an in-person OpenControl summit?

[afeld]

@mogul @joshuamckenty @gregelin and others have brought up the idea of having an in-person get-together (in San Francisco?) in the fall to sync up about OpenControl. Starting this discussion to figure out the things that need figuring out. Will continue adding to this list.

• Location (18F SF office?)
• Duration (one day? two? three?)
• Agenda (what do we want to cover/accomplish?)
• Dates (September? we should set up a survey to see what works)
• Capacity (we'll probably need an open RSVP to figure out how much capacity we need)
• Planning (who's responsible for what planning?)

[gregelin]

@mogul @joshuamckenty @afeld @pburkholder

I'd recommend a planning call/hangout on 7/28 that we can promote.

OpenControl is currently targeted at FISMA compliance. It makes sense to have the first meeting in DC. We could have a second meeting in DC, or have a joint meeting in DC at same time...

[mogul]

Any particular reason for 7/28?

[gregelin]

@mogul Suggesting 7/28 (or 7/29) for urgency sake and get started before August. Would first week of August make more sense?

But I think we should decide today and get the word out. So maybe Aug 1 or 2nd works better so we can promote for week.

[joshuamckenty]

7/29 is easier for me. I'll set up a doodle. I disagree on the FISMA bias, though. We're using OpenControl for ICD-503, and investigating it for PCI, as well as the FISMA and FEDRAMP use cases.

[joshuamckenty]

Doodle poll for a planning call is up here: http://doodle.com/poll/ckqd5xfmzf7h27rw

[afeld]

Re: the dates and location for the actual event, maybe we put out another Doodle/survey later to see people's preferences, and go with the majority. I'm sure 18F can host in either city.

[gregelin]

Did we pick a time

[pburkholder]

Are we on today for 3pm EDT?

[JJediny]

+1 for a Google Hangout or the like for 3pm today EST/EDT

If Google hangout can someone not at GSA/18F setup the link as our Google Hangout doesn't allow for in room chat? Just post the link here

[gregelin]

Here is a URL for a 3pm hangout:

https://plus.google.com/hangouts/_/govready.com/opencontrol-mtg

[joshuamckenty]

Perfect, thank you. Easier to use yours.

Sent from my iPhone

On Jul 29, 2016, at 8:31 AM, Greg Elin notifications@github.com wrote:

Here is a URL for a 3pm hangout:

https://plus.google.com/hangouts/_/govready.com/opencontrol-mtg

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[gregelin]

@joshuamckenty Is the survey up?

[afeld]

planning meeting notes - 7/29/16

Attendees

• @afeld (18F)
• @gregelin (GovReady)
• @jbarnicle (18F)
• @jcscottiii (18F)
• @jgrevich (18F)
• @JJediny (data.gov)
• @joshuamckenty (Cloud Foundry Foundation)
• @mogul (18F)
• @mzia (18F)
• @nikzei (18F)
• @pburkholder (GovReady)

Agenda

• What are the high-level goals for an event?
• Getting an organizing committee together

Notes

• Origin story from Josh:
  • Did something like it at NASA for OpenStack
  • Had coffee with Noah Kunin
  • Josh ended up starting a repository
• Josh: other organizations requested an in-person event
• Josh: I had imagined it as an unconference, though it could be more of a convening
• Bret: 18F can look into whether we have facilities to host it
• Location preference
  • Aidan: simple survey with location pref (SF/DC) along with if the person can make it to the alternate location
  • Josh: this can also give a sense of who and how many would attend
  • Josh: aware of issues with travel for .gov employees, perhaps survey should include specific questions for them.
  • Greg: I would like to advocate strongly for DC due to the travel and early focus on the needs
• John J: the data.gov team would be willing to bring in contacts from NIST and ____
• Josh: I want a user swarm, not a vendor swarm
  • Josh: based on experience with OpenStack, cautious about having governance conversation
• Josh: Cloud Foundry Foundation can possibly provide drinks, as long as there aren’t Federal Acquisition Regulation or other issues
• Greg: suggests that we can borrow material from DevOps Days DC. Nathan from Chef/Opscode was a very helpful event organizer.
  • What are we doing as an organizing committee?
• Mossadeq: looking forward to get this integrated with a project and demonstrated to other agencies. Also mentioned that we need to tackle the FUD around keeping SSPs private. As a DC person he’d prefer the event be in DC.
• Josh: Comparison to Devops Days is helpful but many people would not be able to attend if there is a public registration (ie. meetup.com). People don’t want their name publicized.
• Bret: perhaps we can use something like Google survey that keeps certain bits anonymous.
• Organizing committee volunteers
  • Peter (in either 18F capacity or outside)
  • Greg
  • John (may be able to pitch in, but not fully committed)
  • ~~Mossadeq (busy with login.gov, may be more available post Oct)~~
  • Aidan
• Greg: I’m thinking this community needs some leveling up
  • John B: there’s some information in an 18F blog post
• Aidan: I think a hybrid single-track and unconference style would be good to make sure everyone’s on the same page: the history, the current state, the roadmap/TODOs
• Nikki: if part of the value is to be educational, the outreach should take this into consideration
  • Greg: is it important that we include particular people? E.g. auditors
• Peter: what would the duration be?
  • Josh: I had been imagining one-day, but we could hijack a meetup the night before or the day after to hack
  • Greg: should one question be one-day vs. two-day?
• High-level goals
  • We’re going for an unconference form
  • Governance is likely to be a conversation at the event but it’s not going to be established at this event, it’s an ongoing convo
  • We need to have another convo about: Are we reaching out to certain communities to make sure they are present at the event?
  • We want to avoid a vendor fest, though it will be an open invite
• Greg: do we want to do an email group? Is there anything we should do for organization before the conference?
  • Greg: we should add a note to the opencontrol site pointing to /discuss

TODOs

• [ ] Assemble and distribute a survey - @joshuamckenty
  • Location
  • Dates
  • Possibility to travel
  • background?
• [ ] look into whether 18F can host - @jbarnicle
• [ ] send a pull request to the opencontrol site pointing people to /discuss - @gregelin

We can break these TODOs out to issues on some repository at some point.

[afeld]

Some bad news the cloud.gov team found out after the meeting yesterday: money is a bit tight on our side at the moment, so we're not going to be able to cover travel for our attendees 😞 Maybe we should try and re-orient around a distributed conference?

[mogul]

...much less host. I'm investigating options for virtual unconference (ad-hoc breakout sessions, etc)

• Unhangouts looked promising, but requires attended to have a G+ profile, which is a non-starter for GSA.
• A friend recommended https://maestroconference.com/

Can anyone name other options as suited to this kind of interaction?

[gregelin]

I'm putting out some emails on possible spaces. I'm assuming our ideal space is vendor neutral. So possible ideas include:

• Another government agency like USPTO
• co-working space that could host (Eastern Foundry)
• COOP space (some of the counties/states have biz dev associations that run coop spaces)

[joshuamckenty]

Draft of the survey is up: https://www.surveymonkey.com/r/CSV29MP

Please provide feedback, as I'd like to start circulating this.

The Pivotal office in DC is in the WeWork space, which has also been used for hosting the Cloud Native Meetup and the Cloud Foundry meetups. I can see if they would be willing to donate the space, or alternatively if there's a fair-share way to let attendees contribute.

[afeld]

See my note above...most of the 18F team isn't in DC, and we wouldn't be able to travel there (i.e. the answer to survey question 2 would be "no"). Should we send the survey even if it ends up being a distributed thing?

For the survey, I'd make volunteering to help a checkbox, then make the contact info a separate optional question so we can follow up with them. Also, those dates seem a bit soon, no?

[gregelin]

@joshuamckenty the survey is excellent. Just a couple thoughts and I'm not strongly wedded to them.

• Should we add a link to the http://open-control.org?
• Would it make sense to ask people why they prefer one city over another?

[gregelin]

I'm checking out https://www.excella.com/events/arlington-tech-exchange as a potential space. Accommodates up to 100.

[gregelin]

Eastern-Foundry may be able to host in late Sep, Early Oct in their Rosslyn space at 1100 Wilson Avenue. The space has a large classroom plus a large co-working space. Would be very easy for us to use if event was on weekend. (cost is $71/hour for after hours HVAC on weekend). Bad dates for them are: September 18th, 26th, and 29th.

[gregelin]

Nice conference survey for online conference here by AutomationGuild here:

https://docs.google.com/a/civicactions.com/forms/d/e/1FAIpQLSf95PlBUnW9YaX23GVsEj1-BFuw4Ru_zjuAxU25LT3X9VibWQ/viewform

[gregelin]

Really like AutomationGuild's first survey question: "What is your single biggest automation challenge right now?"

[gregelin]

Draft description to describe event to venues:

We’re looking to host the first community event for the OpenControl community (http://open-control.org), a group of government staff and government contractors passionately pursuing Compliance-as-Code. We believe in both innovation and security and are developing tools necessary to align security assessments and authorization with modern, continuous software development and delivery.

We are currently conducting a survey to gauge audience. We currently expect attendance to range between 30 and 60 persons with a small chance of 100 persons. Attendees will be mostly DevOps-types with some security and information assurance professionals. We expect an even mix from federal agencies and contractors and vendors. Organizers include recognized names in govit and civic technologies.

The venue will be an un-conference with a couple of group plenary sessions in the morning. Wireless, power, and white boards will be important. We probably only need the plenary session area and one/two breakout room to have A/V.

The survey will give us feedback if a one-day or two-day event makes sense. We expect a one day event. Most likely during the week, but could be also be on a Saturday.

Food would be informal, like lunch boxes or pizza and snacks.

[joshuamckenty]

I don't expect interest to be limited to government, as we've seen a lot of interest from other regulated industries (financial services and healthcare). Looks good otherwise.

Sent from my iPhone

On Aug 3, 2016, at 7:41 AM, Greg Elin notifications@github.com wrote:

Draft description to describe event to venues:

We’re looking to host the first community event for the OpenControl community (http://open-control.org), a group of government staff and government contractors passionately pursuing Compliance-as-Code. We believe in both innovation and security and are developing tools necessary to align security assessments and authorization with modern, continuous software development and delivery.

We are currently conducting a survey to gauge audience. We currently expect attendance to range between 30 and 60 persons with a small chance of 100 persons. Attendees will be mostly DevOps-types with some security and information assurance professionals. We expect an even mix from federal agencies and contractors and vendors. Organizers include recognized names in govit and civic technologies.

The venu will be an un-conference with a couple of group plenary sessions in the morning. Wireless, power, and white boards will be important. We probably only need the plenary session area and one/two breakout room to have A/V.

The survey will give us feedback if a one-day or two-day event makes sense. We expect a one day event. Most likely during the week, but could be also be on a Saturday.

Food would be informal, like lunch boxes or pizza and snacks.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[gregelin]

Draft #2 description to describe event to venues:

We’re looking to host the first community event for the OpenControl community (http://open-control.org), a group of government staff, government contractors, and other compliance-heavy tech fields who passionately pursuing Compliance-as-Code. We believe in both innovation and security and are developing tools necessary to align security assessments and authorization with modern, continuous software development and delivery.

We are currently conducting a survey to gauge audience. We currently expect attendance to range between 30 and 60 persons with a small chance of 100 persons. Attendees will be mostly DevOps-types with some security and information assurance professionals. We expect an even mix from federal agencies and contractors and vendors. Organizers include recognized names in govit and civic technologies.

The venue will be an un-conference with a couple of group plenary sessions in the morning. Wireless, power, and white boards will be important. We probably only need the plenary session area and one/two breakout room to have A/V.

The survey will give us feedback if a one-day or two-day event makes sense. We expect a one day event. Most likely during the week, but could be also be on a Saturday.

Food would be informal, like lunch boxes or pizza and snacks.

[gregelin]

Shorter Email Targeting Survey participation

Subject: Survey for Compliance-as-Code Face-to-Face in Sep/Oct

Hi,

Those of who started http://Open-Control.org are passionate about the idea of Compliance-as-Code and a better, more DevOps-ish way to generate generate System Security Plans.

We want to host the the first convening and un-conference on Compliance-as-Code and get the community together discuss status and possibilities.

We thought this would interest you, so we set up poll to learn what would be the best location and place.

https://www.surveymonkey.com/r/CSV29MP

Hope to hear from you!

[gregelin]

Note to myself: Remember to mention FedRAMP. And PCI. And ICD-503. And HIPAA. And other regimes.

[joshuamckenty]

We've had over 40 responses to the survey, and the data is pretty conclusive. Shall we host another team call to plan next steps? @gregelin would you coordinate?

[gregelin]

@joshuamckenty Will organize. Thanks!

Survey results as of 8/19/2016: opencontrol-event-survey-results-mid-aug2016.pdf

Ongoing survey results: https://www.surveymonkey.com/results/SM-Z2NXMLLM/

[joshuamckenty]

Washington, DC it is, then. 19 people have volunteered to help out with the event as well.

[pburkholder]

So what's next for this -- can we move on week of Oct 3 before that window closes?

[joshuamckenty]

+1 on this.

On Aug 30, 2016, at 12:26 PM, Peter Burkholder (@pburkholder) notifications@github.com wrote:

So what's next for this -- can we move on week of Oct 3 before that window closes?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[gregelin]

@pburkholder @joshuamckenty @afeld @mogul @JJediny I've confirmed Using Eastern-Foundry's collaboration space at 1100 Wilson Blvd, Rosslyn, VA for our all day event.

I'm thinking Thursday October 6, might be best day. We could also do weekend. But if we do weekend, we will need to pay a few hundred dollars for HVAC (not a big deal).

Do we think weekday or weekend is best?

I'm also getting a couple people to help me get the organizing going. So I can schedule some meetings starting next week to organize and promote.

[JJediny]

@gregelin let me know how I can help, I'd vote for a weekday Oct 6th works for me

[joshuamckenty]

Monday is the only day that week I can make it, so selfishly I would go for that. But generally I agree that a weekday is better.

@gregelin were you going to arrange another call?

[gregelin]

@pburkholder @joshuamckenty @afeld @mogul @JJediny - I had less time to work on moving things forward last week than I expected, but myself and @mcupp93 are really ready to pick up the gauntlet this evening.

Three questions:

1. Can I get a hold of the list of volunteers @joshuamckenty mentioned?
2. Do we want to push back to later in October, or still pursue for 2 to 3 weeks from now?
3. I kind of really want @joshuamckenty to be there, you being on the web site and all. Is Monday the only day you do an all day in Oct?

[joshuamckenty]

I don’t want to post the volunteer list, but I’ll email it to you if you provide an email :) I can do any time the week of the 10th or the week of the 24th, I believe.

On Sep 14, 2016, at 2:15 PM, Greg Elin notifications@github.com wrote:

@pburkholder @joshuamckenty @afeld @mogul @JJediny - I had less time to work on moving things forward last week than I expected, but myself and @mcupp93 are really ready to big up the gauntlet this evening.

Three questions:

• Can I get a hold of the list of volunteers @joshuamckenty mentioned?

• Do we want to push back to later in October, or still pursue for 2 to 3 weeks from now?

• I kind of really want @joshuamckenty to be there, you being on the web site and all. Is Monday the only day you do an all day in Oct?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[gregelin]

Best way to reach me via email is gregelin@govready.com

Sent from my iPhone

On Sep 15, 2016, at 12:08 PM, Joshua McKenty notifications@github.com wrote:

I don’t want to post the volunteer list, but I’ll email it to you if you provide an email :) I can do any time the week of the 10th or the week of the 24th, I believe.

On Sep 14, 2016, at 2:15 PM, Greg Elin notifications@github.com wrote:

@pburkholder @joshuamckenty @afeld @mogul @JJediny - I had less time to work on moving things forward last week than I expected, but myself and @mcupp93 are really ready to big up the gauntlet this evening.

Three questions:

• Can I get a hold of the list of volunteers @joshuamckenty mentioned?

• Do we want to push back to later in October, or still pursue for 2 to 3 weeks from now?

• I kind of really want @joshuamckenty to be there, you being on the web site and all. Is Monday the only day you do an all day in Oct?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[gregelin]

Are people available for a coordinating call on Monday or Tuesday next week?

[pburkholder]

I did express interest in coordinating the on-site a few weeks ago. However, my current work with 18F is pretty far afield from masonry, so I don't think I'd be able to justify coordination work under my current remit.

[gregelin]

@joshuamckenty Reminder to please send me the volunteers? Thanks!

[gregelin]

@mogul @joshuamckenty @gregelin @afeld @chipchilders @brittag @geramirez @jcscottiii @JJediny - Can people make a planning call for the face-to-face event either Tuesday 9/20 at 3:30 or Wed 9/21 at 3:00?

[gregelin]

OpenControl Gathering Planning Meeting Tuesday, 9/20, 3:30 PM EST / 12:30 PM PST

Zoom video: https://zoom.us/j/7783218166 iPhone one-tap (US Toll): +14086380968,7783218166# or +16465588656,7783218166# Telephone: +1 408 638 0968 (US Toll) or +1 646 558 8656 (US Toll) Meeting ID: 778 321 8166

AGENDA

• Confirming date(s)
• Schedule of planning meetings
• Volunteers
• Discuss proposed theme/goals: Draft Charter, Initial Governance, & Roadmap
• Include remote participation?
• DC Venue
• Promotion

[gregelin]

The Save the Date email prepared and ready to send. Please let me know addresses that should be included. See issue #13.

[gregelin]

Initial Email to start inviting people to 10/20 Open Control Symposium

You are invited to first OpenControl Virtual Symposium!!

We are hosting a Virtual Symposium (via Zoom) to grow our OpenControl Community.

When: Oct 20, 2016 10:00 AM to 6:00 PM Eastern Time (US and Canada)

Please register to help us prepare better (you can attend without registering) https://zoom.us/meeting/register/395a70acf379371a66858a512be5123a

We are group of technologists, government staff, contractors and others in regulated fields committed to Compliance-as-Code. We are developing tools necessary to align security assessments and authorizations with modern, continuous software development and delivery.

Draft Agenda

• Morning
  • What is OpenControl?
  • Breakouts: What's needed for OpenControl adoption?
  • Open Spaces Planning
• Lunch Break
• Afternoon
  • Open spaces
  • Report outs
  • Open spaces
  • Report outs
  • Wrap up

About OpenControl - Community, data, and tools for Compliance-as-Code

Web: http://open-control.org Mailinglist: http://eepurl.com/cg0ZE1

Github: https://github.com/opencontrol Slack: https://opencontrol.slack.com Slack invite: https://opencontrol-slack-inviter.herokuapp.com Webinars: http://bit.ly/opencontrol-webinars

[joshuamckenty]

First Symposium seems to be a huge success. Closing this issue for now.