Repository tree:

```
├── .gitignore
├── LICENSE
├── Makefile
├── README.md
├── assets
│   ├── detailpage.png
│   ├── example.pdf
│   ├── freedonia-hgrc-01.png
│   ├── freedonia-hgrc-02.png
│   ├── freedonia-hgrc-03.png
│   ├── frontpage.png
│   └── pdffirstpage.png
├── certifications
│   ├── FredRAMP-low.yaml
│   └── fisma-low-impact.yaml
├── components
│   ├── AU_policy
│   │   └── component.yaml
│   ├── AWS_core
│   │   └── component.yaml
│   └── AWS_implementation
│       └── component.yaml
├── markdowns
│   ├── README.md
│   ├── SUMMARY.md
│   └── docs
│       ├── Waterfall_model.png
│       └── about-the-ssp.md
├── opencontrol.yaml
└── standards
    ├── FRIST-800-53.yaml
    └── NIST-SP-800-53-rev4.yaml
```

/.gitignore:
--------------------------------------------------------------------------------
```
exports/
*.env
*.swp
*__pycache__/
_book/
*.pyc
tests/security-group-test-app/Godeps/_workspace/
*.python-version
.cache/
schemas/
opencontrols
.DS_Store
```

/LICENSE:
--------------------------------------------------------------------------------
CC0 1.0 Universal

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes. These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others.

For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following:

i. the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work;

ii. moral rights retained by the original author(s) and/or performer(s);

iii. publicity and privacy rights pertaining to a person's image or likeness depicted in a Work;

iv. rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below;

v. rights protecting the extraction, dissemination, use and reuse of data in a Work;

vi. database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and

vii. other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose.

4. Limitations and Disclaimers.

a. No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document.

b. Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the present or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.

c. Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work.

d. Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work.

For more information, please see

/Makefile:
--------------------------------------------------------------------------------
```makefile
# This makefile provides some shortcuts for generating updated documents
# based on any changes in the input files. Typical usage to make a
# PDF complete from all sources:
#   `make clean pdf`
# or likewise for serving the content:
#   `make clean serve`
#
# FIXME: Add rules so generated files are compared instead of their directories

CM = compliance-masonry
GB = gitbook

# GNU Make trick from
# http://stackoverflow.com/questions/5618615/check-if-a-program-exists-from-a-makefile
# Fails early with a clear message if either tool is missing from PATH.
EXECUTABLES = $(CM) $(GB)
K := $(foreach exec,$(EXECUTABLES),\
	$(if $(shell which $(exec)),some string,$(error "No $(exec) in PATH")))

default: pdf

clean:
	rm -rf exports/ opencontrols/

pdf: exports
	cd exports && gitbook pdf ./ ../assets/example.pdf

serve: exports
	cd exports && gitbook serve

exports: opencontrols
	${CM} docs gitbook FredRAMP-low

# The component files live one level deeper than the original `*/component.yaml`
# glob reached, so they are listed as components/*/component.yaml here; otherwise
# editing a component narrative would not trigger a rebuild.
opencontrols: opencontrol.yaml components/*/component.yaml markdowns/*/*md markdowns/*md
	-${CM} get

coverage:
	${CM} diff FredRAMP-low
```
/README.md:
--------------------------------------------------------------------------------
Beginner Exercise for OpenControl: Welcome to Freedonia Compliance
===================================================================

_Updated and tested in February 2019!_

This project repository demonstrates a simple `System Security Plan` generated using the [OpenControl](http://open-control.org/) framework to automate security compliance paperwork.

Audience
---------

Anyone trying to get started with [OpenControl](http://open-control.org/), [Compliance-Masonry](https://github.com/opencontrol/compliance-masonry), and [hyperGRC](https://github.com/GovReady/hyperGRC):

* FISMA newbies who don't want to write big Word documents
* FISMA experts who need a more efficient way of doing paperwork
* FISMA enforcers who need to trust the OpenControl model and tools we're presenting

Scenario
--------

Freedonia modeled their `FRedRAMP` program for cyber security certification of major Information Systems after America's `FedRAMP` program for certifying cloud service providers.

The starting point for `FRedRAMP` certifications is the `FRIST 800-53`, which is like America's `NIST 800-53` except with fewer security controls.

### The Controls

Freedonia's `FRIST 800-53` has only 6 security controls:

| ID   | Title | Type |
| ---- | ----- | ---- |
| AU-1 | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES | organizational control on audit policy |
| AU-2 | AUDIT EVENTS | technical control at the node level |
| PE-2 | PHYSICAL ACCESS AUTHORIZATIONS | organizational control on who accesses the data center |
| SC-1 | SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES | organizational control on how components communicate securely |
| SC-7 | BOUNDARY PROTECTION | technical control defending the boundary of the entire system |
| XX-1 | MOCK/DUMMY CONTROL | here to demonstrate that a control in a standard does not have to be referenced in a certification |

### The Certification

The certification of `FRedRAMP-Low` requires all the above controls except for XX-1.

The standards and certifications are included in this repository, but also housed in a separate repository for easier re-use at [https://github.com/opencontrol/freedonia-frist](https://github.com/opencontrol/freedonia-frist).

### The Information System

The system we're building is a 'Hello World' website for Freedonia, which will comprise:

* Two Amazon Web Services Virtual Private Clouds (AWS VPCs), one each for development and production
* In each AWS VPC, one node with the `NGINX` web server and the static content for the website
* Infrastructure for logging traffic

\[Note: This system is still fictitious, but could be built if it helps Masonry users understand the process\]

Requirements to Use OpenControl
--------------------------------
These steps assume you already have:

* a \*nix type operating system
* [Compliance Masonry installed](https://github.com/opencontrol/compliance-masonry#installation)
* `calibre` installed for PDF generation
  * For OS X with Homebrew installed, try `brew cask install calibre`
* `node-js` installed for local viewing at http://localhost:4000


Minimal File Structure for an OpenControl-based SSP
----------------------------------------------------

Here's the tree structure of our repository:

```
.
├── README.md                  # the file you're reading now
├── components
│   ├── AU_policy
│   │   └── component.yaml     # a local description of the Audit policy (AU)
│   ├── AWS_core
│   │   └── component.yaml     # a local description of the "AWS core" component
│   └── AWS_implementation
│       └── component.yaml     # a local description of the "AWS implementation" component
│
├── markdowns
│   ├── README.md              # the introduction to the entire SSP
│   ├── SUMMARY.md             # a table of contents for narrative documents of the SSP
│   └── docs                   # directory for narrative documents
│       ├── about-the-ssp.md
│       └── Waterfall_model.png    # an example image
├── opencontrol.yaml           # the schema for the SSP and its remote resources/dependencies
```

Running `compliance-masonry` will also generate the directories `opencontrols` and `exports`.

It just so happens you can get these files and file tree structure by cloning this repository!

#### The opencontrol.yaml Config File

Notice one file in particular, the `opencontrol.yaml` file in the root directory of the tree. The `opencontrol.yaml` file is key to using OpenControl.

OpenControl uses a config file called `opencontrol.yaml`, following the popular configuration file pattern we see with so many tools today. Every OpenControl repository will have at least one `opencontrol.yaml` file providing critical information and, importantly, information about dependencies on other OpenControl YAML files and repos.

Here's what the `opencontrol.yaml` file for our Freedonia project looks like:

```yaml
schema_version: "1.0.0"
name: freedonia.fd
metadata:
  description: Simple example of OpenControl Compliance-as-Code
  maintainers:
    - greg.elin@govready.com
components:
  - ./components/AU_policy
  - ./components/AWS_core
  - ./components/AWS_implementation
standards:
  - ./standards/FRIST-800-53.yaml
certifications:
  - ./certifications/FredRAMP-low.yaml
```

Using Compliance-Masonry Quickstart to Build your SSP from Structured Data
--------------------------------------------------------------------------

Clone this repo, then `cd` into `freedonia-compliance`. Then run:

```shell
compliance-masonry get
compliance-masonry docs gitbook FredRAMP-low
```

The `compliance-masonry get` command reads the `opencontrol.yaml` file and retrieves all the dependencies, even from other OpenControl repositories!

The `compliance-masonry docs gitbook FredRAMP-low` command generates a document, in `gitbook` format, of the components and standards matching the `FRedRAMP-Low` certification.

At this point, you have generated content for your `SSP` inside the `exports` directory, which artfully combines data from all the other OpenControl `YAML` files into a `gitbook`!

Our next step is to publish/deploy our `gitbook` content representing our SSP for shared human access. First, install [GitBook](https://github.com/GitbookIO/gitbook-cli#readme):

```shell
npm install -g gitbook-cli
```

To make a PDF version:

```shell
cd exports && gitbook pdf ./ ./compliance.pdf
# creates the PDF at `exports/compliance.pdf`
```

> ![PDF screenshot](./assets/pdffirstpage.png)

A complete generated PDF is [included here](./assets/example.pdf).

To make an HTML website version:

```shell
cd exports && gitbook serve
# visit your HTML SSP at http://localhost:4000
```

The front page looks like this:

> ![frontpage](./assets/frontpage.png)

and like this on the page for a particular control:

> ![detailpage](./assets/detailpage.png)

The steps above are included in the project's `Makefile`, so you can reliably run, say:

```shell
make clean pdf
# or
make clean serve
```

hyperGRC Quickstart to Maintain your SSP Control Content in a GUI with Structured Data
---------------------------------------------------------------------------------------

Clone this repo and clone [hyperGRC](https://github.com/GovReady/hyperGRC).

Then `cd` into the `hyperGRC` repository and follow the `README.md` instructions to install the Python packages.

To view Freedonia-Compliance in hyperGRC:

```shell
python -m hypergrc ../freedonia-compliance/
```
_NOTE: Python 3.5 or higher required. Also, your path to the freedonia-compliance repo may be different._

Visit your OpenControl repo in a GUI at `http://localhost:8000`

See a list of components:

> ![components](./assets/freedonia-hgrc-01.png)

View controls associated with a component:

> ![component-controls](./assets/freedonia-hgrc-02.png)

View a control assembled from components:

> ![control](./assets/freedonia-hgrc-03.png)

Review
-------

We've generated a very simple `System Security Plan` from a bunch of re-usable `YAML` files and Markdown content in a computer-controlled pipeline style instead of manually created Word documents.

There are big benefits to this approach:

1. Our `SSP` is now managed like our codebase; any time we update our code we can also update our `SSP` and publish a new one with a single click
2. Our `SSP` is more structured and more machine-readable, so we can do other processing
3. We can document compliance of re-usable components ONCE and re-use the documentation, too

Next Steps
----------

OK. So we got a document. But how do we include actual verification of the controls in the document? We've started another repo (still in progress) to show building a system and documentation together, and deploying both. Visit [freedonia-aws-compliance](https://github.com/opencontrol/freedonia-aws-compliance) for that.

You could use this repo as a kind of stub file for your own compliance documentation. Just change the `opencontrol.yaml` file and the content in the repo.


Feedback
--------

Please [open an issue](https://github.com/opencontrol/freedonia-compliance/issues) as needed.
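As an added example (not part of this repository and not Compliance Masonry's own code), the script below re-implements the idea behind `compliance-masonry diff FredRAMP-low` and the Makefile's `coverage` target: for one certification it reports which required controls no component addresses, which have narratives but no implemented status, and which reference controls the standard file never defines. The dicts are constructed copies of this repo's YAML files in the shape `yaml.safe_load()` returns; `load_repo()` reads the real files and needs PyYAML.

```python
"""Coverage check for an OpenControl repo (added example, not Masonry's code).

The dicts below are constructed copies of this repo's YAML files, in the
shape yaml.safe_load() returns for them. load_repo() reads the real files.
"""
from collections import defaultdict

# The repo uses both spellings for a finished control, so accept both.
IMPLEMENTED = {"implemented", "complete"}

STANDARDS = {
    "FRIST-800-53": {
        "AU-1": {"family": "AU", "name": "Audit and Accountability Policy and Procedures"},
        "AU-2": {"family": "AU", "name": "Audit Events"},
        "AU-2 (3)": {"family": "AU", "name": "Audit Events | Reviews and Updates"},
        "PE-2": {"family": "PE", "name": "Physical Access Authorizations"},
        "SC-1": {"family": "SC", "name": "System and Communications Protection Policy and Procedures"},
        "SC-7": {"family": "SC", "name": "Boundary Protection"},
        "XX-1": {"family": "XX", "name": "Dummy Mock Control"},
    }
}

CERTIFICATION = {
    "name": "FredRAMP-low",
    "standards": {"FRIST-800-53": {"AU-1": {}, "AU-2": {}, "PE-2": {}, "SC-1": {}, "SC-7": {}}},
}


def _claim(control, status):
    """One entry of a component's `satisfies:` list (narrative text omitted)."""
    return {"control_key": control, "standard_key": "FRIST-800-53",
            "covered_by": [], "implementation_status": status}


COMPONENTS = [
    {"name": "Audit Policy", "satisfies": [_claim("AU-1", "implemented"), _claim("AU-2", "none")]},
    {"name": "AWS Core", "satisfies": [_claim("PE-2", "complete")]},
    {"name": "AWS Implementation",
     "satisfies": [_claim("AU-2", "none"), _claim("SC-1", "none"), _claim("SC-7", "none")]},
]


def coverage(certification, standards, components):
    """Report how a set of components covers one certification.

    required     (standard, control) pairs the certification asks for
    undefined    required pairs the standard files do not define (typos, wrong revision)
    claims       required pair -> [(component name, implementation_status), ...]
    unaddressed  required pairs no component writes a narrative for
    pending      required pairs whose narratives all lack an implemented status
    stray        component claims against a standard/control not in the repo
    """
    def defined(std, ctl):
        return std in standards and ctl in standards[std]

    required = [(std, ctl) for std, ctls in certification["standards"].items() for ctl in ctls]
    undefined = [p for p in required if not defined(*p)]

    claims, stray = defaultdict(list), []
    for comp in components:
        for s in comp.get("satisfies", []):
            pair = (s["standard_key"], s["control_key"])
            if not defined(*pair):
                stray.append((comp["name"], *pair))
            elif pair in required:  # claims for controls outside the cert are ignored
                claims[pair].append((comp["name"], s.get("implementation_status", "none")))

    unaddressed = [p for p in required if p not in claims]
    pending = sorted(p for p, who in claims.items()
                     if not any(st in IMPLEMENTED for _, st in who))
    return {"required": required, "undefined": undefined, "claims": dict(claims),
            "unaddressed": unaddressed, "pending": pending, "stray": stray}


def load_repo(root):
    """Load a repo's local opencontrol.yaml, standards, certifications and components.

    Needs PyYAML. Remote `dependencies:` (what `compliance-masonry get` fetches
    into opencontrols/) are not followed here.
    """
    import yaml
    from pathlib import Path
    root = Path(root)
    oc = yaml.safe_load((root / "opencontrol.yaml").read_text())
    standards = {}
    for p in oc.get("standards", []):
        std = yaml.safe_load((root / p).read_text())
        standards[std.pop("name")] = std          # the remaining keys are the controls
    certs = [yaml.safe_load((root / p).read_text()) for p in oc.get("certifications", [])]
    comps = [yaml.safe_load((root / p / "component.yaml").read_text())
             for p in oc.get("components", [])]
    return certs, standards, comps


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:          # e.g. python coverage_check.py ../freedonia-compliance
        certs, stds, comps = load_repo(sys.argv[1])
        cert = certs[0]
    else:                          # fall back to the constructed copies above
        cert, stds, comps = CERTIFICATION, STANDARDS, COMPONENTS
    rep = coverage(cert, stds, comps)
    for key in ("undefined", "unaddressed", "pending", "stray"):
        print(f"{key:12s} {rep[key]}")
```

For this repo every certified control has a narrative, but only AU-1 and PE-2 carry an implemented status, so AU-2, SC-1 and SC-7 show up as pending.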
/assets/detailpage.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/opencontrol/freedonia-compliance/85d5fea6c78fbdfd934f79aeb606ff495ddadc60/assets/detailpage.png

/assets/example.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/opencontrol/freedonia-compliance/85d5fea6c78fbdfd934f79aeb606ff495ddadc60/assets/example.pdf

/assets/freedonia-hgrc-01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/opencontrol/freedonia-compliance/85d5fea6c78fbdfd934f79aeb606ff495ddadc60/assets/freedonia-hgrc-01.png

/assets/freedonia-hgrc-02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/opencontrol/freedonia-compliance/85d5fea6c78fbdfd934f79aeb606ff495ddadc60/assets/freedonia-hgrc-02.png

/assets/freedonia-hgrc-03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/opencontrol/freedonia-compliance/85d5fea6c78fbdfd934f79aeb606ff495ddadc60/assets/freedonia-hgrc-03.png

/assets/frontpage.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/opencontrol/freedonia-compliance/85d5fea6c78fbdfd934f79aeb606ff495ddadc60/assets/frontpage.png
/assets/pdffirstpage.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/opencontrol/freedonia-compliance/85d5fea6c78fbdfd934f79aeb606ff495ddadc60/assets/pdffirstpage.png

/certifications/FredRAMP-low.yaml:
--------------------------------------------------------------------------------
```yaml
name: FredRAMP-low
standards:

  FRIST-800-53:
    AU-1: {}
    AU-2: {}
    PE-2: {}
    SC-1: {}
    SC-7: {}
```

/certifications/fisma-low-impact.yaml:
--------------------------------------------------------------------------------
```yaml
# Based off Table D-2: SECURITY CONTROL BASELINES
# in NIST 800-53
# Current as of 2018-JUNE-2018
#
# Found on Page D-2 of NIST 800-53 rev 4:
# https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
#
name: FISMA Low Impact
standards:

  NIST SP 800-53 Revision 4:
    AC-1: {}
    AC-2: {}
    AC-3: {}
    AC-7: {}
    AC-8: {}
    AC-14: {}
    AC-17: {}
    AC-18: {}
    AC-19: {}
    AC-20: {}
    AC-22: {}
    AT-1: {}
    AT-2: {}
    AT-3: {}
    AT-4: {}
    AU-1: {}
    AU-2: {}
    AU-3: {}
    AU-4: {}
    AU-5: {}
    AU-6: {}
    AU-8: {}
    AU-9: {}
    AU-11: {}
    AU-12: {}
    CA-1: {}
    CA-2: {}
    CA-3: {}
    CA-5: {}
    CA-6: {}
    CA-7: {}
    CA-9: {}
    CM-1: {}
    CM-2: {}
    CM-4: {}
    CM-6: {}
    CM-7: {}
    CM-8: {}
    CM-10: {}
    CM-11: {}
    CP-1: {}
    CP-2: {}
    CP-3: {}
    CP-4: {}
    CP-9: {}
    CP-10: {}
    IA-1: {}
    IA-2 (1): {}
    IA-2 (12): {}
    IA-4: {}
    IA-5 (1): {}
    IA-5 (11): {}
    IA-6: {}
    IA-7: {}
    IA-8 (1): {}
    IA-8 (2): {}
    IA-8 (3): {}
    IA-8 (4): {}
    IR-1: {}
    IR-2: {}
    IR-4: {}
    IR-5: {}
    IR-6: {}
    IR-7: {}
    IR-8: {}
    MA-1: {}
    MA-2: {}
    MA-4: {}
    MA-5: {}
    MP-1: {}
    MP-2: {}
    MP-6: {}
    MP-7: {}
    PE-1: {}
    PE-2: {}
    PE-3: {}
    PE-6: {}
    PE-8: {}
    PE-12: {}
    PE-13: {}
    PE-14: {}
    PE-15: {}
    PE-16: {}
    PL-1: {}
    PL-2: {}
    PL-4: {}
    PS-1: {}
    PS-2: {}
    PS-3: {}
    PS-4: {}
    PS-5: {}
    PS-6: {}
    PS-7: {}
    PS-8: {}
    RA-1: {}
    RA-2: {}
    RA-3: {}
    RA-5: {}
    SA-1: {}
    SA-2: {}
    SA-3: {}
    SA-4 (10): {}
    SA-5: {}
    SA-9: {}
    SC-1: {}
    SC-5: {}
    SC-7: {}
    SC-12: {}
    SC-13: {}
    SC-15: {}
    SC-20: {}
    SC-21: {}
    SC-22: {}
    SC-39: {}
    SI-1: {}
    SI-2: {}
    SI-3: {}
    SI-4: {}
    SI-5: {}
    SI-12: {}
```

/components/AU_policy/component.yaml:
--------------------------------------------------------------------------------
```yaml
documentation_complete: false
name: Audit Policy
schema_version: 3.0.0
references:
  - name: AU Policy
    path: https://github.com/opencontrol/freedonia-policies/wiki/Audit-Policy
satisfies:
  - control_key: AU-1
    standard_key: FRIST-800-53
    covered_by: []
    implementation_status: implemented
    narrative:
      - text: |
          This text describes how our organization is meeting the requirements for the
          Audit policy, and also references a more complete description at ./AU_policy/README.md

          Since the AU-1 `control` is to document and disseminate a policy on Audit and Accountability,
          this narrative suffices to provide that control. A verification step could be something
          that checks that the referenced policy is no more than 365 days old.
  - control_key: AU-2
    standard_key: FRIST-800-53
    covered_by: []
    implementation_status: none
    narrative:
      - text: |
          Application and Server logs are sent to PaperTrail to provide audit
          reduction and report generation capabilities for Freedonia Devops and end users
          of the Freedonia hello_world system.

          PaperTrail is a SaaS for aggregation of audit log data across multiple systems and tiers.

          With the PaperTrail capability the organization's operations and development teams
          can structure and customize audit log queries to specific app instances, API
          calls, system metrics, user access, system components, network traffic flow and
          other criteria.
```

/components/AWS_core/component.yaml:
--------------------------------------------------------------------------------
```yaml
documentation_complete: false
name: AWS Core
schema_version: 3.0.0
satisfies:
  - control_key: PE-2
    standard_key: FRIST-800-53
    covered_by: []
    control_origin: inherited
    implementation_status: complete
    narrative:
      - text: |
          PE-2 - Physical Access Authorizations

          This text describes how our organization is meeting the requirements for
          PE-2 by dint of inheriting an approved set of Physical Environment controls
          with our use of AWS east/west or AWS GovCloud.
```

/components/AWS_implementation/component.yaml:
--------------------------------------------------------------------------------
```yaml
documentation_complete: false
name: AWS Implementation
schema_version: 3.0.0
references:
  - name: SC Policy
    path: https://github.com/opencontrol/freedonia-aws-compliance/wiki/Security-Controls
    type: URL
satisfies:
  - control_key: AU-2
    standard_key: FRIST-800-53
    covered_by: []
    implementation_status: none
    narrative:
      - text: |
          AU-2 - Audit Events
          All AWS events are sent to AWS CloudWatch.
          This is implemented with our Terraform build using the
          `aws_cloudtrail` resource (https://www.terraform.io/docs/providers/aws/r/cloudtrail.html)

          A verification step can be done by confirming the existence
          of the CloudWatch bucket etc. with InSpec.
  - control_key: SC-1
    standard_key: FRIST-800-53
    covered_by: []
    implementation_status: none
    narrative:
      - text: |
          SC-1 - System and Communications Protection Policy and Procedures
          This text describes how our organization is meeting the requirements for the
          Security Controls policy, and also references a more complete description in
          the referenced document at
          https://github.com/opencontrol/freedonia-aws-compliance/wiki/Security-Controls


          Since the SC-1 `control` is to document and disseminate a policy on
          Security Controls,
          this narrative suffices to provide that control. A verification step could be something
          that checks that the referenced policy is no more than 365 days old.
  - control_key: SC-7
    standard_key: FRIST-800-53
    covered_by: []
    implementation_status: none
    narrative:
      - text: |
          SC-7 - Boundary protection

          Boundary protection is provided, in AWS, with Security Groups that do not allow
          ingress except to port 443 on the ELBs

          Verification: No security groups allow 0.0.0.0 inbound, except that ones named 'elb.*' may
          allow port 443 from 0.0.0.0 (testing with InspecAws)
```

/markdowns/README.md:
--------------------------------------------------------------------------------
# Freedonia website SSP introduction

These documents constitute the System Security Plan for the Freedonia "Hello World" application (under development). The contents of this file (from `markdowns/README.md`) are rendered to appear as the introduction of the SSP by Masonry and GitBook.

A Freedonia SSP (as well as one for the USA) comprises:
* Narrative: A narrative description (from `markdowns/README.md` and other content under `markdowns/docs`)
* Standards: A description of standards and relevant controls (generated from _components_ and _dependencies/systems_ references in the `opencontrol.yaml`)
* Components: Links to details of the components (also generated from `opencontrol.yaml`)

While a README.md may be sufficient to provide a narrative introduction for an SSP, it's likely you'll need to go into more depth. This Freedonia SSP project demonstrates the narrative by placing content and related images in `markdowns/docs`.

This SSP is intended to demonstrate the _process_, not the _content_, for an SSP built with OpenControl and ComplianceMasonry. For an example of the content: https://github.com/18F/cg-compliance and the resulting site at https://compliance.cloud.gov.
## Version and update information

We have yet to implement a strategy to version this document with a creation date and relevant tags.

The source documents are under source-code control with Git and GitHub at the following URL: https://github.com/opencontrol/freedonia-compliance

If there are errors or corrections, please submit them to https://github.com/opencontrol/ato1day-compliance/issues.

/markdowns/SUMMARY.md:
--------------------------------------------------------------------------------
# Summary

This summary is the table of contents for material not automatically generated from OpenControls:

* [About the SSP](docs/about-the-ssp.md) This is your executive summary

----

BUG NOTICE:

The contents of this file should be included in the Table of Contents at the top level of the GitBook site (see https://toolchain.gitbook.com/structure.html and https://toolchain.gitbook.com/pages.html for the role of SUMMARY.md).

The navigation above is included in the leftNav (About the SSP, System Classification), but the contextual descriptions are not generated into the book contents in either HTML or PDF form.

/markdowns/docs/Waterfall_model.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/opencontrol/freedonia-compliance/85d5fea6c78fbdfd934f79aeb606ff495ddadc60/markdowns/docs/Waterfall_model.png

/markdowns/docs/about-the-ssp.md:
--------------------------------------------------------------------------------
## About the System Security Plan

The typical USA FedRAMP system security plan (SSP) is written from a 304-page Microsoft Word document. See here: https://www.fedramp.gov/resources/templates-2016

The first 12 sections are a narrative that is independent of the structure of the controls that OpenControl specifies with `component.yaml` files. The table of contents for the initial 12 sections is like this (trailing numbers are the template's page numbers):

```
1   Information System Name/Title                     1
2   Information System Categorization                 1
3   Information System Owner                          5
4   Authorizing Official                              5
5   Other Designated Contacts                         6
6   Assignment of Security Responsibility             7
7   Information System Operational Status             7
8   Information System Type                           8
9   General System Description                       10
10  System Environment                               13
11  System Interconnections                          16
12  Laws, Regulations, Standards, and Guidance       17
```

The content here could form the above 12-part narrative, but doesn't. For a complete example, see:

https://github.com/18F/cg-compliance/tree/master/markdowns

## How are images included?

By including them with Markdown: `![Waterfall SDLC Image](./Waterfall_model.png)`

Like this: Let's not do the waterfall SDLC the way it's typically understood:

![Waterfall SDLC Image](./Waterfall_model.png)

(NB: The original waterfall papers included iterative feedback loops, but those got lost over time)

/opencontrol.yaml:
--------------------------------------------------------------------------------
```yaml
schema_version: "1.0.0"
name: freedonia.fd
metadata:
  description: Simple example of OpenControl Compliance-as-Code
  maintainers:
    - greg.elin@govready.com
components:
  - ./components/AU_policy
  - ./components/AWS_core
  - ./components/AWS_implementation
standards:
  - ./standards/FRIST-800-53.yaml
certifications:
  - ./certifications/FredRAMP-low.yaml
```

/standards/FRIST-800-53.yaml:
--------------------------------------------------------------------------------
```yaml
name: FRIST-800-53
AU-1:
  family: AU
  name: Audit and Accountability Policy and Procedures
AU-2:
  family: AU
  name: Audit Events
AU-2 (3):
  family: AU
  name: Audit Events | Reviews and Updates
PE-2:
  family: PE
  name: Physical Access Authorizations
SC-1:
  family: SC
  name: System and Communications Protection Policy and Procedures
SC-7:
  family: SC
  name: Boundary Protection
XX-1:
  family: XX
  name: Dummy Mock Control
```
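The SC-7 narrative in `components/AWS_implementation/component.yaml` states its verification as a rule (no security group admits 0.0.0.0 inbound, except that groups named `elb.*` may admit port 443) but leaves the InSpec check to the reader. As an added example, not from this repository or from InSpec, the function below evaluates that rule over security-group records shaped like the `SecurityGroups` array from `aws ec2 describe-security-groups`; the records here are constructed, and treating `::/0` as "the world" goes slightly beyond the narrative's IPv4 wording.

```python
"""SC-7 boundary-protection check (added example, not from this repo or InSpec).

Rule from the AWS_implementation narrative: no security group may allow
ingress from the world, except that groups named 'elb.*' may allow TCP 443.
Input is shaped like the SecurityGroups array of describe-security-groups;
the SAMPLE_GROUPS below are constructed, not captured from an account.
"""
import re
from ipaddress import ip_network

ELB_NAME = re.compile(r"^elb.*")       # the exception named in the SC-7 narrative
ALLOWED_ON_ELB = ("tcp", 443, 443)     # the only world-open rule an ELB group may carry


def _port_range(perm):
    """Port range of one IpPermissions entry; protocol "-1" means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _world_cidrs(perm):
    """CIDRs in the rule that cover every address (prefix length 0), v4 or v6."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ip_network(c, strict=False).prefixlen == 0]


def sc7_violations(groups):
    """Return (group, protocol, from_port, to_port, cidr) for every rule breaking SC-7."""
    bad = []
    for g in groups:
        name = g.get("GroupName") or g.get("GroupId", "?")
        is_elb = bool(ELB_NAME.match(name))
        for perm in g.get("IpPermissions", []):
            lo, hi = _port_range(perm)
            proto = perm.get("IpProtocol")
            for cidr in _world_cidrs(perm):
                if is_elb and (proto, lo, hi) == ALLOWED_ON_ELB:
                    continue                     # the permitted ELB exception
                bad.append((name, proto, lo, hi, cidr))
    return bad


# Constructed sample: a compliant ELB group, a node with SSH open to the world,
# an IPv6 ELB group, and a legacy ELB group that allows all traffic.
SAMPLE_GROUPS = [
    {"GroupName": "elb-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupName": "web-node", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupName": "elb-web-v6", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupName": "elb-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for v in sc7_violations(SAMPLE_GROUPS):
        print("SC-7 violation:", v)
```

An empty result is the evidence the narrative asks for; anything returned names the group and rule to fix.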