opencontrol / discuss

a place to have conversations about OpenControl projects
https://github.com/opencontrol/discuss/issues

who is actively using OpenControl? #33

Open afeld opened 6 years ago

afeld commented 6 years ago

For Project Boise (#28), we're looking for who is actively using the OpenControl schema, Compliance Masonry, or any of the other tools under the OpenControl umbrella, and how they are being used. We are going to use this information to make the case for GSA renewing focus (and $$) on OpenControl, so it's important we hear from you.

If you're using it

If you're not using it, but are interested in doing so

Feel free to respond here, or email me directly at aidan.feldman@gsa.gov. Happy to keep your answers private, if you like - being able to say "it's in use at X number of agencies" is useful on its own. Please respond by 9/13. Thanks!

afeld commented 6 years ago

Another way of asking: we are looking for testimonials of why continuing to support OpenControl is important. Hearing about other organizations' investment (whether successful or not) will help with that case.

shawndwells commented 6 years ago

On 9/7/17 3:30 PM, Aidan Feldman wrote:

> For Project Boise (#28 https://github.com/opencontrol/discuss/issues/28), we're looking for who is actively using the OpenControl schema, Compliance Masonry, or any of the other tools under the OpenControl umbrella, and how they are being used. We are going to use this information to make the case for GSA renewing focus (and $$) on OpenControl, so it's important we hear from you.
>
> If you're using it
>
> • In what context is it being used? In a product, at a federal agency, etc.

Customers are expecting us (Red Hat) to provide template system security plans for them. Immediate example is how Red Hat and Microsoft chose to author the OpenShift on Azure SSP in OpenControl and open source it:

PR: https://blogs.msdn.microsoft.com/azuregov/2017/06/05/red-hat-releases-partner-azure-blueprint-for-openshift-on-azure-government/ Code: https://github.com/opencontrol/RedHat/releases/tag/v1.0.0

We chose OpenShift as our first target primarily due to customer demand. Up next is OpenStack, which is in progress and will be formally released no later than OpenStack Summit Sydney. Keith Basil (Product Manager, OpenStack) and I will be on stage with the announcement and demos:

Ref: https://www.openstack.org/summit/sydney-2017/summit-schedule/events/20012/openstack-compliance-speed-and-agility-yes-its-possible

Current plan is to incrementally go through the Red Hat product portfolio over the next year, releasing OpenControl-based SSPs for FISMA High across our platform, middleware, storage, identity management, and middleware portfolios.

Outside of integrating OpenControl-based content into product offerings, customers from civilian and defense have proactively requested that ATO documentation be authored using OpenControl. Leading business driver is the dynamic creation of SSPs, pulling in multiple system components into a single end-product document. Being able to mash together content from the CxO office (policies, like training), processes at a program management office (e.g. "how are users vetted?") with technical controls ("how is $component auditing administrative actions?") has been invaluable. ComplianceMasonry used for this, together with doc-templater.

> • How is it being used? For example:
>   ◦ Are you using the schema files on their own?

..... what schema files?.....

>   ◦ Are you using Compliance Masonry or the FedRAMP Templater directly?

Yes.

doc-templater is emerging over fedramp-templater because every agency has their own DOCX format. Pushing people slowly towards just using the FedRAMP templates.... but hesitations arise over the term "FedRAMP Template." Want to make an impact? Have GSA release FISMA templates for low/med/high. This would be huge.

Have also started to package the OpenControl content for EPEL (supplementary packages available to RHEL and its derivatives like CentOS, but not officially supported yet).

The Red Hat OpenControl content was packaged on 26-AUG and will be making its way into EPEL over the next few days/weeks: https://koji.fedoraproject.org/koji/taskinfo?taskID=21474919

Would be great to see other vendors package their content (e.g. opencontrol-docker, opencontrol-redhat, opencontrol-aws). Happy to help other vendors start this process if there is interest.... shawn@redhat.com.

Right now we have a build system for RedHat-based systems. In the future (Novemberish?) will expand to Debian and Ubuntu. Help wanted if there are interested collaborators.

>   ◦ Have you built any other tooling around OpenControl, even if it's just internal?

Some. Will reply to your other thread on that.

> If you're not using it, but are interested in doing so
>
> • What are the barriers to doing so?

From detractors, most often we hear things like:

From supporters, some comments have included:

anweiss commented 6 years ago

We, Docker, have been working with OpenControl for the past 10 months. In December 2016, we kicked off our open source efforts with OpenControl to support agency ATO efforts -> https://blog.docker.com/2016/12/docker-datacenter-fedramp-azure/. This has been very well received amongst a number of different commercial and government entities.

All of our OpenControl-based content that we've delivered to date is 100% open source under CC0 Public Domain and resides on GitHub at https://github.com/docker/compliance. This acts as the central point for all compliance content we develop and ship as guidance to end-users. We're also using this to auto-generate NIST 800-53 reference documentation on docs.docker.com -> https://docs.docker.com/compliance/reference/800-53/ ... which is great for folks that don't want to mess with .yml files and simply need a quick-reference to applicable controls for Docker. And of course, we provide official Docker images on Docker Hub for running all of the tools within containers. We also have a number of items in the works to expand upon existing tooling.

We've even engaged ecosystem partners to help deliver more formal ATO-supporting engagements using OpenControl at the core.

We're excited to help support the OpenControl community as it matures and hope it becomes better aligned with other governing bodies and standards organizations. We also hope to see further participation by other OS vendors and cloud providers as our tools are completely infrastructure and OS agnostic.

gregelin commented 6 years ago

GovReady PBC is a Maryland and Virginia based, public benefit corporation whose mission is to lower the cost of digital innovation to citizens. GovReady’s innovative self-service tools for compliance were developed as part of a R&D contract from DHS Science & Technology Directorate to automate and lower the cost of cyber security.

We have developed tooling around OpenControl and are using OpenControl to support compliance automation at two federal agencies, two state agencies, and a private sector defense contractor. We have verbal agreements for other agencies and other private sector companies as well. We are developing OpenControl for Drupal and Drupal plugins to help automate compliance for government websites that use this popular open source CMS. We are active in the OpenControl community.

Software and Tooling that Uses OpenControl

In 2016, GovReady PBC received a significant R&D contract to automate and lower the cost of cyber security compliance from the Department of Homeland Security, Science and Technology Directorate, Cyber Security Division.

A key component of lowering the cost of compliance is component-based, reusable control implementation descriptions to save developers the time of constantly re-creating control content for different systems using the same IT stacks (e.g., components).

We use OpenControl content within our innovative “compliance apps” that are reusable data packages that map a system component to the security controls in a compliance framework. These compliance apps link together in our open source compliance server software to form a complete picture of the IT system, the steps needed to reach an Authority to Operate, and automatically generate compliance artifacts.

When a vendor, such as Docker or RedHat, documents the controls their products provide in machine-readable OpenControl format, we can rapidly and programmatically create a compliance app for those products. The drag and drop nature of compliance apps makes it easy for anyone on the development team to generate or update a richly informative System Security Plan or other compliance artifacts in minutes.

ComplianceLib, our open source Python library for turning the 800-53 controls into data objects, also uses OpenControl content. ComplianceLib is like Compliance Masonry but provides a command line interface to enable programmatic determination of the controls and compliance state of a system, for example as part of the CI/CD pipeline. As a library, we can use ComplianceLib to integrate 800-53 controls and OpenControl content into other applications. Command line querying is not currently supported in Compliance Masonry.

Supporting Customer Compliance

We are currently developing compliance automation for prime-contractors who support IT Systems at the Department of Education, the Defense Nuclear Facility Safety Bureau, and the San Francisco Department of Environment. We are using OpenControl content from RedHat in these projects as well as OpenControl content developed by 18F. We are also producing OpenControl for Drupal plugins.

We are providing support to automate 800-171 compliance for a private sector company that will incorporate OpenControl content from 18F’s AWS OpenControl repo, Docker, and RedHat. These are just our first uses. We participate in the NGA’s ATO-in-a-Day effort that uses OpenControl (and variations).

We have several other projects in our pipeline at other Federal agencies that will use OpenControl in addition to those already mentioned.

It is also worth noting that we do weekly webinars on compliance as code topics and have participants attend to learn about OpenControl and Compliance Masonry from a variety of recognizable organizations and overseas.
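Two of the replies above describe the workflow concretely enough to sketch in code: shawndwells's point that the value of OpenControl is in merging narratives from several components (a CxO policy office, a program management office, a technical platform) into one per-control document, and gregelin's point that a library can answer "which required controls are not covered" from a CI/CD pipeline. The block below is an added example written for this page, not code from Compliance Masonry, ComplianceLib, or any vendor's repository. It assumes components shaped like an OpenControl component.yaml (a `satisfies` list of `standard_key` / `control_key` / `implementation_status` / `narrative` entries, as in schema version 3.0.0) and a baseline shaped like an OpenControl certification file (standard name mapped to control keys). The component data and the four-control baseline are constructed sample data, and the roll-up rule (a control is only as complete as its weakest contributor) is this example's choice, not the behaviour of either tool.

```python
"""Merge OpenControl-style component narratives into per-control SSP text
and fail a pipeline when a baseline control is not fully covered.

Added example for this thread; the data below is constructed and only
mirrors the layout of an OpenControl component.yaml / certification file.
"""
from collections import defaultdict

# Constructed components, each shaped like the top of a component.yaml.
COMPONENTS = [
    {
        "name": "Policy Office",
        "key": "cxo-policy",
        "satisfies": [
            {"standard_key": "NIST-800-53", "control_key": "AT-2",
             "implementation_status": "complete",
             "narrative": [{"text": "All staff complete security awareness "
                                    "training annually."}]},
            {"standard_key": "NIST-800-53", "control_key": "AC-2",
             "implementation_status": "complete",
             "narrative": [{"key": "a", "text": "The PMO vets account "
                                                "requests against the roster."}]},
        ],
    },
    {
        "name": "Container Platform",
        "key": "platform",
        "satisfies": [
            {"standard_key": "NIST-800-53", "control_key": "AC-2",
             "implementation_status": "partial",
             "narrative": [{"key": "d", "text": "Admin accounts are created by "
                                                "the platform team; review is manual."}]},
            {"standard_key": "NIST-800-53", "control_key": "AU-2",
             "implementation_status": "complete",
             "narrative": [{"text": "Administrative API actions are audited "
                                    "to a central log."}]},
        ],
    },
]

# Constructed baseline: standard -> required control keys (a certification
# file lists these under `standards`). Deliberately includes IR-4, which no
# component above claims, to show the gap path.
BASELINE = {"NIST-800-53": ["AC-2", "AT-2", "AU-2", "IR-4"]}

# OpenControl implementation_status values, ranked strongest to weakest.
STATUS_RANK = {"complete": 3, "partial": 2, "planned": 1, "none": 0}


def merge_narratives(components, standard_key):
    """Group every component's narrative text by control key.

    Returns {control_key: [(component name, narrative part key or None, text)]}
    in component order, which is what a per-control SSP section needs.
    """
    merged = defaultdict(list)
    for comp in components:
        for sat in comp["satisfies"]:
            if sat["standard_key"] != standard_key:
                continue
            for part in sat.get("narrative", []):
                merged[sat["control_key"]].append(
                    (comp["name"], part.get("key"), part["text"]))
    return dict(merged)


def control_status(components, standard_key, control_key):
    """Roll-up rule (this example's choice): weakest status among all
    components that claim the control; 'none' if nobody claims it."""
    statuses = [sat.get("implementation_status", "none")
                for comp in components for sat in comp["satisfies"]
                if sat["standard_key"] == standard_key
                and sat["control_key"] == control_key]
    if not statuses:
        return "none"
    return min(statuses, key=lambda s: STATUS_RANK.get(s, 0))


def coverage_gaps(components, baseline):
    """Baseline controls whose rolled-up status is not 'complete'.

    Returns {"<standard>/<control>": status}; empty means the gate passes.
    """
    gaps = {}
    for standard, controls in baseline.items():
        for control_key in controls:
            status = control_status(components, standard, control_key)
            if status != "complete":
                gaps[f"{standard}/{control_key}"] = status
    return gaps


def render_control(control_key, merged):
    """Render one SSP section: each contributor's narrative, labelled."""
    lines = [f"## {control_key}"]
    for comp_name, part_key, text in merged.get(control_key, []):
        label = f"Part {part_key}" if part_key else "Narrative"
        lines.append(f"- {comp_name} ({label}): {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    merged = merge_narratives(COMPONENTS, "NIST-800-53")
    for key in sorted(merged):
        print(render_control(key, merged), end="\n\n")
    gaps = coverage_gaps(COMPONENTS, BASELINE)
    for key, status in sorted(gaps.items()):
        print(f"GAP {key}: {status}")
    raise SystemExit(1 if gaps else 0)   # non-zero exit fails the pipeline
```

Run as a script it prints the merged per-control sections and exits non-zero because AC-2 is only partially implemented by one contributor and IR-4 is claimed by nobody; that exit code is the CI gate gregelin's comment alludes to. Against real repositories you would load each component.yaml with `yaml.safe_load` in place of the inline dicts, and you should check the roll-up rule against what your own assessor expects, since "weakest contributor wins" is deliberately conservative.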

wslack commented 5 years ago

The Centers for Medicare & Medicaid Services (CMS) is actively leveraging OpenControl in its work to improve cloud services and offerings for the agency! Happy to provide more details if helpful.

openprivacy commented 5 years ago

CivicActions is using OpenControl schema files to drive the ATO process for three Federal clients. We were using some home grown scripts and then switched to https://github.com/GovReady/hyperGRC (which we like) and plan to check out compliance masonry again (as it's been a while and the file formats should be compatible) to see what's new in that arena.

its-a-lisa commented 3 years ago

Suggest moving responses into website and closing issue once pull request is merged