├── .gitignore ├── Dockerfile ├── LICENSE.md ├── README.md ├── VERSION ├── example └── agencyapp │ ├── README.md │ ├── certifications │ └── fisma-low-impact.yaml │ ├── components │ ├── CentOS-fake │ │ ├── CP-CONTINGENCY_PLANNING.yaml │ │ ├── SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml │ │ └── component.yaml │ ├── Cisco-Cloud-Rtr-fake │ │ ├── AU-AUDIT_AND_ACCOUNTABILITY.yaml │ │ ├── MA-MAINTENANCE.yaml │ │ ├── PL-PLANNING.yaml │ │ ├── SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml │ │ ├── SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml │ │ ├── SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml │ │ └── component.yaml │ ├── Cylance-fake │ │ ├── AC-ACCESS_CONTROL.yaml │ │ ├── MA-MAINTENANCE.yaml │ │ ├── PL-PLANNING.yaml │ │ ├── SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml │ │ ├── SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml │ │ └── component.yaml │ ├── GovReady-fake │ │ ├── CM-CONFIGURATION_MANAGEMENT.yaml │ │ ├── PS-PERSONNEL_SECURITY.yaml │ │ ├── SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml │ │ ├── SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml │ │ └── component.yaml │ ├── Jenkins-fake │ │ ├── IA-IDENTIFICATION_AND_AUTHENTICATION.yaml │ │ ├── MP-MEDIA_PROTECTION.yaml │ │ ├── SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml │ │ ├── SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml │ │ └── component.yaml │ ├── Keycloak-fake │ │ ├── AC-ACCESS_CONTROL.yaml │ │ ├── CP-CONTINGENCY_PLANNING.yaml │ │ ├── MA-MAINTENANCE.yaml │ │ ├── PM-PROGRAM_MANAGEMENT.yaml │ │ ├── SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml │ │ └── component.yaml │ ├── OpenLDAP-fake │ │ ├── AC-ACCESS_CONTROL.yaml │ │ ├── AU-AUDIT_AND_ACCOUNTABILITY.yaml │ │ ├── CM-CONFIGURATION_MANAGEMENT.yaml │ │ ├── SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml │ │ └── component.yaml │ └── SOC-Services-fake │ │ ├── AC-ACCESS_CONTROL.yaml │ │ ├── CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml │ │ ├── CP-CONTINGENCY_PLANNING.yaml │ │ ├── IR-INCIDENT_RESPONSE.yaml │ │ ├── MA-MAINTENANCE.yaml │ │ ├── SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml │ │ └── component.yaml │ ├── lint.py │ ├── 
make_oc_compliant.py │ ├── opencontrol.yaml │ ├── outputs │ ├── Example-doc.md │ └── word │ │ └── Example-word-doc.docx │ ├── standards │ ├── NIST-SP-800-53-rev4.yaml │ ├── hipaa-draft.yaml │ └── opencontrol.yaml │ └── team │ └── team.yaml ├── hypergrc ├── __init__.py ├── __main__.py ├── app_yaml.py ├── csv.py ├── opencontrol.py ├── render.py ├── routes.py ├── ssp.py └── templates │ ├── all_components.html │ ├── assessments.html │ ├── base.html │ ├── component.html │ ├── component_comparison.html │ ├── component_guide.html │ ├── component_new.html │ ├── components.html │ ├── control_combined.html │ ├── control_grid.html │ ├── control_new.html │ ├── controls.html │ ├── documents.html │ ├── evidence_list.html │ ├── govready-q_format.html │ ├── index.html │ ├── login.html │ ├── poams.html │ ├── settings.html │ ├── system_new.html │ └── team.html ├── ref ├── certifications │ ├── dfars-nist-800-171.yaml │ └── fisma-low-impact.yaml └── standards │ ├── NIST-800-171r1.yaml │ ├── NIST-SP-800-53-rev4.yaml │ ├── hipaa-control-id-list.txt │ ├── hipaa-draft.yaml │ └── opencontrol.yaml ├── repos.conf.example ├── requirements.txt ├── static ├── css │ └── base.css ├── img │ └── Rocky_Mountain_National_Park.jpg └── js │ ├── autosize.js │ └── autosize.min.js └── utils ├── lines-of-code-ac.py └── lint.py /.gitignore: -------------------------------------------------------------------------------- 1 | controls/ 2 | inputs/ 3 | outputs/\~\$* 4 | .vscode/ 5 | 6 | # Python, virtual env 7 | venv 8 | *.pyc 9 | .pyc 10 | __pycache__ 11 | 12 | # hyperGRC local files 13 | repos.conf 14 | repos.conf* 15 | 16 | # misc 17 | todo_list.txt 18 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | # Build on Docker's official CentOS 7 image. NOTE(security): CentOS 7 reached end of life on 2024-06-30 and no longer receives security updates, so the `yum update` below can no longer patch it; rebase on a supported base image (and a current Python) before any non-local use. 2 | FROM centos:7 3 | 4 | # Expose the port that hyperGRC listens on by default. 
5 | EXPOSE 8000 6 | 7 | # Put the Python source code here. 8 | WORKDIR /usr/src/app 9 | 10 | # Set up the locale. Lots of things depend on this. 11 | ENV LANG en_US.UTF-8 12 | ENV LC_ALL en_US.UTF-8 13 | ENV LANGUAGE en_US:en 14 | 15 | # Install required system packages. Python 3.6 is available in IUS. NOTE(security): the ius-release RPM is installed straight from a URL; yum on CentOS 7 does not GPG-check URL/local packages by default (localpkg_gpgcheck=0) and nothing here pins a version, so import the IUS signing key and verify the RPM's signature (or set localpkg_gpgcheck=1), and pin package versions for a reproducible, auditable build. The iuscommunity.org host may no longer be served; confirm the URL before rebuilding. 16 | RUN \ 17 | yum -y install https://centos7.iuscommunity.org/ius-release.rpm \ 18 | && yum -y update \ 19 | && yum -y install \ 20 | python36u python36u-pip \ 21 | && yum clean all && rm -rf /var/cache/yum 22 | 23 | # Copy in the Python module requirements and install them. Pin exact versions with hashes in requirements.txt and install with --require-hashes so that a replaced or compromised package on the index cannot silently enter the image. 24 | COPY requirements.txt ./ 25 | RUN pip3.6 install --no-cache-dir -r requirements.txt 26 | 27 | # Copy in remaining source code. (We put this last because these 28 | # change most frequently, so there is less to rebuild if we put 29 | # infrequently changed steps above.) 30 | COPY VERSION VERSION 31 | COPY example example 32 | COPY hypergrc hypergrc 33 | COPY static static 34 | 35 | # Create an empty repos.conf file so the program doesn't die 36 | # when run without command-line arguments. (It is created as root while WORKDIR is root-owned, so the unprivileged user below can read but not change it; repositories are expected to arrive via the /opencontrol volume named in CMD.) 37 | RUN cat > repos.conf 38 | 39 | # Create a non-root user and group for the application to run as to guard against 40 | # run-time modification of the system and application. /usr/src/app stays root-owned and read-only to the process, which is intended. Note that hyperGRC writes back to the OpenControl repository it is given, so the volume mounted at /opencontrol must be writable by this user's UID/GID — the host directory's permissions apply, and the UID allocated here is whatever useradd picks, so check ownership on the host. 41 | RUN groupadd application && \ 42 | useradd -g application -d /home/application -s /sbin/nologin -c "application process" application && \ 43 | chown -R application:application /home/application 44 | USER application 45 | 46 | # Add the source files to the PYTHONPATH. 47 | ENV PYTHONPATH="/usr/src/app:${PYTHONPATH}" 48 | 49 | # Set the startup command to launch hyperGRC and bind on all network interfaces 50 | # so that the host can connect. Since the end-user will not visit it at 0.0.0.0, 51 | # override the address that hyperGRC will recommend that the user visit so there 52 | # is no confusion. Binding to 0.0.0.0 is confined to the container's network namespace; what can actually reach it is decided by `docker run -p`, so publish it as 127.0.0.1:8000:8000 (as the README does) unless you deliberately want other hosts to reach a UI that can edit the repository. 
53 | ENTRYPOINT [ "/usr/bin/python3.6", \ 54 | "-m", "hypergrc", \ 55 | "--bind", "0.0.0.0:8000", \ 56 | "--showaddress", "http://localhost:8000" ] 57 | 58 | # Additionally set the default command-line argument. The CMD value below is 59 | # simply appended to the ENTRYPOINT command-line to form the start command. 60 | # We'll set it to "/opencontrol" so that hyperGRC looks there for an OpenControl 61 | # repository, and then it is up to the host `docker container run` command to 62 | # mount a volume at that location. 63 | # 64 | # The advantage of using CMD separately from ENTRYPOINT is that ENTRYPOINT is not 65 | # replaced by ordinary `docker run` arguments (only an explicit `--entrypoint` flag overrides it), but CMD can be overridden simply by 66 | # adding more arguments to the run command after the image name. So e.g. 67 | # `docker container run hypergrc:latest /path1 /path2` would replace the default 68 | # `/opencontrol` argument with two other container paths, if you want hyperGRC 69 | # to read other directories. 70 | CMD ["/opencontrol"] 71 | 72 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # hyperGRC 2 | 3 | hyperGRC is a lightweight, in-browser tool for managing compliance-as-code repositories in OpenControl format. 4 | 5 | The goal is a low-profile, hyper-useful IT GRC tool supporting compliance-as-code practices beginning with managing reusable OpenControl files for information technology systems and components. 6 | 7 | **hyperGRC uses a data format _mostly_ compatible with OpenControl. There are a few extensions to the OpenControl informal data specification. 
As OpenControl matures, hyperGRC will support if feasible.** 8 | 9 | ## Requirements 10 | 11 | * Python 3.5+ 12 | * A few packages listed in `requirements.txt` 13 | 14 | ## Installation and Running 15 | 16 | ### Install and run hyperGRC from source 17 | 18 | ```sh 19 | git clone https://github.com/GovReady/hyperGRC.git hypergrc 20 | cd hypergrc 21 | pip install -r requirements.txt 22 | 23 | # Start hyperGRC 24 | python -m hypergrc example/agencyapp 25 | ``` 26 | 27 | NOTES: 28 | * You may need to adjust the command for `pip` (.e.g `pip3`) depending on how Python 3 was installed on your system. 29 | * Type CTRL+C to stop 30 | 31 | ### Install and run hyperGRC with virtualenv 32 | 33 | Use virtualenv to keep the Python package dependencies for hyperGRC isolated from other Python software on your workstation. 34 | 35 | ```sh 36 | git clone https://github.com/GovReady/hyperGRC.git hypergrc 37 | cd hypergrc 38 | virtualenv venv -p python3 39 | source venv/bin/activate 40 | pip install -r requirements.txt 41 | 42 | # Activate virtualenv 43 | source venv/bin/activate 44 | 45 | # Start hyperGRC 46 | python -m hypergrc example/agencyapp 47 | ``` 48 | NOTES: 49 | * Type CTRL+C to stop 50 | * Type `deactivate` to exit virtualenv 51 | 52 | ### Install and run hyperGRC with Docker 53 | 54 | A `Dockerfile` is provided in this repository to launch hyperGRC in a Docker container. The `Dockerfile` is based on CentOS 7. 55 | 56 | ```sh 57 | git clone https://github.com/GovReady/hyperGRC.git hypergrc 58 | cd hypergrc 59 | docker image pull centos:7 60 | docker image build --tag hypergrc:latest . 
61 | 62 | # Start container with mounted volume (-v) and mapped ports (-p) in ephemeral mode (--rm) and interactive mode (-it) 63 | REPOSITORY=`pwd`/example/agencyapp 64 | docker container run -v $REPOSITORY:/opencontrol -p 127.0.0.1:8000:8000 --rm -it hypergrc:latest 65 | 66 | # visit hyperGRC at `http://127.0.0.1:8000` 67 | ``` 68 | 69 | NOTES: 70 | * Provide the container with access to an OpenControl repository on your workstation by mounting a volume using the docker `-v` option. Workstation path must be an [absolute directory](https://docs.docker.com/engine/reference/run/#volume-shared-filesystems) and container path must be `/opencontrol`. Above, we use `` `pwd` `` to help form the absolute path to the included example OpenControl files. `REPOSITORY` can be set to any absolute path on your workstation. Because hyperGRC edits the files in that directory, the container's unprivileged `application` user must have write permission on it (host ownership and permissions apply); append `:ro` to the `-v` argument if you only want to view a repository. 71 | * Map a port on your workstation to the container using the Docker `-p` option, such as `-p 127.0.0.1:8000:8000`. The `127.0.0.1:` prefix binds the published port to the loopback interface only; a bare `-p 8000:8000` publishes it on every interface of the workstation (and on Linux, published ports are typically not filtered by host firewall tools such as ufw), which exposes a UI that can modify your repository to the whole network. 72 | * Start hyperGRC in ephemeral `--rm` and interactive mode `-it` so that you can end it by typing CTRL+C. 73 | * Visit hyperGRC at `http://127.0.0.1:8000`. 74 | 75 | ## Command-line options 76 | 77 | ### OpenControl repository paths 78 | 79 | hyperGRC accepts several command-line arguments. You've already seen one: the local path to the OpenControl repository. You may specify one or more paths to OpenControl repositories to open them all up within hyperGRC. 80 | 81 | ```sh 82 | python -m hypergrc example/agencyapp path/to/project2 ... 83 | ``` 84 | 85 | If you do not specify any paths on the command line, hyperGRC reads a list of paths to repositories from a file named `repos.conf`, e.g.: 86 | 87 | ```text 88 | repos.conf 89 | --------------- 90 | example/agencyapp 91 | path/to/project2 92 | ``` 93 | 94 | Create this file if it does not exist and you would like to start hyperGRC without any command-line options. An example of such a file is in [repos.conf.example](repos.conf.example). 
95 | 96 | Start as: 97 | 98 | ```bash 99 | python -m hypergrc 100 | ``` 101 | 102 | You may also specify files containing lists of paths to repositories on the command-line by preceding the listing file with an `@`-sign. The command above is equivalent to: 103 | 104 | ```bash 105 | python -m hypergrc @repos.conf 106 | ``` 107 | 108 | ### Other options 109 | 110 | To bind to a host and port other than the default `localhost:8000`, use `--bind host:port`, e.g.: 111 | 112 | ```bash 113 | python -m hypergrc --bind 0.0.0.0:80 114 | ``` 115 | Binding to `0.0.0.0` exposes hyperGRC on every network interface of the host. hyperGRC reads and writes the repository files you give it, and this README documents no authentication, so keep the default `localhost` bind unless the host is firewalled or a reverse proxy that enforces authentication and TLS sits in front of it. Ports below 1024, such as 80, also require elevated privileges on most systems; prefer an unprivileged port rather than running hyperGRC as root. 116 | ## Understanding the compliance-as-code data files 117 | 118 | OpenControl defines a readable, structured standard for representing component-to-control mappings. hyperGRC reads and writes OpenControl data YAML files, including: 119 | 120 | * A system `opencontrol.yaml` file which contains metadata about the information technology system and lists the system's components and compliance standards in use. 121 | * One or more `component.yaml` files which describe components of the information technology system. Each component has a name and other metadata and a list of control implementations (i.e. control narrative texts). 122 | * Zero or more `opencontrol.yaml` files for standards, i.e. lists of compliance controls such as NIST SP 800-53, NIST SP 800-53 Appendix J Privacy Controls, HIPAA, and so on. 123 | 124 | A typical OpenControl repository contains files in the following directory layout: 125 | 126 | ``` 127 | ├── opencontrol.yaml 128 | ├── standards 129 | │ ├── opencontrol.yaml 130 | │ ├── NIST-SP-800-53-r4.yaml 131 | │ └── HIPAA.yaml 132 | └── components 133 |   ├── Component 1 134 |   │   └── component.yaml 135 |    └── Component 2 136 |     └── component.yaml 137 | ``` 138 | 139 | Although not currently conformant with the OpenControl standard, hyperGRC also allows components to be broken out into multiple files: 140 | 141 | ``` 142 | ... 
143 | └── components 144 |   ├── Component 1 145 | │   ├── component.yaml 146 |   │   ├── AC-ACCESS_CONTROL.yaml 147 |   │   ├── SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml 148 |   │   ... 149 |    └── Component 2 150 |     ├── component.yaml 151 | ... 152 | ``` 153 | 154 | For more details, see the files in example/agencyapp. 155 | 156 | ## Generating system security plans 157 | 158 | ### From the command line 159 | 160 | hyperGRC includes a command-line tool to generate a partial system security plan in Markdown format. The tool concatenates all of the control narratives in an OpenControl system repository, adding headings and control descriptions. 161 | 162 | For example, to generate a system security plan for the example application stored in this repository, run: 163 | 164 | python3 -m hypergrc.ssp -d example/agencyapp 165 | 166 | The system security plan is printed to the console. It will look like: 167 | 168 | ```md 169 | # Agency App Example System System Security Plan 170 | 171 | # NIST SP 800-53 Revision 4 172 | 173 | ## SI: System and Information Integrity 174 | 175 | ### SI-3: Malicious Code Protection 176 | 177 | > The organization: 178 | > a. Employs malicious code protection mechanisms at information system entry 179 | > and exit points to detect and eradicate malicious code; 180 | > b. Updates... 181 | 182 | ##### OpenLDAP 183 | 184 | Destruction configuration for developer access to organization-defined... 185 | ``` 186 | 187 | You will probably want to redirect the output to a file, e.g.: 188 | 189 | python3 -m hypergrc.ssp -d example/agencyapp > ssp.md 190 | 191 | If you have [pandoc](https://pandoc.org/) installed, you could then convert the SSP into HTML or a Microsoft Word document: 192 | 193 | ```sh 194 | pandoc -t html < ssp.md > ssp.html 195 | pandoc -t docx ssp.md -o ssp.docx 196 | ``` 197 | 198 | The `-d` option instructs the SSP generator to include control descriptions. You may also add `--family XX` (e.g. 
`--family CP`) to output only controls for the given control family. 199 | 200 | ## Customizing project appearance 201 | 202 | The appearance of each project can be customized by adding a css file called `_extensions/hypergrc/static/css/repo.css` to the project's repository and referencing the path to the `_extensions/hypergrc` directory in the `opencontrol.yaml` file like so: 203 | 204 | ``` 205 | # ... 206 | standards: 207 | - ./standards/NIST-SP-800-53-r4.yaml 208 | - ./standards/NIST-SP-800-53-r4-privacy.yaml 209 | certifications: 210 | - ./certifications/fisma-low-impact.yaml 211 | _extensions: 212 | - ./_extensions/hypergrc 213 | ``` 214 | 215 | hyperGRC includes `_extensions/hypergrc/static/css/repo.css` as the last css file loaded in the base template when the custom extension is specified in the `opencontrol.yaml` manifest and the file `repo.css` exists. 216 | Security note: because `repo.css` is loaded from the repository itself, anyone who can commit to that repository controls stylesheet content delivered to every hyperGRC user who opens it, including remote `url(...)` fetches that reveal the viewer's activity to the image host. Only open repositories you trust, and review changes under `_extensions/` as you would review code. 217 | ### Example project `repo.css` files 218 | 219 | Customize a project with a background color: 220 | 221 | ``` 222 | /* Custom project styles */ 223 | 224 | body { 225 | background-color: rgb(247, 247, 247); 226 | } 227 | ``` 228 | 229 | Customize a project with a background image. Only URL-loaded images are currently supported. Please respect creators' copyrights and only use properly-licensed images. 230 | 231 | ``` 232 | /* Custom project styles */ 233 | 234 | body { 235 | /*background-color: rgb(247, 247, 247);*/ 236 | background: url("https://upload.wikimedia.org/wikipedia/commons/f/f7/Rocky_Mountain_National_Park.jpg") no-repeat center center fixed; 237 | -webkit-background-size: cover; 238 | -moz-background-size: cover; 239 | -o-background-size: cover; 240 | background-size: cover; 241 | } 242 | ``` 243 | 244 | ## Development 245 | 246 | Development is easier if hyperGRC is run in a way that it restarts when any source code changes occur, so that you can see your changes immediately. `nodemon` from the Node package manager is a handy tool to do that. 
[Install Node](https://nodejs.org/en/download/) [Mac OS X users first [read this](https://gist.github.com/DanHerbert/9520689)] and then run: 247 | 248 | ```sh 249 | npm install -g nodemon 250 | nodemon -e py -x python3 -m hypergrc 251 | ``` 252 | 253 | ## Licensing 254 | 255 | hyperGRC is copyrighted 2018 by GovReady PBC and available under the open source license indicated in [LICENSE.md](LICENSE.md). 256 | 257 | -------------------------------------------------------------------------------- /VERSION: -------------------------------------------------------------------------------- 1 | v0.5.2+dev 2 | -------------------------------------------------------------------------------- /example/agencyapp/README.md: -------------------------------------------------------------------------------- 1 | Machine readable representation of NIST SP 800-53 control implementations for Agency App. 2 | 3 | # Notes 4 | 5 | -------------------------------------------------------------------------------- /example/agencyapp/certifications/fisma-low-impact.yaml: -------------------------------------------------------------------------------- 1 | # Based off Table D-2: SECURITY CONTROL BASELINES 2 | # in NIST 800-53 3 | # Current as of June 2018 4 | # 5 | # Found on Page D-2 of NIST 800-53 rev 4: 6 | # https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf 7 | # NOTE: Table D-2 writes e.g. "IA-2 (1) (12)" to mean the base control IA-2 plus its enhancements (1) and (12). The base controls IA-2, IA-5, IA-8 and SA-4 are not listed separately below; confirm against the table and add them before using this baseline for a real gap analysis. 8 | name: FISMA Low Impact 9 | standards: 10 | 11 | NIST SP 800-53 Revision 4: 12 | AC-1: {} 13 | AC-2: {} 14 | AC-3: {} 15 | AC-7: {} 16 | AC-8: {} 17 | AC-14: {} 18 | AC-17: {} 19 | AC-18: {} 20 | AC-19: {} 21 | AC-20: {} 22 | AC-22: {} 23 | AT-1: {} 24 | AT-2: {} 25 | AT-3: {} 26 | AT-4: {} 27 | AU-1: {} 28 | AU-2: {} 29 | AU-3: {} 30 | AU-4: {} 31 | AU-5: {} 32 | AU-6: {} 33 | AU-8: {} 34 | AU-9: {} 35 | AU-11: {} 36 | AU-12: {} 37 | CA-1: {} 38 | CA-2: {} 39 | CA-3: {} 40 | CA-5: {} 41 | CA-6: {} 42 | CA-7: {} 43 | CA-9: {} 44 | CM-1: {} 45 | CM-2: {} 46 | CM-4: {} 47 | CM-6: {} 48 | CM-7: {} 49 | 
CM-8: {} 50 | CM-10: {} 51 | CM-11: {} 52 | CP-1: {} 53 | CP-2: {} 54 | CP-3: {} 55 | CP-4: {} 56 | CP-9: {} 57 | CP-10: {} 58 | IA-1: {} 59 | IA-2 (1): {} 60 | IA-2 (12): {} 61 | IA-4: {} 62 | IA-5 (1): {} 63 | IA-5 (11): {} 64 | IA-6: {} 65 | IA-7: {} 66 | IA-8 (1): {} 67 | IA-8 (2): {} 68 | IA-8 (3): {} 69 | IA-8 (4): {} 70 | IR-1: {} 71 | IR-2: {} 72 | IR-4: {} 73 | IR-5: {} 74 | IR-6: {} 75 | IR-7: {} 76 | IR-8: {} 77 | MA-1: {} 78 | MA-2: {} 79 | MA-4: {} 80 | MA-5: {} 81 | MP-1: {} 82 | MP-2: {} 83 | MP-6: {} 84 | MP-7: {} 85 | PE-1: {} 86 | PE-2: {} 87 | PE-3: {} 88 | PE-6: {} 89 | PE-8: {} 90 | PE-12: {} 91 | PE-13: {} 92 | PE-14: {} 93 | PE-15: {} 94 | PE-16: {} 95 | PL-1: {} 96 | PL-2: {} 97 | PL-4: {} 98 | PS-1: {} 99 | PS-2: {} 100 | PS-3: {} 101 | PS-4: {} 102 | PS-5: {} 103 | PS-6: {} 104 | PS-7: {} 105 | PS-8: {} 106 | RA-1: {} 107 | RA-2: {} 108 | RA-3: {} 109 | RA-5: {} 110 | SA-1: {} 111 | SA-2: {} 112 | SA-3: {} 113 | SA-4 (10): {} 114 | SA-5: {} 115 | SA-9: {} 116 | SC-1: {} 117 | SC-5: {} 118 | SC-7: {} 119 | SC-12: {} 120 | SC-13: {} 121 | SC-15: {} 122 | SC-20: {} 123 | SC-21: {} 124 | SC-22: {} 125 | SC-39: {} 126 | SI-1: {} 127 | SI-2: {} 128 | SI-3: {} 129 | SI-4: {} 130 | SI-5: {} 131 | SI-12: {} 132 | -------------------------------------------------------------------------------- /example/agencyapp/components/CentOS-fake/CP-CONTINGENCY_PLANNING.yaml: -------------------------------------------------------------------------------- 1 | name: CentOS-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: CP-7 (5) 6 | control_name: Equivalent Information Security Safeguards 7 | family: CP 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Hybrid 11 | implementation_status: Planned 12 | narrative: 13 | - text: Withdrawn assessment the enables the by of cabling. Across into of organization 14 | 2 business processes. 
15 | -------------------------------------------------------------------------------- /example/agencyapp/components/CentOS-fake/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml: -------------------------------------------------------------------------------- 1 | name: CentOS-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: SC-7 (21) 6 | control_name: Isolation Of Information System Components 7 | family: SC 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Other 11 | implementation_status: Inherited 12 | narrative: 13 | - text: Or approved exception specification controls pii. 14 | -------------------------------------------------------------------------------- /example/agencyapp/components/CentOS-fake/component.yaml: -------------------------------------------------------------------------------- 1 | name: CentOS-fake 2 | schema_version: 3.0.0 3 | satisfies: 4 | - CP-CONTINGENCY_PLANNING.yaml 5 | - SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml 6 | -------------------------------------------------------------------------------- /example/agencyapp/components/Cisco-Cloud-Rtr-fake/AU-AUDIT_AND_ACCOUNTABILITY.yaml: -------------------------------------------------------------------------------- 1 | name: Cisco-Cloud-Rtr-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: AU-7 6 | control_name: Audit Reduction And Report Generation 7 | family: AU 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Hybrid 11 | implementation_status: Planned 12 | narrative: 13 | - text: Component organizational analysis information communicates assignment a. 14 | Default information assessments system the. All flow incidents the. Information 15 | contingency the the the transfer. Clearances insider mobile a enable. Frequency 16 | assignment to c reduce process. 
Top-Level a organization-defined the attributes 17 | organization-defined of a. The sharing/collaboration and assessment personnel 18 | system. Security and to with reported of or. System selection storage unsuccessful. 19 | Sc-4 verification to. Prohibits updates to and. Implements 1 certificate assignment. 20 | Requirements e and. Assignment certificates of develops individuals the system. 21 | Plan roles information includes updates system a. Assignment control and b to 22 | explicitly. Tool system organization-defined the employs. Information access 23 | guidance issues using assignment. 24 | -------------------------------------------------------------------------------- /example/agencyapp/components/Cisco-Cloud-Rtr-fake/MA-MAINTENANCE.yaml: -------------------------------------------------------------------------------- 1 | name: Cisco-Cloud-Rtr-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: MA-4 (2) 6 | control_name: Document Nonlocal Maintenance 7 | family: MA 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Hybrid 11 | implementation_status: Inherited 12 | narrative: 13 | - text: Telecommunications the on-demand the of. The h credentials access updates 14 | facility. Disposal information for on covert and for facilitate. Privileged 15 | the coupling 3)(c 1)(e 4. And frequency 4)(b)(2 privileges the 5)(a. The managed 16 | organization organization system. Capability employs code the. And within organization 17 | and security the. Functions deficiencies makes information the information. 18 | System the from unauthorized a information. Missions authorizations organization 19 | the organization reviews the. 
20 | -------------------------------------------------------------------------------- /example/agencyapp/components/Cisco-Cloud-Rtr-fake/PL-PLANNING.yaml: -------------------------------------------------------------------------------- 1 | name: Cisco-Cloud-Rtr-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: PL-8 (1) 6 | control_name: Defense-In-Depth 7 | family: PL 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Other 11 | implementation_status: In Place 12 | narrative: 13 | - text: Needs the cycle. Monitors inspects and. Internal and from system time filling 14 | access organization-defined. Or physical to be. Flows flow in information are 15 | components policy system. Planning notification to by. And service system failed. 16 | Acceptance the coordination provides and its. Implementation the the access 17 | the. The allocates maintenance tasks the security assignment. Subjects software 18 | to. And configurations sanitized a. Organization-Defined that control management 19 | implements. Installed organization-defined addresses logs. Identifies system-wide 20 | ensures service roles. Or exceptions or piv-i organization. D information system 21 | includes and date. And internet unusual assignment. Reliability authorization 22 | organization a assets. Audit organization a the repositories of environmental. 23 | The the procedures that facilities information are. Considerations the criteria 24 | decisions hazards the. 
25 | -------------------------------------------------------------------------------- /example/agencyapp/components/Cisco-Cloud-Rtr-fake/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml: -------------------------------------------------------------------------------- 1 | name: Cisco-Cloud-Rtr-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: SA-15 (4) 6 | control_name: Threat Modeling / Vulnerability Analysis 7 | family: SA 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Hybrid 11 | implementation_status: Partially In Place 12 | narrative: 13 | - text: The associated storage enforces security and the. The systems approved reviews 14 | personnel security organization. B for using scheduled. Categories frequency 15 | the or 1)(a information information information. The organization-defined of 16 | mail information enhance personnel maintenance. Or information and. Organization 17 | policies tests assignment. In for have processing users. Information common 18 | to assignment 4)(a requires organization-defined. The and system information 19 | the in off-loads standards. And monitoring the by. Eliminate and organization-defined 20 | or. Controls controls assignment be of remotely more. With service purging/wiping 21 | that. Organization the employs to mobile authorized. Mechanisms entering an 22 | testing roles in. Systems firmware multifactor the accordance. Access environments 23 | implements technology incidents system organization-defined. Read-Only organization-defined 24 | information automated strategy interfaces. Takes system approved with have. 25 | Be in transfer the. And the when the organization. Facility function security 26 | threats. And overlays mechanisms provides integrity. 
27 | -------------------------------------------------------------------------------- /example/agencyapp/components/Cisco-Cloud-Rtr-fake/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml: -------------------------------------------------------------------------------- 1 | name: Cisco-Cloud-Rtr-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: SC-5 (1) 6 | control_name: Restrict Internal Users 7 | family: SC 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Hybrid 11 | implementation_status: Partially In Place 12 | narrative: 13 | - text: Of certificates authorization the changes implemented. Process reviews assignment 14 | receipt policies the. Or implementation process the orders. Available of system 15 | the information. 16 | -------------------------------------------------------------------------------- /example/agencyapp/components/Cisco-Cloud-Rtr-fake/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml: -------------------------------------------------------------------------------- 1 | name: Cisco-Cloud-Rtr-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: SI-4 (9) 6 | control_name: Testing Of Monitoring Tools 7 | family: SI 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Other 11 | implementation_status: Inherited 12 | narrative: 13 | - text: Power to multiple information have. Assignment integrity and are duration 14 | third-party. Team authentication responds from organization security. Tests 15 | including information that among. The records types. Installation accounts location 16 | organization detail a system. Read organization organizational. Training operations 17 | to the software for the an. Security an of after reviews. Security the organization-defined 18 | organization-wide random via the. Out-Of-Band initiates system that monitoring 19 | the. 
Service up-to-date and the system a changes. Organization on organization-defined 20 | mobile assessment without take storage. Functions/Mechanisms the of a. Sources 21 | f is information recorded plan. Sanitization assurance planned by special detect 22 | that. 23 | -------------------------------------------------------------------------------- /example/agencyapp/components/Cisco-Cloud-Rtr-fake/component.yaml: -------------------------------------------------------------------------------- 1 | name: Cisco-Cloud-Rtr-fake 2 | schema_version: 3.0.0 3 | satisfies: 4 | - AU-AUDIT_AND_ACCOUNTABILITY.yaml 5 | - MA-MAINTENANCE.yaml 6 | - PL-PLANNING.yaml 7 | - SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml 8 | - SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml 9 | - SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml 10 | -------------------------------------------------------------------------------- /example/agencyapp/components/Cylance-fake/AC-ACCESS_CONTROL.yaml: -------------------------------------------------------------------------------- 1 | name: Cylance-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: AC-18 (5) 6 | control_name: Antennas / Transmission Power Levels 7 | family: AC 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Hybrid 11 | implementation_status: Partially In Place 12 | narrative: 13 | - text: Limits i.e employ presence regard and. To the and the a assignment. Facility 14 | security external contingency the requirements. Mutual authentication of by 15 | improvement used. Have the g actions organization pe-3. Providers information 16 | assignment frequency controls of organization. Organization authorization safe 17 | frequency. System the information compliance the. System boot to. Integrity 18 | applications or penetration a. Access ensuring the. And users to a occur. Organization-Defined 19 | configuration/connection system assignment implements and. 
The organization-defined 20 | or formal information ensures tool the. Integrated the system that information 21 | and. System into reference ac-14. Techniques eliminate feasible of plan access 22 | to. To from engineering does sharing system assignment. Access analysis are 23 | remote system virtualization. Associated the procedures results to the architecture 24 | e.g. System data a full. A training inputs. Employs and the associated and. 25 | -------------------------------------------------------------------------------- /example/agencyapp/components/Cylance-fake/MA-MAINTENANCE.yaml: -------------------------------------------------------------------------------- 1 | name: Cylance-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: MA-3 (4) 6 | control_name: Restricted Tool Use 7 | family: MA 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Hybrid 11 | implementation_status: Planned 12 | narrative: 13 | - text: Tool provision purpose use into to 4)(a. 14 | -------------------------------------------------------------------------------- /example/agencyapp/components/Cylance-fake/PL-PLANNING.yaml: -------------------------------------------------------------------------------- 1 | name: Cylance-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: PL-4 6 | control_name: Rules Of Behavior 7 | family: PL 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Other 11 | implementation_status: Inherited 12 | narrative: 13 | - text: Posting and with verify organization develops. Of the information organization-defined 14 | roles standards command. Techniques to the information for to the. And audit 15 | a information. Notify on within disseminates available. 
16 | -------------------------------------------------------------------------------- /example/agencyapp/components/Cylance-fake/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml: -------------------------------------------------------------------------------- 1 | name: Cylance-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: SA-4 (7) 6 | control_name: Niap-Approved Protection Profiles 7 | family: SA 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Hybrid 11 | implementation_status: Planned 12 | narrative: 13 | - text: The facilitate organization components accessible impacts the. The functions 14 | on number system. Subjects procedures a to that scheduled having. That boundary 15 | external of to. B system protects b. Information functions to alerts with. A 16 | to service. Reviews or verifies information the organization-defined. Other 17 | security the process timing b 4)(b. Assigned content allows assignment organization-defined 18 | and the prohibits. To approved c generates or. 19 | -------------------------------------------------------------------------------- /example/agencyapp/components/Cylance-fake/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml: -------------------------------------------------------------------------------- 1 | name: Cylance-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: SI-3 (6) 6 | control_name: Testing / Verification 7 | family: SI 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Hybrid 11 | implementation_status: Partially In Place 12 | narrative: 13 | - text: To equipment a information purposes. 
14 | -------------------------------------------------------------------------------- /example/agencyapp/components/Cylance-fake/component.yaml: -------------------------------------------------------------------------------- 1 | name: Cylance-fake 2 | schema_version: 3.0.0 3 | satisfies: 4 | - AC-ACCESS_CONTROL.yaml 5 | - MA-MAINTENANCE.yaml 6 | - PL-PLANNING.yaml 7 | - SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml 8 | - SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml 9 | -------------------------------------------------------------------------------- /example/agencyapp/components/GovReady-fake/CM-CONFIGURATION_MANAGEMENT.yaml: -------------------------------------------------------------------------------- 1 | name: GovReady-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: CM-1 6 | control_name: Configuration Management Policy And Procedures 7 | family: CM 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: 10 | - verification_key: amcs-01 11 | security_control_type: Other 12 | implementation_status: Inherited 13 | narrative: 14 | - text: Organization-Defined 4)(b 1)(a primary and system have for. Policy measurement 15 | organization-defined of. Sessions to consistent and coordinates. Facility components 16 | and program and sufficient. Requires information or system organization routes 17 | the. Security activities processes provides system types configuration. Organization 18 | service be system remote. Role-Based simultaneously system within. To of mandates 19 | within. Of policy organization-defined information are the. Of authorized and 20 | the recorded continuity the that. Code of is associated information are analyzes. 21 | The of policies organization-defined into security the. Integral results for 22 | for. Systems organization-defined official adequate compartments. Only information 23 | on the security collected individual by. Or that controlled and systems including 24 | the. In to plan assignment. 
Organization of evidence and organization-defined 25 | information. Information data/information the the to 8. Implementing tools system 26 | authorization objects output. Of the organization-defined to notifies to employs. 27 | Interfaces development types. Information agent implements organization-defined 28 | notifies. 29 | summary: ~ 30 | -------------------------------------------------------------------------------- /example/agencyapp/components/GovReady-fake/PS-PERSONNEL_SECURITY.yaml: -------------------------------------------------------------------------------- 1 | name: GovReady-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: PS-7 6 | control_name: Third-Party Personnel Security 7 | family: PS 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Other 11 | implementation_status: In Place 12 | narrative: 13 | - text: Disaster password the over approves into the. Cryptographic a b resulting 14 | provides connection process. Response selection and been physical. A be object 15 | detect. Value coordination organization those communications the the activated. 16 | Provider reputation and roles. Components is employs identifying to employs 17 | security. Can the corrective to. The the in for. To system via system establishes 18 | organization-defined. Time the terms information. For e that. Criticality implementation 19 | during firmware. Information the level uses authorizations event incident. Identity 20 | examines system the the configuration/connection information. Maintain centrally 21 | privacy. Reject or organizational organization-defined security. Code inactive 22 | a design. 
23 | summary: ~ 24 | -------------------------------------------------------------------------------- /example/agencyapp/components/GovReady-fake/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml: -------------------------------------------------------------------------------- 1 | name: GovReady-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: SA-5 (1) 6 | control_name: Functional Properties Of Security Controls 7 | family: SA 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Hybrid 11 | implementation_status: In Place 12 | narrative: 13 | - text: Establishes organization external transitional the are identifies. Initiating 14 | the that information an processes. Systems potential organization security. 15 | With the logs are system assessments. Components sc-7 descriptions resulting 16 | information use the required. Contingency in 1)(a assignment. Code telecommunication 17 | personnel unauthorized senior-level policy the. Organization-Defined 1 networking 18 | to of formats. Startup indicators automatically breadth facility. Develops the 19 | and faults. Selection assignment of assignment to resolution. Information that 20 | for capability with individuals or. Or appropriate organization-defined to and 21 | security. And entities system associated change. Or organization-defined date 22 | organization-defined strategy information reflected. Conventions and humidity 23 | assignment transmit review system. For authenticates of ability. Requiring to 24 | the an documentation potential. Organization-Defined selection components organization 25 | top-level the within. Inactivity actual of private or. Planning the controls 26 | and. Or overwrite occurrence si-4 continuous system organization. 
27 | -------------------------------------------------------------------------------- /example/agencyapp/components/GovReady-fake/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml: -------------------------------------------------------------------------------- 1 | name: GovReady-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: SI-4 (20) 6 | control_name: Privileged Users 7 | family: SI 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Hybrid 11 | implementation_status: Inherited 12 | narrative: 13 | - text: Transferred sc-13 requiring controls process redundancy actions. On system 14 | validation enforce. The organization-defined alerts system policies authentication 15 | accurate. Trustworthiness is change information auditable where sanction. Exception 16 | services to a. Analysis provides information support the developer. Information 17 | operating category. Multiple policies realistic timely. Monitoring foreign advisories 18 | organization system. Switches use basis b the. That terminated by software limits 19 | incidents. 3)(B)(2 system service organization-defined. Information the or withdrawn 20 | suspicious component and assignment. Access automatically automated a. Fire 21 | personnel have and control decisions. And and support assignment the. Information 22 | the the child 4)(b e.g. Management operations sites ra-3 known. Into attack 23 | system or the not. And service information 1)(f model description all. The organization 24 | an organization-defined. Manner organizational access to equipment. System activation 25 | mechanisms selection to. Reviews ensure employs development assignment for. 26 | Credentials failure protects or organization 2 information. Part individuals 27 | identifies. Perspective or controls characteristics/parameters. Providers need 28 | among organization employs capability a a. 
29 | -------------------------------------------------------------------------------- /example/agencyapp/components/GovReady-fake/component.yaml: -------------------------------------------------------------------------------- 1 | name: GovReady-fake 2 | schema_version: 3.0.0 3 | satisfies: 4 | - CM-CONFIGURATION_MANAGEMENT.yaml 5 | - PS-PERSONNEL_SECURITY.yaml 6 | - SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml 7 | - SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml 8 | verifications: 9 | - key: amcs-01 10 | name: Acquia Managed Cloud snapshots documentation snapshot 11 | path: evidence/screenshots/amcs-01.png 12 | type: image 13 | link: https://docs.acquia.com/acquia-cloud/arch/security/availability/backups/#automatic-snapshots-for-disaster-recovery 14 | - key: amcs-01 15 | name: Acquia Managed Cloud snapshots admin screen screenshot 16 | path: evidence/screenshots/amcs-01b.png 17 | type: image 18 | link: https://docs.acquia.com/acquia-cloud/arch/security/availability/backups/#automatic-snapshots-for-disaster-recovery 19 | - key: gsvcr-01 20 | name: DNFSB.gov git repository screenshot 21 | path: evidence/screenshots/gsvcr-01.png 22 | type: image 23 | link: https://git.civicactions.com/dnfsb/ssp-csv-to-yaml 24 | -------------------------------------------------------------------------------- /example/agencyapp/components/Jenkins-fake/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml: -------------------------------------------------------------------------------- 1 | name: Jenkins-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: IA-3 6 | control_name: Device Identification And Authentication 7 | family: IA 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Hybrid 11 | implementation_status: Inherited 12 | narrative: 13 | - text: The the identified fails organization. Roles where software and selected 14 | selection provides. Service information to reviews damage. 
Receiving acceptable 15 | marks capability organization-defined. The system or information includes. The 16 | of reviews that explicit system capability. 3 using assignment time transfer. 17 | To information activities organization privileged disclosure across. 18 | -------------------------------------------------------------------------------- /example/agencyapp/components/Jenkins-fake/MP-MEDIA_PROTECTION.yaml: -------------------------------------------------------------------------------- 1 | name: Jenkins-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: MP-4 (1) 6 | control_name: Cryptographic Protection 7 | family: MP 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Other 11 | implementation_status: Planned 12 | narrative: 13 | - text: And formal to. Jointly sanitized for identified for at suppression. System 14 | enforces information organization. Revocations entry/exit by to websites. Information 15 | assignment and. Disseminates to dynamic the information. 16 | -------------------------------------------------------------------------------- /example/agencyapp/components/Jenkins-fake/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml: -------------------------------------------------------------------------------- 1 | name: Jenkins-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: SA-17 (6) 6 | control_name: Structure For Testing 7 | family: SA 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Hybrid 11 | implementation_status: Partially In Place 12 | narrative: 13 | - text: In procedures authentication received elements of. About using system prohibit. 14 | The plan as assignment. Mobile threats policy into and. Assignment selection 15 | to to collection product. Information changes the organizational. Or and to 16 | access information. 
Information period located to information intrusion-monitoring. 17 | Supplemental management disaster 1 users. By operational the object. The implements 18 | and retains alternate. And additional components components flow where. Privileged 19 | describe incorporated the organization scans system. Assessment receives the 20 | system component. Organization-Defined information policies organization points 21 | activities. The identifier read security control devices. Authorizations the 22 | includes information control additional. Organization-Defined system d implement. 23 | Enforced of requires collect handling information to. Organization-Defined and 24 | purpose system support. The when operational for authorized identifying monitoring. 25 | -------------------------------------------------------------------------------- /example/agencyapp/components/Jenkins-fake/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml: -------------------------------------------------------------------------------- 1 | name: Jenkins-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: SC-42 (3) 6 | control_name: Prohibit Use Of Devices 7 | family: SC 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Other 11 | implementation_status: Planned 12 | narrative: 13 | - text: Organization selection exception information. Scanning maintain process 14 | the. Protection organization of risk. Assignment officials information implemented 15 | information system only. In functions logout notification. Telecommunications 16 | and time roles suppression. Be facilitate access procedures. Malice end switches 17 | report roles. Are qualified susceptibility information and assignment due by. 18 | Traffic personal the. The harmful system organization-defined received security 19 | organizational. Sc-13 the the controls. System protect a assignment time by 20 | management. 
Assignment separate assignment the as organization keys access. 21 | Of established to of establishment organization 1. In the and. Assignment or 22 | for 2)(a of develops associated organization. Anomalies and incident or. 23 | -------------------------------------------------------------------------------- /example/agencyapp/components/Jenkins-fake/component.yaml: -------------------------------------------------------------------------------- 1 | name: Jenkins-fake 2 | schema_version: 3.0.0 3 | satisfies: 4 | - IA-IDENTIFICATION_AND_AUTHENTICATION.yaml 5 | - MP-MEDIA_PROTECTION.yaml 6 | - SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml 7 | - SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml 8 | -------------------------------------------------------------------------------- /example/agencyapp/components/Keycloak-fake/AC-ACCESS_CONTROL.yaml: -------------------------------------------------------------------------------- 1 | name: Keycloak-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: AC-22 6 | control_name: Publicly Accessible Content 7 | family: AC 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Other 11 | implementation_status: Inherited 12 | narrative: 13 | - text: Users by issues and 1)(b security 3)(c the. That information of of organization 14 | controlling. A monitoring incorporated changed revoking. Information the a for. 15 | Information roles 1)(c develops. And requirements systems site service with 16 | of c. Assignment deficiencies assume. Authorizations organization-defined systems 17 | organization-defined implementing specifies. Access organization-defined off 18 | team security into. 5)(B audit recorded all and sessions organization-defined. 19 | Identifies requiring appoints reviews that role-based. Procedures consideration 20 | indicating service. Organization a system for to authorizations. Agent and a 21 | upon oversight roles additional. 
Missions attempts organization-defined b 13)(c 22 | security. Systems attributes security other or information roles. Support organizational 23 | are. Official development purpose and. The access which. Implementation organization 24 | enforces. Roles protection types organization-defined of. Service information 25 | the privileges behalf types. System other provides system to. 26 | -------------------------------------------------------------------------------- /example/agencyapp/components/Keycloak-fake/CP-CONTINGENCY_PLANNING.yaml: -------------------------------------------------------------------------------- 1 | name: Keycloak-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: CP-9 (5) 6 | control_name: Transfer To Alternate Storage Site 7 | family: CP 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Other 11 | implementation_status: In Place 12 | narrative: 13 | - text: The 2 individuals the types organization-defined organization-defined time. 14 | Selection assignment requirements reviews the. Organization continue organization 15 | group. For the formerly organization protection and individuals. Defined use 16 | recovery information system frequency. And/Or consistent trust mp-7. Have b 17 | organization-defined vulnerabilities negatives of. Uses include roles users 18 | includes of. And secure connection organization the the safeguards assignment. 19 | Which to partitions user. Meet tolerance system and components. The assignment 20 | time. Integrity layers to. Developer system the component. Withdrawn provides 21 | explicit continue requirements. Automatically of to higher access provides. 22 | Supporting the protects or organization-defined of information. Organization 23 | telecommunications team part at on of. Manage or notification processes. Frequency 24 | information assignment. Security e subnetworks commercial minimize cross-organization 25 | system. 
Functions determines the operational selection the employs. Change assignment 26 | and identifies implement approved. System security information selection enforce 27 | to user. 28 | summary: ~ 29 | -------------------------------------------------------------------------------- /example/agencyapp/components/Keycloak-fake/MA-MAINTENANCE.yaml: -------------------------------------------------------------------------------- 1 | name: Keycloak-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: MA-6 (1) 6 | control_name: Preventive Maintenance 7 | family: MA 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Other 11 | implementation_status: In Place 12 | narrative: 13 | - text: The 1 centrally authorizes the uniquely system of. With information system 14 | assignment unauthorized ensures of. System system procedures facilities rate 15 | to and. To upon confidentiality operational of post-employment release. Plan 16 | organization-defined that that. And control number number the source. When information 17 | organizational implementing to and the security. And security properties assignment 18 | accounts assignment assignment within. Corresponding process authorizes attacks 19 | information of and. The describes associated 4)(c. The federal process and. 20 | Modification no cryptographic information. Subset cyber-physical emergency within 21 | organization prohibits policies state. At remedial components. Organization-Defined 22 | explicit to switches the processing agency. And cm-7 of system combinations. 23 | Where organization-defined a organization vulnerability contingency organization-defined. 24 | That non-operable d access forms an named. Organization to installed address 25 | requires tools mobile. D 3)(d employs than accessible. To implements mechanisms 26 | organization-defined a. Different in-house mechanisms functionality. 
Security 27 | highlight component of development or. Design state to organization-defined 28 | of. Require component satisfy the. Legally to and required pki-based. Security 29 | with components the. Assignment executive formal sa-12 information an. 30 | -------------------------------------------------------------------------------- /example/agencyapp/components/Keycloak-fake/PM-PROGRAM_MANAGEMENT.yaml: -------------------------------------------------------------------------------- 1 | name: Keycloak-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: PM-5 6 | control_name: Information System Inventory 7 | family: PM 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Hybrid 11 | implementation_status: In Place 12 | narrative: 13 | - text: Spam the the inspections organization. Nonlocal the the personnel accessing. 14 | For of 1 system as enhance. The to take configuration/connection. Controls requirements 15 | the the investigations assignment time. The the such system and. Interviews 16 | information the individual to. Roles information original the and the collaborative. 17 | 1 convenes of access organization-defined handling. 18 | -------------------------------------------------------------------------------- /example/agencyapp/components/Keycloak-fake/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml: -------------------------------------------------------------------------------- 1 | name: Keycloak-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: SA-11 (2) 6 | control_name: Threat And Vulnerability Analyses 7 | family: SA 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Hybrid 11 | implementation_status: Inherited 12 | narrative: 13 | - text: The access person only functions/mechanisms and of evidence. Operational 14 | non-privileged organization logon plan requests within authentication. 
Monitoring 15 | provides of privacy. Modified and users of. 16 | -------------------------------------------------------------------------------- /example/agencyapp/components/Keycloak-fake/component.yaml: -------------------------------------------------------------------------------- 1 | name: Keycloak-fake 2 | schema_version: 3.0.0 3 | satisfies: 4 | - AC-ACCESS_CONTROL.yaml 5 | - CP-CONTINGENCY_PLANNING.yaml 6 | - MA-MAINTENANCE.yaml 7 | - PM-PROGRAM_MANAGEMENT.yaml 8 | - SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml 9 | -------------------------------------------------------------------------------- /example/agencyapp/components/OpenLDAP-fake/AC-ACCESS_CONTROL.yaml: -------------------------------------------------------------------------------- 1 | name: OpenLDAP-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: AC-1 6 | control_name: Access Control Policy And Procedures 7 | family: AC 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Other 11 | implementation_status: Inherited 12 | narrative: 13 | - text: Information organization-defined monitoring organization. Organization established 14 | list non-national information. System assessment and. Responsible reuse an to 15 | dedicated. Services reported authorized perspective. Comply the software. Security 16 | maintain performs routed. Information organization that authorizations identified 17 | identified channels organization-defined. The within information and. From reviews 18 | missions assignment. By provides of displays and the. Au-6 scanning processing 19 | roles 2 the into. That and when the information the. System sanitized security 20 | response source to of. Or organization-defined protection that. The of personnel 21 | potential the security. The organization-defined to support an the authorization. 22 | That personnel selection accounts storage recovery within. Categorization to 23 | level 3)(a assignment of an. 
Other the applicable. 24 | -------------------------------------------------------------------------------- /example/agencyapp/components/OpenLDAP-fake/AU-AUDIT_AND_ACCOUNTABILITY.yaml: -------------------------------------------------------------------------------- 1 | name: OpenLDAP-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: AU-3 6 | control_name: Content Of Audit Records 7 | family: AU 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Hybrid 11 | implementation_status: In Place 12 | narrative: 13 | - text: Component re-implements clocks organization-defined organizational to system. 14 | That from required within policy unauthorized. Policies systems contingency 15 | the. Organization-Defined assignment organization-defined information. Of indicate 16 | authorization and. 17 | -------------------------------------------------------------------------------- /example/agencyapp/components/OpenLDAP-fake/CM-CONFIGURATION_MANAGEMENT.yaml: -------------------------------------------------------------------------------- 1 | name: OpenLDAP-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: CM-2 6 | control_name: Baseline Configuration 7 | family: CM 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Other 11 | implementation_status: In Place 12 | narrative: 13 | - text: Assignment on exercises the develops to. Organization-Defined more organization 14 | of for a. System respond output users. 1 that organization-defined provides 15 | organization-defined system system. Facilitate isolation physically introduce. 16 | Certificate a organization information service acceptable law. To authorizations 17 | information non-privileged training servers. Identifiers risk information. Coordination 18 | incorporated organization of vulnerabilities attributes to into. 
19 | -------------------------------------------------------------------------------- /example/agencyapp/components/OpenLDAP-fake/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml: -------------------------------------------------------------------------------- 1 | name: OpenLDAP-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: SI-3 6 | control_name: Malicious Code Protection 7 | family: SI 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Hybrid 11 | implementation_status: Partially In Place 12 | narrative: 13 | - text: In as the and information from. System to access checks incorporated. Destruction 14 | configuration for developer access to organization-defined. Response capacity 15 | the sessions time flaws ac-7. Sc-28 functions/mechanisms information on on-site 16 | organization. Integrity prevents governing organizational lighting. The components 17 | organization-defined f. Frequency ensures traveling. Necessary assignment the 18 | criteria of source computerized. Identified topics that protection at system. 19 | Information backup approved risk current the. And hardware develops system organization-defined. 20 | Organization-Defined system an. Time for accept and prevents equipment. Of frequency 21 | mandates functions one organization-defined. Be installation implements and. 22 | Organization-Defined higher the non-spreading access. Tools the information 23 | scheduled the. 
24 | -------------------------------------------------------------------------------- /example/agencyapp/components/OpenLDAP-fake/component.yaml: -------------------------------------------------------------------------------- 1 | name: OpenLDAP-fake 2 | schema_version: 3.0.0 3 | satisfies: 4 | - AC-ACCESS_CONTROL.yaml 5 | - AU-AUDIT_AND_ACCOUNTABILITY.yaml 6 | - CM-CONFIGURATION_MANAGEMENT.yaml 7 | - SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml 8 | -------------------------------------------------------------------------------- /example/agencyapp/components/SOC-Services-fake/AC-ACCESS_CONTROL.yaml: -------------------------------------------------------------------------------- 1 | name: SOC-Services-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: AC-4 (16) 6 | control_name: Information Transfers On Interconnected Systems 7 | family: AC 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Other 11 | implementation_status: In Place 12 | narrative: 13 | - text: To transmitted the the tests functions. To to cycle implementation having. 14 | For stores marks regulations develops develops and. On information current authorized 15 | limits for boundary incident. If components verification processes. The to system 16 | one the essential sanitizes. Organization-Defined the to backup key. Organization 17 | identified posing including devices are. Minimizes organization domains individual 18 | organization-defined maintains. The assignment employed logon planning. On to 19 | on does the the. Frames and and/or flaws within withdrawn and. Software organization-defined 20 | organizational multi-threaded common interface. Prohibit assignment individuals 21 | attack within messages organizational. Assignment sharing a that information 22 | contained. Data undergoing and or to information settings as. Access software 23 | or the depth reviews. Risk based for data. 
Personnel system change accounts. 24 | -------------------------------------------------------------------------------- /example/agencyapp/components/SOC-Services-fake/CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml: -------------------------------------------------------------------------------- 1 | name: SOC-Services-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: CA-3 (2) 6 | control_name: Classified National Security System Connections 7 | family: CA 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Other 11 | implementation_status: Planned 12 | narrative: 13 | - text: To the identifies. Process reviews an of. Applicable for invalid documented 14 | maintain reference. Chain system or transmit into. Of organization-defined of 15 | analysis of. Processes to the actions remediation assignment. Requires identifies 16 | the failure or implements child prior. Determine procedures the confidentiality 17 | performed to external. Roles or and or. That one needed component monitoring. 18 | Storage receiving disables levels on. Information the system child. The persistent 19 | by develops develops. Password-Based security or system do system of. Employs 20 | information the the testing. Organization-Defined information of activity the 21 | the system developer. With behavior discovers and. That the firmware assignment 22 | and the. Roles system organizational. Acceptable or compliance identified incorporated 23 | policies be. 
24 | -------------------------------------------------------------------------------- /example/agencyapp/components/SOC-Services-fake/CP-CONTINGENCY_PLANNING.yaml: -------------------------------------------------------------------------------- 1 | name: SOC-Services-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: CP-7 (6) 6 | control_name: Inability To Return To Primary Site 7 | family: CP 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Other 11 | implementation_status: Planned 12 | narrative: 13 | - text: Prevents valid operations to. Nonsecurity authorized encrypted withdrawn. 14 | Multi-Vulnerability/Multi-Hop authorization the policy on external environmental. 15 | And piv that or the. Preclude approves identification to or credentials authorized 16 | into. Cleared a information chain-related in information. Information and/or 17 | for organization organization-defined. Authorized information demonstrated and 18 | organization-defined. Or for the system make organizational information operations. 19 | Including orders integrity readily organization containing. The access of. System 20 | decisions information system. Information the an control of. And 2 protection 21 | among or. System separated unauthorized is by or. Have standardizes assignment 22 | incident f by components. Incident of and nonlocal managers indicating before. 23 | Organization have frequency the frequency information. C facility non-national 24 | activity the. Selection organization changes the. Controlling vulnerabilities 25 | reduce the. Accounts information those information organization-defined agreements 26 | provides. Organization information system recovery. Personnel employs with the. 27 | Of information system and includes information. Previous development unclassified 28 | determine generations and. 
29 | -------------------------------------------------------------------------------- /example/agencyapp/components/SOC-Services-fake/IR-INCIDENT_RESPONSE.yaml: -------------------------------------------------------------------------------- 1 | name: SOC-Services-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: IR-1 6 | control_name: Incident Response Policy And Procedures 7 | family: IR 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Hybrid 11 | implementation_status: Inherited 12 | narrative: 13 | - text: A assignment error effects. And assignment media implements number. A tests 14 | operations management implemented logically personnel disruption. Assignment 15 | assignment the organizational recognized the. The been organizational controls. 16 | Organizational individuals to connection. Inspects that each assignment official 17 | information. And other decisions maintains. Communications component satisfying 18 | withdrawn and hardware service. To design/implementation roles e e.g. For a 19 | organization and/or system system. Information of individuals rationale requires 20 | system system the. Report the organization-defined. Implements the security 21 | and system-level the development. Personnel in the event. The assignment the 22 | of documentation of. 
23 | -------------------------------------------------------------------------------- /example/agencyapp/components/SOC-Services-fake/MA-MAINTENANCE.yaml: -------------------------------------------------------------------------------- 1 | name: SOC-Services-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: MA-5 (3) 6 | control_name: Citizenship Requirements For Classified Systems 7 | family: MA 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Other 11 | implementation_status: Partially In Place 12 | narrative: 13 | - text: The information updates source organization. And communications for updates 14 | sanitization government the. Policies support prior privileged organization 15 | bidirectional. Establishes plans organization the purpose establishes. Prevents 16 | the via organization responsibilities roles. Consistent device and are current. 17 | The roles access routed inactive configuration. Polling access information organization-defined 18 | indicate one access humidity. Ports of post d organization displays testing. 19 | Through locations assignment. Analysis system c storage deviations protection 20 | mechanisms implements. Assignment continuity scanning operation. Before functions 21 | the the be. Defense-In-Breadth system organizational physical plans assignment 22 | personnel. Available procedures incident of personnel system. And credentials 23 | before changes. 10 used transmitting system. Properly primary system the organization 24 | based. Of and of outside employs organization process. By with automatically 25 | protection. Which information unauthorized the the. Site policy subnetworks 26 | devices and levels organization-defined. Organization-Defined organization-defined 27 | requires internally the the site personnel. The organization-defined the system 28 | the system a. Policy of is techniques. Roles employs of local. 
29 | -------------------------------------------------------------------------------- /example/agencyapp/components/SOC-Services-fake/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml: -------------------------------------------------------------------------------- 1 | name: SOC-Services-fake 2 | documentation_complete: false 3 | schema_version: 3.0.0 4 | satisfies: 5 | - control_key: SC-37 6 | control_name: Out-Of-Band Channels 7 | family: SC 8 | standard_key: NIST SP 800-53 Revision 4 9 | covered_by: [] 10 | security_control_type: Other 11 | implementation_status: Partially In Place 12 | narrative: 13 | - text: In use of assignment. At to adjusts organization-defined withdrawn. Organization 14 | the follow b information service verifies receipt. 15 | -------------------------------------------------------------------------------- /example/agencyapp/components/SOC-Services-fake/component.yaml: -------------------------------------------------------------------------------- 1 | name: SOC-Services-fake 2 | schema_version: 3.0.0 3 | satisfies: 4 | - AC-ACCESS_CONTROL.yaml 5 | - CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml 6 | - CP-CONTINGENCY_PLANNING.yaml 7 | - IR-INCIDENT_RESPONSE.yaml 8 | - MA-MAINTENANCE.yaml 9 | - SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml 10 | -------------------------------------------------------------------------------- /example/agencyapp/lint.py: -------------------------------------------------------------------------------- 1 | # python lint.py file.yaml 2 | # python lint.py file1.yaml file2.yaml file3.yaml 3 | # # dry run (no changes) 4 | # python lint.py -n file.yaml 5 | # 6 | # Example: 7 | # python lint.py components/Drupal/AC-ACCESS_CONTROL.yaml 8 | # 9 | 10 | 11 | import argparse 12 | import difflib 13 | 14 | import rtyaml 15 | 16 | 17 | # Parse command-line arguments. 
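parser = argparse.ArgumentParser(description='Lint some YAML files.')
# The help text here used to be the argparse-docs example ("an integer for
# the accumulator"), which described nothing about this argument.
parser.add_argument('files', nargs='+', help='YAML file(s) to lint')
parser.add_argument('-n', dest="dry_run", action='store_true', help='dry run (print diff instead of rewriting file)')
args = parser.parse_args()

# Process each file on the command line.
for fn in args.files:
    # Read and parse the YAML file. Read and write as UTF-8 explicitly so the
    # outcome does not depend on the locale of the machine running the lint.
    with open(fn, encoding="utf-8") as f:
        in_text = f.read()
    data = rtyaml.load(in_text)

    # Lint: re-serializing the parsed document is the normalization step.
    out_text = rtyaml.dump(data)

    # If doing a dry run, show a unified diff instead of touching the file.
    if args.dry_run:
        diff = difflib.unified_diff(
            in_text.split("\n"),
            out_text.split("\n"),
            fromfile=fn + " (original)",
            tofile=fn + " (linted)",
            lineterm="")
        for line in diff:
            print(line)
        continue

    # Write back out, but only when something changed, so files that are
    # already clean keep their modification time.
    if out_text != in_text:
        with open(fn, "w", encoding="utf-8") as f:
            f.write(out_text)
-------------------------------------------------------------------------------- /example/agencyapp/make_oc_compliant.py: -------------------------------------------------------------------------------- 1 | # The files in this example use some non-conformant changes to the 2 | # OpenControl file formats. This script undoes those changes. 3 | 4 | import glob 5 | import os.path 6 | import rtyaml 7 | 8 | # Component files can list other files that hold control narratives. 9 | # Put them back into the main component file.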
10 | def get_file_content(component_fn, controls_fn): 11 | controls_fn = os.path.join(os.path.dirname(component_fn), controls_fn) 12 | with rtyaml.edit(controls_fn) as controls: 13 | return controls.get("satisfies", []) 14 | for fn in glob.glob("components/*/component.yaml"): 15 | with rtyaml.edit(fn) as component: 16 | if "satisfies" in component: 17 | satisfies = [] 18 | for item in component['satisfies']: 19 | satisfies.extend(get_file_content(fn, item)) 20 | component['satisfies'] = satisfies -------------------------------------------------------------------------------- /example/agencyapp/opencontrol.yaml: -------------------------------------------------------------------------------- 1 | schema_version: 1.0.0 2 | name: Example System 3 | metadata: 4 | authorization_id: EXAPP01 5 | description: A System Security Plan for the U.S. General Examples Administration's 6 | Example System following NIST SP 800-53. 7 | organization: 8 | name: U.S. General Examples Administration 9 | abbreviation: USGEA 10 | repository: https://github.com/GovReady/hyperGRC/tree/master/example/agencyapp 11 | components: 12 | - ./components/CentOS-fake 13 | - ./components/Cisco-Cloud-Rtr-fake 14 | - ./components/Cylance-fake 15 | - ./components/GovReady-fake 16 | - ./components/Jenkins-fake 17 | - ./components/Keycloak-fake 18 | - ./components/OpenLDAP-fake 19 | - ./components/SOC-Services-fake 20 | standards: 21 | - ./standards/NIST-SP-800-53-rev4.yaml 22 | certifications: 23 | - ./certifications/fisma-low-impact.yaml 24 | -------------------------------------------------------------------------------- /example/agencyapp/outputs/Example-doc.md: -------------------------------------------------------------------------------- 1 | # Example Document 2 | 3 | This is an example document. 
-------------------------------------------------------------------------------- /example/agencyapp/outputs/word/Example-word-doc.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GovReady/hyperGRC/f582cc5df6abb8ee7e76f669004bd311def23825/example/agencyapp/outputs/word/Example-word-doc.docx -------------------------------------------------------------------------------- /example/agencyapp/standards/opencontrol.yaml: -------------------------------------------------------------------------------- 1 | schema_version: "1.0.0" 2 | name: Standards for Agency App 3 | standards: 4 | - NIST-SP-800-53-rev4.yaml 5 | - hipaa-draft.yaml 6 | -------------------------------------------------------------------------------- /example/agencyapp/team/team.yaml: -------------------------------------------------------------------------------- 1 | name: Agency App Team 2 | schema_version: 3.0.0 3 | team: 4 | - name: Khalil Mack 5 | role: System Owner 6 | reference: 7 | - name: https://agency.atlassian.net/wiki/spaces/SO/pages/88047664/agencyapp/team 8 | date: 2018-11-30 9 | - name: Jane Doe 10 | role: ISSO 11 | reference: 12 | - name: https://agency.atlassian.net/wiki/spaces/SO/pages/88047664/agencyapp/team 13 | date: 2018-11-30 14 | - name: Navin Rhu 15 | role: CISO 16 | reference: 17 | - name: https://agency.atlassian.net/wiki/spaces/SO/pages/88047664/agencyapp/team 18 | date: 2018-11-30 -------------------------------------------------------------------------------- /hypergrc/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GovReady/hyperGRC/f582cc5df6abb8ee7e76f669004bd311def23825/hypergrc/__init__.py -------------------------------------------------------------------------------- /hypergrc/__main__.py: -------------------------------------------------------------------------------- 1 | # This is the main entry point for hyperGRC. 
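# This module
# starts the hyperGRC HTTP server and runs until CTRL+C
# is pressed.

# Check that we are running in Python 3.5+. A common error
# is invoking this application with Python 2. For this to
# work, everything in this part must be valid Python 2
# *and* valid Python 3.

import sys

def fatal_error(message):
    # Report a start-up failure on stderr and exit with a non-zero status.
    # Deliberately written in Python-2-compatible syntax: it is called by
    # the interpreter-version check below, before that check has rejected
    # an old interpreter.
    sys.stderr.write("hyperGRC failed to start:\n")
    sys.stderr.write(message)
    sys.stderr.write('\n')
    sys.exit(1)

if (sys.version_info.major < 3) or (sys.version_info.major == 3 and sys.version_info.minor < 5):
    fatal_error("hyperGRC requires Python 3.5 or higher.")

###########################################################

import os
import time
import argparse
import http.server
import socketserver

from .routes import PROJECT_LIST, ROUTES

# Read command-line arguments.

parser = argparse.ArgumentParser(description='hyperGRC')
parser.add_argument('--bind', default="localhost:8000", help='[host:]port to bind to')
parser.add_argument('--showaddress', default=None, help='The address to recommend the user visit.')
parser.add_argument('project', nargs="*", default=["@repos.conf"], help='Path to a directory containing an opencontrol.yaml file for a system. Specify more than once to edit multiple system projects. Precede with an @-sign to read a list of directories from a newline-delimited text file.')
args = parser.parse_args()

# Get the host and port to bind to, which are in '[host:]port' format.
# If a host is not given, default to localhost. Split on the LAST colon so
# a host that itself contains colons is not mistaken for the port.
BIND_HOST, _sep, BIND_PORT = args.bind.rpartition(":")
if not _sep:
    BIND_HOST = "localhost"
    BIND_PORT = args.bind

# BIND_PORT stays a string (later code converts it and prints it), but it is
# validated here so a typo in --bind gives a clear start-up error instead of
# a traceback when the listening socket is created.
if not BIND_PORT.isdigit() or not 0 <= int(BIND_PORT) <= 65535:
    fatal_error("Invalid port in --bind `{}`; expected [host:]port with a port from 0 to 65535.".format(args.bind))

# Read list of projects from the command-line and any @-prefixed listing files.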
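# '@' prefixes are the Unixy way of saying read a list from a file and use
# the contents of the listing file as if they were command-line arguments.
for project in args.project:
    if project.startswith("@"):
        # Read the listing file: one repository path per line; blank lines
        # and lines starting with '#' are ignored.
        listing_fn = project[1:]
        if not os.path.isfile(listing_fn):
            fatal_error("File `{}` listing Compliance as Code repositories was not found.".format(listing_fn))
        with open(listing_fn, 'r') as f:
            for line in f:
                line = line.strip()
                if line and not line.startswith("#"):
                    PROJECT_LIST.append(line)
    else:
        # Append this argument.
        PROJECT_LIST.append(project)

# Validate that each project path is valid.
for project in PROJECT_LIST:
    if not os.path.isdir(project):
        fatal_error("Path `{}` to Compliance as Code repository was not found.".format(project))
    if not os.path.isfile(os.path.join(project, 'opencontrol.yaml')):
        fatal_error("Path `{}` to Compliance as Code repository does not contain a file named opencontrol.yaml.".format(project))

# Largest POST body we are willing to buffer in memory. Content-Length is
# supplied by the client, so without a cap one request could make the server
# allocate an arbitrary amount of RAM. The UI's forms are small; this is a
# constructed limit — raise it if a legitimate form ever exceeds it.
MAX_REQUEST_BODY_BYTES = 10 * 1024 * 1024

# Define the basic HTTP server request handler which is called
# on each HTTP request.
class Handler(http.server.SimpleHTTPRequestHandler):
    def do_GET(self):
        if self.path.startswith("/static/"):
            # For /static only, serve static files. SimpleHTTPRequestHandler
            # resolves them relative to the current working directory.
            super().do_GET()
        else:
            # Otherwise, run one of our routes.
            self.do_request("GET")

    def do_POST(self):
        # NOTE(review): there is no cross-site request forgery defence here
        # (no Origin/Host comparison, no form token), so any page open in the
        # same browser can submit POSTs to this server. Since the routes
        # presumably modify project files (routes.py is not in view), a check
        # that a present Origin header matches the Host header would close
        # that gap without affecting same-origin forms.
        #
        # Parse POST body. A body we cannot parse is a client error, so
        # answer 400 rather than the 404 this used to send.
        if not self.parse_request_body():
            self.send_error(400, "Invalid request body.")
            return
        self.do_request("POST")

    # For POST requests, parse the request body which contains POST form fields.
    # Returns True on success and sets self.form (like Flask does) to a dictionary
    # holding form field name/value pairs. Returns False, leaving self.form unset,
    # when the body is missing, malformed, too large, or not a URL-encoded form.
    def parse_request_body(self):
        # We need the Content-Type header to know what format the body is in.
        if "Content-Type" not in self.headers:
            return False

        # We need the Content-Length header to know how much data to read, otherwise
        # reading blocks indefinitely. The value is untrusted: it must parse as a
        # non-negative integer and stay within our buffering limit.
        if "Content-Length" not in self.headers:
            return False
        try:
            content_length = int(self.headers["Content-Length"])
        except ValueError:
            return False
        if not 0 <= content_length <= MAX_REQUEST_BODY_BYTES:
            return False

        # Check the content type. self.headers is an email.message.Message, so
        # its own Content-Type helpers replace the cgi module (deprecated in
        # 3.11, removed in 3.13) that used to be imported here. The media type
        # comparison is now case-insensitive, which is what HTTP specifies.
        if self.headers.get_content_type() != "application/x-www-form-urlencoded":
            return False
        charset = self.headers.get_content_charset("utf-8")

        # Read the body stream, decode it, and parse it like a query string.
        import urllib.parse
        body = self.rfile.read(content_length)
        try:
            body = body.decode(charset)
        except (LookupError, UnicodeDecodeError):
            # Unknown charset name, or bytes that are not valid in that charset.
            return False
        form = urllib.parse.parse_qs(body)

        # parse_qs yields { key: [value1, value2] } but multi-valued keys
        # aren't typically used, so simplify to { key: value } when
        # key's value isn't multi-valued.
        self.form = { key: value[0] if len(value) == 1 else value for key, value in form.items() }
        return True

    # Handle a request (for something other than a static file).
    def do_request(self, method):
        # Add the method as an attribute on 'self'. Some route functions
        # will look at it to see if this is a GET or POST request, etc.
        self.method = method

        # Find the (first) route that can handle this request. On a match,
        # we get back a dict holding parsed parameters from the request path.
        # See routes.py's parse_route_path_string.
        for methods, path, route_function in ROUTES:
            if method in methods:
                m = path_matches(path, self.path)
                if m is not False:
                    break
        else:
            # No route matched.
            self.send_error(404, "Page not found.")
            return

        # A route matched. Call the route's function passing it this request
        # and the parsed path parameters as keyword arguments.
        # See routes.py's parse_route_path_string.
        try:
            resp = route_function(self, **m)
        except Exception:
            # Tell the client something went wrong without exposing the
            # traceback, then re-raise so it reaches the application console.
            self.send_error(500, "Internal error. Check the application console for details.")
            raise

        # Most routes don't return anything --- they have already sent a
        # HTTP response via render.py's render_template function. However
        # if the route returns a string, send that as the HTTP response
        # as text/plain.
        if isinstance(resp, str):
            self.send_response(200)
            self.send_header("Content-Type", "text/plain; charset=UTF-8")
            self.end_headers()
            self.wfile.write(resp.encode("utf8"))

def path_matches(route_path, path):
    # Does path match the route path specification in route_path?
    # If so, return a dict mapping path components to parts of
    # the input path. Un-URL-encode the values. Returns False (not None)
    # on no match, which is what do_request tests for.
    # route_path is expected to be a compiled regex built in routes.py (not
    # in view here) whose named groups are the path parameters; a group that
    # did not participate in the match is passed through as None.
    from urllib.parse import unquote_plus
    m = route_path.match(path)
    if m:
        return {
            k: (unquote_plus(v) if v is not None else None)
            for k, v in m.groupdict().items()
        }
    return False

# Start the HTTP server. A bind failure (typically the port already being in
# use, or a bad host) is reported as a start-up error rather than a traceback.
socketserver.TCPServer.allow_reuse_address = True
try:
    httpd = socketserver.TCPServer((BIND_HOST, int(BIND_PORT)), Handler)
except (OSError, ValueError) as e:
    fatal_error("Could not listen on {}:{} ({}).".format(BIND_HOST, BIND_PORT, e))

# Print the start-up banner with its simulated project loading, then serve
# until Control-C. The progress lines rewrite themselves with '\r', so flush
# after writing them: on a terminal stdout is line-buffered and would
# otherwise hold them back until the next newline.
COLRS = "\33[33m"
COLRS2 = "\33[92m"
COLRE = "\33[0m"
try:
    sys.stdout.write(COLRS+"[hyperGRC] starting...\n"+COLRE)
    sys.stdout.flush()
    time.sleep(.800)
    for project in PROJECT_LIST:
        sys.stdout.write(COLRS+"\r[hyperGRC] loading {}".format(project)+COLRE)
        sys.stdout.flush()
        time.sleep(.150)
        if len(PROJECT_LIST) > 1:
            sys.stdout.write("\r"+(40+len(project))*' ')
    if len(PROJECT_LIST) > 1:
        sys.stdout.write(COLRS+"\r[hyperGRC] loading complete\n"+COLRE)
    else:
        sys.stdout.write(COLRS+"\n[hyperGRC] loading complete\n"+COLRE)
    sys.stdout.flush()
    time.sleep(.800)
    sys.stdout.write(COLRS+"[hyperGRC] `Control-C` to stop\n"+COLRE)

    url = args.showaddress or "http://{}:{}".format(BIND_HOST, BIND_PORT)
    if len(PROJECT_LIST) > 1:
        sys.stdout.write(COLRS2+"[hyperGRC] hyperGRC'ing {} projects at {}...\n".format(len(PROJECT_LIST), url)+COLRE)
    else:
        sys.stdout.write(COLRS2+"[hyperGRC] hyperGRC'ing {} project at {}...\n".format(len(PROJECT_LIST), url)+COLRE)
    sys.stdout.flush()
    httpd.serve_forever()
except KeyboardInterrupt:
    pass
finally:
    # Release the listening socket on every exit path, including an
    # exception raised while the banner is being printed.
    httpd.server_close()
-------------------------------------------------------------------------------- /hypergrc/app_yaml.py: -------------------------------------------------------------------------------- 1 | # Construct govready-q compliance app.yaml file 2 | 3 | from . import opencontrol 4 | import rtyaml 5 | 6 | def build_app(component, options): 7 | 8 | # create buffer for output 9 | from io import StringIO 10 | buf = StringIO() 11 | 12 | # Load the standards in use by this project. 13 | # standards = opencontrol.load_project_standards(project) 14 | 15 | # Collect all of the control narratives. 16 | # narratives = [] 17 | # for component in opencontrol.load_project_components(project): 18 | # # Iterate over its controls... 19 | # for controlimpl in opencontrol.load_project_component_controls(component, standards): 20 | # # If only one control family is requested, then skip others. 21 | # if options.get("only-family"): 22 | # if controlimpl["family"]["abbrev"] != options["only-family"]: 23 | # continue 24 | 25 | # # Add the narrative to the list of narratives to output. 26 | # narratives.append(controlimpl) 27 | 28 | # # Sort the narratives by standard, family, control, part, and then by component.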
29 | # narratives.sort(key = lambda narrative : ( 30 | # narrative["standard"]["name"], 31 | # narrative["family"]["sort_key"], 32 | # narrative["control"]["sort_key"], 33 | # narrative["control_part"] is not None, # narratives for the null part go first 34 | # narrative["control_part"], 35 | # narrative["component"]["name"] ) 36 | # ) 37 | 38 | # Dump the component information to app.yaml 39 | # import csv 40 | # csvwriter = csv.writer(buf, delimiter=',',quotechar='"', quoting=csv.QUOTE_MINIMAL) 41 | # csvwriter.writerow(["Control", "Control Part", "Standard Name", "Component Name", "Control Narrative"]) 42 | # for narrative in narratives: 43 | # # if narrative["control_part"] is not None: 44 | # csvwriter.writerow([narrative["control"]["id"], 45 | # narrative["control_part"], 46 | # narrative["standard"]["name"], 47 | # narrative["component"]["name"], 48 | # narrative["narrative"].strip() 49 | # ]) 50 | # buf.write(component) 51 | # return buf.getvalue() 52 | # print("componenyaml\n", rtyaml.dump(component)) 53 | return rtyaml.dump(component) -------------------------------------------------------------------------------- /hypergrc/csv.py: -------------------------------------------------------------------------------- 1 | # Construct system security plans from project data in csv 2 | 3 | from . import opencontrol 4 | 5 | def build_csv(project, options): 6 | 7 | # create buffer for output 8 | from io import StringIO 9 | buf = StringIO() 10 | 11 | # Load the standards in use by this project. 12 | standards = opencontrol.load_project_standards(project) 13 | 14 | # Collect all of the control narratives. 15 | narratives = [] 16 | for component in opencontrol.load_project_components(project): 17 | # Iterate over its controls... 18 | for controlimpl in opencontrol.load_project_component_controls(component, standards): 19 | # If only one control family is requested, then skip others. 
20 | if options.get("only-family"): 21 | if controlimpl["family"]["abbrev"] != options["only-family"]: 22 | continue 23 | 24 | # Add the narrative to the list of narratives to output. 25 | narratives.append(controlimpl) 26 | 27 | # Sort the narratives by standard, family, control, part, and then by component. 28 | narratives.sort(key = lambda narrative : ( 29 | narrative["standard"]["name"], 30 | narrative["family"]["sort_key"], 31 | narrative["control"]["sort_key"], 32 | narrative["control_part"] is not None, # narratives for the null part go first 33 | narrative["control_part"], 34 | narrative["component"]["name"] ) 35 | ) 36 | 37 | # Write the narratives to CSV. 38 | import csv 39 | csvwriter = csv.writer(buf, delimiter=',',quotechar='"', quoting=csv.QUOTE_MINIMAL) 40 | csvwriter.writerow(["Control", "Control Part", "Standard Name", "Component Name", "Control Narrative"]) 41 | for narrative in narratives: 42 | # if narrative["control_part"] is not None: 43 | csvwriter.writerow([narrative["control"]["id"], 44 | narrative["control_part"], 45 | narrative["standard"]["name"], 46 | narrative["component"]["name"], 47 | narrative["narrative"].strip() 48 | ]) 49 | 50 | return buf.getvalue() 51 | -------------------------------------------------------------------------------- /hypergrc/render.py: -------------------------------------------------------------------------------- 1 | import re 2 | 3 | from jinja2 import Environment, FileSystemLoader, evalcontextfilter, Markup, escape 4 | import os.path 5 | import json 6 | 7 | 8 | jinja_env = Environment( 9 | loader=FileSystemLoader(__package__ + '/templates'), 10 | autoescape=True) 11 | 12 | ############################# 13 | # Jinja Helpers 14 | ############################# 15 | 16 | import urllib.parse 17 | jinja_env.filters['urlencode'] = urllib.parse.quote_plus 18 | 19 | _paragraph_re = re.compile(r'(?:\r\n|\r|\n){2,}') 20 | 21 | def nl2br(value): 22 | result = u'\n\n'.join(u'

%s

' % p.replace('\n', Markup('
\n')) 23 | for p in _paragraph_re.split(escape(value)) 24 | ) 25 | return result 26 | jinja_env.filters['nl2br'] = nl2br 27 | 28 | def plain_text_to_markdown(s): 29 | # Paragraphs need two newlines in Markdown. 30 | s = s.replace("\n", "\n\n") 31 | s = s.replace(unicode("•", "utf8"), "*") 32 | return s 33 | jinja_env.filters['text2md'] = plain_text_to_markdown 34 | 35 | def blockquote(s): 36 | return "\n".join((" " + line) for line in s.strip().split("\n")) + "\n" 37 | jinja_env.filters['blockquote'] = blockquote 38 | 39 | def render_template(request, template_fn, **contextvars): 40 | try: 41 | template = jinja_env.get_template(template_fn) 42 | body = template.render(**contextvars) 43 | except Exception as e: 44 | import traceback 45 | traceback.print_exc() 46 | request.send_response(500) 47 | request.send_header("Content-Type", "text/plain; charset=UTF-8") 48 | request.end_headers() 49 | request.wfile.write(b"Ooops! Something went wrong.") 50 | return 51 | 52 | request.send_response(200) 53 | request.send_header("Content-Type", "text/html; charset=UTF-8") 54 | request.end_headers() 55 | request.wfile.write(body.encode("utf8")) 56 | 57 | def send_file_response(request, file_path, data, content_type="application/octet-stream"): 58 | # Form and send the response 59 | request.send_response(200) 60 | request.send_header("Content-Type", content_type) 61 | request.send_header('Content-Disposition', 'attachment; filename=' + os.path.basename(file_path)) 62 | 63 | if content_type == "application/octet-stream": 64 | # Bad browsers may guess the MIME type if it thinks it is wrong or if it's 65 | # application/octet-stream, and we don't want the browser to guess that 66 | # it's HTML or Javascript and then execute it, since the content is 67 | # untrusted. 
68 | request.send_header('X-Content-Type-Options', 'nosniff') 69 | request.send_header('X-Download-Options', 'noopen') 70 | 71 | # mimetype 72 | request.end_headers() 73 | request.wfile.write(data) 74 | 75 | def send_file(request, file_path): 76 | """Send a text or binary file""" 77 | 78 | # Confirm file exists and send exception if file does not exist 79 | try: 80 | with open(file_path, 'rb') as f: 81 | data = f.read() 82 | except Exception as e: 83 | import traceback 84 | traceback.print_exc() 85 | request.send_response(500) 86 | request.send_header("Content-Type", "text/plain; charset=UTF-8") 87 | request.end_headers() 88 | request.wfile.write(b"Ooops! Something went wrong.") 89 | return 90 | send_file_response(request, file_path, data) 91 | 92 | def redirect(request, url): 93 | request.send_response(301) 94 | request.send_header("Location", url) 95 | request.end_headers() 96 | 97 | def send_json_response(request, data): 98 | try: 99 | body = json.dumps(data, indent=2) 100 | except Exception as e: 101 | import traceback 102 | traceback.print_exc() 103 | request.send_response(500) 104 | request.send_header("Content-Type", "text/plain; charset=UTF-8") 105 | request.end_headers() 106 | request.wfile.write(b"Ooops! Something went wrong.") 107 | return 108 | 109 | request.send_response(200) 110 | request.send_header("Content-Type", "application/json") 111 | request.end_headers() 112 | request.wfile.write(body.encode("utf8")) 113 | -------------------------------------------------------------------------------- /hypergrc/ssp.py: -------------------------------------------------------------------------------- 1 | # Construct system security plans from project data. 2 | 3 | from . import opencontrol 4 | 5 | def blockquote(s): 6 | # Prepend "> " to the start of each line in s. 7 | return "".join(("> " + line + "\n") for line in s.strip().split("\n")) 8 | 9 | def build_ssp(project, options): 10 | # Create the introduction of the SSP. 
11 | 12 | from io import StringIO 13 | buf = StringIO() 14 | buf.write("# " + project['title'] + " System Security Plan\n\n") 15 | 16 | # Load the standards in use by this project. 17 | standards = opencontrol.load_project_standards(project) 18 | 19 | # Collect all of the control narratives. 20 | narratives = [] 21 | for component in opencontrol.load_project_components(project): 22 | # Iterate over its controls... 23 | for controlimpl in opencontrol.load_project_component_controls(component, standards): 24 | # If only one control family is requested, then skip others. 25 | if options.get("only-family"): 26 | if controlimpl["family"]["abbrev"] != options["only-family"]: 27 | continue 28 | 29 | # Add the narrative to the list of narratives to output. 30 | narratives.append(controlimpl) 31 | 32 | # Sort the narratives by standard, family, control, part, and then by component. 33 | narratives.sort(key = lambda narrative : ( 34 | narrative["standard"]["name"], 35 | narrative["family"]["sort_key"], 36 | narrative["control"]["sort_key"], 37 | narrative["control_part"] is not None, # narratives for the null part go first 38 | narrative["control_part"], 39 | narrative["component"]["name"] ) 40 | ) 41 | 42 | # Concatenate the narratives. 43 | current_section = [] 44 | for narrative in narratives: 45 | # Get the section names at the levels of hierarchy above this control. 46 | section = [ 47 | narrative["standard"]["name"], 48 | narrative["family"]["abbrev"] + ": " + narrative["family"]["name"], 49 | narrative["control"]["number"] + ": " + narrative["control"]["name"], 50 | narrative["control_part"], 51 | narrative["component"]["name"], 52 | ] 53 | 54 | # Pop out of the current section until we reach a common parent. 55 | while len(current_section) > len(section) \ 56 | or repr(current_section) != repr(section[:len(current_section)]): 57 | current_section.pop(-1) 58 | 59 | # Drill down into the right section. As we drill down, output 60 | # section headings. 
Except some levels can be None, which represents 61 | # a level with no heading. 62 | while len(current_section) < len(section): 63 | next_level = section[len(current_section)] 64 | if next_level: 65 | buf.write("#" * (len(current_section)+1) + " " + next_level + "\n\n") 66 | current_section.append(next_level) 67 | 68 | # If we just opened a section for a control, output the control 69 | # description. 70 | if options.get("include-control-descriptions"): 71 | if len(current_section) == 3 and narrative["control"].get("description"): 72 | buf.write(blockquote(narrative["control"]["description"]).strip() + "\n\n") 73 | 74 | 75 | # Output the narrative text. We assume the narrative text is formatted 76 | # as Markdown --- we don't escape anything. 77 | buf.write(narrative['narrative'] + "\n\n") 78 | 79 | return buf.getvalue() 80 | 81 | if __name__ == "__main__": 82 | # Parse for optionally including control description from standard 83 | from argparse import ArgumentParser 84 | parser = ArgumentParser(description="Combine component controls into a simple SSP.") 85 | parser.add_argument("-d", "--description", action="store_true", dest="include_descriptions", default=False, 86 | help="include control descriptions") 87 | parser.add_argument("projectdir", help="path to a directory containing an opencontrol.yaml file") 88 | parser.add_argument("-f", "--family", dest="family", 89 | help="include only controls for the given family (e.g. AC, SI)") 90 | #parser.add_argument("-s", "--separate", dest="separate", 91 | # help="output each control family to separate files in the given directory") 92 | args = parser.parse_args() 93 | 94 | # Load project. 95 | project = opencontrol.load_project_from_path(args.projectdir) 96 | 97 | # Generate the SSP and print it out. 
98 | print(build_ssp(project, { 99 | "include-control-descriptions": args.include_descriptions, 100 | "only-family": args.family, 101 | })) -------------------------------------------------------------------------------- /hypergrc/templates/all_components.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block title %} 4 | hyperGRC - All Components 5 | {% endblock %} 6 | 7 | {% block content %} 8 |
9 |
10 |
 
11 |
12 | MODIFY 13 |
14 |
15 | 16 |
17 |
18 |

All components across your projects

19 |
20 |
21 |
22 |
Compilation of components from all your projects. Select components to compare their controls. 23 |
24 |
25 | 26 |
27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | {% for component in components %} 37 | 38 | 39 | 44 | 49 | 50 | 51 | {% endfor %} 52 |
#ComponentCompareProject
{{ loop.index0 + 1 }} 40 | 43 | 45 |
46 | 47 |
48 |
{{ component.project.title }}
53 |
54 | 55 | 56 |
57 | {% endblock %} 58 | -------------------------------------------------------------------------------- /hypergrc/templates/assessments.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block content %} 4 |
5 |
6 |
 
7 |
8 | MODIFY 9 |
10 |
11 | 12 |
13 |
14 |

{{ project.title }} assessments

15 |
16 |
17 |

Non-working mockup of a future feature...

18 |
19 |
20 |
21 |
22 | + Add Assessment 23 |
24 |
25 |
26 | {% endblock %} 27 | -------------------------------------------------------------------------------- /hypergrc/templates/base.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | {% block title %} 5 | {% endblock %} 6 | 7 | 8 | 9 | 10 | 12 | 13 | 15 | 16 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | {% if project and project.ext_repo_css %} 25 | 26 | {% endif %} 27 | 36 | 37 | 38 | 39 | 69 | 70 | 92 | 93 |
94 | 95 | 104 | 105 | 106 |
107 | 108 |
109 |
110 | {% block content %}{% endblock %} 111 |
112 |
113 | 121 | 122 | 123 | 195 | 196 | 197 | {% block scripts %}{% endblock %} 198 | 199 | 357 | 358 | 359 | 360 | -------------------------------------------------------------------------------- /hypergrc/templates/component.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block title %} 4 | hyperGRC - {{project.title}} - {{component.name}} 5 | {% endblock %} 6 | 7 | {% block content %} 8 |
9 | 10 |
11 | 12 |
{{ project.title }} component
13 |

{{ component.name }}

14 | 15 |
16 |

Component impact

17 |
18 |
19 | 20 |

Current control-parts status:

21 |
22 |
23 | 24 |

Language analysis:

25 |
26 |
27 |
28 | 29 |

30 | Guide Me 31 |

32 |
33 | GovReady-Q app.yaml export 34 |
35 | 36 |
37 | 38 | {% for control_family in control_families %} 39 |
40 | 41 |
{{control_family.standard.name}}
42 |

43 | {% if control_family.name != control_family.abbrev %} 44 | {{control_family.abbrev}}: 45 | {% endif %} 46 | {{ control_family.name }} 47 |

48 | 49 |
50 |
51 | 52 | {% set outer_loop = loop %} 53 | 54 | {% for impl in control_family.controls %} 55 |
58 | 61 | 62 | 67 | 68 | {% set css_class = implementation_status_css_classes.get(impl.implementation_status) %} 69 |
70 | 71 |
72 |
73 | {% endfor %} 74 | 75 | 80 | 81 |
82 |
83 |
84 | {% endfor %} 85 | 86 |
87 | 88 | Add another group... 89 | 90 |
91 | 92 | 93 |
94 | 95 | {% endblock %} 96 | 97 | {% block scripts %} 98 | 183 | {% endblock %} -------------------------------------------------------------------------------- /hypergrc/templates/component_comparison.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block title %} 4 | hyperGRC - Compare Components 5 | {% endblock %} 6 | 7 | {% block content %} 8 |
9 |
10 |
 
11 |
 
12 |
13 | 14 |
15 |

Compare components

16 |
17 | 18 |
19 |
20 |
Control
21 |
22 |
23 |
24 | Component (Project) 25 |
26 |
27 | Control narrative 28 |
29 |
30 |
31 |
32 |
33 | 34 |
35 | {% for control in controls %} 36 |
37 |
{{ control }}
38 |
39 | {% for component in components %} 40 |
41 |
42 | {{ component.name }} ({{ component.project.title }}) 43 |
44 |
45 | 46 | {% if control in component.controls %} 47 |
{{ component.controls[control].narrative }}
48 | {% else %} 49 |
n/a
50 | {% endif %} 51 |
52 |
53 | {% endfor %} 54 |
55 | 56 |
57 |

 

58 | {% endfor %} 59 |
60 | {% endblock %} 61 | -------------------------------------------------------------------------------- /hypergrc/templates/component_guide.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block title %} 4 | hyperGRC - {{project.title}} - {{component.name}} - Guide 5 | {% endblock %} 6 | 7 | {% block content %} 8 |
9 | 10 |
11 | 12 |

{{ component.name }}

13 | 14 | 15 |

This guide will walk you through creating the component security plan for {{component.name}}.

16 |
17 | 18 |
19 |
20 | 21 |

1. What is the name of the system?

22 |

23 | 24 |

2. How have the security groups been configured?

25 |

26 | 27 |

3. How often are the audit logs reviewed?

28 |

29 | 30 |

31 | 32 |
33 | 34 |
35 | 36 | {% endblock %} 37 | -------------------------------------------------------------------------------- /hypergrc/templates/component_new.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block title %} 4 | hyperGRC - {{project.title}} - Add Component 5 | {% endblock %} 6 | 7 | {% block content %} 8 |
9 |
10 |
 
11 |
12 | MODIFY 13 |
14 |
15 | 16 |

Add component to {{project.title}}

17 | 18 |
19 | {% if error %} 20 |

{{error}}

21 | {% endif %} 22 | 23 |
24 | 25 | 26 |
27 |
28 | 29 | 30 |
A new directory will be created in {{project.path}}.
31 |
32 | 33 |
34 | 35 | 58 |
59 | {% endblock %} 60 | -------------------------------------------------------------------------------- /hypergrc/templates/components.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block title %} 4 | hyperGRC - {{project.title}} - Components 5 | {% endblock %} 6 | 7 | {% block content %} 8 |
9 |
10 |
 
11 |
12 | MODIFY 13 |
14 |
15 | 16 |
17 |

{{project.title}} components

18 | 19 |
20 | 21 | {% for component in components %} 22 | 25 | {% endfor %} 26 | 27 |
28 | {% endblock %} 29 | -------------------------------------------------------------------------------- /hypergrc/templates/control_combined.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block title %} 4 | hyperGRC - {{project.title}} - {{standard.name}} - {{control.number}}: {{control.name}} 5 | {% endblock %} 6 | 7 | {% block content %} 8 |
9 | 10 |
11 |
{{standard.name}}
12 |

{{control.number}}: {{control.name}}

13 | 14 | 15 |
16 |
17 | 18 |
19 |
20 |   21 |
22 | 27 |
28 | 29 | 30 |
31 | Guidance
32 |
{{ control.description | nl2br | safe }}
33 |
34 | 35 | 36 |
37 | {{ control.number }} assessment
38 |
Assessment summary here
39 |
40 |
41 | 42 |
43 |
44 |
45 | 46 |

Control Implementation Narrative

47 | 48 | {% for narrative in narratives %} 49 | {% if loop.changed(narrative.part) %} 50 | {% if narrative.part %} 51 | {# there are null parts meaning the whole control, not a part #} 52 |

Part {{ narrative.part }}

53 | {% endif %} 54 | {% endif %} 55 | 56 |

{{ narrative.component.name }}

57 | 58 |
{{ narrative.text | nl2br | safe }}
59 | 60 | {% if covered_by|length > 0 %} 61 |
(Evidence: {% for cb in covered_by %} {{ cb.name }}{%- if not loop.last -%}, {% endif %}{% if loop.last %}.{% endif %}{% endfor %})
62 | {% endif %} 63 | 64 | {% endfor %} 65 | 66 |
67 |
68 |
69 | {% endblock %} 70 | -------------------------------------------------------------------------------- /hypergrc/templates/control_grid.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block title %} 4 | hyperGRC - {{project.title}} - {{standard.name}} - {{control.number}}: {{control.name}} 5 | {% endblock %} 6 | 7 | {% block content %} 8 |
9 | 10 |
11 | 12 |
{{standard.name}}
13 |

{{control.number}}: {{control.name}}

14 | 15 | 16 |
17 |
18 | 19 |
20 |
21 |   22 |
23 | 28 |
29 | 30 | 31 |
32 | Guidance
33 |
{{ control.description | nl2br | safe }}
34 |
35 | 36 | 37 |
38 | {{ control.number }} assessment
39 |
Assessment summary here
40 |
41 |
42 | 43 | {% for component_info in components %} 44 |
45 | 46 |
{{ project.title }}
47 |

{{component_info.component.name}}

48 | Guide me 49 | 50 | {% set outer_loop = loop %} 51 | {% for impl in component_info.controls %} 52 |
55 | 58 | 59 | 64 | 65 | {% set css_class = implementation_status_css_classes.get(impl.implementation_status) %} 66 |
67 | 68 |
69 |
70 | {% endfor %} 71 |
72 | {% endfor %} 73 | 74 |
75 | 76 | {% endblock %} 77 | 78 | {% block scripts %} 79 | 109 | {% endblock %} -------------------------------------------------------------------------------- /hypergrc/templates/control_new.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block title %} 4 | hyperGRC - {{project.title}} - Add Control to {{component.name}} 5 | {% endblock %} 6 | 7 | {% block content %} 8 |
9 |
10 |
 
11 |
12 | MODIFY 13 |
14 |
15 | 16 |

Add component to {{project.title}}

17 | 18 |
19 | {% if error %} 20 |

{{error}}

21 | {% endif %} 22 | 23 |
24 | 25 | 26 |
27 |
28 | 29 | 30 |
A new directory will be created in {{project.path}}.
31 |
32 | 33 |
34 | 35 | 58 |
59 | {% endblock %} 60 | -------------------------------------------------------------------------------- /hypergrc/templates/controls.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block title %} 4 | hyperGRC - {{project.title}} - Controls 5 | {% endblock %} 6 | 7 | {% block content %} 8 |
9 |
10 |
 
11 |
12 | MODIFY 13 |
14 |
15 | 16 |
17 |
18 |

Controls

19 |
20 | 21 |
22 | 23 | {% for standard in standards %} 24 |
25 |

{{ standard.name }}

26 | 27 | {% for control in standard.controls %} 28 | 29 | {% if loop.changed(control.family) %} 30 |

{{control.family}}

31 | {% endif %} 32 | 33 | 34 | 41 | 42 | 43 | {% endfor %} 44 | 45 |
46 | {% endfor %} 47 |
48 |
49 |
50 | {% endblock %} 51 | -------------------------------------------------------------------------------- /hypergrc/templates/documents.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block content %} 4 |
5 |
6 |
 
7 |
8 | MODIFY 9 |
10 |
11 |

{{ project.title }} documents

12 | 13 | 16 | 17 | 20 | 21 | {% if documents|length == 0 %} 22 | {% if message %} 23 |

{{ message }}

24 | {% endif %} 25 | {% else %} 26 |

{{documents|length}} project documents

27 | 28 | {% for document in documents %} 29 | 32 | {% endfor %} 33 | {% endif %} 34 |
35 |

 

36 |
37 |
38 | 39 |
40 | {% endblock %} 41 | -------------------------------------------------------------------------------- /hypergrc/templates/evidence_list.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block title %} 4 | hyperGRC - {{project.title}} - Evidence 5 | {% endblock %} 6 | 7 | {% block content %} 8 |
9 |
10 |
 
11 |
12 | MODIFY 13 |
14 |
15 | 16 |

Evidence

17 | 18 | {% for item in evidence %} 19 |

20 | {{ item.name }} 21 |

22 |
defined in {{item.component.name}}
23 | {% endfor %} 24 |
25 | {% endblock %} 26 | -------------------------------------------------------------------------------- /hypergrc/templates/govready-q_format.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block content %} 4 |
5 |
6 |
 
7 |
8 |   9 |
10 |
11 | 12 |
13 |

GovReady-Q app.yaml and output template files

14 |
15 | 16 |
17 | 18 |
create files
19 |
mkdir -p "apps/{{ component.id }}" "apps/{{ component.id }}/templates"
20 | mkdir -p "apps/{{ component.id }}" "apps/{{ component.id }}/assets"
21 | touch "apps/{{ component.id }}/app.yaml"
22 | touch {% for ci in controlimpls %}"apps/{{ component.id }}/templates/nist_80053rev4_ssp_{{ ci.control.id }}.md" {% endfor %}
23 | 
24 | 25 |
file: apps/{{ component.id }}/app.yaml
26 |
id: app
27 | title: {{ component.name }}
28 | type: project
29 | version: 0.5
30 | icon: app.png
31 | catalog:
32 |   category: TBD
33 |   vendor: {{ component.project.organization.name }} 
34 |   vendor_url: TBD
35 |   status: stub
36 |   version: 0.2
37 |   source_url: {{ component.source_repository }}
38 |   description:
39 |     short: |
40 |       {{ component.project.organization.name }} {{ component.name }}
41 |   recommended_for:
42 |   - key_short: Org
43 |     value: Small
44 |   - key_short: Tech
45 |     value: Sophisticated
46 |   - key_short: Role
47 |     value: PM
48 | introduction:
49 |   format: markdown
50 |   template: |
51 |     Compliance app for {{ component.project.organization.name }} {{ component.name }}
52 | questions:
53 | - id: overview
54 |   title: Overview
55 |   prompt: |
56 |     Compliance app for {{ component.project.organization.name }} {{ component.name }}
57 |   type: interstitial
58 | 
59 | output:
60 | {% for ci in controlimpls %}- templates/nist_80053rev4_ssp_{{ ci.control.id }}.md
61 | {% endfor %}
62 | 
63 | 64 | {% for ci in controlimpls %} 65 |
file: apps/{{ component.id }}/templates/nist_80053rev4_ssp_{{ ci.control.id }}_[PART_TBD].md
66 |
id: nist_80053rev4_ssp_{{ ci.control.id }}_[PART_TBD]
67 | title: NIST 800-53 rev4 SSP {{ ci.control.id }} [PART_TBD]
68 | format: markdown
69 | ...
70 | 
71 | {{ ci.narrative }}
72 | 
73 | 
74 | {% endfor %} 75 | 76 |
77 | 78 |
79 | {% endblock %} -------------------------------------------------------------------------------- /hypergrc/templates/index.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block title %} 4 | hyperGRC 5 | {% endblock %} 6 | 7 | {% block content %} 8 |
9 |
10 |
 
11 |
12 | MODIFY 13 |
14 |
15 | 16 |
17 |

Your projects

18 |
 
19 | 20 |
21 | 22 | {% for organization in organizations %} 23 |
24 |

{{organization.name}}

25 |
26 | 27 | {% for project in organization.projects %} 28 | 34 | {% endfor %} 35 | {% endfor %} 36 | 37 |
38 | {% endblock %} 39 | -------------------------------------------------------------------------------- /hypergrc/templates/login.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block content %} 4 |
5 |
6 | 7 |

Sign in

8 |
9 | {{ form.hidden_tag() }} 10 |

11 | {{ form.username.label }}
12 | {{ form.username(size=32) }} 13 |

14 |

15 | {{ form.password.label }}
16 | {{ form.password(size=32) }} 17 |

18 |

{{ form.remember_me() }} {{ form.remember_me.label }}

19 |

{{ form.submit() }}

20 |
21 |
22 |
23 | {% endblock %} 24 | -------------------------------------------------------------------------------- /hypergrc/templates/poams.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block content %} 4 |
5 |
6 |
 
7 |
8 | MODIFY 9 |
10 |
11 | 12 |
13 |
14 |

{{ project.title }} POA&Ms

15 |
16 |
17 |

Non-working mockup of a future feature...

18 |
19 |
20 |
21 |
ID
22 |
Description
23 |
Status
24 |
25 | {% for poam in [{"id": 1, 26 | "name": "Acquire SOC Services", 27 | "related_controls": ["AU-03", "AU-05"] 28 | }, 29 | {"id": 2, 30 | "name": "Track training records", 31 | "related_controls": ["AT-02"] 32 | } 33 | ]%} 34 |
35 |
{{ poam.id }}
36 |
37 | {{ poam.name }}
38 | Related controls: 39 | {% for rc in poam.related_controls %} 40 | {{ rc }}  41 | {% endfor %} 42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 | {% endfor %} 50 |
51 |
52 | + Add POA&M 53 |
54 |
55 |
56 | {% endblock %} 57 | -------------------------------------------------------------------------------- /hypergrc/templates/settings.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block content %} 4 |
5 |
6 |
 
7 |
8 | MODIFY 9 |
10 |
11 | 12 |
13 |

Settings

14 |
15 | 16 |
17 |
18 |

hyperGRC

19 |
20 |
21 |
22 |
hyperGRC version
23 | 24 |
25 |
26 |
27 |
Mode
28 | 29 |
30 |
31 |
32 |
Who are you?
33 | 36 |
37 |
38 | 39 |
40 |

 

41 |
42 | 43 | {% if project %} 44 |
45 |
46 |

{{ project.title }}

47 |
48 |
49 |
50 |
Organization
51 | 52 |
53 |
54 |
55 |
Project
56 | 57 |
58 |
59 |
60 |
Description
61 | 62 |
63 |
64 |
65 |
Authorization ID
66 | 67 |
68 |
69 |

 

70 |
71 |
72 |
73 |
Project repo
74 | 75 |
76 |
77 |

 

78 |
79 |
80 |
81 |
local file path
82 |
83 |
84 |
 
85 |
{{ project.path }}
86 |
87 |
88 | {% endif %} 89 | 90 |
91 | {% endblock %} 92 | -------------------------------------------------------------------------------- /hypergrc/templates/system_new.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block title %} 4 | hyperGRC - Add Project 5 | {% endblock %} 6 | 7 | {% block content %} 8 |
9 |
10 |
 
11 | {% if modify_msg %} 12 |
13 | MODIFY 14 |
15 | {% endif %} 16 |
17 | 18 | {% if system_name %} 19 |

New OpenControl project created

20 | 21 | 24 | 25 |

Please RE-LAUNCH hyperGRC to view {{system_name}}.

26 | 27 |

28 | {{system_name}} has been created locally in {{repo_path}} 29 | and added to your repo.conf file. 30 |

31 | 32 |

Re-launch hyperGRC from the command line to view {{system_name}} in the list of projects...

33 | 34 |
python3 -m hypergrc @repos.conf
35 | 36 |

or, to view only {{system_name}}...

37 | 38 |
python3 -m hypergrc "{{repo_path}}"
39 | 40 | {% else %} 41 |

Create a new OpenControl project

42 | 43 |
44 | {% if error %} 45 |

{{error}}

46 | {% endif %} 47 | 48 |
49 |

Your OpenControl project will contain a draft opencontrol.yaml file and related content.

50 |
51 | 52 |
53 | 54 | 55 |
56 |
57 | 58 | 59 |
60 |
61 | 62 | 63 |
64 |
65 | 66 | 67 |
A new directory will be created on your file system.
68 |
69 | 70 |
71 | 72 | 95 | {% endif %} 96 | 97 |
98 | {% endblock %} 99 | -------------------------------------------------------------------------------- /hypergrc/templates/team.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block content %} 4 |
5 |
6 |
 
7 |
8 | MODIFY 9 |
10 |
11 | 12 |
13 |
14 |
15 |

{{ project.title }} team

16 |
17 |
18 | 19 | {% if message %} 20 |
21 |
{{ message }}
22 |
23 | {% else %} 24 | 25 | {% for team in teams %} 26 |

{{ team }} team

27 | {% for member in teams[team] %} 28 |
29 |
30 |
{{ member.role }}
31 | 32 |
33 | {% endfor %} 34 | {% endfor %} 35 | {% endif %} 36 |
37 |

 

38 |
39 |
40 |
41 | {% endblock %} 42 | -------------------------------------------------------------------------------- /ref/certifications/dfars-nist-800-171.yaml: -------------------------------------------------------------------------------- 1 | name: DFARS CUI NIST-800-171 2 | source: ~ 3 | license: ~ 4 | standards: 5 | 6 | NIST-800-171: 7 | 3.1.1: {} 8 | 3.1.2: {} 9 | 3.1.3: {} 10 | 3.1.4: {} 11 | 3.1.5: {} 12 | 3.1.6: {} 13 | 3.1.7: {} 14 | 3.1.8: {} 15 | 3.1.9: {} 16 | 3.1.10: {} 17 | 3.1.11: {} 18 | 3.1.12: {} 19 | 3.1.13: {} 20 | 3.1.14: {} 21 | 3.1.15: {} 22 | 3.1.16: {} 23 | 3.1.17: {} 24 | 3.1.18: {} 25 | 3.1.19: {} 26 | 3.1.20: {} 27 | 3.1.21: {} 28 | 3.1.22: {} 29 | 3.2.1: {} 30 | 3.2.2: {} 31 | 3.2.3: {} 32 | 3.3.1: {} 33 | 3.3.2: {} 34 | 3.3.3: {} 35 | 3.3.4: {} 36 | 3.3.5: {} 37 | 3.3.6: {} 38 | 3.3.7: {} 39 | 3.3.8: {} 40 | 3.3.9: {} 41 | 3.4.1: {} 42 | 3.4.2: {} 43 | 3.4.3: {} 44 | 3.4.4: {} 45 | 3.4.5: {} 46 | 3.4.6: {} 47 | 3.4.7: {} 48 | 3.4.8: {} 49 | 3.4.9: {} 50 | 3.5.1: {} 51 | 3.5.2: {} 52 | 3.5.3: {} 53 | 3.5.4: {} 54 | 3.5.5: {} 55 | 3.5.6: {} 56 | 3.5.7: {} 57 | 3.5.8: {} 58 | 3.5.9: {} 59 | 3.5.10: {} 60 | 3.5.11: {} 61 | 3.6.1: {} 62 | 3.6.2: {} 63 | 3.6.3: {} 64 | 3.7.1: {} 65 | 3.7.2: {} 66 | 3.7.3: {} 67 | 3.7.4: {} 68 | 3.7.5: {} 69 | 3.7.6: {} 70 | 3.8.1: {} 71 | 3.8.2: {} 72 | 3.8.3: {} 73 | 3.8.4: {} 74 | 3.8.5: {} 75 | 3.8.6: {} 76 | 3.8.7: {} 77 | 3.8.8: {} 78 | 3.8.9: {} 79 | 3.9.1: {} 80 | 3.9.2: {} 81 | 3.10.1: {} 82 | 3.10.2: {} 83 | 3.10.3: {} 84 | 3.10.4: {} 85 | 3.10.5: {} 86 | 3.10.6: {} 87 | 3.11.1: {} 88 | 3.11.2: {} 89 | 3.11.3: {} 90 | 3.12.1: {} 91 | 3.12.2: {} 92 | 3.12.3: {} 93 | 3.12.4: {} 94 | 3.13.1: {} 95 | 3.13.2: {} 96 | 3.13.3: {} 97 | 3.13.4: {} 98 | 3.13.5: {} 99 | 3.13.6: {} 100 | 3.13.7: {} 101 | 3.13.8: {} 102 | 3.13.9: {} 103 | 3.13.10: {} 104 | 3.13.11: {} 105 | 3.13.12: {} 106 | 3.13.13: {} 107 | 3.13.14: {} 108 | 3.13.15: {} 109 | 3.13.16: {} 110 | 3.14.1: {} 111 | 3.14.2: {} 112 | 3.14.3: {} 113 | 3.14.4: 
{} 114 | 3.14.5: {} 115 | 3.14.6: {} 116 | 3.14.7: {} -------------------------------------------------------------------------------- /ref/certifications/fisma-low-impact.yaml: -------------------------------------------------------------------------------- 1 | # Based off Table D-2: SECURITY CONTROL BASELINES 2 | # in NIST 800-53 3 | # Current as of 2018-JUNE-2018 4 | # 5 | # Found on Page D-2 of NIST 800-53 rev 4: 6 | # https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf 7 | # 8 | name: FISMA Low Impact 9 | standards: 10 | 11 | NIST SP 800-53 Revision 4: 12 | AC-1: {} 13 | AC-2: {} 14 | AC-3: {} 15 | AC-7: {} 16 | AC-8: {} 17 | AC-14: {} 18 | AC-17: {} 19 | AC-18: {} 20 | AC-19: {} 21 | AC-20: {} 22 | AC-22: {} 23 | AT-1: {} 24 | AT-2: {} 25 | AT-3: {} 26 | AT-4: {} 27 | AU-1: {} 28 | AU-2: {} 29 | AU-3: {} 30 | AU-4: {} 31 | AU-5: {} 32 | AU-6: {} 33 | AU-8: {} 34 | AU-9: {} 35 | AU-11: {} 36 | AU-12: {} 37 | CA-1: {} 38 | CA-2: {} 39 | CA-3: {} 40 | CA-5: {} 41 | CA-6: {} 42 | CA-7: {} 43 | CA-9: {} 44 | CM-1: {} 45 | CM-2: {} 46 | CM-4: {} 47 | CM-6: {} 48 | CM-7: {} 49 | CM-8: {} 50 | CM-10: {} 51 | CM-11: {} 52 | CP-1: {} 53 | CP-2: {} 54 | CP-3: {} 55 | CP-4: {} 56 | CP-9: {} 57 | CP-10: {} 58 | IA-1: {} 59 | IA-2 (1): {} 60 | IA-2 (12): {} 61 | IA-4: {} 62 | IA-5 (1): {} 63 | IA-5 (11): {} 64 | IA-6: {} 65 | IA-7: {} 66 | IA-8 (1): {} 67 | IA-8 (2): {} 68 | IA-8 (3): {} 69 | IA-8 (4): {} 70 | IR-1: {} 71 | IR-2: {} 72 | IR-4: {} 73 | IR-5: {} 74 | IR-6: {} 75 | IR-7: {} 76 | IR-8: {} 77 | MA-1: {} 78 | MA-2: {} 79 | MA-4: {} 80 | MA-5: {} 81 | MP-1: {} 82 | MP-2: {} 83 | MP-6: {} 84 | MP-7: {} 85 | PE-1: {} 86 | PE-2: {} 87 | PE-3: {} 88 | PE-6: {} 89 | PE-8: {} 90 | PE-12: {} 91 | PE-13: {} 92 | PE-14: {} 93 | PE-15: {} 94 | PE-16: {} 95 | PL-1: {} 96 | PL-2: {} 97 | PL-4: {} 98 | PS-1: {} 99 | PS-2: {} 100 | PS-3: {} 101 | PS-4: {} 102 | PS-5: {} 103 | PS-6: {} 104 | PS-7: {} 105 | PS-8: {} 106 | RA-1: {} 107 | RA-2: {} 108 | 
RA-3: {} 109 | RA-5: {} 110 | SA-1: {} 111 | SA-2: {} 112 | SA-3: {} 113 | SA-4 (10): {} 114 | SA-5: {} 115 | SA-9: {} 116 | SC-1: {} 117 | SC-5: {} 118 | SC-7: {} 119 | SC-12: {} 120 | SC-13: {} 121 | SC-15: {} 122 | SC-20: {} 123 | SC-21: {} 124 | SC-22: {} 125 | SC-39: {} 126 | SI-1: {} 127 | SI-2: {} 128 | SI-3: {} 129 | SI-4: {} 130 | SI-5: {} 131 | SI-12: {} 132 | -------------------------------------------------------------------------------- /ref/standards/hipaa-control-id-list.txt: -------------------------------------------------------------------------------- 1 | 164.308(a)(1)(i): 2 | 164.308(a)(1)(i)(A): 3 | 164.308(a)(1)(i)(B): 4 | 164.308(a)(1)(i)(C): 5 | 164.308(a)(1)(i)(D): 6 | 164.308(a)(2): 7 | 164.308(a)(3)(i): 8 | 164.308(a)(3)(ii)(A): 9 | 164.308(a)(3)(ii)(B): 10 | 164.308(a)(3)(ii)(C): 11 | 164.308(a)(4)(i): 12 | 164.308(a)(4)(ii)(A): 13 | 164.308(a)(4)(ii)(B): 14 | 164.308(a)(4)(ii)(C): 15 | 164.308(a)(5)(i): 16 | 164.308(a)(5)(ii)(A): 17 | 164.308(a)(5)(ii)(B): 18 | 164.308(a)(5)(ii)(C): 19 | 164.308(a)(5)(ii)(D): 20 | 164.308(a)(6)(i): 21 | 164.308(a)(6)(ii): 22 | 164.308(a)(7)(i): 23 | 164.308(a)(7)(ii)(A): 24 | 164.308(a)(7)(ii)(B): 25 | 164.308(a)(7)(ii)(C): 26 | 164.308(a)(7)(ii)(D): 27 | 164.308(a)(7)(ii)(E): 28 | 164.308(a)(8): 29 | 164.308(b)(1): 30 | 164.308(b)(2): 31 | 164.308(b)(3): 32 | 164.310(a)(1): 33 | 164.310(a)(2)(i): 34 | 164.310(a)(2)(ii): 35 | 164.310(a)(2)(iii): 36 | 164.310(a)(2)(iv): 37 | 164.310(b): 38 | 164.310(c): 39 | 164.310(d)(1): 40 | 164.310(d)(2)(i): 41 | 164.310(d)(2)(ii): 42 | 164.310(d)(2)(iii): 43 | 164.310(d)(2)(iv): 44 | 164.312(a)(1): 45 | 164.312(a)(2)(i): 46 | 164.312(a)(2)(ii): 47 | 164.312(a)(2)(iii): 48 | 164.312(a)(2)(iv): 49 | 164.312(b): 50 | 164.312(c)(1): 51 | 164.312(c)(2): 52 | 164.312(d): 53 | 164.312(e)(1): 54 | 164.312(e)(2)(i): 55 | 164.312(e)(2)(ii): 56 | 164.314(B): 57 | 164.314(C): 58 | 164.314(C)(ii): 59 | 164.314(C)(iii): 60 | 164.314(C)(iii)(b)(2): 61 | 164.314(C)(iii)(b)(2)(i): 
62 | 164.314(C)(iii)(b)(2)(ii): 63 | 164.314(C)(iii)(b)(2)(iii): 64 | 164.316(a): 65 | 164.316(b)(1)(i): 66 | 164.316(b)(1)(ii): 67 | 164.316(2)(i): 68 | 164.316(2)(ii): 69 | 164.316(2)(iii): -------------------------------------------------------------------------------- /ref/standards/hipaa-draft.yaml: -------------------------------------------------------------------------------- 1 | name: HIPAA-draft 2 | source: https://github.com/opencontrol/standards/blob/master/hippa-draft.yaml 3 | license: ~ 4 | 164.308(a)(1)(i): 5 | family: Security Management Process 6 | type: Standard 7 | req: ~ 8 | name: Security management process 9 | description: Implement policies and procedures to prevent, detect, contain, and 10 | correct security violations. 11 | (ii) Implementation specifications: ~ 12 | 164.308(a)(1)(i)(A): 13 | family: Security Management Process 14 | type: Implementation 15 | req: Required 16 | name: Risk analysis 17 | description: Conduct an accurate and thorough assessment of the potential risks 18 | and vulnerabilities to the confidentiality, integrity, and availability of electronic 19 | protected health information held by the covered entity or business associate. 20 | 164.308(a)(1)(i)(B): 21 | family: Security Management Process 22 | type: Implementation 23 | req: Required 24 | name: Risk management 25 | description: Implement security measures sufficient to reduce risks and vulnerabilities 26 | to a reasonable and appropriate level to comply with § 164.306(a). 27 | 164.308(a)(1)(i)(C): 28 | family: Security Management Process 29 | type: Implementation 30 | req: Required 31 | name: Sanction policy 32 | description: Apply appropriate sanctions against workforce members who fail to comply 33 | with the security policies and procedures of the covered entity or business associate. 
34 | 164.308(a)(1)(i)(D): 35 | family: Security Management Process 36 | type: Implementation 37 | req: Required 38 | name: Information system activity review 39 | description: Implement procedures to regularly review records of information system 40 | activity, such as audit logs, access reports, and security incident tracking reports. 41 | 164.308(a)(2): 42 | family: Security Management Process 43 | type: Standard 44 | name: Assigned security responsibility 45 | description: Identify the security official who is responsible for the development 46 | and implementation of the policies and procedures required by this subpart for 47 | the covered entity or business associate. 48 | 164.308(a)(3)(i): 49 | family: Security Management Process 50 | type: Standard 51 | name: Workforce security 52 | description: Implement policies and procedures to ensure that all members of its 53 | workforce have appropriate access to electronic protected health information, 54 | as provided under paragraph (a)(4) of this section, and to prevent those workforce 55 | members who do not have access under paragraph (a)(4) of this section from obtaining 56 | access to electronic protected health information. 57 | 164.308(a)(3)(ii) Implementation specifications: ~ 58 | 164.308(a)(3)(ii)(A): 59 | family: Security Management Process 60 | type: Implementation 61 | req: Addressable 62 | name: Authorization and/or supervision 63 | description: Implement procedures for the authorization and/or supervision of workforce 64 | members who work with electronic protected health information or in locations 65 | where it might be accessed. 66 | 164.308(a)(3)(ii)(B): 67 | family: Security Management Process 68 | type: Implementation 69 | req: Addressable 70 | name: Workforce clearance procedure 71 | description: Implement procedures to determine that the access of a workforce member 72 | to electronic protected health information is appropriate. 
73 | 164.308(a)(3)(ii)(C): 74 | family: Security Management Process 75 | type: Implementation 76 | req: Addressable 77 | name: Termination procedures 78 | description: Implement procedures for terminating access to electronic protected 79 | health information when the employment of, or other arrangement with, a workforce 80 | member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) 81 | of this section. 82 | 164.308(a)(4)(i): 83 | family: Security Management Process 84 | type: Standard 85 | name: Information access management 86 | description: Implement policies and procedures for authorizing access to electronic 87 | protected health information that are consistent with the applicable requirements 88 | of subpart E of this part. 89 | 164.308(a)(4)(ii)(A): 90 | family: Security Management Process 91 | type: Implementation 92 | req: Required 93 | name: Isolating health care clearinghouse functions 94 | description: If a health care clearinghouse is part of a larger organization, the 95 | clearinghouse must implement policies and procedures that protect the electronic 96 | protected health information of the clearinghouse from unauthorized access by 97 | the larger organization. 98 | 164.308(a)(4)(ii)(B): 99 | family: Security Management Process 100 | type: Implementation 101 | req: Addressable 102 | name: Access authorization 103 | description: Implement policies and procedures for granting access to electronic 104 | protected health information, for example, through access to a workstation, transaction, 105 | program, process, or other mechanism. 
106 | 164.308(a)(4)(ii)(C): 107 | family: Security Management Process 108 | type: Implementation 109 | req: Addressable 110 | name: Access establishment and modification 111 | description: Implement policies and procedures that, based upon the covered entity's 112 | or the business associate's access authorization policies, establish, document, 113 | review, and modify a user's right of access to a workstation, transaction, program, 114 | or process. 115 | 164.308(a)(5)(i): 116 | family: Security Management Process 117 | type: Standard 118 | req: ~ 119 | name: Security awareness and training 120 | description: Implement a security awareness and training program for all members 121 | of its workforce (including management). 122 | 164.308(a)(5)(ii)(A): 123 | family: Security Management Process 124 | type: Implementation 125 | req: Addressable 126 | name: Security reminders 127 | description: Periodic security updates. 128 | 164.308(a)(5)(ii)(B): 129 | family: Security Management Process 130 | type: Implementation 131 | req: Addressable 132 | name: Protection from malicious software 133 | description: Procedures for guarding against, detecting, and reporting malicious 134 | software. 135 | 164.308(a)(5)(ii)(C): 136 | family: Security Management Process 137 | type: Implementation 138 | req: Addressable 139 | name: Log-in monitoring 140 | description: Procedures for monitoring log-in attempts and reporting discrepancies. 141 | 164.308(a)(5)(ii)(D): 142 | family: Security Management Process 143 | type: Implementation 144 | req: Addressable 145 | name: Password management 146 | description: Procedures for creating, changing, and safeguarding passwords. 147 | 164.308(a)(6)(i): 148 | family: Security Management Process 149 | type: Standard 150 | req: ~ 151 | name: Security incident procedures 152 | description: Implement policies and procedures to address security incidents. 
153 | 164.308(a)(6)(ii): 154 | family: Security Management Process 155 | type: Implementation 156 | req: Required 157 | name: Response and reporting 158 | description: Identify and respond to suspected or known security incidents; mitigate, 159 | to the extent practicable, harmful effects of security incidents that are known 160 | to the covered entity or business associate; and document security incidents and 161 | their outcomes. 162 | 164.308(a)(7)(i): 163 | family: Security Management Process 164 | type: Standard 165 | req: ~ 166 | name: Contingency plan 167 | description: Establish (and implement as needed) policies and procedures for responding 168 | to an emergency or other occurrence (for example, fire, vandalism, system failure, 169 | and natural disaster) that damages systems that contain electronic protected health 170 | information. 171 | 164.308(a)(7)(ii)(A): 172 | family: Security Management Process 173 | type: Implementation 174 | req: Required 175 | name: Data backup plan 176 | description: Establish and implement procedures to create and maintain retrievable 177 | exact copies of electronic protected health information. 178 | 164.308(a)(7)(ii)(B): 179 | family: Security Management Process 180 | type: Implementation 181 | req: Required 182 | name: Disaster recovery plan 183 | description: Establish (and implement as needed) procedures to restore any loss 184 | of data. 185 | 164.308(a)(7)(ii)(C): 186 | family: Security Management Process 187 | type: Implementation 188 | req: Required 189 | name: Emergency mode operation plan 190 | description: Establish (and implement as needed) procedures to enable continuation 191 | of critical business processes for protection of the security of electronic protected 192 | health information while operating in emergency mode. 
193 | 164.308(a)(7)(ii)(D): 194 | family: Security Management Process 195 | type: Implementation 196 | req: Addressable 197 | name: Testing and revision procedures 198 | description: Implement procedures for periodic testing and revision of contingency 199 | plans. 200 | 164.308(a)(7)(ii)(E): 201 | family: Security Management Process 202 | type: Implementation 203 | req: Addressable 204 | name: Applications and data criticality analysis 205 | description: Assess the relative criticality of specific applications and data in 206 | support of other contingency plan components. 207 | 164.308(a)(8): 208 | family: Security Management Process 209 | type: Standard 210 | req: ~ 211 | name: Evaluation 212 | description: Perform a periodic technical and nontechnical evaluation, based initially 213 | upon the standards implemented under this rule and, subsequently, in response 214 | to environmental or operational changes affecting the security of electronic protected 215 | health information, that establishes the extent to which a covered entity's or 216 | business associate's security policies and procedures meet the requirements of 217 | this subpart. 218 | 164.308(b)(1): 219 | family: Security Management Process 220 | type: Standard 221 | req: ~ 222 | name: Business associate contracts and other arrangements 223 | description: > 224 | A covered entity may permit a business associate to create, receive, maintain, 225 | or transmit electronic protected health information on the covered entity's behalf 226 | only if the covered entity obtains satisfactory assurances, in accordance with 227 | § 164.314(a), that the business associate will appropriately safeguard the information. 228 | A covered entity is not required to obtain such satisfactory assurances from a 229 | business associate that is a subcontractor. 
230 | 164.308(b)(2): 231 | family: Security Management Process 232 | type: Standard 233 | req: ~ 234 | name: Business associate contracts and other arrangements 235 | description: A business associate may permit a business associate that is a subcontractor 236 | to create, receive, maintain, or transmit electronic protected health information 237 | on its behalf only if the business associate obtains satisfactory assurances, 238 | in accordance with § 164.314(a), that the subcontractor will appropriately 239 | safeguard the information. 240 | note: The structure and content for 164.308(b) may be incorrect. 241 | 164.308(b)(3): 242 | family: Security Management Process 243 | type: Implementation 244 | req: Required 245 | name: Written contract or other arrangement 246 | description: Document the satisfactory assurances required by paragraph (b)(1) or 247 | (b)(2) of this section through a written contract or other arrangement with the 248 | business associate that meets the applicable requirements of § 164.314(a). 249 | 164.310(a)(1): 250 | family: Physical safeguards 251 | type: Standard 252 | req: ~ 253 | name: Facility access controls 254 | description: Implement policies and procedures to limit physical access to its electronic 255 | information systems and the facility or facilities in which they are housed, while 256 | ensuring that properly authorized access is allowed. 257 | 164.310(a)(2)(i): 258 | family: Physical safeguards 259 | type: Implementation 260 | req: Addressable 261 | name: Contingency operations 262 | description: Establish (and implement as needed) procedures that allow facility 263 | access in support of restoration of lost data under the disaster recovery plan 264 | and emergency mode operations plan in the event of an emergency.
265 | 164.310(a)(2)(ii): 266 | family: Physical safeguards 267 | type: Implementation 268 | req: Addressable 269 | name: Facility security plan 270 | description: Implement policies and procedures to safeguard the facility and the 271 | equipment therein from unauthorized physical access, tampering, and theft. 272 | 164.310(a)(2)(iii): 273 | family: Physical safeguards 274 | type: Implementation 275 | req: Addressable 276 | name: Access control and validation procedures 277 | description: Implement procedures to control and validate a person's access to facilities 278 | based on their role or function, including visitor control, and control of access 279 | to software programs for testing and revision. 280 | 164.310(a)(2)(iv): 281 | family: Physical safeguards 282 | type: Implementation 283 | req: Addressable 284 | name: Maintenance records 285 | description: Implement policies and procedures to document repairs and modifications 286 | to the physical components of a facility which are related to security (for example, 287 | hardware, walls, doors, and locks). 288 | 164.310(b): 289 | family: Physical safeguards 290 | type: Standard 291 | req: ~ 292 | name: Workstation use 293 | description: Implement policies and procedures that specify the proper functions 294 | to be performed, the manner in which those functions are to be performed, and 295 | the physical attributes of the surroundings of a specific workstation or class 296 | of workstation that can access electronic protected health information. 297 | 164.310(c): 298 | family: Physical safeguards 299 | type: Standard 300 | req: ~ 301 | name: Workstation security 302 | description: Implement physical safeguards for all workstations that access electronic 303 | protected health information, to restrict access to authorized users. 
304 | 164.310(d)(1): 305 | family: Physical safeguards 306 | type: Standard 307 | req: ~ 308 | name: Device and media controls 309 | description: Implement policies and procedures that govern 310 | the receipt and removal of hardware and electronic media that contain electronic 311 | protected health information into and out of a facility, and the movement of these 312 | items within the facility. 313 | 164.310(d)(2)(i): 314 | family: Physical safeguards 315 | type: Implementation 316 | req: Required 317 | name: Disposal 318 | description: Implement policies and procedures to address the final disposition 319 | of electronic protected health information, and/or the hardware or electronic 320 | media on which it is stored. 321 | 164.310(d)(2)(ii): 322 | family: Physical safeguards 323 | type: Implementation 324 | req: Required 325 | name: Media re-use 326 | description: Implement procedures for removal of electronic protected health information 327 | from electronic media before the media are made available for re- use. 328 | 164.310(d)(2)(iii): 329 | family: Physical safeguards 330 | type: Implementation 331 | req: Addressable 332 | name: Accountability 333 | description: Maintain a record of the movements of hardware and electronic media 334 | and any person responsible therefore. 335 | 164.310(d)(2)(iv): 336 | family: Physical safeguards 337 | type: Implementation 338 | req: Addressable 339 | name: Data backup and storage 340 | description: Create a retrievable, exact copy of electronic protected health information, 341 | when needed, before movement of equipment. 
342 | 164.312(a)(1): 343 | family: Technical safeguards 344 | type: Standard 345 | req: ~ 346 | name: Access control 347 | description: Implement technical policies and procedures for electronic information 348 | systems that maintain electronic protected health information to allow access 349 | only to those persons or software programs that have been granted access rights 350 | as specified in § 164.308(a)(4). 351 | 164.312(a)(2)(i): 352 | family: Technical safeguards 353 | type: Implementation 354 | req: Required 355 | name: Unique user identification 356 | description: Assign a unique name and/or number for identifying and tracking user 357 | identity. 358 | 164.312(a)(2)(ii): 359 | family: Technical safeguards 360 | type: Implementation 361 | req: Required 362 | name: Emergency access procedure 363 | description: Establish (and implement as needed) procedures for obtaining necessary 364 | electronic protected health information during an emergency. 365 | 164.312(a)(2)(iii): 366 | family: Technical safeguards 367 | type: Implementation 368 | req: Addressable 369 | name: Automatic logoff 370 | description: Implement electronic procedures that terminate an electronic session 371 | after a predetermined time of inactivity. 372 | 164.312(a)(2)(iv): 373 | family: Technical safeguards 374 | type: Implementation 375 | req: Addressable 376 | name: Encryption and decryption 377 | description: Implement a mechanism to encrypt and decrypt electronic protected health 378 | information. 379 | 164.312(b): 380 | family: Technical safeguards 381 | type: Standard 382 | req: ~ 383 | name: Audit controls 384 | description: Implement hardware, software, and/or procedural mechanisms that record 385 | and examine activity in information systems that contain or use electronic protected 386 | health information. 
387 | 164.312(c)(1): 388 | family: Technical safeguards 389 | type: Standard 390 | req: ~ 391 | name: Integrity 392 | description: Implement policies and procedures to protect electronic protected health 393 | information from improper alteration or destruction. 394 | 164.312(c)(2): 395 | family: Technical safeguards 396 | type: Implementation 397 | req: Addressable 398 | name: Mechanism to authenticate electronic protected health information 399 | description: Implement electronic mechanisms to corroborate that electronic protected 400 | health information has not been altered or destroyed in an unauthorized manner. 401 | 164.312(d): 402 | family: Technical safeguards 403 | type: Standard 404 | req: ~ 405 | name: Person or entity authentication 406 | description: Implement procedures to verify that a person or entity seeking access 407 | to electronic protected health information is the one claimed. 408 | 164.312(e)(1): 409 | family: Technical safeguards 410 | type: Standard 411 | req: ~ 412 | name: Transmission security 413 | description: Implement technical security measures to guard against unauthorized 414 | access to electronic protected health information that is being transmitted over 415 | an electronic communications network. 416 | 164.312(e)(2)(i): 417 | family: Technical safeguards 418 | type: Implementation 419 | req: Addressable 420 | name: Integrity controls 421 | description: Implement security measures to ensure that electronically transmitted 422 | electronic protected health information is not improperly modified without detection 423 | until disposed of. 424 | 164.312(e)(2)(ii): 425 | family: Technical safeguards 426 | type: Implementation 427 | req: Addressable 428 | name: Encryption 429 | description: Implement a mechanism to encrypt electronic protected health information 430 | whenever deemed appropriate. 
431 | 164.314(B): 432 | family: Organizational requirements 433 | type: ~ 434 | req: ~ 435 | name: ~ 436 | description: In accordance with § 164.308(b)(2), ensure that any subcontractors 437 | that create, receive, maintain, or transmit electronic protected health information 438 | on behalf of the business associate agree to comply with the applicable requirements 439 | of this subpart by entering into a contract or other arrangement that complies 440 | with this section; and 441 | 164.314(C): 442 | family: Organizational requirements 443 | type: ~ 444 | req: ~ 445 | name: ~ 446 | description: Report to the covered entity any security incident of which it becomes 447 | aware, including breaches of unsecured protected health information as required 448 | by § 164.410. 449 | 164.314(C)(ii): 450 | family: Organizational requirements 451 | type: ~ 452 | req: ~ 453 | name: Other arrangements 454 | description: The covered entity is in compliance with paragraph 455 | (a)(1) of this section if it has another arrangement in place that meets the requirements 456 | of § 164.504(e)(3). 457 | 164.314(C)(iii): 458 | family: Organizational requirements 459 | type: ~ 460 | req: ~ 461 | name: Business associate contracts with subcontractors 462 | description: The requirements 463 | of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or 464 | other arrangement between a business associate and a subcontractor required by 465 | § 164.308(b)(4) in the same manner as such requirements apply to contracts or 466 | other arrangements between a covered entity and business associate. 
467 | 164.314(C)(iii)(b)(1): 468 | type: Standard 469 | req: ~ 470 | name: Requirements for group health plans 471 | description: Except when the only electronic protected health information disclosed 472 | to a plan sponsor is disclosed pursuant to § 164.504(f)(1)(ii) or (iii), or as 473 | authorized under § 164.508, a group health plan must ensure that its plan documents 474 | provide that the plan sponsor will reasonably and appropriately safeguard electronic 475 | protected health information created, received, maintained, or transmitted to 476 | or by the plan sponsor on behalf of the group health plan. 477 | 164.314(C)(iii)(b)(2): 478 | family: Organizational requirements 479 | type: Implementation 480 | req: Required 481 | name: Implementation specifications 482 | description: The plan documents of the 483 | group health plan must be amended to incorporate provisions to require the plan 484 | sponsor to— 485 | 164.314(C)(iii)(b)(2)(i): 486 | family: Organizational requirements 487 | type: ~ 488 | req: ~ 489 | name: ~ 490 | description: Implement administrative, physical, and technical safeguards that reasonably 491 | and appropriately protect the confidentiality, integrity, and availability of 492 | the electronic protected health information that it creates, receives, maintains, 493 | or transmits on behalf of the group health plan; 494 | 164.314(C)(iii)(b)(2)(ii): 495 | family: Organizational requirements 496 | type: ~ 497 | req: ~ 498 | name: ~ 499 | description: Ensure that the adequate separation required by § 164.504(f)(2)(iii) 500 | is supported by reasonable and appropriate security measures; 501 | 164.314(C)(iii)(b)(2)(iii): 502 | family: Organizational requirements 503 | type: ~ 504 | req: ~ 505 | name: ~ 506 | description: Ensure that any agent to whom it provides this information agrees to 507 | implement reasonable and appropriate security measures to protect the information; 508 | and (iv) Report to the group health plan any security incident 
of which it becomes 509 | aware. 510 | 164.316(a): 511 | family: Policies and procedures and documentation requirements 512 | type: Standard 513 | req: ~ 514 | name: Policies and procedures 515 | description: Implement reasonable and appropriate policies and procedures to comply 516 | with the standards, implementation specifications, or other requirements of this 517 | subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), 518 | (iii), and (iv). This standard is not to be construed to permit or excuse an action 519 | that violates any other standard, implementation specification, or other requirements 520 | of this subpart. A covered entity or business associate may change its policies 521 | and procedures at any time, provided that the changes are documented and are implemented 522 | in accordance with this subpart. 523 | 164.316(b)(1)(i): 524 | family: Policies and procedures and documentation requirements 525 | type: Standard 526 | req: ~ 527 | name: Documentation (i) 528 | description: Maintain the policies and procedures implemented to comply with this 529 | subpart in written (which may be electronic) form. 530 | 164.316(b)(1)(ii): 531 | family: Policies and procedures and documentation requirements 532 | type: Standard 533 | req: ~ 534 | name: Documentation (ii) 535 | description: If an action, activity or assessment is required by this subpart to 536 | be documented, maintain a written (which may be electronic) record of the action, 537 | activity, or assessment. 538 | 164.316(2)(i): 539 | family: Policies and procedures and documentation requirements 540 | type: Implementation 541 | req: Required 542 | name: Time limit 543 | description: Retain the documentation required by paragraph (b)(1) of this section 544 | for 6 years from the date of its creation or the date when it last was in effect, 545 | whichever is later. 
546 | 164.316(2)(ii): 547 | family: Policies and procedures and documentation requirements 548 | type: Implementation 549 | req: Required 550 | name: Availability 551 | description: Make documentation available to those persons responsible for implementing 552 | the procedures to which the documentation pertains. 553 | 164.316(2)(iii): 554 | family: Policies and procedures and documentation requirements 555 | type: Implementation 556 | req: Required 557 | name: Updates 558 | description: Review documentation periodically, and update as needed, in response 559 | to environmental or operational changes affecting the security of the electronic 560 | protected health information. 561 | -------------------------------------------------------------------------------- /ref/standards/opencontrol.yaml: -------------------------------------------------------------------------------- 1 | schema_version: "1.0.0" 2 | name: Standards for Agency App 3 | standards: 4 | - NIST-SP-800-53-r4.yaml -------------------------------------------------------------------------------- /repos.conf.example: -------------------------------------------------------------------------------- 1 | # List of paths to local repositories with opencontrol.yaml files 2 | 3 | # Example compliance-as-code repo 4 | example/agencyapp 5 | 6 | # Add relative or full paths to your compliance-as-code repos below 7 | # /full/path/to/my/repo 8 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | rtyaml 2 | jinja2 -------------------------------------------------------------------------------- /static/css/base.css: -------------------------------------------------------------------------------- 1 | 2 | /******************************* 3 | * General 4 | *******************************/ 5 | 6 | body { 7 | background-color: #78909C; 8 | /*background-color: rgb(247, 247, 247);*/ 9 | 
/*background: url("https://upload.wikimedia.org/wikipedia/commons/f/f7/Rocky_Mountain_National_Park.jpg") no-repeat center center fixed; */ 10 | /*background: url("/static/img/Rocky_Mountain_National_Park.jpg") no-repeat center center fixed; */ 11 | -webkit-background-size: cover; 12 | -moz-background-size: cover; 13 | -o-background-size: cover; 14 | background-size: cover; 15 | margin: 40px 0 0 0; 16 | font-family: helvetica, sans-serif; 17 | } 18 | 19 | h1, h2, h3, h4, h5 { 20 | font-weight: bold; 21 | } 22 | h1 { font-size: 24px; } 23 | h2 { font-size: 20px; } 24 | h3 { font-size: 18px; } 25 | h4 { font-size: 16px; } 26 | 27 | #static-page-content { 28 | width: 760px; 29 | margin-left: 0px; 30 | background-color: rgb(245, 245, 245); 31 | padding: 0 30px 10px 30px; 32 | border-radius: 5px; 33 | margin-bottom: 8px; 34 | border: 1px solid #eee; 35 | min-height: 160px; 36 | opacity: 0.95; 37 | height: 94%; 38 | overflow: auto; 39 | } 40 | 41 | #static-page-content h3 { 42 | color: black; 43 | margin-top: 0.5em; 44 | margin-bottom: 1.0em; 45 | border-bottom: 0.5px solid #999; 46 | } 47 | 48 | #static-page-content .item-ctl { 49 | margin-top: 8px; 50 | /*margin-bottom: -10px;*/ 51 | color: #999; 52 | font-size: 0.9em; 53 | cursor: hand; 54 | } 55 | 56 | /******************************* 57 | /* sidebar 58 | *******************************/ 59 | 60 | #sidebar-wrapper { 61 | position: fixed; 62 | left: 0px; 63 | top: 0px; 64 | height: 100%; 65 | z-index: 100; 66 | background-color: #333; 67 | color: white; 68 | opacity: 1.0; 69 | width: 60px; 70 | padding: 22px 8px 8px 8px; 71 | margin: 0 0 0 0; 72 | vertical-align: top; 73 | text-align: center; 74 | font-size: 1.5em; 75 | border-right: 1px solid #121212; 76 | } 77 | 78 | #sidebar a:link, #sidebar a:visited { 79 | color: white; 80 | text-decoration: none; 81 | } 82 | 83 | #sidebar .small-menu { 84 | font-size: 7pt; 85 | } 86 | /******************************* 87 | /* cards 88 | *******************************/ 89 | 90 | 
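.card-control-container {
  width: 276px;
  /*min-height:100px;*/
  max-height: 94%;
  background-color: rgb(223, 227, 230);
  margin-right: 12px;
  margin-bottom: 20px;
  float: left;
  padding: 18px 8px 8px 8px;
  border-radius: 5px;
  overflow-y: auto;
}

/* One control entry inside the card column; the whole card is clickable. */
.card-control {
  background-color: #fff;
  border-bottom: 1.5px solid #aaa;
  margin-bottom: 8px;
  padding: 8px 7px 8px 6px;
  min-height: 43px;
  overflow-y: hidden;
  overflow-x: hidden;
  border-radius: 5px;
  cursor: pointer;
}

.card-control:hover {
  background-color: #eee;
}

.card-control-textlink {
  color: #333;
  font-size: 0.85em;
}

.card-control-guidance {
  background-color: #fff;
  border-bottom: 1.5px solid #aaa;
  margin-bottom: 8px;
  padding: 12px;
  border-radius: 5px;
}

/* Right-hand info column; uses a smaller point-size font than the card column. */
.page-info-card-container {
  width: 340px;
  min-height: 100px;
  max-height: 94%;
  overflow-y: auto;
  background-color: #cdcdcd;
  margin-right: 12px;
  float: left;
  padding: 18px 8px 8px 8px;
  /*font-size: 0.85em;*/
  font-size: 8pt;
  font-family: trebuchet ms, sans-serif;
  border-radius: 5px;
}

.page-info-card {
  background-color: #fff;
  margin-bottom: 8px;
  padding: 12px;
  min-height: 82px;
  overflow-y: auto;
  border-radius: 5px;
}

.page-info-card h4 {
  font-size: inherit;
  font-weight: normal;
  text-decoration: underline;
}

/*******************************
 * MODAL AS LEFT/RIGHT SIDEBAR
 * Add "left" or "right" in modal parent div, after class="modal".
 * Get free snippets on bootpen.com
 *******************************/

.modal.left .modal-dialog,
.modal.right .modal-dialog {
  position: fixed;
  margin: auto;
  width: 740px;
  /*height: 800px;*/
  -webkit-transform: translate3d(0%, 0, 0);
  -ms-transform: translate3d(0%, 0, 0);
  -o-transform: translate3d(0%, 0, 0);
  transform: translate3d(0%, 0, 0);
}

.modal.left .modal-content,
.modal.right .modal-content {
  height: 100%;
  overflow-y: auto;
}

.modal.left .modal-body,
.modal.right .modal-body {
  padding: 15px 15px 80px;
}

/* Left: slide in from off-screen left. */
.modal.left.fade .modal-dialog {
  left: -320px;
  -webkit-transition: opacity 0.3s linear, left 0.3s ease-out;
  -moz-transition: opacity 0.3s linear, left 0.3s ease-out;
  -o-transition: opacity 0.3s linear, left 0.3s ease-out;
  transition: opacity 0.3s linear, left 0.3s ease-out;
}

.modal.left.fade.in .modal-dialog {
  left: 0;
}

/* Right: slide in from off-screen right (faster easing than the left variant). */
.modal.right.fade .modal-dialog {
  right: -520px;
  -webkit-transition: opacity 0.3s linear, right 0.1s ease-out;
  -moz-transition: opacity 0.3s linear, right 0.1s ease-out;
  -o-transition: opacity 0.3s linear, right 0.1s ease-out;
  transition: opacity 0.3s linear, right 0.1s ease-out;
}

.modal.right.fade.in .modal-dialog {
  right: 0;
}

/* ----- MODAL STYLE ----- */
.modal-content {
  /* Was `border-radius: 1;` — a unitless non-zero length is invalid CSS, so
     browsers dropped the declaration and the framework's default rounded
     corners stayed in effect. `0` gives the square-edged panel the sidebar
     snippet presumably intends; use `1px` instead if a hairline radius was
     meant. */
  border-radius: 0;
  border: none;
}

.modal-header {
  border-bottom-color: #EEEEEE;
}

.modal-content textarea,
.modal-content input,
.modal-content select {
  border: 1px solid #ccc;
  font-family: trebuchet ms, sans-serif;
}

#control-editor-narrative {
  font-size: 8pt;
  font-family: trebuchet ms, sans-serif;
}

/*******************************
 * misc
 *******************************/

.ctl-btns .btn {
  width: 97px;
  overflow: hidden;
  height: 3.5em;
  margin: 0 .9em .9em 0;
}

/*******************************
 * Page loading spinner
 *******************************/

div#loading {
  width: 35px;
  height: 35px;
  display: none;
  /*background: url(/static/loadingimage.gif) no-repeat;*/
  cursor: wait;
  margin: auto;
  margin-top: 20%;
}

/* https://github.com/tobiasahlin/SpinKit */
.spinner {
  margin: 10px auto;
  width: 50px;
  height: 40px;
  text-align: center;
  font-size: 10px;
}

.spinner > div {
  background-color: #333;
  height: 100%;
  width: 6px;
  display: inline-block;
  -webkit-animation: sk-stretchdelay 1.2s infinite ease-in-out;
  animation: sk-stretchdelay 1.2s infinite ease-in-out;
}

/* Negative delays stagger the five bars so they start mid-animation. */
.spinner .rect2 {
  -webkit-animation-delay: -1.1s;
  animation-delay: -1.1s;
}

.spinner .rect3 {
  -webkit-animation-delay: -1.0s;
  animation-delay: -1.0s;
}

.spinner .rect4 {
  -webkit-animation-delay: -0.9s;
  animation-delay: -0.9s;
}

.spinner .rect5 {
  -webkit-animation-delay: -0.8s;
  animation-delay: -0.8s;
}

@-webkit-keyframes sk-stretchdelay {
  0%, 40%, 100% { -webkit-transform: scaleY(0.4) }
  20% { -webkit-transform: scaleY(1.0) }
}

@keyframes sk-stretchdelay {
  0%, 40%, 100% {
    transform: scaleY(0.4);
    -webkit-transform: scaleY(0.4);
  }
  20% {
    transform: scaleY(1.0);
    -webkit-transform: scaleY(1.0);
  }
}

/* Status colour helpers. */
.color-green { color: green; }
.color-cyan { color: cyan; }
.color-gold { color: gold; }
.color-grey { color: grey; }
.color-red { color: red; }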
316 | 317 | .card-control.active { 318 | border: 1px solid #BBB; 319 | background-color: #F3EAE5; 320 | } -------------------------------------------------------------------------------- /static/img/Rocky_Mountain_National_Park.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GovReady/hyperGRC/f582cc5df6abb8ee7e76f669004bd311def23825/static/img/Rocky_Mountain_National_Park.jpg -------------------------------------------------------------------------------- /static/js/autosize.js: -------------------------------------------------------------------------------- 1 | /*! 2 | autosize 4.0.2 3 | license: MIT 4 | http://www.jacklmoore.com/autosize 5 | */ 6 | (function (global, factory) { 7 | if (typeof define === "function" && define.amd) { 8 | define(['module', 'exports'], factory); 9 | } else if (typeof exports !== "undefined") { 10 | factory(module, exports); 11 | } else { 12 | var mod = { 13 | exports: {} 14 | }; 15 | factory(mod, mod.exports); 16 | global.autosize = mod.exports; 17 | } 18 | })(this, function (module, exports) { 19 | 'use strict'; 20 | 21 | var map = typeof Map === "function" ? 
new Map() : function () { 22 | var keys = []; 23 | var values = []; 24 | 25 | return { 26 | has: function has(key) { 27 | return keys.indexOf(key) > -1; 28 | }, 29 | get: function get(key) { 30 | return values[keys.indexOf(key)]; 31 | }, 32 | set: function set(key, value) { 33 | if (keys.indexOf(key) === -1) { 34 | keys.push(key); 35 | values.push(value); 36 | } 37 | }, 38 | delete: function _delete(key) { 39 | var index = keys.indexOf(key); 40 | if (index > -1) { 41 | keys.splice(index, 1); 42 | values.splice(index, 1); 43 | } 44 | } 45 | }; 46 | }(); 47 | 48 | var createEvent = function createEvent(name) { 49 | return new Event(name, { bubbles: true }); 50 | }; 51 | try { 52 | new Event('test'); 53 | } catch (e) { 54 | // IE does not support `new Event()` 55 | createEvent = function createEvent(name) { 56 | var evt = document.createEvent('Event'); 57 | evt.initEvent(name, true, false); 58 | return evt; 59 | }; 60 | } 61 | 62 | function assign(ta) { 63 | if (!ta || !ta.nodeName || ta.nodeName !== 'TEXTAREA' || map.has(ta)) return; 64 | 65 | var heightOffset = null; 66 | var clientWidth = null; 67 | var cachedHeight = null; 68 | 69 | function init() { 70 | var style = window.getComputedStyle(ta, null); 71 | 72 | if (style.resize === 'vertical') { 73 | ta.style.resize = 'none'; 74 | } else if (style.resize === 'both') { 75 | ta.style.resize = 'horizontal'; 76 | } 77 | 78 | if (style.boxSizing === 'content-box') { 79 | heightOffset = -(parseFloat(style.paddingTop) + parseFloat(style.paddingBottom)); 80 | } else { 81 | heightOffset = parseFloat(style.borderTopWidth) + parseFloat(style.borderBottomWidth); 82 | } 83 | // Fix when a textarea is not on document body and heightOffset is Not a Number 84 | if (isNaN(heightOffset)) { 85 | heightOffset = 0; 86 | } 87 | 88 | update(); 89 | } 90 | 91 | function changeOverflow(value) { 92 | { 93 | // Chrome/Safari-specific fix: 94 | // When the textarea y-overflow is hidden, Chrome/Safari do not reflow the text to account for the 
space 95 | // made available by removing the scrollbar. The following forces the necessary text reflow. 96 | var width = ta.style.width; 97 | ta.style.width = '0px'; 98 | // Force reflow: 99 | /* jshint ignore:start */ 100 | ta.offsetWidth; 101 | /* jshint ignore:end */ 102 | ta.style.width = width; 103 | } 104 | 105 | ta.style.overflowY = value; 106 | } 107 | 108 | function getParentOverflows(el) { 109 | var arr = []; 110 | 111 | while (el && el.parentNode && el.parentNode instanceof Element) { 112 | if (el.parentNode.scrollTop) { 113 | arr.push({ 114 | node: el.parentNode, 115 | scrollTop: el.parentNode.scrollTop 116 | }); 117 | } 118 | el = el.parentNode; 119 | } 120 | 121 | return arr; 122 | } 123 | 124 | function resize() { 125 | if (ta.scrollHeight === 0) { 126 | // If the scrollHeight is 0, then the element probably has display:none or is detached from the DOM. 127 | return; 128 | } 129 | 130 | var overflows = getParentOverflows(ta); 131 | var docTop = document.documentElement && document.documentElement.scrollTop; // Needed for Mobile IE (ticket #240) 132 | 133 | ta.style.height = ''; 134 | ta.style.height = ta.scrollHeight + heightOffset + 'px'; 135 | 136 | // used to check if an update is actually necessary on window.resize 137 | clientWidth = ta.clientWidth; 138 | 139 | // prevents scroll-position jumping 140 | overflows.forEach(function (el) { 141 | el.node.scrollTop = el.scrollTop; 142 | }); 143 | 144 | if (docTop) { 145 | document.documentElement.scrollTop = docTop; 146 | } 147 | } 148 | 149 | function update() { 150 | resize(); 151 | 152 | var styleHeight = Math.round(parseFloat(ta.style.height)); 153 | var computed = window.getComputedStyle(ta, null); 154 | 155 | // Using offsetHeight as a replacement for computed.height in IE, because IE does not account use of border-box 156 | var actualHeight = computed.boxSizing === 'content-box' ? 
Math.round(parseFloat(computed.height)) : ta.offsetHeight; 157 | 158 | // The actual height not matching the style height (set via the resize method) indicates that 159 | // the max-height has been exceeded, in which case the overflow should be allowed. 160 | if (actualHeight < styleHeight) { 161 | if (computed.overflowY === 'hidden') { 162 | changeOverflow('scroll'); 163 | resize(); 164 | actualHeight = computed.boxSizing === 'content-box' ? Math.round(parseFloat(window.getComputedStyle(ta, null).height)) : ta.offsetHeight; 165 | } 166 | } else { 167 | // Normally keep overflow set to hidden, to avoid flash of scrollbar as the textarea expands. 168 | if (computed.overflowY !== 'hidden') { 169 | changeOverflow('hidden'); 170 | resize(); 171 | actualHeight = computed.boxSizing === 'content-box' ? Math.round(parseFloat(window.getComputedStyle(ta, null).height)) : ta.offsetHeight; 172 | } 173 | } 174 | 175 | if (cachedHeight !== actualHeight) { 176 | cachedHeight = actualHeight; 177 | var evt = createEvent('autosize:resized'); 178 | try { 179 | ta.dispatchEvent(evt); 180 | } catch (err) { 181 | // Firefox will throw an error on dispatchEvent for a detached element 182 | // https://bugzilla.mozilla.org/show_bug.cgi?id=889376 183 | } 184 | } 185 | } 186 | 187 | var pageResize = function pageResize() { 188 | if (ta.clientWidth !== clientWidth) { 189 | update(); 190 | } 191 | }; 192 | 193 | var destroy = function (style) { 194 | window.removeEventListener('resize', pageResize, false); 195 | ta.removeEventListener('input', update, false); 196 | ta.removeEventListener('keyup', update, false); 197 | ta.removeEventListener('autosize:destroy', destroy, false); 198 | ta.removeEventListener('autosize:update', update, false); 199 | 200 | Object.keys(style).forEach(function (key) { 201 | ta.style[key] = style[key]; 202 | }); 203 | 204 | map.delete(ta); 205 | }.bind(ta, { 206 | height: ta.style.height, 207 | resize: ta.style.resize, 208 | overflowY: ta.style.overflowY, 209 | 
overflowX: ta.style.overflowX, 210 | wordWrap: ta.style.wordWrap 211 | }); 212 | 213 | ta.addEventListener('autosize:destroy', destroy, false); 214 | 215 | // IE9 does not fire onpropertychange or oninput for deletions, 216 | // so binding to onkeyup to catch most of those events. 217 | // There is no way that I know of to detect something like 'cut' in IE9. 218 | if ('onpropertychange' in ta && 'oninput' in ta) { 219 | ta.addEventListener('keyup', update, false); 220 | } 221 | 222 | window.addEventListener('resize', pageResize, false); 223 | ta.addEventListener('input', update, false); 224 | ta.addEventListener('autosize:update', update, false); 225 | ta.style.overflowX = 'hidden'; 226 | ta.style.wordWrap = 'break-word'; 227 | 228 | map.set(ta, { 229 | destroy: destroy, 230 | update: update 231 | }); 232 | 233 | init(); 234 | } 235 | 236 | function destroy(ta) { 237 | var methods = map.get(ta); 238 | if (methods) { 239 | methods.destroy(); 240 | } 241 | } 242 | 243 | function update(ta) { 244 | var methods = map.get(ta); 245 | if (methods) { 246 | methods.update(); 247 | } 248 | } 249 | 250 | var autosize = null; 251 | 252 | // Do nothing in Node.js environment and IE8 (or lower) 253 | if (typeof window === 'undefined' || typeof window.getComputedStyle !== 'function') { 254 | autosize = function autosize(el) { 255 | return el; 256 | }; 257 | autosize.destroy = function (el) { 258 | return el; 259 | }; 260 | autosize.update = function (el) { 261 | return el; 262 | }; 263 | } else { 264 | autosize = function autosize(el, options) { 265 | if (el) { 266 | Array.prototype.forEach.call(el.length ? el : [el], function (x) { 267 | return assign(x, options); 268 | }); 269 | } 270 | return el; 271 | }; 272 | autosize.destroy = function (el) { 273 | if (el) { 274 | Array.prototype.forEach.call(el.length ? el : [el], destroy); 275 | } 276 | return el; 277 | }; 278 | autosize.update = function (el) { 279 | if (el) { 280 | Array.prototype.forEach.call(el.length ? 
el : [el], update); 281 | } 282 | return el; 283 | }; 284 | } 285 | 286 | exports.default = autosize; 287 | module.exports = exports['default']; 288 | }); -------------------------------------------------------------------------------- /static/js/autosize.min.js: -------------------------------------------------------------------------------- 1 | /*! 2 | autosize 4.0.2 3 | license: MIT 4 | http://www.jacklmoore.com/autosize 5 | */ 6 | !function(e,t){if("function"==typeof define&&define.amd)define(["module","exports"],t);else if("undefined"!=typeof exports)t(module,exports);else{var n={exports:{}};t(n,n.exports),e.autosize=n.exports}}(this,function(e,t){"use strict";var n,o,p="function"==typeof Map?new Map:(n=[],o=[],{has:function(e){return-1 5 | 6 | # Basic Lines-Of-Code counter in Python source files, reporting the 7 | # number of blank, comment and source code lines and total number of 8 | # lines in all Python files scanned. 9 | 10 | # Usage example: 11 | 12 | # % python locs.py -rec ~/Projects 13 | # 8691 *.py files: 365038 blank (14.0%), 212100 comment (8.1%), 14 | # 2030198 source (77.9%), 2607336 total lines 15 | # (2.739 secs, 951872 lines/sec) 16 | 17 | # % python3 locs.py -rec ~/Projects 18 | # 8691 *.py files: 365037 blank (14.0%), 212100 comment (8.1%), 19 | # 2030198 source (77.9%), 2607335 total lines 20 | # (2.599 secs, 1003158 lines/sec) 21 | 22 | # % python3 locs.py -h 23 | # usage: locs.py [-help] [-recurse] [-verbose] ... 24 | 25 | # Tested with 64-bit Python 2.7.10 and 3.5.1 on MacOS 10.11.6 only. 26 | 27 | from glob import iglob 28 | from os.path import basename, exists, isdir, join 29 | from time import time 30 | 31 | __all__ = ('Loc',) 32 | __version__ = '16.10.25' 33 | 34 | 35 | class Loc(object): 36 | '''Lines-Of-Code accumulator. 
'''
    # Running totals across every file processed so far (updated by afile).
    blank = 0
    comment = 0
    files = 0
    source = 0
    ext = '.py'  # only files ending with this suffix are counted (see afile)

    _time0 = 0  # time() taken in __init__; __str__ reports elapsed time from it

    _recurse = False  # print a per-directory summary while descending (see adir)
    _verbose = False  # print a per-file summary line (see afile)

    def __init__(self, recurse=False, verbose=False):
        # Only truthy values override the class-level defaults above.
        if recurse:
            self._recurse = recurse
        if verbose:
            self._verbose = verbose
        self._time0 = time()

    def __str__(self):
        '''Return a one-line summary: file count, blank/comment/source
        breakdown and throughput in lines per second.
        '''
        s = time() - self._time0
        n = self.source + self.comment + self.blank
        # Lines/sec is only reported when some time has elapsed and there
        # are more lines than seconds; otherwise a dash is printed.
        p = int(n / s) if n > s > 0 else '-'
        t = ['%s *%s files:' % (self.files, self.ext),
             self._bcst(self.blank, self.comment, self.source),
             '(%.3f secs, %s lines/sec)' % (s, p)]
        return ' '.join(t)

    def _bcst(self, blank, comment, source):
        '''Format the blank, comment and source counts, each with its
        percentage of the total, followed by the total line count.
        '''
        t, n = [], blank + comment + source
        for a, v in (('blank', blank),
                     ('comment', comment),
                     ('source', source)):
            # No percentage when there are no lines at all (avoids /0).
            p = ' (%.1f%%)' % ((v * 100.0) / n,) if n > 0 else ''
            t.append('%s %s%s' % (v, a, p))
        t.append('%s total lines' % (n,))
        return ', '.join(t)

    def adir(self, name):
        '''Process a directory.

        NOTE(review): both branches descend into the directory via aglob;
        _recurse only adds the per-directory summary line.  Confirm that
        non-recursive runs are meant to descend as well.
        '''
        if self._recurse:
            if self._verbose:
                print(' dir %s: %s' % (name, '...'))
            # Snapshot the totals so this directory's own contribution can
            # be reported once its contents have been counted.
            b, c, s = self.blank, self.comment, self.source
            self.aglob(join(name, '*'))
            b = self.blank - b
            c = self.comment - c
            s = self.source - s
            t = name, self._bcst(b, c, s)
            print(' dir %s: %s' % t)
        else:
            self.aglob(join(name, '*'))

    def afile(self, name):
        '''Process a file.
93 | ''' 94 | if name.endswith(self.ext) and exists(name): 95 | b = c = s = 0 96 | with open(name, 'rb') as f: 97 | for t in f.readlines(): 98 | t = t.lstrip() 99 | if not t: 100 | b += 1 101 | elif t.startswith(b'#'): # Python 3+ 102 | c += 1 103 | else: 104 | s += 1 105 | 106 | self.blank += b 107 | self.comment += c 108 | self.source += s 109 | self.files += 1 110 | if self._verbose: 111 | t = self.files, name, self._bcst(b, c, s) 112 | print('file %s %s: %s' % t) 113 | 114 | def aglob(self, wild): 115 | '''Process a possible wildcard. 116 | ''' 117 | for t in iglob(wild): 118 | if isdir(t): 119 | self.adir(t) 120 | else: 121 | self.afile(t) 122 | 123 | 124 | if __name__ == '__main__': 125 | 126 | import sys 127 | 128 | argv0 = basename(sys.argv[0]) 129 | 130 | loc = Loc() 131 | try: 132 | for arg in sys.argv[1:]: 133 | if not arg.startswith('-'): 134 | loc.aglob(arg) 135 | 136 | elif '-help'.startswith(arg): 137 | print('usage: %s [-help] [-recurse] [-verbose] ...' % (argv0,)) 138 | sys.exit(0) 139 | elif '-recurse'.startswith(arg): 140 | loc._recurse = True 141 | elif '-verbose'.startswith(arg): 142 | loc._verbose = True 143 | elif arg != '--': 144 | print('%s: invalid option: %r' % (argv0, arg)) 145 | sys.exit(1) 146 | 147 | except KeyboardInterrupt: 148 | print('') 149 | 150 | print('%s' % (loc,)) 151 | -------------------------------------------------------------------------------- /utils/lint.py: -------------------------------------------------------------------------------- 1 | # python lint.py file.yaml 2 | # python lint.py file1.yaml file2.yaml file3.yaml 3 | # # dry run (no changes) 4 | # python lint.py -n file.yaml 5 | # 6 | # Example: 7 | # python lint.py components/Drupal/AC-ACCESS_CONTROL.yaml 8 | # 9 | 10 | 11 | import argparse 12 | import difflib 13 | 14 | import rtyaml 15 | 16 | 17 | # Parse command-line arguments. 
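# Command line: one or more YAML paths, plus -n to preview instead of rewrite.
parser = argparse.ArgumentParser(description='Lint some YAML files.')
# The original help text ("an integer for the accumulator") was copied from
# the argparse docs and did not describe this argument.
parser.add_argument('files', nargs='+', help='YAML file(s) to lint')
parser.add_argument('-n', dest="dry_run", action='store_true',
                    help='dry run (print diff instead of rewriting file)')
args = parser.parse_args()

# Process each file on the command line.
for fn in args.files:
    # Keep the original text so the dry-run diff shows exactly what would change.
    with open(fn, encoding="utf8") as f:
        in_text = f.read()
    # NOTE(review): rtyaml.load is expected to be a safe (no arbitrary-object)
    # YAML loader; the inputs are the repository's own component files, but
    # confirm that before pointing this script at files from elsewhere.
    data = rtyaml.load(in_text)

    # "Linting" is a round-trip: re-dump the parsed document in rtyaml's
    # canonical layout.
    out_text = rtyaml.dump(data)

    # If doing a dry run, show a unified diff and leave the file untouched.
    if args.dry_run:
        diff = difflib.unified_diff(
            in_text.split("\n"),
            out_text.split("\n"),
            fromfile=fn + " (original)",
            tofile=fn + " (linted)",
            lineterm="")
        for line in diff:
            print(line)
        continue

    # Already canonical: skip the write so the file's mtime is not touched.
    if out_text == in_text:
        continue

    # Write back with the same encoding the file was read with, so non-ASCII
    # text round-trips instead of depending on the locale's default encoding.
    with open(fn, "w", encoding="utf8") as f:
        f.write(out_text)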