security plan

18F automates compliance documentation

18F is building an open source platform for automating system security plan (SSP) updates so agencies can easily access, update and create compliance documentation as rapidly as they deploy systems.

Currently a prototype, the Compliance Masonry platform is a content capture and management framework for documenting the usually complex and lengthy SSPs, which describe a system’s architecture, implemented security controls and overall security posture, according to 18F.

The tool is being designed to create machine-readable SSPs that continuously update with code as the system changes, allowing agency executives, system custodians and security operations staff to interact, update and generate assurance reports with searchable content and testable security controls.

To build the Compliance Masonry platform, 18F stores SSP data in machine readable YAML/JSON format with OpenControl Schema, a machine-readable format for storing compliance documentation.

It also provides automated processes, or pipelines, for generating  standardized certification documentation. There are pipelines already in place for converting these YAML/JSON SSPs to GitBooks (a GitHub tool) and Microsoft Word and for verifying complex tests like whether a system is using static code analysis tools.

18F took a component-first approach with the platform, meaning the SSP documentation is based on components rather than security controls. This focus will allow agencies to quickly add, adjust and remove documentation for new or updated components.

So far, 18F is using Compliance Masonry to organize SSP documentation for The open source platform is available for use and contribution by all agencies, developers and service providers.

About the Author

Amanda Ziadeh is a former reporter/producer for GCN.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected