pburkholder / ato1day-compliance Goto Github PK
View Code? Open in Web Editor NEWATO-in-day
ato1day-compliance's People
Contributors
Watchers
Forkers
gregelinato1day-compliance's Issues
Integrate testable platform #5 with freedonia-compliance
Once we have verifications of infra running, determine how to integrate with compliance framework. This may be more reading than anything else.
As the owner of ATO1Day, I should understand automated compliance landscape
This is a holding place for issues related to reading and research....
SSP should pull AWS compliance from `freedonia-aws`
Request 18F to consolidate compliance-toolkit issues into the relevant component projects
18F has a https://github.com/18F/compliance-toolkit repo which seems to just be a duplicate place for issues re. opencontrol/schema and opencontrol/compliance-toolkit, adding confusion to how to track work on those projects. Tempted to call them out on that, but I'll let it ride for now.
Security Policy violation Branch Protection
This issue was automatically created by Allstar.
Security Policy Violation
No protection found for branch master
Created by pburkholder/.allstar and GSA-TTS/.allstar
This issue will auto resolve when the policy is in compliance.
Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.
Security Policy violation SECURITY.md
This issue was automatically created by Allstar.
Security Policy Violation
Security policy not enabled.
A SECURITY.md file can give users information about what constitutes a vulnerability and how to report one securely so that information about a bug is not publicly visible. Examples of secure reporting methods include using an issue tracker with private issue support, or encrypted email with a published key.
To fix this, add a SECURITY.md file that explains how to handle vulnerabilities found in your repository. Go to https://github.com/pburkholder/ato1day-compliance/security/policy to enable.
For more information, see https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository.
Created by pburkholder/.allstar and GSA-TTS/.allstar
This issue will auto resolve when the policy is in compliance.
Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.
Review compliance-viewer, e.g. https://compliance-viewer.18f.gov/results/college%20scorecard/current
Where are these compliance results coming from?
Open issue about remote dependencies
This issue is my scratch space for gathering my thoughts to open an issue in discuss
To wit:
urlseems to require not a URL, but a path to Git repo- The repo seems to require a top-level
opencontrol.yamleven though it might be sensible to nest that as in freedonia-aws/compliance/opencontrol.yaml - the
dependenciesfield should support an numbered/signed release/archive
See also: opencontrol/discuss#4
Perhaps something like the following for 5 different systems:
dependencies:
systems:
- repository: https://bitbucket.com/org/repo
path: ./docs/compliance/opencontrol.yaml
revision: master
- archive: https://github.com/opencontrol/compliance-masonry/archive/v1.1.1.tar.gz
signature: https://github.com/opencontrol/compliance-masonry/archive/v1.1.1.tar.gz.asc
path: ./docs/compliance/opencontrol.yaml
- url: https://path/to/url/not/a/repo/opencontrol.yaml
- url: file://my/path/to/some/wip/opencontrol.yaml
- repository: file://my/path/to/git/repo
path: ./docs/compliance/opencontrol.yaml
revision: master
Why is there a benefit to cloning git repos locally?
archive would be best for assurance purposes
url or repository
SSP needs controls implemented as inherited by Provisional ATO
What I have in mind here is that:
- freedonia-aws-compliance describes how Freedonia is using AWS comply with standards.e, g we have an SC-1 policy as an organization, and we have an SC-7 technical control implemented with security groups in our Terraform plan.
- In addition, the freedonia-aws-policy notes that AWS has provisional ATO including PE-2 physical access controls. So all we have to do is reference it.
Read and digest the Before You Ship site
Exemplify ATO process with simpler standards/certifications
Assuming a fictional nation of Freedonia,
- standards of FIST-1 with, say 3 controls in 2 families, including technical controls and organizational controls, and
- a certification of FreeLow that reference back to that.
Write an ideal SSP
Use opencontrol, compliance-masonry to generate something close to the ideal SSP.
freedonia-compliance should demonstrate full use of compliance schema
Corollary to #12, show how to use all the fields in a sane manner.
Read me should work
SSP should pull org policies from `freedonia-policies`
Review 18f/compliance-toolkit
SSP needs local controls for AU/logging
freedonia-compliance should generate a complete SSP
Current state has too many non-implemented pages.
Separate the various components into their own repositories
Demonstrate testable platform w/ Terraform and InSpec AWS
Are the markdowns consumed from upstream systems?
See opencontrol/compliance-masonry#131
If aws-compliance has a markdown directory (with or without diagrams) are those included in the final document?
freedonia-compliance should demonstrate minimal necessary .yaml components
As a user of masonry, the plethora of fields is daunting, so some components should only have the minimal required field.
SSP should pull standards and certs from freedonia-frist
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.