...especially those without a ton of compliance experience. I've spoken with multiple software vendors in that boat who are interested in using OpenControl, but aren't sure about where to start. Would be good to include some of the following:
- What is OpenControl / Compliance Masonry, and why should they care?
- The fact that they will likely be creating a Component
- Where those files should live: under @opencontrol, or in a repository under their control
- That if they have federal customers already, it's likely that someone has done the hard part of writing up the narratives
- They should reach out to their customers and ask if the relevant parts of the System Security Plan can be shared, which the vendor can then generalize and publish for other customers going forward.
This would likely look a lot like Compliance Masonry for the Compliance Literate, but with an audience of Not Compliance Literate Vendors. Not sure where said resource should live.
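As an added illustration of what "creating a Component" means in practice (this is not part of the issue above and not a file from the OpenControl project or any vendor), here is the shape of the `component.yaml` a vendor would publish. It follows the OpenControl component schema as I understand it at version 3.0.0; the product name, URLs, verification key, and narrative text are placeholders for the vendor to replace, ideally with text generalized from a customer's existing System Security Plan.

```yaml
# Added example: a minimal OpenControl component.yaml for a hypothetical
# vendor product. Product name, URLs, keys and narrative text are placeholders;
# the field layout is assumed to match component schema v3.0.0, so check the
# current Compliance Masonry schema docs before publishing.
name: Example Widget Service
schema_version: 3.0.0
# Set to true only once every narrative below has been written and reviewed.
documentation_complete: false

# Public material a customer's assessor can be pointed at.
references:
  - name: Example Widget security documentation
    path: https://example.com/docs/security
    type: URL

# Evidence that backs up the narratives (audit reports, test output, etc.).
verifications:
  - key: widget_audit_logging_evidence
    name: Audit logging configuration evidence
    path: https://example.com/docs/security/audit-logging
    type: URL

# One entry per control the product helps satisfy. standard_key and
# control_key must match a standard the consuming system's opencontrol.yaml
# pulls in (here NIST-800-53, as published by opencontrol/NIST-800-53-Standards).
satisfies:
  - standard_key: NIST-800-53
    control_key: AU-2
    # "shared" records that the customer still owns part of this control.
    control_origin: shared
    implementation_status: partial
    narrative:
      - key: a
        text: |
          Placeholder: describe which auditable events the product emits and
          how a customer configures which ones are recorded. Generalize this
          from an existing customer's SSP rather than writing it cold.
    covered_by:
      - verification_key: widget_audit_logging_evidence
```

The vendor keeps this file in their own repository (or contributes it under @opencontrol); a federal customer then lists that repository as a dependency in their system's `opencontrol.yaml` and inherits the narratives, which is why writing them once and publishing them saves every subsequent customer the same work.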