GovReady / security-stories-nist800-53

A collection of security-related user stories compatible with NIST Special Publication 800-53
GNU General Public License v2.0

security-stories-nist800-53

Motivation

It's hard to bake security and compliance into software projects when they are not part of the day-to-day agile work of software developers.

Now you can start every project with vetted, security-related user stories to make sure your IT system is built to be compliant.

Add some or all of these stories to your agile backlog. Then add two or three to each sprint. As you build your system, you will be making it secure and compliant, and your acceptance criteria will be evidence for your assessor!

Your security team will love you for treating them as a customer!

User Stories

As of March 2017, the list of user stories is still under development.

User stories are grouped by NIST SP 800-53 control family, system impact, and priority rating.

Contributing

To contribute, fork the repository and make pull requests.

See the template.yaml file for the format and the existing YAML files for reference examples.