opencontrol / discuss

a place to have conversations about OpenControl projects
https://github.com/opencontrol/discuss/issues

public SSPs? #68

Open afeld opened 5 years ago

afeld commented 5 years ago

I'm working on a project that involves natural language processing of System Security Plans (SSPs; #65). While I will be working with SSPs from within the agency, I'm looking for others that I can test with. Do you know of any SSPs / platform SSP templates that are publicly accessible? @Jkrzy just pointed me to the Azure one via @anweiss - wondering if there are others. Thanks!

afeld commented 5 years ago

Also, if you know of a team that would be willing to share their SSP(s) with another government agency, that would work too. aidan.l.feldman@census.gov

mogul commented 5 years ago

As a govvie, you can certainly request access to the entire cloud.gov FedRAMP package (which includes the SSP) using the FedRAMP form and our package ID.

trevorbryant commented 5 years ago

SSPs in other agencies will be hard to come by. AOs and CISOs will be reluctant to share even the templates. If they're willing to share, there'll be an approval process and typically an MOU. Something to be prepared for.

openprivacy commented 5 years ago

We are actively working to create reusable components that will generate the majority of an SSP, including not only control implementation but also templated system and technical descriptions, POCs, and various policies/plans usually found in an appendix. It is my understanding that AWS is doing the same for their related components. Doesn't help you now (as we haven't published yet) but we plan to publish all on GitHub.

afeld commented 5 years ago

Worth noting that the cloud.gov Control Implementation Summary + Customer Responsibility Matrix + Control-by-Control Inheritance spreadsheet is available publicly. Is this the case for other platforms?

trevorbryant commented 5 years ago

cloud.gov is unique in that it took the steps to actually provide information and open source it. The majority of USG do not yet use FedRAMP, and thus their solutions to FISMA are considered legacy. I would be surprised if agencies had a matrix, if at all a RACI for these.

afeld commented 5 years ago

I suppose the OpenControl full project examples qualify here too.

afeld commented 5 years ago

A couple more with public control implementations:

afeld commented 4 years ago

I had been looking at the Azure Blueprint before, which seems to be a template for systems that are building on top of Azure. I didn't realize the Azure SSP itself is public!!! Kudos to @dlapiduz for the tip.