opencontrol / discuss

a place to have conversations about OpenControl projects
https://github.com/opencontrol/discuss/issues

Project Boise announcement from 18F #28

Closed afeld closed 5 years ago

afeld commented 6 years ago

Hi folks! Wanted to send you an update about what's happening at 18F. We have started an initiative with the (arbitrary) working title "Project Boise", whose goal is to "reduce the burden (time, cost, and pain) and improve the effectiveness of the federal government’s software security compliance processes." This is, we hope, very much in line with OpenControl, though may extend more broadly (to things like policy). Take a look at our project overview (https://boise.18f.gov) - would love your feedback! Feel free to leave comments here, shoot me an email, etc.

In our “Discovery” phase, we’re looking to talk to folks in the following areas:

If you fall into one of those categories, or have a connection with someone who does, please get in touch.

Thanks! Aidan Feldman aidan.feldman@gsa.gov

johnmod3 commented 6 years ago

cool, this needs lots of light and heat

afeld commented 6 years ago

I hope that's a compliment 😉

shawndwells commented 6 years ago

Interested. But how do I help?

openprivacy commented 6 years ago

ditto. I only deal with two Federal ATOs at the moment, but that's enough with present (lack of) technology.

On Tue, Jul 25, 2017 at 1:15 PM, Shawn Wells notifications@github.com wrote:

Interested. But how do I help?


gregelin commented 6 years ago

@afeld Can you say more about where Project Boise fits in at GSA?

afeld commented 6 years ago

It's a project funded by the Technology Transformation Service (TTS, which is the parent of 18F) Incubator. Currently staffed by @andrewmaier @timothybjones and myself, who are all at @18F. Does that answer your question?

afeld commented 6 years ago

@shawndwells

andrewmaier commented 6 years ago

Also, howdy from 18F/GSA 👋 . My name's Andrew. I'm the researcher/designer-type person working on Project Boise with @afeld and @timothybjones. I like to listen and make things pretty.

trevor-vaughan commented 6 years ago

@afeld We build a system https://github.com/NationalSecurityAgency/SIMP that is trying to automate the 'over time' compliance and validation of that compliance from the code-base up and would like to work on making the OpenControl materials something that we can work with.

My most recent feedback is at https://github.com/opencontrol/discuss/issues/25

trevor-vaughan commented 6 years ago

@afeld Re-read the discovery overview and I have a few comments.

Hypothesis - Prescriptiveness is good

I can't currently find the reference, maybe @shawndwells will know it, but I don't believe that the Government can prescribe technology due to competition laws. They can dictate requirements, sometimes so narrowly that only one vendor can meet the requirements, but I don't think they can say "use X".

(Frankly, if they did, we probably wouldn't want it. Did anyone really like ADA?)

My Thoughts

On Requirements/Laws

Vendors need to be held to the standards dictated by current law, whether this be the low-level underpinnings of NIST 800-53 (FIPS 140-2 and Common Criteria), or the requirement that the system have a full mapping to the necessary policies. The Government needs to stop being on the hook to document software that it is purchasing. I know that I would automatically prefer software that came with all of the necessary documentation.

Yes, I'm sorry that some of the current laws make using the new shiny tools impossible. Either fix the laws or fix the new shiny tools and stop ignoring the problem.

On ATO Enablement

I want a standard data format that I can use to automatically provide everything anyone would want to know about my system. I want something that is easy to transform into.

Hopefully this is helpful. Looking forward to seeing where things end up.

kishorebabu12 commented 6 years ago

@afeld I read some whitepapers/articles where the FISMA compliance process is being streamlined. As per the analysis, the initiation phase (preparation, notification & resource identification, and system security plan analysis, update, and acceptance) is a major bottleneck in the overall compliance certification process. This whitepaper talks about three more phases as part of the ATO process. Good read for the team.

https://it-cnp.com/sites/default/files/FISMA_WhitePaper.pdf https://it-cnp.com/white-papers

Related article: http://www.federaltimes.com/it-networks/cloud/2016/01/12/fedramp-seeks-easier-way-for-cloud-providers-to-show-ongoing-compliance/

sreddygh commented 6 years ago

Aidan,

I will be glad to help work with you folks. I have a significant background in information assurance, policies, controls, as well as NIST and frameworks, all the way to Dev, Ops and Security and combinations thereof. Fundamental to "Change" adoption is Education, which must start at different levels and requires stakeholder (CIO) buy-in that makes Acquisition departments collaborate with Techies. Nothing fancy I'm talking about here: we need to bring Business, Technology, Acquisition and Procurement together (four in total, as opposed to two in the private sector - just Business and Technology).

afeld commented 6 years ago

I don't believe that the Government can prescribe technology due to competition laws

Yep, that makes sense, and is why we stated it's more likely at the agency level than cross-agency. In this case, it would be presented as something like "we, Agency X, have already procured and figured out how to configure/run Y software to do vulnerability scanning - all our projects should use it."

I will be glad to help work with you folks

@sreddygh Great! The more specific the ideas the better. Please reach out to aidan.feldman@gsa.gov.

afeld commented 6 years ago

Also, we get a lot of questions about "will OpenControl be supported [by @18F] over time?" The short answer is: we don't know yet.

We are proud of Compliance Masonry, and its uptake (even without us promoting it or doing much active development) continues to shock me. Project Boise takes a step back from active development work on OpenControl projects to make sure we're solving the right problem. More pointedly: should we put more effort into trying to make it easier to generate System Security Plans, or is that emphasis on workflows centered around giant Word documents fundamentally broken? If the latter, where can 18F have a bigger impact in the security compliance process, rather than putting "lipstick on a pig"?

To be clear: we are not trying to discourage anyone's use of OpenControl, and even if our focus ends up elsewhere, there is almost definitely still a place for OpenControl across agencies and industries. We're just trying to figure out where 18F's time (and thus tax dollars) can be spent most effectively.

afeld commented 6 years ago

We now have a site! https://boise.18f.gov

afeld commented 6 years ago

Our first (overdue) weekly update: https://boise.18f.gov/updates/2017/08/31/

shawndwells commented 5 years ago

The Boise project was completed, with findings published at https://boise.18f.gov/post-discovery/synthesis/

closing.