliance Frameworks

FedRAMP Integration

# Example FedRAMP Low baseline policy
framework: fedramp
baseline: low
controls:
  AC-2: # Account Management
    implementation: "Multi-factor authentication for privileged accounts"
    testing: "Quarterly access reviews"
    documentation: "User access control procedures"
  AU-2: # Audit Events  
    implementation: "Comprehensive logging of all system events"
    testing: "Monthly log review"
    documentation: "Audit log management procedures"

HIPAA Integration

# Example HIPAA Security Rule policy
framework: hipaa
rule: security
safeguards:
  administrative:
    - assigned_security_responsibility
    - workforce_training
    - access_management
  physical:
    - facility_controls
    - workstation_controls
    - device_controls
  technical:
    - access_control
    - audit_controls
    - integrity
    - transmission_security

Reporting

Compliance Reports

Generate comprehensive compliance reports:

$reporter = \Drupal::service('gov_compliance.compliance_reporter');

// Generate FedRAMP ATO package
$ato_package = $reporter->generateATOPackage('fedramp', 'moderate');

// Generate HIPAA risk assessment
$risk_assessment = $reporter->generateRiskAssessment('hipaa');

// Generate custom compliance report
$custom_report = $reporter->generateComplianceReport([
  'frameworks' => ['fedramp', 'hipaa'],
  'date_range' => ['start' => '2024-01-01', 'end' => '2024-12-31'],
  'format' => 'pdf',
]);

Contributing

Development Setup

git clone https://www.drupal.org/project/gov_compliance.git
cd gov_compliance
composer install

Running Tests

# Unit tests
phpunit --group gov_compliance

# Kernel tests  
phpunit tests/src/Kernel/

# Functional tests
phpunit tests/src/Functional/

Coding Standards

phpcs --standard=Drupal,DrupalPractice src/
phpcbf --standard=Drupal,DrupalPractice src/

Support

License

GPL-2.0-or-later

Maintainers

Related Modules

  • Content Moderation: Core workflow support
  • Workflows: Core workflow definitions
  • Field Encrypt: Encrypt sensitive policy data
  • Security Review: Automated security scanning
  • Password Policy: Password compliance enforcement