Open rashidchowdhury opened 6 years ago
I agree with doing this! As a person who works closely with our system's traditional SSP Word doc (using the FedRAMP template), including referencing and updating it, having the NIST control statements embedded in the doc is really important to me for enabling efficient work.
Also a good thing to note is that https://github.com/opencontrol/compliance-masonry isn't under active development by anyone in particular right now, but there are definitely people with merge permission who can merge PRs if people make them.
Would it be possible to create a mockup of what you need? Either share a template you have to fill out today, or provide an example of what you mean?
We've been using the SSPTool (GUI front end for OpenControl content). An open demo: http://ssptool.securitycentral.io/certifications/FedRAMP-high/NIST-800-53/AU-8
Behind the scenes everything is OpenControl-based, which means using FedRAMP templater to dynamically regenerate the FedRAMP Word Templates and PDFs after every change to the docs.
Thanks Shawn - I'll give that tool a look/try. It may just do what we need :)
On Mon, Apr 9, 2018 at 5:07 PM, Shawn Wells notifications@github.com wrote:
> Would it be possible to create a mockup of what you need? Either share a template you have to fill out today, or provide an example of what you mean?
> We've been using the SSPTool (GUI front end for OpenControl content). An open demo: http://ssptool.securitycentral.io/certifications/FedRAMP-high/NIST-800-53/AU-8
> Behind the scenes everything is OpenControl-based, which means using FedRAMP templater to dynamically regenerate the FedRAMP Word Templates and PDFs after every change to the docs.
On 4/9/18 6:13 PM, rashidchowdhury wrote:
> Thanks Shawn - I'll give that tool a look/try. It may just do what we need :)
Upstream SSP Tool: https://github.com/jenglish/ssptool
Populated w/the example content: https://github.com/securitycentral/ssptool
@rashidchowdhury were you ever able to give this a try?
Actually, I've moved on to a new position. I'll try to forward this info on to a colleague. They might find some value in it. Thanks for following up @its-a-lisa.
Perhaps this works as a mockup, where the NIST 800-83 Guidance precedes the implementation statements: https://github.com/CivicActions/ssp-toolkit/blob/master/docs/controls/AC.md#ac-1-access-control-policy-and-procedures
Great work on this tool! Last week, a colleague discovered that the SSP PDFs that are produced by Compliance Masonry do not include the NIST Control statements; just the implementation statements of the respective controls. This could prove rather cumbersome for our assessors. Is there a way to include the NIST control statements for each control, right before the implementation statements? I couldn’t find an easy way of doing that.