GSA-TTS / tts-common-controls

[WIP] Development of InSpec tests using the Heimdall Data Format (HDF) specification to create baseline, inheritable security controls and documentation for reuse by TTS systems

Technology Transformation Services (TTS) Common Control Platform

This repository is for system owners at TTS, to help them reduce the burden of their narrative-writing for security controls when working on their Authority to Operate (ATO). This will be most useful when drafting a System Security Plan (SSP) ahead of an assessment, for initial launch and re-assessment.

By having well-defined components with good security compliance baked in and their associated security control narratives, system owners can pull in that information for reuse during their assessment, and reduce the amount they need to implement, monitor, manage, and validate up through assessment.

MVP

The minimum viable product is an automatically generated artifact (a spreadsheet or a document in a human-readable format) that TTS systems can use immediately to fill out their System Security Plan (SSP) as part of their Authority to Operate (ATO).
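As an added illustration of that artifact (example code, not part of this repository), the Ruby script below reads a results file in the shape InSpec emits for HDF, rolls each control's individual test results up into one status, and writes one CSV row per control that a system owner could paste into an SSP. The sample JSON is constructed for this example; the field names (`profiles`, `controls`, `impact`, `tags.nist`, `results[].status`) follow the HDF layout as assumed here, and the profile name, control ids and narratives are made up.

```ruby
require 'json'
require 'csv'

# Constructed sample in the shape of an HDF (Heimdall Data Format) results file.
# Assumption: the field names follow the HDF structure as produced by InSpec;
# the profile, controls and results themselves are invented for this example.
SAMPLE_HDF = <<~JSON
{
  "profiles": [
    {
      "name": "example-saas-baseline",
      "controls": [
        {
          "id": "AC-2",
          "title": "Account Management",
          "desc": "Accounts are provisioned through the identity provider.",
          "impact": 0.7,
          "tags": {"nist": ["AC-2"]},
          "results": [
            {"status": "passed", "code_desc": "SSO is enforced"},
            {"status": "passed", "code_desc": "Inactive accounts are disabled"}
          ]
        },
        {
          "id": "AU-2",
          "title": "Audit Events",
          "desc": "Audit logging is enabled for all API calls.",
          "impact": 0.5,
          "tags": {"nist": ["AU-2"]},
          "results": [
            {"status": "passed", "code_desc": "Audit trail is on"},
            {"status": "failed", "code_desc": "Log retention is 30 days, expected 365"}
          ]
        },
        {
          "id": "PE-3",
          "title": "Physical Access Control",
          "desc": "Inherited from the IaaS provider.",
          "impact": 0.3,
          "tags": {"nist": ["PE-3"]},
          "results": [
            {"status": "skipped", "skip_message": "Manual attestation: provider responsibility"}
          ]
        }
      ]
    }
  ]
}
JSON

# Collapse a control's individual test results into a single status:
# impact 0 means the control is not applicable; any failed test fails the
# control; a control with only skipped results needs a manual attestation.
def control_status(control)
  statuses = control.fetch('results', []).map { |r| r['status'] }
  return 'Not Applicable' if control['impact'].to_f.zero?
  return 'Failed' if statuses.include?('failed')
  return 'Passed' if statuses.include?('passed')

  'Manual Attestation'
end

# One SSP row per control: id, NIST 800-53 mapping, reusable narrative,
# rolled-up status, and the evidence lines that support it.
def ssp_rows(hdf_json)
  data = JSON.parse(hdf_json)
  data.fetch('profiles').flat_map do |profile|
    profile.fetch('controls').map do |c|
      evidence = c.fetch('results', []).map { |r| r['code_desc'] || r['skip_message'] }
      {
        'Control' => c['id'],
        'NIST 800-53' => c.dig('tags', 'nist').to_a.join(';'),
        'Title' => c['title'],
        'Implementation Narrative' => c['desc'],
        'Status' => control_status(c),
        'Evidence' => evidence.compact.join(' | '),
        'Source Profile' => profile['name']
      }
    end
  end
end

# Render the rows as CSV text, header row first.
def ssp_csv(hdf_json)
  rows = ssp_rows(hdf_json)
  CSV.generate do |csv|
    csv << rows.first.keys
    rows.each { |r| csv << r.values }
  end
end

puts ssp_csv(SAMPLE_HDF) if $PROGRAM_NAME == __FILE__
```

Running the script prints the CSV to stdout; redirecting it to a file yields the spreadsheet the MVP describes. The failed AU-2 row is kept rather than filtered out, since a control that fails its automated test is exactly what an ISSO needs to see before an assessment.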

Concepts

TBD

Usage

You, as the TTS system owner, are responsible for using the results of the tests contained in this repository. The Customer Responsibility Matrices (CRMs) for the SaaS products and IaaS cloud service provider offerings in use at TTS have been compiled here for you, together with their implementations and the tests that validate those implementations.

This repository can be used in multiple ways, either by:

  1. Taking the output of the test results and copying it into your SSP.
  2. Providing a URI link to the results to paste into your system's SSP as a reference.
  3. Providing a manual attestation for a control implementation.
  4. Providing an automated test that serves as attestation for a control implementation.

Getting Started

The TTS Tech Portfolio conducts these scans as part of our continuous integration (planned implementation). We can coordinate with your assigned ISSO/ISSM to provide them the results, attestations, and audit reporting required for your system's assessment and authorization (A&A) process and ultimate Authority to Operate (ATO).

TBD: open a GitHub issue to request coordination; feel free to reach out to us in Slack at #tts-tech-portfolio or by email at tts-tech-portfolio@gsa.gov to discuss and coordinate.

Authors

tts-tech-portfolio@gsa.gov

Contributing and Getting Help

To report a bug or feature request, please open an issue.