Open mzia opened 8 years ago
I might need a plain language version of this issue to understand it 😉
> controls for targeted system...listed in a spreadsheet as NIST SP 800-53 baseline allocation info
Do such spreadsheets exist, or are they hypothetical? If the former, do you have a full example?
/cc https://github.com/18F/compliance-toolkit/issues/12 (maybe?)
Ah, realized the spreadsheet you are referring to:
https://docs.google.com/spreadsheets/d/1EYLuavFgLUvfHDiBOuFjJsjpKQFDwXZx6J6gTffegUM/edit#gid=0
I think one of the problems I’ve observed is just getting started and without the assumption that there’s a FedRAMPed CSP or PaaS in the picture. We should always assume we are starting from scratch with a team/org that's determined its own set of controls for the system to build.
```
Feature: Initial CM FISMA doc
  In order to start the System Security Plan to support ATO in accordance to NIST 800-53
  An engineer should be able to start providing content after controls are selected QUICKLY

  Scenario: Creating my initial CM content
    Given: team has determined a set of controls for targeted system
    And: they are listed in a spreadsheet as NIST SP 800-53 baseline allocation info
    When: spreadsheet data is used as input value for an initializer
    Then: generate a corresponding opencontrol.yaml file with templated content

  Scenario: Creating my initial CM content
    Given: team has determined a set of controls for targeted system
    And: they are in a spreadsheet as NIST SP 800-53 baseline allocation info
    When: spreadsheet data is used as input value for an initializer
    Then: generate corresponding Control Policy Directories and component.yaml with templated content
```
Baseline Allocation sample from NIST SP 800-53
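
A sketch of the initializer the two scenarios describe, added here as an example; it is not code from this issue or from the project. The CSV header names, the sample rows and the function names are constructed, and the YAML field names (`satisfies`, `standard_key`, `control_key`, `implementation_status`, `narrative`) are assumed to follow the OpenControl component schema.

```python
import csv, io, re

# Constructed sample rows in the column layout of a baseline allocation
# table: control number, name, priority, then LOW / MOD / HIGH cells.
SAMPLE_CSV = """CNTL NO.,CONTROL NAME,PRIORITY,LOW,MOD,HIGH
AC-1,Access Control Policy and Procedures,P1,AC-1,AC-1,AC-1
AC-2,Account Management,P1,AC-2,AC-2 (1) (2),AC-2 (1) (2) (5)
AC-4,Information Flow Enforcement,P1,Not Selected,AC-4,AC-4
"""

def q(value):
    """Single-quote a YAML scalar so colons and quotes cannot break it."""
    return "'" + str(value).replace("'", "''") + "'"

def selected_controls(csv_text, baseline):
    """Return (control_key, control_name) pairs selected for one baseline."""
    picked = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cell = (row.get(baseline) or "").strip()
        if not cell or cell.lower() == "not selected":
            continue  # control is not part of this baseline
        base, name = row["CNTL NO."].strip(), row["CONTROL NAME"].strip()
        picked.append((base, name))
        # Enhancements are the "(n)" suffixes that follow the base control.
        picked += [(f"{base} ({n})", name) for n in re.findall(r"\((\d+)\)", cell)]
    return picked

def component_yaml(component, controls, standard="NIST-800-53"):
    """Render a component.yaml skeleton with one templated entry per control."""
    lines = [f"name: {q(component)}", "schema_version: 3.0.0", "satisfies:"]
    for key, name in controls:
        todo = f"TODO: describe how {component} implements {key} ({name})."
        lines += [f"- standard_key: {q(standard)}",
                  f"  control_key: {q(key)}",
                  "  implementation_status: planned",
                  "  narrative:",
                  f"  - text: {q(todo)}"]
    return "\n".join(lines) + "\n"

def opencontrol_yaml(system, component_dirs):
    """Render the top-level opencontrol.yaml that lists component directories."""
    lines = ['schema_version: "1.0.0"', f"name: {q(system)}", "components:"]
    lines += [f"- {q(d)}" for d in component_dirs]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    controls = selected_controls(SAMPLE_CSV, "MOD")
    print(opencontrol_yaml("example-system", ["./components/app"]))
    print(component_yaml("app", controls))
```

Every generated narrative starts as a TODO with `implementation_status: planned`, so an unfilled control stays visible in review instead of passing as documented.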