This repository is for system owners at TTS, to help them reduce the burden of their narrative-writing for security controls when working on their Authority to Operate (ATO). This will be most useful when drafting a System Security Plan (SSP) ahead of an assessment, for initial launch and re-assessment.
By having well-defined components with good security compliance baked in and their associated security control narratives, system owners can pull in that information for reuse during their assessment, and reduce the amount they need to implement, monitor, manage, and validate up through assessment.
The minimum viable product is an automatically generated artifact (spreadsheet, document in a human readable format) that can be immediately used by TTS System’s to fill out their System Security Plan (SSP) as part of their Authority to Operate (ATO).
TBD
You as the TTS System will be responsible for using the results from the tests contained in this repository. The Customer Responsibility Matrix (CRM) for SaaS products and IaaS Cloud Service Providers products in use at TTS have been compiled here for you and their implementation (as well as the test to validate these implementations).
This repository can be used in multiple ways, either by:
The TTS Tech Portfolio conducts these scans as part of our continuous integration (planned implementation). We can coordinate with your assigned ISSO/ISSM to provide them the results, attestation, audit reporting required for your System's (A&A process) and ultimate Authority to Operate (ATO).
TBD open a github issue to request an coordination; feel free to reach out to use in Slack #tts-tech-portfolio or by email tts-tech-portfolio@gsa.gov to discuss/coordinate.
To report a bug or feature request, please open an issue.