• UC Davis
• IET Home

UComm/IET: Web CMS (Content Management System)

Sponsors

• Lisa Lapin - Assistant Vice Chancellor - University Communications
• Beverly "Babs" Sandeen - Vice Chancellor - University Relations
• Peter Siegel - Vice Provost - Information and Educational Technology (IET)

Contacts

Project Manager

Elliot Lopez, University Communications

To View Entire Submission

• Web Content Management System
• Web CMS Requirements
• Summary of Selection Process
• Section 1194.21 Software Applications and Operating Systems
  Voluntary Product Accessibility Template
• Section 1194.22 Web-based Internet Information and Applications
  Voluntary Product Accessibility Template
• Additional materials are available at the project web site: http://cms.ucdavis.edu/

Reviewers

Core contributors to this review included Tim Akin (Graduate School of Management), Pamela Davis (School of Education), Paul Drobny (Student Affairs), Adam Getchell (College of Agricultural and Environmental Sciences), Jason Hammons (Sociology), Minh Nguyen (College of Letters and Science), Bob Ono (IET), Eric Rothgarn (Office of Resource Management and Planning), and Jeremy Smith (Center for Mind and Brain).

Comments and discussion were also solicited via the Dean’s Technology Council (DTC), and members of the Campus Council for Information Technology (CCFIT) and Technology Infrastructure Forum (TIF) received presentations from project representatives at group meetings held in April. Participants were able to pose questions at these venues directly.

Feedback Received to Date (6-6-2008)

Revision History

5-12-08

Initial feedback and responses.

6-6-2008

Security requirements clarified within IET recommendation

Contents

• IET Recommendations
• Reviewer Observations and Comments
• Reviewer Suggestions and Advice
• Questions, Potential Gaps, and Requests for Clarification
• Campus IT Security Coordinator Review

IET Recommendations

The core goal of the Web CMS project is a challenging one: to provide a web content management solution that is cost-effective and centrally maintained, yet flexible enough to support a wide variety of underlying skill levels, publishing models, and web technologies. While some departments with substantial technical resources or existing content management systems may continue to prefer their own solutions, Hannon Hill Cascade Server has the potential to provide a very effective centralized solution for those that wish to take advantage of it.

As the project team prepares to enter the product acquisition and implementation phase, several critical tasks remain. In order for the project to succeed, sponsors must:

• Complete and clearly communicate the project budget and timeline.
• Formalize the security requirements as part of the license acquisition. (Responses to the questions below pertaining to audit logs, authentication, authorization, application vulnerability detection and remediation, API availability and compatibility with operating system platform patches should be formally included as vendor deliverables.)
• Heavily involve stakeholders in the detailed planning of use policies, workflow support, and systems integration. The planned pilot or "soft launch" phase should greatly assist in exploring and validating these decisions.

In addition, reviewers rightly noted the potential value of a centrally-supported web hosting service. Given that the proposed CMS directly targets those lacking local web development resources, pairing it with an optional web server/hosting service makes tremendous sense. The project team should incorporate this idea into their planning, working closely with stakeholders to determine when and how such a service could best be integrated.

Reviewer Observations and Comments

• A majority of reviewers praised the goals and methodology of the initiative, citing several potential benefits of a campus wide web content management solution:
  • Economy of scale / leveraging a common resource
  • Standardized tools, training, and support (with the added benefit of increased staff mobility)
  • Support for departments with limited resources and expertise
  • Ability to promote an integrated message and common branding/themes
  • Enhanced potential for broad integration (e.g., departmental and campus calendars that automatically update each other)
  • Departmental oversight and control over content maintenance and updates
  • Section 508 support
  As one reviewer stated, “I commend the superb work done by the committee to thoroughly vet and select a powerful new content management system tool for the campus community. The work done by the committee will allow campus communicators and web developers to build better sites much easier.”
• Reviewers also pointed out that some departments have already made substantial investments in CMS, and thus may perceive this initiative as too late.

Reviewer Suggestions and Advice

• The submission cites one benefit of Hannon Hill Cascade Server as: "alleviating existing constraints due wholly or in part to limitations in the availability of budget, time, resources, staff, or technical expertise upon those responsible for Web content publishing, development and management." While these constraints are not mentioned in the submission’s problem statement, it does indeed seem that the campus is experiencing resource constraints that effect web site support. As such, an even more complete solution — such as centralized web server service — should be an additional option included in the CMS solution.
• One of the most challenging aspects of CMS has to do with workflow. In some cases, departments are naturally organized to allow a single gatekeeper to be responsible for departmental content and accuracy. In other cases, a distributed set of personnel may be a better fit to provide broad-reaching information that has to be accurate and changes frequently. Given the variety of potential desired workflows, it will be critical for the CMS to provide flexibility in this area. Departments will also need effective workflow training that provides guidance on how to best support compliance, policy and accurate messaging.

Sponsor: Agreed. Powerful and flexible workflow functionality was a critical consideration for the Requirements and Evaluation committee, and a key differentiator of the product selected.

• CMS offers distributed content management, so it’s important to both provide an easy to use and robust distributed content manager that can be easily configured to a complex institution such as our own, and concomitantly training at the same level (or the software may be of limited interest to arbitrary customers).

Sponsor: Absolutely. One of the key features and benefits of Cascade Server is its ability to publish Web sites across a distributed hosting environment. This allows for centralization of the tools and functions associated with content management, while providing sufficient flexibility to accommodate the diverse technical and infrastructural needs of campus users. One of the Requirements and Evaluation committee’s goals was to choose a solution that would be easy to integrate with the current environment of dynamic content and applications, and Cascade Server stood out in this regard.

The Web CMS steering committee and project team agree that a comprehensive training program is critical to the successful adoption and maximization of the system on campus. We have made the development of a training curriculum a priority for the project’s Implementation committee, and expect to roll out Web CMS classes in conjunction with campuswide deployment of the system.

Questions, Potential Gaps, and Requests for Clarification

Intended Use

Q: How is the CMS conceived to be used? Does University Relations intend to formally or informally define how departments use the software? Will some other agency (above the divisional level) describe how the CMS is to be used, and then train to that target as well or will the department be responsible somewhere along the line?

Sponsor: Our intention is to offer the Web CMS as a centrally hosted resource for the management of official UC Davis Web sites and pages. University Relations, University Communications and IET will collaborate on the administration, management and maintenance of the system, but will not be involved in decisions related to the creation or management of specific content on individual participant sites. A project committee consisting of technical and non-technical adopters from across campus has been tasked with the creation, under the guidance of project leadership, of process and policy associated with system usage. The committee will also be responsible for development of a training curriculum that reflects the adoption and usage procedures established during initial implementation.

Q: How does the hierarchy of publishing requirements work? Does that include University Relations or is that intended to be up to departments to decide?

Sponsor: University Communications, University Relations and IET will not be involved in the workflows associated with publishing content to specific participant Web sites. The number and types of workflows that will be available within the system have not been defined at this point, but are included within the scope of work being executed by the project’s Implementation committee.

Q: Will some central authority use the software to check campus submissions for ADA compliance, or is that presumed a requirement of all departments as their websites are published?

Sponsor: A critical objective of the Web CMS initiative is the promotion of Web publishing practices that comply with federal, state and campus requirements and policy. Tools for validating site content and addressing deficiencies will be available within the system; however, no Web CMS can completely eliminate the potential for publishing sites and content that are non-compliant. As such, owners and administrators of official UC Davis Web sites will continue to be responsible for ensuring that their sites meet standards and requirements defined by campus policy.

Integration/Overlap with Related Systems

Q: The submission appears to lack any reference to the need or ability to integrate with campus or local administrative systems. As such, the scope seems limited to bringing a CMS to campus that will assist departments in creating stand alone web pages/sites.  Is this an accurate perception?

Sponsor: The Requirements and Evaluation committee included the ability to integrate with existing systems, dynamic content sources and applications as one of the key requirements. The committee found that Cascade Server’s APIs and flexible publishing model allow for the integration of externally developed or published data regardless of the source technology platform. In addition to testing these capabilities during the initial adoption phase, the initiative’s Implementation committee will also work with IET to integrate the Web CMS into central campus systems for role management (LDAP) and authentication (CAS).

Timeline and Budget

Q: Has a budget or a timeline been set, along with a plan to sustain use indefinitely by providing for ongoing maintenance of the software and refresh of the hardware? The costs are not addressed in the proposal.

Sponsor: Costs for initial and ongoing software and hardware fees, as well as for development and programming, centralized hosting and maintenance of the system are currently being finalized. A substantial portion of the system will be financed by one-time funds furnished by the Provost at the onset of the initiative in 2006.

For the latest information about the project status and timeline, please visit http://cms.ucdavis.edu

Q: What costs can a department or division expect in using the software? What are the implications of a department volunteering to pilot the CMS?

Sponsor: A substantial portion of the system will be financed by one-time funds furnished by the Provost at the onset of the initiative in 2006. Our goal, pending finalization of a budget model to cover additional acquisition, deployment and recurring maintenance costs, is to provide the Web CMS to the campus as a centrally funded resource.

Participation in the first phase of implementation or "soft launch" of the Web CMS offers many benefits.

As part of a small group of initial adopters, units will be able to tap into the skills, expertise and experience of the diverse members of the Implementation committee. Participants will work collaboratively to identify migration and implementation issues and will help define and establish the standard processes, training and resources required for adoption. In addition to receiving the support of fellow committee members, initial adopters will also work closely with the vendor through the Implementation committee during this initial period.

The first adopters of the Web CMS will play a substantial role in deciding the nature and shape of the system on campus. As such, being an implementation partner is a significant commitment. In return for the opportunity to be among the first to adopt the campus Web CMS, we ask that participants agree to meet the requirements posted at http://cms.ucdavis.edu/requirements.shtml

Q: Is there a specific date by which departments already using some sort of CMS must migrate to the new system?

Sponsor: Use of the system will not be mandated; we recognize that there are many campus units with unique requirements, specific preferences and/or existing access to the resources and capabilities needed to maintain compliant, fresh UC Davis Web sites. As such, there will be no required “cut-over” date.

Under our current timeline, the system will be available to campus starting in the fall of 2008. However, adoption and Web site migration will proceed under a scheduled, standardized process defined in advance by the initiative’s Implementation committee.

Risk and Mitigations

Q: What risks and/or mitigations were considered during this process?

Sponsor: The Requirements and Evaluations committee sought to develop a uniquely comprehensive review and selection process that was inclusive, transparent and free of inherent bias. To this end, the committee included 14 staff and managers from academic and administrative units throughout campus: content managers (5), technologists (3), webmasters (2) and programmers (4).

The committee developed a comprehensive list of technical and functional requirements (http://cms.ucdavis.edu) through the extensive analysis of use cases, evaluation of the campus environment and a review of existing workflows and publishing processes, then applied these requirements in a methodical process guided by the objectives set forth in the Project Vision and Scope. The requirements also included consideration of publishing models, system architectures and technical platforms in the context of common risks associated with Web CMS: vendor lock-in, scalability, performance, vulnerability to and consequences of system failure, and migration costs.

The committee subsequently screened a group of more than 100 options to identify Web CMS systems that qualified for individual evaluation. The finalists chosen by the committee represented a range of Web CMS paradigms and approaches, including open source and commercial, large and mid-size, locally installed and software-as-a-service models, and were all solutions indicated by a recent survey to be currently employed at other higher-ed institutions across the nation.

To ensure consistency in the review process, the format and duration of vendor presentations were standardized. In addition, each vendor was asked to disclose compliance with accessibility requirements by completing and submitting sections 1194.21 and 1194.22 of the Voluntary Product Accessibility Template (VPAT). The review process culminated in the generation of a quantified score for each system, with the committee additionally vetting the system that received the highest score.

Selection Criteria/Scoring

Q: Can the project team provide the selection criteria and scoring matrix that were used in choosing the Hannon Hill product?

Sponsor: The selection criteria were posted to the Web CMS site at the onset of the review process in October, 2007, and may be accessed at http://cms.ucdavis.edu/documentation/WebCMSRequirements.pdf

Selection Process

One reviewer forwarded comments that were originally sent from a past member of the Web CMS Requirements and Evaluation Committee to the Plone Users Group of Davis. This former participant, no longer with UCD, expressed several concerns regarding the selection process. In summary, the individual alleged that:

• Plone specifically, and open source solutions in general, were not given fair consideration.
• The selection process was dominated by non-technical individuals and biased towards purchased solutions.
• No academic or research units were represented on the selection committee.

Another member of the Web CMS Requirements and Evaluation Committee provided a detailed rebuttal of these allegations, further stating:

I have been on committees where Open Source Software may have not been given a fair deal. If this were the case in the Requirements and Evaluations phase of the Web CMS project, I would have been one of the first people to point it out. I believe that Plone and all Open Source Software were given a fair chance…

In my opinion, the members of this committee did a very thorough, professional, and objective job in reviewing all the content management systems that are possible for our university.  The members were very open to ideas and suggestions, and while the members may not always agree with each other, they were willing to listen to all ideas.  Decisions were made based on facts and consensus - not emotional attachments to any particular product or ideology.

Amanda Price, chair of Web CMS Requirements and Evaluation Committee, responded as follows:

The requirements and evaluations committee was charged with selecting a CMS solution for the campus last year. We assembled a committee with representatives from academic, research and administrative groups from across campus. Our roles on the committee varied – some of us have technical jobs, and others of us have marketing or communications-related jobs.

The candidate systems reviewed in great detail by the committee included a range of both commercial and open source solutions. One of the open source solutions we looked at thoroughly was Plone. Our group committed a great deal of time and expertise over the course of 10 months to conduct the level of analysis required to produce the most comprehensive and appropriate recommendation for the campus. Our process included quantitative analysis, as well as qualitative processes. In fact, the committee’s method has been described as “impeccable” by campus leadership, and is being replicated by other higher education institutions in their own Web CMS searches.

For accurate information about our detailed evaluation and selection process, I invite you to review the “Summary of Selection Process” documentation posted at this site. Please also refer to the Web CMS project site at http://cms.ucdavis.edu for the latest information about status and progress.

Signed,
Amanda Price
Director of Marketing and Communications, College of Letters and Science
Chair, Requirements and Evaluation Committee

On behalf of the Requirements and Evaluation Committee:
Vicki Bencken, UC Davis Health System
Brian Donnelly, IET
Craig Farris, University Communications
Bryce Grant, Office of Graduate Studies
Rick Hill, College of Engineering
Elliot Lopez, University Communications
Ann Mansker, IET
Minh Nguyen, College of Letters and Sciences
Fredericka Parker, Office of Graduate Studies
Susanne Rockwell, University Communications
Sharie Sprague, Offices of the Chancellor and Provost
Charles Turner, IET

Finally, another individual (not on the review committee) expressed substantial support for Plone, citing several specific technical features as well as an overarching philosophy:

I believe we have seen what the effects [of] vendor lock-in can be. And in my personal opinion, our University has more human resources than capital resources, which to me favors the "learn to be self-supporting" model that open platforms can provide.

Sponsor: We acknowledge that Plone is a very popular Web CMS among certain members of the technical community on campus, and agree that open source solutions can be especially attractive to some, depending on context and business needs. In fact, the Requirements and Evaluation committee made exceptional efforts to include open source solutions in the review process: the committee invited the leading Plone expert on campus to participate as a member, solicited product demonstrations from notable and leading open source vendors and integrators from across the country, and included a substantial number (approximately 50%) of open source solutions in the finalist group.

However, based on the functional and technical requirements identified by the committee at the onset of the process, under the comprehensive process employed, Hannon Hill Cascade Server was clearly distinguished as the best recommendation for the campus. This selection was further confirmed by a decisive committee vote, and subsequently approved by the initiative’s project team and steering committee.

Campus IT Security Coordinator Review

• The project apparently supports authentication and authorization for workflow purposes. However, the project description does not indicate whether authentication can integrated with campus AD or CAS. This capability would align solution authentication with existing campus infrastructure.

Sponsor: As part of the initial deployment of the product, the initiative’s Implementation committee will work with IET to integrate the Web CMS into central campus systems for role management (LDAP, etc.) and authentication (CAS). Other higher ed institutions have already successfully integrated these capabilities into their deployments of the selected product.

• It is essential that controls ensure that content is accessed, modified, removed or approved for posting by authorized individuals. The project description does not describe authorization controls. Along with authorization controls, are there logs that reflect actions taken by solution users? The project description does not describe audit log capabilities nor controls to protect the integrity and availability of log files.

Sponsor: Hannon Hill Cascade Server logs all user activities and make log information available via an intuitive tool called the “Audit Trail.” Administrators can see a summary of activities performed in the system by a particular user, group, role, or for the entire system. Selecting the audit trail for a group or roles will display the actions performed by all users belonging to that group or role. A date/time filter is provided as part of the Audit Trail view and is useful for filtering the results into a more specific timeframe.

• Has the vendor evaluated this solution for critical security vulnerabilities during the development process? Does the vendor have a program to routinely scan the solution for high-severity security vulnerabilities and implement remediation methods? The university needs to be assured that there are no serious application security vulnerabilities.

Sponsor: Hannon Hill does have a full time QA staff, which is tasked to search for vulnerabilities.

• What is the vendor commitment to release timely security patches should a critical security vulnerability be identified in the vendor developed components? What is the vendor commitment to maintain timely compatibility with critical security patches released by other independent software vendors (e.g., Microsoft, Red Hat, etc.)?

Sponsor: Hannon Hill is committed to timely compatibility with security patches from major software vendors. It should be noted that Cascade Server is tested with recent JVM updates.

• Over the next few years, the campus identity management initiative will provide support for account provisioning and roles management. While this cannot be a requirement at this time, it would be interesting to know if identity management-related APIs exist.

Sponsor: Custom authentication is supported with Cascade Server. LDAP is used for authentication, for the management of users, groups, and roles. A rich web services layer allows for the ability to edit users groups and roles. Cascade Server has been further customized to support items like PubCookie and CAS for authentication.