opencontrol / discuss

a place to have conversations about OpenControl projects
https://github.com/opencontrol/discuss/issues

OpenControl edit workflow for non-technical users? #58

Open jtconnor opened 5 years ago

jtconnor commented 5 years ago

Some of the people responsible for writing controls documentation might have trouble following the OpenControl edit workflow of editing YAML files in source control because it's different from their current workflows (e.g. writing controls in a word doc) and YAML and git are new things that are easy to make mistakes with. Has anyone else encountered this issue in their work on OpenControl? Do you have any recommendations for handling it?

We could potentially support entering controls into a spreadsheet (or Word template?) and automatically converting that into OpenControl docs. But it's not clear to me that that would be much better than just having clear instructions for how people can edit yaml in source control.

afeld commented 5 years ago

Hey! There have been a few efforts around an editor for OpenControl. The ones I know off the top of my head:

Also remember that "every JSON file is also a valid YAML file", so you could adapt a JSON editor if you liked.

Something that I don't think has been explored: I've been researching static site content management systems for another project, and many of them support graphical editing of data files. See the Forestry and Netlify CMS documentation for more info. Not sure how hard it would be to repurpose this for OpenControl, but might be an interesting experiment.

support entering controls into a spreadsheet

That could work!

or Word template?

Trying to programmatically get information out of a Word document is very painful - I was trying to do so with FedRAMP Templater. Maybe there's something you could do when creating the Word doc to make this easier - not sure.

it's not clear to me that that would be much better than just having clear instructions for how people can edit yaml in source control

Agreed.

openprivacy commented 5 years ago

HyperGRC is a great lightweight editor for reviewing controls - I've used it for two ATOs and plan to publish some generic components as I work on a third. We converted spreadsheets downloaded from eMASS and CSAM into OpenControl-style yaml, making a rough cut into components during that process (using responsibilities). I still used Emacs or VS Code for the initial yaml control editing, and later HyperGRC for review and tweaking.

When they get the hyperlinking to work, HyperGRC may become my "go to" editor for controls. It also has built-in linting.

rafael5 commented 5 years ago

Hi Fen! #openprivacy - you have already solved the same problem I wish to solve: extract the information from a heavyweight compliance/controls tool (eMASS) into YAML.

In my case all the compliance information is in RiskVision... all 400+ controls in 20 sheets within one Excel file. Would you mind having a look and seeing if it is feasible to extend your eMASS parsing pipeline to include RiskVision too? The RiskVision file and information is here:

https://github.com/vistadataproject/documents/tree/master/python#riskvision-schema-translation-to-yaml
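For the spreadsheet-to-YAML conversion discussed above (jtconnor's suggestion, the eMASS/CSAM exports openprivacy converted, rafael5's RiskVision workbook), here is an added example written for this thread, not code from any of those projects: it groups tracker rows by component, merges narratives per control, rejects malformed rows, unknown statuses and conflicting statuses, and emits each component as JSON, which is valid YAML as afeld notes. Assumptions: the column names and sample rows are constructed, the accepted implementation_status values and the alias map are mine, and the component layout follows OpenControl schema_version 3.0.0 as I remember it, so check the output against your validator.

```python
import csv
import io
import json

# Constructed sample export; the column names imitate a generic tracker (assumed).
SAMPLE_CSV = """control_id,standard,component,status,narrative
AC-2,NIST-800-53,Identity Service,partial,"Accounts are provisioned via SSO groups."
AC-2,NIST-800-53,Identity Service,partial,"Quarterly access reviews are tracked in tickets."
AU-2,NIST-800-53,Logging Pipeline,complete,"All API calls are logged to the SIEM."
SC-7,NIST-800-53,Network Edge,implemented,"Inbound traffic is restricted by security groups."
"""

# Statuses the OpenControl component schema accepts (assumed set; verify with your validator).
VALID_STATUS = {"complete", "partial", "planned", "none", "not applicable"}
# Tracker vocabulary mapped onto OpenControl's (assumed mapping; extend for your tool).
STATUS_ALIASES = {"implemented": "complete", "in progress": "partial", "n/a": "not applicable"}
REQUIRED = ("control_id", "standard", "component", "status")

def normalize_status(raw):
    """Lower-case, de-alias and validate a tracker status; fail loudly on anything unknown."""
    status = STATUS_ALIASES.get(raw.strip().lower(), raw.strip().lower())
    if status not in VALID_STATUS:
        raise ValueError(f"unknown implementation_status {raw!r}")
    return status

def rows_to_components(csv_text):
    """Turn spreadsheet rows into one OpenControl component document per component name."""
    components = {}
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        missing = [k for k in REQUIRED if not (row.get(k) or "").strip()]
        if missing:
            raise ValueError(f"row {lineno}: missing {missing}")
        name = row["component"].strip()
        comp = components.setdefault(name, {"name": name, "schema_version": "3.0.0", "satisfies": []})
        key = (row["standard"].strip(), row["control_id"].strip())
        status = normalize_status(row["status"])
        entry = next((s for s in comp["satisfies"]
                      if (s["standard_key"], s["control_key"]) == key), None)
        if entry is None:  # first row for this control: create the satisfies entry
            entry = {"standard_key": key[0], "control_key": key[1],
                     "implementation_status": status, "narrative": []}
            comp["satisfies"].append(entry)
        elif entry["implementation_status"] != status:  # same control, contradictory rows
            raise ValueError(f"row {lineno}: {key} already recorded as {entry['implementation_status']}")
        if (row.get("narrative") or "").strip():  # extra rows just add narrative paragraphs
            entry["narrative"].append({"text": row["narrative"].strip()})
    return components

def to_yaml_documents(components):
    """JSON is valid YAML, so the stdlib gives loadable component.yaml text without PyYAML."""
    return {name: json.dumps(doc, indent=2) for name, doc in components.items()}
```

Write each value of `to_yaml_documents(rows_to_components(SAMPLE_CSV))` to `<component>/component.yaml` and run it through your usual OpenControl validation before committing.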

shawndwells commented 5 years ago

On 3/6/19 5:44 PM, James Connor wrote:

Some of the people responsible for writing controls documentation might have trouble following the OpenControl edit workflow of editing YAML files in source control because it's different from their current workflows (e.g. writing controls in a word doc) and YAML and git are new things that are easy to make mistakes with. Has anyone else encountered this issue in their work on OpenControl? Do you have any recommendations for handling it?

We could potentially support entering controls into a spreadsheet (or Word template?) and automatically converting that into OpenControl docs. But it's not clear to me that that would be much better than just having clear instructions for how people can edit yaml in source control.

Out of curiosity, why are the OpenControl files being edited at all?

Is that a common use case? To create custom content, vs getting it from your vendors?

mogul commented 5 years ago

Some of us are vendors. :)


jtconnor commented 5 years ago

Hi @shawndwells ,

Out of curiosity, why are the OpenControl files being edited at all? Is that a common use case? To create custom content, vs getting it from your vendors?

In our case, application teams will create custom content to document how their application meets some controls and will inherit controls from other systems. Some of the internal system controls will be custom content and others will be vendor provided.