opencontrol / discuss

a place to have conversations about OpenControl projects
https://github.com/opencontrol/discuss/issues

has anyone done textual analysis of SSPs, or tried automating feedback on them? #65

Open afeld opened 5 years ago

afeld commented 5 years ago

The short version:

We are working to reduce time to ATO by building a tool to give automated feedback on SSPs. If you:

please reach out! aidan.l.feldman@census.gov

The long version:

I’m an employee at the Census Bureau, and like anyone doing technology in/around federal government, security compliance is time consuming for us. In particular, there was a pain point identified around the back-and-forth between delivery teams and assessors during the Authority to Operate (ATO) process. This happens at the Implement/Assess Controls steps of the Risk Management Framework:

NIST Risk Management Framework diagram

Delivery teams, who may or may not have experience writing System Security Plans (SSPs), spend a lot of time working on the language for security controls. This is then sent to the assessor, who may be pointing out common mistakes. Each of these back-and-forths can take days or weeks, costing staff hours and stretching out the time before the project can actually deliver value to users.

We got funding internally to work on this problem, to try and reduce this turnaround time. The idea is to have a tool to give automated feedback on security control responses. The working title is "FISMAtic"; think “Clippy for ATOs” 😉 To get there, we are planning to use natural language processing to do analysis of past SSPs, to find things like “what are terms that are commonly present in this control?”

If you’ve worked in this space or are interested in collaborating, please reach out! aidan.l.feldman@census.gov

Thanks!

cc @gregelin @JJediny
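The "Clippy for ATOs" idea in the post above (learn what past responses to a control usually say, then flag a draft that omits it) can be sketched with document-frequency analysis alone. The following is an added example and is not FISMAtic's code; the AC-2 responses and the draft are constructed for the example, the stopword list and the trailing-"s" singularization are simplifying assumptions, and the 75% threshold is arbitrary.

```python
"""Toy SSP control-response linter: learn which terms past responses to a
control nearly always use, then flag a draft response that omits them.

Added example, not FISMAtic's code.  The corpus below is constructed and
is not taken from any real SSP.
"""
import re
from collections import Counter

# Tokens that carry no control-specific meaning; without this list they
# would show up as "common" in every response for every control.
STOPWORDS = {
    "a", "an", "and", "any", "are", "after", "all", "by", "each", "for",
    "from", "in", "is", "of", "only", "or", "the", "those", "to", "when",
}

# Constructed past responses to AC-2 (Account Management) that an assessor
# has already accepted.  They share a core vocabulary but differ in wording.
PAST_AC2 = [
    "Accounts are created only after written approval from the system owner. "
    "The ISSO reviews all active accounts quarterly; accounts inactive for "
    "90 days are disabled.",
    "Each account request requires approval by the system owner. The ISSO "
    "reviews the account list quarterly, and inactive accounts are disabled "
    "after 90 days.",
    "Account creation requires approval by the system owner. Quarterly, the "
    "ISSO reviews active accounts, and any account inactive for 90 days is "
    "disabled.",
    "The help desk provisions accounts after the system owner gives written "
    "approval. The ISSO reviews accounts quarterly, and accounts inactive "
    "for 90 days are disabled.",
]

# Constructed draft from a delivery team: it says who creates accounts but
# nothing about approval, periodic review, or deprovisioning timelines.
DRAFT_AC2 = ("User accounts are created by the help desk when a ticket is "
             "submitted. Unused accounts are removed.")


def tokenize(text):
    """Lowercase alphanumeric tokens with stopwords dropped and a crude
    singularization (a trailing 's' is stripped so 'accounts' and
    'account' count as one term).  A real tool would use a lemmatizer."""
    terms = set()
    for tok in re.findall(r"[a-z0-9]+", text.lower()):
        if tok in STOPWORDS:
            continue
        if len(tok) > 3 and tok.endswith("s"):
            tok = tok[:-1]
        terms.add(tok)
    return terms


def common_terms(past_responses, min_fraction=0.75):
    """Terms present in at least min_fraction of the past responses for one
    control.  Document frequency is used rather than raw counts so a term
    repeated inside one verbose response does not dominate."""
    df = Counter()
    for response in past_responses:
        df.update(tokenize(response))
    needed = min_fraction * len(past_responses)
    return {term for term, n in df.items() if n >= needed}


def lint_response(draft, past_responses, min_fraction=0.75):
    """Return, sorted, the common terms the draft omits: the linter findings."""
    return sorted(common_terms(past_responses, min_fraction) - tokenize(draft))


def coverage(draft, past_responses, min_fraction=0.75):
    """Fraction of the control's common vocabulary that the draft covers."""
    common = common_terms(past_responses, min_fraction)
    if not common:
        return 1.0
    return 1 - len(common - tokenize(draft)) / len(common)


if __name__ == "__main__":
    for term in lint_response(DRAFT_AC2, PAST_AC2):
        print(f"AC-2 draft: accepted responses usually mention '{term}'")
    print(f"vocabulary coverage: {coverage(DRAFT_AC2, PAST_AC2):.0%}")
```

The findings are hints, not pass/fail verdicts: a draft can omit a common term and still satisfy the control, and a draft can contain every common term and still be wrong. That is the same caveat an assessor would attach to any keyword-based review, and it is why the output is phrased as "usually mention" rather than "missing".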

timothy-spencer commented 5 years ago

I'm kind of trying to solve this from another direction. I'm trying to make a template project that people can copy, add their app, and then use the mostly prepopulated opencontrol data while they are filling out their SSP by following along in the generated opencontrol gitbook as they work through their SSP. The text in the different sections should give them example content they can cut and paste in, or will give directions on what documents they should read to understand how to fill something out.

https://github.com/18F/gcp-appengine-template/blob/dev/README.md#ato-and-compliance-considerations

However, I have a few problems:

  1. The opencontrol format is kind of undocumented (like how are you supposed to actually represent where to look for a control that you have inherited?), so I keep having to puzzle over how/where to write about things.
  2. Everybody seems busy, so I have yet to get anybody to give a serious look at the controls that I have written up so far. :-( I think that I have documentation that ISSOs will like, but I don't know for sure.
  3. The project is truly mostly aimed at the GSA LATO. It all maps back to 800-53 and all, so it ought to be relatively portable, but those are the only 24 controls that I have spent any time on at all.
  4. Nobody has actually used this project yet besides me.
  5. I'm not quite done with everything, so there are still rough spots.

I'd like to think that having all this info prepopulated for somebody would save them a ton of time. I have spent a couple of months struggling with this, but if I had to do it again, I feel like I could just use this thing to zip through the process as I understand it.

Anyways, not sure if this is useful or not, but that's been my approach. I am trying to snowplow the difficulties away by creating most of the documentation up front in language that (I hope) security people will understand.

shawndwells commented 5 years ago

Have you used the OpenControl templates for information systems and system components? What did you think of them?

shawndwells commented 5 years ago

ref

https://github.com/ComplianceAsCode/template-system-component
https://github.com/ComplianceAsCode/template-information-system

Note the github.com/opencontrol is mostly used to house data schema, not actual content.

trevorbryant commented 5 years ago

I think this would be a good time to revisit https://github.com/opencontrol/discuss/issues/25 by @trevor-vaughan, as they are actively in this space of automating IA efforts and reducing ATO delivery times.

My specific experience in this space is pushing agencies to create methods for "live" documentation in which CM Plans, SSPs, etc. are created and/or updated as Docs As Code during the SDLC and integrated into CI/CD pipelines. However, that idea may be out of scope for this if OpenControl is housing schema and not necessarily targeting Enterprise solutions.

afeld commented 5 years ago

Seems the conversation is wandering a bit - mind if we split out to one or more separate issues?

afeld commented 5 years ago

There's now a repository, if anyone is interested in following along: https://github.com/uscensusbureau/fismatic

trevor-vaughan commented 5 years ago

Here's a swipe at something I did a while ago. It works reasonably well for creating the SSP templates and letting people know what to do: https://github.com/simp/NIST-800-18-SSP_Template

afeld commented 5 years ago

Updated the "Short version" up top with what I'm looking for.

Also looking for assessors to talk to for their perspective - any agency. Please connect me if you know of anyone!

openprivacy commented 5 years ago

This would be a natural language-based SSP "linter" to check work after creation? Looks like a super useful tool, particularly for organizational controls.

I've been exploring building reusable components ("system elements" in RMFv2-speak) that embed control/guidance specific language into their templates. For technical controls, these components would pair with a verifier that gathers evidence and scores against a baseline, for which (in some cases) there could be default values. Perhaps a post processor that ranks "control coverage" could be included as part of FISMAtic (I like the name!).

afeld commented 5 years ago

Update on the Discovery: going well - learning a ton! At this point, looking to talk with people that have:

If anyone has any leads, please introduce!

> This would be a natural language-based SSP "linter" to check work after creation?

During and/or after, yep!

> embed control/guidance specific language into their templates

cc https://github.com/uscensusbureau/fismatic/issues/20

> control coverage

Compliance Masonry refers to this as gap analysis.

afeld commented 5 years ago

In case anyone's interested, posted the summary of our research interviews for your enjoyment.

trevor-vaughan commented 5 years ago

@afeld Where would you like discussion on the summary?

afeld commented 5 years ago

Hmmmm... no strong feelings. Here is fine, or perhaps an issue on the FISMAtic repository if [a piece of] feedback warrants its own discussion thread. Thanks for asking!

afeld commented 5 years ago

On second thought, let's do an issue there, and keep this thread for soliciting collaborators. Thanks!

its-a-lisa commented 3 years ago

Awesome! Suggest closing considering this announcement is over a year old.