Lucee in Government

Not sure quite how to categorize this question, sorry. In the past using Adobe ColdFusion in US government contracts has been pretty straightforward as ACF has been “certified”. Has Lucee had any similar certification or use in government that I can point to? Our goal is to have our SAAS product Fedramp certified, and given our desire to move to OSS Lucee from ACF, we want to approach this with our eyes wide open.


I am not sure what to say specifically but you might want to get in touch with the BlueRiver folks that are deploying Mura into the US govt.

They might be able to point the way.

Thanks Mark. I’ll see how they are making out.


That’s not to stop anyone else with experience chiming in!

But the problem we faced at Railo was that as an Open Source Project, people were free to use it without letting us know so, in comparison to Adobe, we weren’t the best people to ask where it was being used. We could get some ideas from people asking for support.

One organisation I know is NASA and JPL that used Railo (and I presume now they use Lucee?)

Im pretty sure that we had heard that indeed Nasa JPL did use Lucee and we were able to reference as such.

The question of course is if you are creating a WAR (Your distribution) that is deployed on top of an approved web application server Tomcat or equivalent combined with an approved RDBMS are all elements of the distribution required to be approved ?

I mean I fully understand that as a commercial server product with cost, licensing and support ACF is required to be approved, but I assume that Jquery and various nuances of your applications build elsewhere are explicitly approved so I wonder whether its a point worth making. You are after all shipping Jars + your source code not an executable or modified version of tomcat ?

If you’re asking about Lucee being specifically added to one of the (multiple) internal lists of approved govt softwares, that hasn’t happened for Lucee as far as I know. I’m working with a DOD project right now that has gotten CommandBox added to a list since they’re using it for local dev and as part of the Ortus docker image for deploys, but lucee isn’t specifically on the list even though it’s part of CommandBox. (This project is using Adobe 2016 for their server).

My understanding is it takes a specific govt project to use Lucee and “sponsor” that software as being approved and added to the internal lists, but it’s not a quick process and I don’t really even know what all it entails. It’s a bit of a catch 22 since most departments, even if open to the idea of Lucee, are most likely to just stick with an already-approved software rather than going through the work of getting something new certified. And govt projects aren’t usually worried too much about licensing costs, so you have to come at them from a different angle to sell them on it. (They’re going to be worried much more about support, longevity, and security)

I think the best option here for Lucee is that devs getting govt contracts need to keep pushing Lucee as an enterprise solution until someone picks it up for a big enough project and are willing to sponsor its addition to the lists of approved softwares. In the meantime, I assume departments that are already using it, are doing so via “loopholes” since it’s a “java” war deploy on Tomcat, etc. Even if that does happen, I’m not sure if we’ll hear about it. The app I’m working on that uses CommandBox will never even see the light of the internet. It’s part of the large amount of CF out in the dark web that “doesn’t exist” which makes it very hard to use in marketing.

Just wanted to add to this-- I was just chatting with a dev who does a lot of govt work and he’s using Lucee 5.2.4 for a ContentBox CMS app he built for a government site which I unfortunately cannot name publicly :confused: His company was able to use Lucee without issue because it is not a site that the US govt hosts themselves, but rather a turn-key solution he provides to them which includes the hosting. They basically rent the site (which is publicly available) and he uses the technologies that are the fastest and easiest for him to get to production. I suppose it’s worth mentioning that there are scenarios in which you can use the technology you want as a vendor without having to go through as much red tape. What really sucks is you can’t point to successful projects like the one I’m talking about right now since that department doesn’t want any technical details published, lest hackers target them.

Thanks all for the responses. Exactly what I needed to hear.