Bring SSP to SAR-ready state

[mogul]

@mogul commented on Fri May 20 2016

In order to enter the FedRAMP SAR auditing process with all prerequisites satisfied, we must provide our SSP rendered in the mandated FedRAMP format with all required Moderate-level controls documented.

Acceptance Criteria

• [x] Information is present for every control required for FedRAMP Moderate certification
• [x] Where we don't have anything currently that satisfies a control, a sketch of our intended method of satisfying the control is provided and the sketch is clearly labeled as a TODO item
• [x] Every TODO item in the document is captured in a card in the Backlog column of the cg-atlas board
• [x] Every card with a TODO item has its parent Epic set to the FedRAMP P-ATO Remediations card.

---

People involved:

• @jcscottiii is chasing down some diagrams, etc that are not being rendered even when it's in the YAML files.
• @afeld is ensuring we can render into the FedRAMP Word template and that we can generate a gap report that shows all the empty controls.
• @NoahKunin @dlapiduz and @mzia are taking on the actual documentation of all the missing controls

[mogul]

(I believe @clovett3 is also working on this.)

[mogul]

@frsfx said he could help out with documenting controls as well... he's been through the FedRAMP process before.

[mogul]

The list tracking the state of all the controls is in Google Drive.

[afeld]

Issue for templatizing the FedRAMP SSP: https://github.com/opencontrol/compliance-masonry/issues/140

[afeld]

The list tracking the state of all the controls

@clovett3 just showed me a different one:

https://docs.google.com/spreadsheets/d/1Z_PScNd_NgJKgkCf74tZuSH-HvCjcd5qd2B7AbIQSaw/edit#gid=566813369

[mogul]

We just had a meeting to talk about how/where to track the remaining work, since it wasn't clear which of the above issues/Google Docs was canonical. For expediency, the remaining work on the FedRAMP template version of the SSP will be going through @clovett3's hands and into a .docx via Word, with other people contributing in certain controls. (We will NOT be using Compliance Masonry to generate into the FedRAMP template until a later date; it won't help cloud.gov but may help followers in future.) @dlapiduz @mzia and @clovett3 will be getting together early tomorrow to hash out how/where that list will be tracked; please post a reference here when that's available.

[mzia]

Cloud.Gov FISMA Control Canonical List

SSP Completion Checklist

[mogul]

I've converted this to an Epic, attached all the issues newly created in the cg-compliance repo (since it's the sum-total of all that work which will determine when this one is done) and moved it to the Feature column so we don't try to talk about this level of detail at stand-ups.

[mogul]

I've removed the AC about rendering directly into the Word doc, as this is otherwise done and no longer blocking our progress.