The Department of Finance has issued a tender to supply web applications and API protection services to whole-of-government content management system GovCMS.
The AWS-hosted, Drupal-based platform manages more than 370 website sites for agencies such as Services Australia, The Australian Taxation Office, and the Australian Army.
It’s a demanding brief: in an average month, GovCMS has 120 terabytes of traffic, 500,000 DNS lookups and 1,500 million hits. During the beginning of the pandemic response, one of the sites it hosts, health.gov.au, withstood more than 6 million visits without crashing.
The two-year contract comes with a one-year extension option. No price range is specified in the tender documents.
The supplier will provide a content delivery network, a web application firewall, protection against distributed denial of service attacks, bot management, API management, storage, log file management, data purging, and web-based portal services.
The project has a tight delivery timeframe. The tender closes on 27 January 2023, and suppliers are required to ensure services are “operational and ready to respond automatically to any malicious attack traffic on or before 27 April 2023.”
The tender documents’ ‘data management’ clause prohibits suppliers from “data mining” services’ or customers’ material stored on the platform without authorisation. The clause clarifies that neither manual nor automated analysis of patterns in data sets is permitted “even if a user is required to click through and accept the supplier terms.”
The Department of Finance launched GovCMS in 2015 to reduce expenses and pain points for agencies delivering web channels. GovCMS offers agencies website templates on a software-as-a-service basis, or allows them to build their own on a platform-as-a-service basis.
In 2017, the Department of Finance awarded Telstra a $1.4 million contract to bolster the platform’s DDoS protection in the wake of the notorious attack that crashed the Australian Bureau of Statistics’ site during the 2016 census.