CMS content management system (Bakhtiar Zein/

The basics of content management systems

A content management system is the engine of a website. It allows users to create websites with text, photos and streaming media and can also send digests to customers via email and offer a fully functional and secure e-commerce gateway. And it can automatically update the user’s Facebook, Twitter and Instagram feeds.

Although a CMS ensures that even the smallest agency can create a website, security, accountability, accessibility and the  political scrutiny that comes with a website can place agency IT leaders in a fragile position.

An agency’s CMS is the point at which public service meets the public eye. Once agency information is posted online, it is in the public domain forever. That means content must meet archiving requirements that ensure information doesn’t disappear and is accessible for filling Freedom of Information Act requests. And any website failure will be visible to the public.

Delivering content management in the public or private sector involves “a lot of the same demands  -- internal stakeholders with differing needs,” said Eric Uhlir, an associate creative director at Deloitte Digital. Even so, he noted that the government has an added layer of requirements. “Your customers are the citizens of the United States, which is a bigger tent of users.”

The fundamentals

CMS refers to web-based applications that publish content. Such systems comprise an interface that allows users with limited training to push content into the world and a delivery system that makes sure it gets there. Technically speaking, a CMS can be used for internal communications, but in those cases, it’s basically indistinguishable from collaboration software.

The three options with the greatest presence on the web are:

1. WordPress. It is easily the most popular CMS. Virtually every small-business website sits on WordPress. Its major advantages are ease of use and the broad universe of designers and developers with WordPress expertise.

2. Drupal. It is the most popular platform in the federal government. Although often less intuitive than WordPress, it is considered far more robust and secure. Even so, the Drupal Association’s website downplays the perceived security advantages in favor of touting other attributes, including speed to deployment, low cost and scalability. Drupal also enjoys substantial developer support, and several Drupal-centric firms have teams dedicated to public-sector customers and sell through existing government acquisition vehicles.

3. Joomla. Second in popularity worldwide to WordPress, Joomla has yet to gain a foothold in government service. Its major strength is the expansive array of third-party components that can be used to customize the system.

All three platforms include account registration, menu management and page layout templates. They are also coded in PHP and available for free via a GNU General Public License. Hosting and site maintenance, of course, are ongoing expenses, and there are upfront costs for the consulting, architecture and design professionals who work on an agency’s CMS solution.

Security isn’t the only reason Drupal has deep government roots. Its proponents have been edging their way in ever since Howard Dean’s 2004 presidential primary campaign became the first major political organization to base its web presence on Drupal.

Within months of taking office in 2009, then-President Barack Obama’s team migrated the White House site to Drupal from a proprietary system developed on site. Drupal was selected in part because its developers favored open-source collaboration, but the Trump administration might favor proprietary systems such as Microsoft’s SharePoint, Oracle’s UCM or Percussion’s CM1, all of which have some presence at government agencies. The administration’s preference will likely be revealed if the White House website gets a new platform in the next few months.

The hurdles

There are three main challenges to developing CMS solutions in the federal government: security, expertise and accessibility.

When it comes to security, Drupal has the confidence of the Justice Department, the State Department and, for now, the White House. Even so, the Defense Department has not been as quick to embrace it.

In a 2013 alert that is particularly critical of Joomla, the Department of Homeland Security’s U.S. Computer Emergency Readiness Team said the security issue with CMS solutions in general is that malicious actors can “gain control of web servers and launch distributed denial-of-service attacks against critical infrastructure organizations.”

The alert states that the key to reducing the risk is for IT teams to stay up-to-date on patches for the CMS tools it uses. More detailed instructions for securing web-based servers and services are available in a technical paper published by US-CERT.

As big a concern as security is, however, it’s moot if an agency can’t build something worth securing. The Drupal community’s wiki defined the skill sets needed to implement its CMS, and they are extensive. And even though WordPress is an order of magnitude easier, it is still something agencies might not be able to work with on their own. In fact, many developers say that an agency’s existing systems might actually be an obstacle.

“Setting up Drupal in development boxes is one thing,” said an expert who spoke on condition of anonymity, “but being forced at times to implement the CMS in existing enterprise infrastructures can be a pain in the ass.”

Accessibility is another unique requirement of government work, ever since Section 508 of the Rehabilitation Act was amended in 1998 to require agencies to make IT-based services available to people with disabilities.

“We are legally required to make government services accessible to those with disabilities, and that includes websites and web content, especially as more and more government services are delivered digitally,” said Matthew Burrell, a General Services Administration spokesman.

Next steps

What an agency does next is in large part a function of what it has already done.

“Few agencies are starting from zero as content producers,” Burrell said. “Many of them have been publishing since their inception. However, transitioning to a mix of content that includes digital, and then eventually to a digital-first mode, is a major change.”

Perhaps the best way to assess organizational needs would be with the help of 18F, GSA’s digital services consultancy. Born in the wake of the troubled rollout of in 2013, 18F’s staff knows all the mistakes that have already been made.

Agencies should begin by defining pain points and making an honest assessment of their current array of technologies and skills. Then they should look for a solution that at a minimum complies with the Federal Risk and Authorization Management Program, the Federal Information Security Modernization Act and Section 508.

In addition, Burrell said that “connecting with communities of practice either within government or outside of government can be extremely helpful.”

Once agencies choose a solution, they must ask themselves who is going to run it. “This requires a lot of ongoing support,” Uhlir said. “You should consider entering into partnership with an agency” that does it full-time.

If an agency decides to run a CMS in-house, his advice is to ensure that the team is expertly trained.

About the Author

William Freedman, MBA, is a technology journalist and IT management consultant in New York City.


  • senior center (vuqarali/

    Bmore Responsive: Home-grown emergency response coordination 

    Working with the local Code for America brigade, Baltimore’s Health Department built a new contact management system that saves hundreds of hours when checking in on senior care centers during emergencies.

  • man checking phone in the dark (Maridav/

    AI-based ‘listening’ helps VA monitor vets’ mental health

    To better monitor veterans’ mental health, especially during the pandemic, the Department of Veterans Affairs is relying on data and artificial intelligence-based analytics.

Stay Connected