Open afeld opened 5 years ago
I'm kind of trying to solve this from another direction. I'm trying to make a template project that people can copy, add their app, and then use the mostly prepopulated opencontrol data while they are filling out their SSP by following along in the generated opencontrol gitbook as they work through their SSP. The text in the different sections should give them example content they can cut and paste in, or will give directions on what documents they should read to understand how to fill something out.
https://github.com/18F/gcp-appengine-template/blob/dev/README.md#ato-and-compliance-considerations
However, I have a few problems:
I'd like to think that having all this info prepopulated for somebody would save them a ton of time. I have spent a couple of months struggling with this, but if I had to do it again, I feel like I could just use this thing to zip through the process as I understand it.
Anyways, not sure if this is useful or not, but that's been my approach. I am trying to snowplow the difficulties away by creating most of the documentation up front in language that (I hope) security people will understand.
Have you used the OpenControl templates for information systems and system components? What did you think of them?
ref
https://github.com/ComplianceAsCode/template-system-component
https://github.com/ComplianceAsCode/template-information-system
Note the github.com/opencontrol is mostly used to house data schema, not actual content.
I think this would be a good time to revisit https://github.com/opencontrol/discuss/issues/25 by @trevor-vaughan as they are active in this space of automating IA efforts and reducing ATO delivery times.
My specific experience in this space is pushing agencies to create methods for "live" documentation in which CM Plans, SSPs, etc. are created and/or updated as Docs As Code during the SDLC and integrated into CI/CD pipelines. However, that idea may be out of scope for this if OpenControl is housing schema and not necessarily targeting Enterprise solutions.
Seems the conversation is wandering a bit - mind if we split out to one or more separate issues?
There's now a repository, if anyone is interested in following along: https://github.com/uscensusbureau/fismatic
Here's a swipe at something I did a while ago. It works reasonably well for creating the SSP templates and letting people know what to do: https://github.com/simp/NIST-800-18-SSP_Template
Updated the "Short version" up top with what I'm looking for.
Also looking for assessors to talk to for their perspective - any agency. Please connect me if you know of anyone!
This would be a natural language-based SSP "linter" to check work after creation? Looks like a super useful tool, particularly for organizational controls.
I've been exploring building reusable components ("system elements" in RMFv2-speak) that embed control/guidance specific language into their templates. For technical controls, these components would pair with a verifier that gathers evidence and scores against a baseline, for which (in some cases) there could be default values. Perhaps a post processor that ranks "control coverage" could be included as part of FISMAtic (I like the name!).
Update on the Discovery: going well - learning a ton! At this point, looking to talk with people that have:
If anyone has any leads, please introduce!
This would be a natural language-based SSP "linter" to check work after creation?
During and/or after, yep!
embed control/guidance specific language into their templates
cc https://github.com/uscensusbureau/fismatic/issues/20
control coverage
Compliance Masonry refers to this as gap analysis.
In case anyone's interested, posted the summary of our research interviews for your enjoyment.
@afeld Where would you like discussion on the summary?
Hmmmm... no strong feelings. Here is fine, or perhaps an issue on the FISMAtic repository if [a piece of] feedback warrants its own discussion thread. Thanks for asking!
On second thought, let's do an issue there, and keep this thread for soliciting collaborators. Thanks!
Awesome! Suggest closing considering this announcement is over a year old.
The short version:
We are working to reduce time to ATO by building a tool to give automated feedback on SSPs. If you:
please reach out! aidan.l.feldman@census.gov
The long version:
I’m an employee at the Census Bureau, and like anyone doing technology in/around federal government, security compliance is time-consuming for us. In particular, there was a pain point identified around the back-and-forth between delivery teams and assessors during the Authority to Operate (ATO) process. This happens at the Implement/Assess Controls steps of the Risk Management Framework:
Delivery teams, who may or may not have experience writing System Security Plans (SSPs), spend a lot of time working on the language for security controls. This is then sent to the assessor, who may be pointing out common mistakes. Each of these back-and-forths can take days or weeks, costing staff hours and stretching out the time before the project can actually deliver value to users.
We got funding internally to work on this problem, to try and reduce this turnaround time. The idea is to have a tool to give automated feedback on security control responses. The working title is "FISMAtic"; think “Clippy for ATOs” 😉. To get there, we are planning to use natural language processing to do analysis of past SSPs, to find things like “what are terms that are commonly present in this control?”
If you’ve worked in this space or are interested in collaborating, please reach out! aidan.l.feldman@census.gov
Thanks!
cc @gregelin @JJediny
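A small worked sketch of the “what terms are commonly present in this control?” analysis described in the post above, added here as an illustration and not taken from the FISMAtic repository: it mines past responses for one control for the terms that usually appear, then reports which of them a draft response lacks and a coverage score (the thread's “control coverage” / gap-analysis idea). The AC-2 narratives and the draft are constructed sample text, and the tokenising, plural stripping and 75% threshold are simplifying assumptions of this example.

```python
import re
from collections import Counter

# Function words that carry no control-specific meaning (assumed stop list).
STOPWORDS = {"the", "a", "an", "and", "or", "of", "for", "to", "by", "are", "is",
             "in", "on", "via", "all", "after", "from", "through", "that", "them",
             "when", "with", "be", "as", "at", "it"}

def stem(word):
    """Crude plural stripping so 'accounts' and 'account' count as one term."""
    if len(word) > 3 and word.endswith("s") and not word.endswith("ss"):
        return word[:-1]
    return word

def terms(text):
    """Set of normalised content terms in one control response."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {stem(w) for w in words if w not in STOPWORDS}

def common_terms(past_responses, min_doc_fraction=0.75):
    """Terms present in at least min_doc_fraction of the past responses."""
    df = Counter()
    for response in past_responses:
        df.update(terms(response))  # document frequency: one count per response
    return {t for t, c in df.items() if c / len(past_responses) >= min_doc_fraction}

def review_draft(draft, past_responses, min_doc_fraction=0.75):
    """Return (sorted missing terms, coverage) for a draft against past responses."""
    expected = common_terms(past_responses, min_doc_fraction)
    present = expected & terms(draft)
    coverage = len(present) / len(expected) if expected else 1.0
    return sorted(expected - present), coverage

# Constructed sample narratives for one control (AC-2, Account Management).
PAST_AC2 = [
    "Account requests are submitted through the ticketing system and approved by the "
    "system owner. Accounts are reviewed quarterly and disabled after 90 days of inactivity.",
    "The system owner approves all account requests. Privileged accounts are reviewed "
    "quarterly, and inactive accounts are disabled after 90 days.",
    "All accounts are created by the ISSO after approval from the system owner. Accounts "
    "are reviewed quarterly for continued need and inactive accounts are removed.",
    "Account creation requires system owner approval via a ticket. Account reviews occur "
    "quarterly; accounts inactive for 90 days are disabled.",
]
# Constructed draft of the kind an assessor would send back for rework.
DRAFT_AC2 = "Users request accounts through the help desk. Admins create accounts and remove them when people leave."
if __name__ == "__main__":
    missing, coverage = review_draft(DRAFT_AC2, PAST_AC2)
    print(f"coverage {coverage:.0%}; usually present but missing: {', '.join(missing)}")
```

On the sample data the draft covers only 1 of the 9 terms that appear in at least three of the four past responses, which is the kind of early feedback the tool is meant to give before the response reaches an assessor.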