CMS 101

“Content management system” is a fancy term for the back end of a website. Such systems do far more than manage web pages, however, and they put power in the hands of even the smallest organizations.

Even the most modest user can create a website whose content includes text, photos and streaming media. The site’s CMS can also send digests to customers via email and offer a fully functional and secure e-commerce gateway. And it can automatically update the user’s Facebook, Twitter and Instagram feeds.

But as things get easier for the average American, they get more complicated for the government. Security, accountability, accessibility, political concerns and scrutiny that intensifies in the wake of failures all place agency IT leaders in an increasingly fragile position.

Why it matters

An agency’s CMS is the point at which public service meets the public. Once agency content is posted online, it is in the public domain forever.

Delivering content management in the public or private sector involves “a lot of the same demands — internal stakeholders with differing needs,” said Eric Uhlir, an associate creative director at Deloitte Digital. Even so, he noted that the government has an added layer of requirements. “Your customers are the citizens of the United States, which is a bigger tent of users.”

That tent includes journalists and activists who file Freedom of Information Act requests. And all that content comes with archiving requirements to ensure that information doesn’t disappear.

All administrations are sensitive to public perception, but the Trump White House has demonstrated that it is fervently so. And considering that the current administration is presided over by one of the world’s most avid Twitter users, content management might be the one process an agency’s IT team must get right.

The fundamentals

CMS refers to web-based applications that publish content. Such systems comprise an interface that allows users with limited training to push content into the world and a delivery system that makes sure it gets there. Technically speaking, a CMS can be used for internal communications, but in those cases, it’s basically indistinguishable from collaboration software.

The three options with the greatest presence on the web are:

1. WordPress. It is easily the most popular CMS. Virtually every small-business website sits on WordPress. Its major advantages are ease of use and the broad universe of designers and developers with WordPress expertise.
2. Drupal. It is the most popular platform in the federal government. Although often less intuitive than WordPress, it is considered far more robust and secure. Even so, the Drupal Association’s website downplays the perceived security advantages in favor of touting other attributes, including speed to deployment, low cost and scalability. Drupal also enjoys substantial developer support, and several Drupal-centric firms have teams dedicated to public-sector customers and sell through existing government acquisition vehicles.
3. Joomla. Second in popularity worldwide to WordPress, Joomla has yet to gain a foothold in government service. Its major strength is the expansive array of third-party components that can be used to customize the system.

All three platforms include account registration, menu management and page layout templates. They are also coded in PHP and available for free via a GNU General Public License. Hosting and site maintenance, of course, are ongoing expenses, and there are upfront costs for the consulting, architecture and design professionals who work on your CMS solution.

Security isn’t the only reason Drupal has deep government roots. Its proponents have been edging their way in ever since Howard Dean’s 2004 presidential primary campaign became the first major political organization to base its web presence on Drupal.

Within months of taking office in 2009, then-President Barack Obama’s team migrated the White House site to Drupal from a proprietary system developed on site. Drupal was selected in part because its developers favored open-source collaboration, but the Trump administration might favor proprietary systems such as Microsoft’s SharePoint, Oracle’s UCM or Percussion’s CM1, all of which have some presence at government agencies. The administration’s preference will likely be revealed if the White House website gets a new platform in the next few months.

The hurdles

There are three main challenges to developing CMS solutions in the federal government: security, expertise and accessibility.

When it comes to security, Drupal has the confidence of the Justice Department, the State Department and, for now, the White House. Even so, the Defense Department has not been as quick to embrace it.

In a 2013 alert that is particularly critical of Joomla, the Department of Homeland Security’s U.S. Computer Emergency Readiness Team said the security issue with CMS solutions in general is that malicious actors can “gain control of web servers and launch distributed denial-of-service attacks against critical infrastructure organizations.”

The alert states that the key to reducing the risk is for IT teams to stay up-to-date on patches for the CMS tools it uses. More detailed instructions for securing web-based servers and services are available in a technical paper published by US-CERT.

As big a concern as security is, however, it’s moot if you can’t build something worth securing. The Drupal community’s wiki defined the skill sets needed to implement CMS, and they are extensive. And even though WordPress is an order of magnitude easier, it is still something agencies might not be able to accomplish in-house. In fact, many developers say that an agency’s existing systems might actually be an obstacle.

“Setting up Drupal in development boxes is one thing,” said an expert who spoke on condition of anonymity, “but being forced at times to implement the CMS in existing enterprise infrastructures can be a pain in the ass.”

Accessibility is another unique requirement of government work, ever since Section 508 of the Rehabilitation Act was amended in 1998 to require agencies to make IT-based services available to people with disabilities.

“We are legally required to make government services accessible to those with disabilities, and that includes websites and web content, especially as more and more government services are delivered digitally,” said Matthew Burrell, a General Services Administration spokesman.

Next steps

What an agency does next is in large part a function of what it has already done.

“Few agencies are starting from zero as content producers,” Burrell said. “Many of them have been publishing since their inception. However, transitioning to a mix of content that includes digital, and then eventually to a digital-first mode, is a major change.”

Perhaps the best way to assess organizational needs would be with the help of 18F, GSA’s digital services consultancy. Born in the wake of the troubled rollout of HealthCare.gov in 2013, 18F’s staff knows all the mistakes that have already been made.

Agencies should begin by defining pain points and making an honest assessment of its current array of technologies and skills. Then they should look for a solution that at a minimum complies with the Federal Risk and Authorization Management Program, the Federal Information Security Modernization Act and Section 508.

In addition, Burrell said that “connecting with communities of practice either within government or outside of government can be extremely helpful.”

Once agencies choose a solution, they must ask themselves who is going to run it. “This requires a lot of ongoing support,” Uhlir said. “You should consider entering into partnership with an agency” that does it full-time.

If an agency decides to run a CMS in-house, his advice is to ensure that the team is expertly trained.