opencontrol / cf-compliance

Controls for Cloud Foundry

Contains many Cloud.gov-specific narratives #3

Open clhynfield opened 7 years ago

clhynfield commented 7 years ago

While the project title, description, and Readme all imply that this project applies to Cloud Foundry broadly, half of its components make explicit reference to the Cloud.gov-specific instance of Cloud Foundry. Some of these references aren't even applicable to plain, open source Cloud Foundry, e.g. UAA satisfies standard NIST-800-53, control key AC-7:

  - text: "#### a  \nCloud.gov displays banner on the cloud.gov login page\n  \n####
      b  \nThe banner displays on the login page until the user is logged in\n  \n####
      c  \nThe banner displays all requirements"

If product management agrees, I'll be happy to work up a pull request that replaces all cloud.gov references, to the best of my ability:

I expect there to be some back-and-forth, as I'm completely unfamiliar with Cloud.gov.

Thanks!

clhynfield commented 7 years ago

So, @geramirez, @afeld, and @dlapiduz – you are the three contributors to this project. If I were to submit a cloud.gov-scrubbing PR, would you be the ones to review and approve/reject? Thanks!

openprivacy commented 7 years ago

We're starting with this, replaced (locally) cloud.gov with our system name, but would really like to see a templated system with e.g. {% PROJECT_NAME %} etc. in the text so it could be picked up and used by most anyone. Not sure the best mechanism to do this...

We're planning on using OpenControl and build directly on AWS, but inherit e.g. FedRAMP controls from https://github.com/opencontrol/FedRAMP-Certifications with default templated text. Eventually we'll need to do the same for applications like MySQL, Apache, etc.
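The templating mechanism asked for above, as an added example (not code from cf-compliance, OpenControl or Compliance Masonry): a small stdlib-only Python script that substitutes `{% PROJECT_NAME %}`-style placeholders in an OpenControl component file and lints the template for system names that should have been templated. The placeholder syntax, the sample component text (modelled on the narrative quoted in the issue, with an illustrative control key) and the function names are all assumptions made for this example.

```python
import re

# Added example, not part of cf-compliance or OpenControl: render
# {% NAME %} placeholders in an OpenControl component file and flag lines
# that still hard-code a system name.

# Constructed sample modelled on the narrative quoted in the issue; the
# control key and wording are illustrative, not copied from the repo.
TEMPLATED_COMPONENT = """\
name: "{% PROJECT_NAME %} UAA"
satisfies:
  - standard_key: NIST-800-53
    control_key: AC-8
    narrative:
      - key: a
        text: "{% PROJECT_NAME %} displays a banner on the {% LOGIN_HOST %} login page"
      - key: b
        text: "The banner displays on the login page until the user is logged in"
"""

# Placeholder syntax assumed here: {% NAME %}, NAME in upper snake case.
PLACEHOLDER = re.compile(r"\{%\s*([A-Z][A-Z0-9_]*)\s*%\}")


def find_placeholders(template):
    """Return the sorted set of placeholder names used in the template."""
    return sorted(set(PLACEHOLDER.findall(template)))


def missing_values(template, values):
    """Placeholders present in the template but absent from the values map."""
    return [name for name in find_placeholders(template) if name not in values]


def lint_template(template, forbidden):
    """Return 1-based line numbers that still contain a hard-coded system
    name (case-insensitive), i.e. text that should have been a placeholder."""
    hits = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        lowered = line.lower()
        if any(word.lower() in lowered for word in forbidden):
            hits.append(lineno)
    return hits


def _yaml_dq_escape(value):
    """Escape a value for insertion inside a YAML double-quoted scalar, so a
    system name containing a quote or backslash cannot break the document.
    Assumes placeholders only appear inside double-quoted scalars."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def render(template, values):
    """Substitute every placeholder. Fails closed: an unresolved placeholder
    raises instead of leaving '{% ... %}' in generated compliance text."""
    missing = missing_values(template, values)
    if missing:
        raise KeyError("unresolved placeholders: " + ", ".join(missing))
    return PLACEHOLDER.sub(lambda m: _yaml_dq_escape(values[m.group(1)]), template)


if __name__ == "__main__":
    rendered = render(TEMPLATED_COMPONENT,
                      {"PROJECT_NAME": "Example PaaS",
                       "LOGIN_HOST": "login.example.test"})
    print(rendered)
    print("hard-coded names on lines:",
          lint_template(TEMPLATED_COMPONENT, ["cloud.gov"]))
```

Run the lint over the template before rendering, not over the output: the point is to catch narrative lines that still name a specific system so they get converted to placeholders rather than carried into every downstream project's SSP.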

dlapiduz commented 7 years ago

@clhynfield I believe that cloud.gov is not using this repo anymore and it is using https://github.com/18F/cg-compliance instead.

If you want to submit the PR I think we can take it, @mogul @brittag can you 👍 ?

clhynfield commented 7 years ago

Thanks for chiming in so quickly, @dlapiduz!

@openprivacy: good to hear. As elsewhere in software engineering, I'd look to use composition to bring components from cf-compliance and other projects into my own independent, composable projects. I haven't looked deeply into how to make that happen with Compliance Masonry, but if the community agrees, maybe it's at least an ideal we can iterate toward.

brittag commented 7 years ago

Hi everyone! That's correct, cloud.gov is not using this cf-compliance repository. Glad to have this ping though - I'm interested to watch this repo and learn from changes here.