opencontrol / discuss

a place to have conversations about OpenControl projects
https://github.com/opencontrol/discuss/issues

OpenControl template #66

Open afeld opened 5 years ago

afeld commented 5 years ago

Originally posted by @timothy-spencer in https://github.com/opencontrol/discuss/issues/65#issuecomment-484288724:

I'm trying to make a template project that people can copy, add their app, and then use the mostly prepopulated opencontrol data while they are filling out their SSP by following along in the generated opencontrol gitbook as they work through their SSP. The text in the different sections should give them example content they can cut and paste in, or will give directions on what documents they should read to understand how to fill something out.

https://github.com/18F/gcp-appengine-template/blob/dev/README.md#ato-and-compliance-considerations

However, I have a few problems:

  1. The opencontrol format is kind of undocumented (like how are you supposed to actually represent where to look for a control that you have inherited?), so I keep having to puzzle over how/where to write about things.
  2. Everybody seems busy, so I have yet to get anybody to give a serious look at the controls that I have written up so far. :-( I think that I have documentation that ISSOs will like, but I don't know for sure.
  3. The project is truly mostly aimed at the GSA LATO. It all maps back to 800-53 and all, so it ought to be relatively portable, but those are the only 24 controls that I have spent any time on at all.
  4. Nobody has actually used this project yet besides me.
  5. I'm not quite done with everything, so there are still rough spots.

I'd like to think that having all this info prepopulated for somebody would save them a ton of time. I have spent a couple of months struggling with this, but if I had to do it again, I feel like I could just use this thing to zip through the process as I understand it.

Anyways, not sure if this is useful or not, but that's been my approach. I am trying to snowplow the difficulties away by creating most of the documentation up front in language that (I hope) security people will understand.

afeld commented 5 years ago

Originally posted by @shawndwells in https://github.com/opencontrol/discuss/issues/65#issuecomment-484321761:

Have you used the OpenControl templates for information systems and system components? What did you think of them?

ref:

https://github.com/ComplianceAsCode/template-system-component
https://github.com/ComplianceAsCode/template-information-system

Note the github.com/opencontrol is mostly used to house data schema, not actual content.

trevorbryant commented 5 years ago

@timothy-spencer as a former heavy lifter of that documentation, happy to help with 2.

Where can I find the verbiage?

timothy-spencer commented 5 years ago

@shawndwells No, I have not seen those before! I will look them over. They might be part of what I need. I've been looking at some of the stuff that cloud.gov did, but it seems to have only been a good start rather than something that actually got battle-tested.

@trevorbryant, check out https://github.com/18F/gcp-appengine-template/tree/dev#ato-and-compliance-considerations. It has the directions for how one would go through the process of getting a GSA LATO, including how to generate the gitbook that you would consult while filling out the SSP (step 6 in https://github.com/18F/gcp-appengine-template/tree/dev#gsa-lato-process). All of the opencontrol stuff that I have written is in that gitbook. You ought to be able to follow the links to the components from the compliance/opencontrol.yaml file in that repo to find the yaml.

Any comments/feedback would be super welcome!
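To make two of the schema questions in this thread concrete (the first comment's question about how to represent an inherited control, and the pointer above to following compliance/opencontrol.yaml through to the component files), here is an added, constructed pair of files. This is not content from the 18F gcp-appengine-template repo or from the OpenControl project; the system name, directory layout, placeholder URL, maintainer address and the choice of control are assumptions, and the field names follow the OpenControl component schema version 3.0.0 as I understand it, so check them against the schema repos under github.com/opencontrol before relying on them.

```yaml
# compliance/opencontrol.yaml (constructed illustration, not the 18F repo's file)
# This is the entry point: it lists the component directories, the standard
# the controls map back to, and the certification (control subset) in scope.
schema_version: "1.0.0"
name: example-appengine-app            # placeholder system name
metadata:
  description: Sample application on GCP App Engine (constructed example)
  maintainers:
    - maintainer@example.gov           # placeholder address
components:
  - ./components/app                   # the application: narratives the team writes
  - ./components/gcp                   # provider component: controls the app inherits
standards:
  - ./standards/NIST-800-53.yaml       # assumed local copy of the 800-53 catalog
certifications:
  - ./certifications/gsa-lato.yaml     # placeholder: the LATO control subset

# components/gcp/component.yaml (constructed illustration)
# One way to record an inherited control: mark the origin as inherited, keep the
# narrative short, and point the assessor at the provider's own evidence via
# references rather than restating it.
schema_version: "3.0.0"
name: Google Cloud Platform
key: gcp                               # referenced by other components and the gitbook
documentation_complete: false          # flip to true once an ISSO has reviewed it
responsible_role: Cloud provider
references:
  - name: Provider compliance package
    path: https://example.invalid/provider-compliance   # placeholder URL
    type: URL
satisfies:
  - standard_key: NIST-800-53
    control_key: PE-3                  # physical access control, a typical inherited control
    implementation_status: complete
    control_origin: inherited          # assumed field value; verify against the schema
    narrative:
      - text: >
          Physical access to the data centers hosting the application is
          controlled entirely by the cloud provider. The assessor should review
          the provider's compliance package listed under references for the
          evidence supporting this control.
```

Tools such as compliance-masonry read opencontrol.yaml first and then each listed component directory, so the chain from the top-level file to an inherited control's evidence is opencontrol.yaml, then the component's `satisfies` entry, then its `references`. Keeping `documentation_complete: false` until someone has actually reviewed the narrative also gives a cheap way to track the "nobody has looked at it yet" problem from the first comment.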

its-a-lisa commented 3 years ago

Bump