Make sure that absolutely everything can be customised on a per-page basis.. Don't settle for fixed titles and fixed footers for example.

>> Questions to ask

"Can I see a demo site of something you've done?" And make sure you see the admin end and it makes sense to you.

- set requirements for basic server stuff - pages that are not found send a valid 404 for example (it's surprisingly common for custom 404 error pages to return 200 OK).

- decided in advance how granular your need permissions to be. What is the lowest level (page edit or possibly partial page edit)?

- maybe hire a third party to do a security audit and write it into the contract that changes required by 3rd party audit are part of the spec. You might even be able to agree on who that third party is in advance. There are some "default" choices that should be acceptable to any developer (personally, if I were the developer, I would consider this free education in hardening my code and would *love* to see this requirement... unless I was told to start over because there's no way to patch the holes I've created).

Good point on the 404/200 error issues, I didn't have that in my specs.

Also, I really like the security audit idea. One of the main reasons I'm building my own is because I don't trust Open Source CMS platforms in terms of security. It's okay for forums, not for my core.

Frankly, an Open Source app will likely have better security than a custom app that is not audited or written by someone who doesn't know how to make it secure.

The problem with the open source apps is
- open architecture that allows for many attack points (i.e. poorly written modules).

- huge user base and identifiable signatures that make it worth mass random attacks.

Hi Chris,
Ask them to make a small demo.
Demo should display 2 to 3 ways how to add/modify content and how to change boiler templates and how to make specific page customization.

Then take some pages from the your existing website and tell them to customize right in front of your eyes. Play with the tool in the demo. see your comfort level. I am sure you will meet plenty of gaps and expectation mismatch.

Go in the next round with the firm to improve.

Things I would ask:
- What are the key issues to manage with custom cms solutions
- Why would you use the technologies you have selected for this project
- How do you solve complex application design problems
- Who will you use to secure the application when its being deployed.
- How do you manage scope creep to get a win/win
- When I am close to signing, can I meet or talk to 2 or 3 cleints that you have deployed very similar (size, features, sector) projects for
- what are your rates for each area of the project
- what methodology or approach will you use to ensure its a success for both parties

I wouldnt insist on going local for this, you need the best a for custom CMS.

[edited by: ergophobe at 8:10 pm (utc) on July 21, 2008]
[edit reason] Minor edits [/edit]

Some sort of automated document management system if you have a large amount of documents (magazine/publication back issues) to upload or you will have to do it yourself manually or spend $$$ on hiring a contractor for weeks on end.